CN111368284A - Method for distributing user authority in enterprise information management system - Google Patents


Info

Publication number
CN111368284A
Authority
CN
China
Prior art keywords
authority
user account
attribute
basic
code
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811599342.4A
Other languages
Chinese (zh)
Inventor
杨伟业
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Linglian Information Technology Co ltd
Original Assignee
Guangzhou Linglian Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangzhou Linglian Information Technology Co ltd filed Critical Guangzhou Linglian Information Technology Co ltd
Priority to CN201811599342.4A priority Critical patent/CN111368284A/en
Publication of CN111368284A publication Critical patent/CN111368284A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The invention provides a method for distributing user authority in an enterprise information management system, which comprises the following steps: setting a basic authority attribute of a user account; generating a basic authority code of the user account according to the basic authority attribute; setting an extra authority attribute of the user account; generating an extra authority code of the user account according to the extra authority attribute; superimposing the extra authority code onto the basic authority code to form a total authority code; and issuing the corresponding user authority to the user account according to the total authority code. The method and the system can improve the flexibility of authority adjustment in the enterprise information management system and avoid the security risk of conventional authority adjustment.

Description

Method for distributing user authority in enterprise information management system
Technical Field
The invention relates to the field of authority control in an information management system, in particular to a method for distributing user authority in an enterprise information management system.
Background
In an enterprise information management system, authority control over system information is a core function for measuring whether the system can meet the needs of its users, and is also an important component of the system's security architecture and user experience. Many functions of the system need to be displayed differently to users of different levels, so that the user's operation authority in the system matches the authority the user holds in actual work. For example, after a user logs in, the system determines which authorities the user has, such as addition, deletion, modification, inquiry and approval, or other management authorities (specific to a system administrator), and to which modules and module-related data ranges those authorities apply. Users at different levels have different authorities. For example, in a production department, a department administrator user has multiple authorities, such as the authority to query production data, the authority to query attendance data of all employees in the department, and the authority to query expenses paid from public funds in the department, while a production operator user in the same department only has the authority to view production data.
Further, the mature authority control also includes the aspect of quickly adjusting the authority and distributing the authority, i.e. allowing the administrator of the system to give a new authority to the user in the system or adjust the acquired authority of the user in the system, which helps the system flexibly cope with personnel change and flexibly realize cooperation among departments to complete a certain work task.
Existing enterprise information management systems use databases to implement the rights mapping, for example, by storing users and their corresponding rights items through predefined database tables. Once adjustments to the user's permissions are involved, the database tables need to be adjusted by the developer of the enterprise information management system before they can be implemented, thus adding additional maintenance costs.
Some enterprise information management systems have a one-dimensional authority management structure, that is, authority management is performed by only one system administrator. This mode is only suitable for small and medium-sized enterprises; it is not suitable for large group enterprises comprising multiple sub-units, because the workload of the administrator responsible for authority management is too large. Other enterprise information management systems have complex rules for defining and managing authority, but their basic logic follows the downward management of the actual organization: all authorities of a user can only be distributed to, and exercised over, the lower-level units of the unit the user belongs to, and it is technically impossible to grant authority over the information of a same-level unit or to authorize a lower-level unit to operate on an upper-level unit. For example, in principle the users of a first company in a group are authorized only for the first company and its subordinate units, and the authority administrator cannot authorize users of the first company to operate on the data of a second company; in actual use, however, units often need to cross-check or audit one another. Under the normal logic, data operations cannot be performed between two same-level units or by a lower-level unit on an upper-level unit; the only workaround is to adjust the user's unit in the system and then re-adjust the post setting after the operation, which carries considerable operational risk.
Disclosure of Invention
In order to overcome the above defects in the prior art, the present invention provides a method for assigning user rights in an enterprise information management system, which comprises:
setting a basic authority attribute of a user account;
generating a basic authority code of the user account according to the basic authority attribute;
setting an extra authority attribute of the user account;
generating an extra authority code of the user account according to the extra authority attribute;
superimposing the extra authority code onto the basic authority code to form a total authority code;
and issuing the corresponding user authority to the user account according to the total authority code.
According to one aspect of the invention, the basic permission attribute in the method comprises a unit attribute; the unit attribute is generated according to an organization tree to which the user account belongs.
According to another aspect of the present invention, the basic permission attributes in the method further include role attributes; the role attributes are generated according to the custom operation of a system administrator.
According to another aspect of the invention, the basic permission attribute in the method further comprises a post attribute; and the post attribute is generated according to the specific business operation corresponding to the user account.
According to another aspect of the invention, the basic permission attributes in the method further comprise department attributes; the department attributes are generated according to the organizational structure tree.
According to another aspect of the present invention, issuing the corresponding user authority for the user account according to the total authority code includes: parsing the total authority code to obtain the page control ID corresponding to the user authority; and presenting the page control corresponding to the page control ID.
According to another aspect of the present invention, the extra right attribute in the method is generated according to extra rights configured to the user account by a system administrator or a superior user.
The method for distributing the user authority in the enterprise information management system realizes the issuing of the authority through the authority code, the authority code is formed by overlapping a basic authority code and an additional authority code, wherein the basic authority code is generated according to the basic authority attribute of a user account and is used for distributing the authority possessed by daily work to the user account; the extra authority code is generated according to the extra authority attribute of the user account and is used for carrying out dynamic authority adjustment under the condition that the attribution relationship of the organization of the user account is not changed. The method and the system can improve the flexibility of authority adjustment in the enterprise information management system and avoid the safety risk in the conventional authority adjustment.
Drawings
Other features, objects and advantages of the invention will become more apparent upon reading of the detailed description of non-limiting embodiments made with reference to the following drawings:
FIG. 1 is a flow diagram of one embodiment of a method for assigning user privileges in an enterprise information management system, in accordance with the present invention;
FIGS. 2-4 are schematic logical structures of embodiments of an organizational structure tree;
the same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
For a better understanding and explanation of the present invention, reference will now be made in detail to the present invention as illustrated in the accompanying drawings.
Referring to fig. 1, fig. 1 is a flowchart of an embodiment of a method for assigning user rights in an enterprise information management system according to the present invention, where the method includes:
step S100, setting a basic authority attribute of a user account;
step S200, generating a basic authority code of the user account according to the basic authority attribute;
step S300, setting an extra authority attribute of the user account;
step S400, generating an extra authority code of the user account according to the extra authority attribute;
step S500, the extra authority code is superposed on the basic authority code to form a total authority code;
and step S600, issuing the corresponding user authority for the user account according to the total authority code.
Those skilled in the art will understand that the user account is mapped to an operator who uses the user account to log in the enterprise information management system in reality, the operator has a real personal ownership, a work duty and a work goal, and in order to use the enterprise information management system to complete the work duty or achieve the work goal, the enterprise information management system needs to assign a basic operation right to the user account.
Specifically, in step S100, a basic permission attribute of the user account is first set, where the basic permission attribute is used to define or map a basic permission possessed by the user account, and typically, the basic permission attribute includes a unit attribute, and the unit attribute is generated according to an organizational tree to which the user account belongs. The organizational structure tree is a data structure for defining the organizational affiliation, the superior-inferior relationship, and the functional scope of the global user account in the enterprise information management system, and is usually constructed according to the actual administrative structure of the enterprise matched with the enterprise information management system. For example, if the operator of the user account is affiliated to the administrative department of the first branch company of the first group, the unit attribute correspondingly records the first group, the first branch company, the administrative department and the superior-inferior attribution relationship thereof, and maps one or more work sub-rights of the administrative department of the first branch company of the first group.
Optionally, the basic permission attributes further include role attributes, which are generated according to a user-defined operation of a system administrator. Defining role attributes for the user account marks the permissions the user account holds by role assignment and also makes it easier for the system administrator to grant the same group of permissions to a plurality of user accounts in batch, within the system administrator's own authorization range. For example, if the operator of the user account has reimbursement authority, the role attribute marks the user account as mapping one or more sub-authorities of the reimbursement authority, including approval.
Optionally, the basic permission attribute further includes a post attribute, and the post attribute is generated according to a specific business operation corresponding to the user account. The specific business operation is an operation the operator of the user account must perform to complete a specific work task. The specific work task is related to the post actually defined for the operator in the administrative personnel relationship, and can be determined from the operator's daily work tasks or from the post tasks assigned to the operator according to the operator's post affiliation. For example, if the operator of the user account has a safety inspection work task, the post attribute marks the user account as belonging to a safety post and maps one or more safety work sub-permissions of that post; a plurality of user accounts with the same post attribute generally belong to the same user group. Those skilled in the art will appreciate that a group of user accounts having the same unit attribute may have different post attributes; for example, user accounts belonging to a device management department may be configured with a security post, a patrol post, a logistics post, and so on.
Optionally, the basic permission attributes further include department attributes, and the department attributes are generated according to the organizational structure tree. The department attribute is used for marking out a specific department to which the user account belongs in the organization tree. Such as whether the user account belongs to the finance department, the human resources department, or the administrative department.
In step S100, a basic permission attribute of the user account is set, and in step S200, a basic permission code of the user account is further generated according to the basic permission attribute, and typically, the basic permission code includes a field or an identifier for identifying the basic permission attribute.
In order to give the user account new authority without introducing security risk, an extra authority attribute of the user account is further set in step S300. Typically, the extra authority attribute is generated according to extra authority configured for the user account by a system administrator or a superior user, where the system administrator or superior user is another user account that has the right to manage the user account in the enterprise information management system. For example, if the user account is an ordinary employee of the administrative department, the superior user may be a user at the level of head of the administrative department, or a person in charge of the unit above the administrative department. Accordingly, in step S400, an extra authority code of the user account is generated according to the extra authority attribute, where the extra authority code includes a field or an identifier for identifying the extra authority attribute.
In step S500, the extra authority code is superimposed on the basic authority code to form a total authority code. The total authority code may be formed by using a suitable computer algorithm to simply merge, de-merge, or mathematically transform the extra authority code and the basic authority code, and the total authority code includes a field or an identifier for identifying the basic authority attribute and the extra authority attribute. The purpose of generating the total authority code is that, after the user account successfully logs in to the enterprise information management system, the system can allocate a corresponding set of system operation authorities to the user account according to the total authority code.
The total authority code is used as described in step S600: the corresponding user authority is issued to the user account according to the total authority code. The user authority should include the basic authority mapped by the basic authority code and the extra authority mapped by the extra authority code. Taking an enterprise information management system implemented in B/S (browser/server) mode as an example, the interaction between the user account and the system server is ultimately realized through a Web page presented on the user terminal, so issuing the corresponding user authority according to the total authority code may include the following steps: first, the total authority code is parsed to obtain the page control IDs corresponding to the user authority; then the page controls corresponding to those page control IDs are presented. Specifically, the page controls presented in the interactive page of the user account correspond one-to-one to the page control IDs and also one-to-one to the user authorities. Correspondingly, page controls unrelated to the user authority are hidden when the interactive page is constructed, or are not selected for constructing the interactive page.
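Steps S100 to S600 as an added example (not code from the patent), using the cross-unit audit case from the Background: an account in the first company receives an extra audit authority over the second company without changing its unit. The `B[...]X[...]` code layout, the permission names, control IDs and `MANAGERS` table are constructed assumptions, superposition is done as a plain merge, and the downward scope rule and the server-side `is_allowed` check are additions beyond the page-control presentation the text describes.

```python
"""Added illustration of steps S100-S600. Every name and value is constructed."""

# Permission -> page control ID, one-to-one as described for S600.
CONTROL_ID = {
    "production.view": "ctl-101",
    "attendance.view": "ctl-102",
    "expense.approve": "ctl-103",
    "safety.inspect": "ctl-104",
    "audit.view": "ctl-105",
}

# Basic attribute value -> sub-permissions it carries (S100).
ATTRIBUTE_PERMS = {
    ("unit", "group1/company1"): {"production.view"},
    ("department", "admin"): {"attendance.view"},
    ("role", "reimbursement"): {"expense.approve"},
    ("post", "safety"): {"safety.inspect"},
}

# Accounts holding the right to manage a given account
# (system administrator or superior user).
MANAGERS = {"alice": {"sysadmin", "dept_head"}}


def basic_code(attrs):
    """S200: encode the basic attributes as sorted key=value fields."""
    return ";".join(f"{key}={attrs[key]}" for key in sorted(attrs))


def extra_code(account, grants, granted_by):
    """S400: encode extra grants as permission@unit; reject unauthorised granters."""
    if granted_by not in MANAGERS.get(account, set()):
        raise PermissionError(f"{granted_by} may not manage {account}")
    for perm, _unit in grants:
        if perm not in CONTROL_ID:
            raise ValueError(f"unknown permission {perm}")
    return ";".join(sorted(f"{perm}@{unit}" for perm, unit in set(grants)))


def total_code(basic, extra):
    """S500: superimpose the extra code on the basic code (plain merge)."""
    return f"B[{basic}]X[{extra}]"


def parse_total(code):
    """S600, part 1: resolve a total code to a set of (permission, unit scope)."""
    if not (code.startswith("B[") and code.endswith("]") and "]X[" in code):
        raise ValueError("malformed total authority code")
    basic, extra = code[2:-1].split("]X[", 1)
    attrs = dict(field.split("=", 1) for field in basic.split(";") if field)
    home = attrs.get("unit", "")
    perms = set()
    for key, value in attrs.items():
        # Basic permissions are scoped to the account's own unit.
        for perm in ATTRIBUTE_PERMS.get((key, value), ()):
            perms.add((perm, home))
    for field in extra.split(";"):
        if field:
            # Extra permissions carry their own scope, possibly another unit.
            perm, unit = field.split("@", 1)
            perms.add((perm, unit))
    return perms


def page_controls(code):
    """S600, part 2: IDs of the controls to present; all others are left out."""
    return sorted({CONTROL_ID[perm] for perm, _ in parse_total(code)})


def is_allowed(code, perm, target_unit):
    """Server-side check (assumption): a scope covers the unit and its sub-units."""
    return any(
        p == perm and (target_unit == unit or target_unit.startswith(unit + "/"))
        for p, unit in parse_total(code)
    )


ALICE = {"unit": "group1/company1", "department": "admin",
         "role": "reimbursement", "post": "safety"}
BASE = basic_code(ALICE)
EXTRA = extra_code("alice", [("audit.view", "group1/company2")], "sysadmin")
TOTAL = total_code(BASE, EXTRA)

if __name__ == "__main__":
    print(TOTAL)
    print(page_controls(TOTAL))
    print(is_allowed(TOTAL, "audit.view", "group1/company2"))
    print(is_allowed(TOTAL, "production.view", "group1/company2"))
```

Revoking the extra authority is a matter of regenerating the total code with an empty extra code; the basic code and the unit attribute are untouched.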
It is noted that while the operations of the method of the present invention are depicted in the drawings in a particular order, this is not intended to require or imply that these operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Rather, the steps depicted in the flowcharts may change the order of execution. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
The organizational structure tree is an important factor in constituting the authority system and in determining the basic authority attribute. Referring to FIGS. 2 to 4, FIGS. 2 to 4 are schematic logical structures of embodiments of the organizational structure tree. FIG. 2 shows an organizational structure tree whose logical structure is a single tree. This type of tree is suitable for constructing the authority system of an independent enterprise administration, for example a company with a plurality of departments below it, such as the first department, the second department and the third department shown in FIG. 2, each of which directly contains its own user accounts. FIG. 3 shows an organizational structure tree whose logical structure is a group tree. This type of tree is suitable for constructing the authority system of an enterprise administration that includes sub-units and independent departments, for example a company that includes a plurality of sub-units and departments at the same level, such as the first company, the second company and the finance department shown in FIG. 3; accordingly, the sub-units may in turn include their own departments or lower-level sub-units. FIG. 4 shows an organizational structure tree whose logical structure is a group forest. This type of tree is suitable for constructing the authority system of an enterprise administration that comprises a plurality of groups and no independent administrative departments or users, such as the plurality of same-level groups shown in FIG. 4: the first group, the second group and the third group. Those skilled in the art will appreciate that the organizational structure tree used in an enterprise information management system needs to be determined based on the enterprise's own administrative divisions.
The portions of the method of assigning user rights in an enterprise information management system provided by the present invention that involve software logic may be implemented using programmable logic devices or as computer program products that cause a computer to perform the methods for demonstration. The computer program product includes a computer-readable storage medium having computer program logic or code portions embodied therein for performing the various steps described above with respect to the portions of software logic. The computer-readable storage medium may be a built-in medium installed in the computer or a removable medium detachable from the computer main body (e.g., a hot-pluggable storage device). The built-in medium includes, but is not limited to, rewritable nonvolatile memories such as RAM, ROM, and hard disk. The removable media include, but are not limited to: optical storage media (e.g., CD-ROMs and DVDs), magneto-optical storage media (e.g., MOs), magnetic storage media (e.g., magnetic tapes or removable hard disks), media with a built-in rewritable non-volatile memory (e.g., memory cards), and media with a built-in ROM (e.g., ROM cartridges).
Those skilled in the art will appreciate that any computer system having suitable programming means will be capable of executing the steps of the method of the invention as embodied in a computer program product. Although most of the specific embodiments described in this specification focus on software routines, alternative embodiments for implementing the methods provided by the present invention in hardware are also within the scope of the invention as claimed.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are, therefore, to be considered as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it will be obvious that the term "comprising" does not exclude other elements, units or steps, and the singular does not exclude the plural. A plurality of components, units or means recited in the claims may also be implemented by one component, unit or means in software or hardware.
The method for distributing the user authority in the enterprise information management system realizes the issuing of the authority through the authority code, the authority code is formed by overlapping a basic authority code and an additional authority code, wherein the basic authority code is generated according to the basic authority attribute of a user account and is used for distributing the authority possessed by daily work to the user account; the extra authority code is generated according to the extra authority attribute of the user account and is used for carrying out dynamic authority adjustment under the condition that the attribution relationship of the organization of the user account is not changed. The method and the system can improve the flexibility of authority adjustment in the enterprise information management system and avoid the safety risk in the conventional authority adjustment.
While the invention has been described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention.

Claims (7)

1. A method for assigning user rights in an enterprise information management system, the method comprising:
setting a basic authority attribute of a user account;
generating a basic authority code of the user account according to the basic authority attribute;
setting an extra authority attribute of the user account;
generating an extra authority code of the user account according to the extra authority attribute;
superimposing the extra authority code onto the basic authority code to form a total authority code;
and issuing the corresponding user authority to the user account according to the total authority code.
2. The method of claim 1, wherein:
the basic permission attributes comprise editing attributes;
and the editing attribute is generated according to the organization function tree to which the user account belongs.
3. The method of claim 2, wherein:
the basic permission attributes further comprise role attributes;
the role attributes are generated according to the custom operation of a system administrator.
4. The method of claim 2 or 3, wherein:
the basic permission attributes further comprise post attributes;
and the post attribute is generated according to the specific business operation corresponding to the user account.
5. The method of claim 4, wherein:
the basic authority attribute also comprises a department attribute;
the department attributes are generated according to the organizational structure tree.
6. The method of claim 1, wherein:
the basic permission attributes comprise management attributes;
and the management attribute is generated according to the organization function tree to which the user account belongs.
7. The method of claim 1, wherein:
the extra authority attribute is generated according to extra authority configured by a system administrator or a superior user to the user account.
CN201811599342.4A 2018-12-26 2018-12-26 Method for distributing user authority in enterprise information management system Pending CN111368284A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811599342.4A CN111368284A (en) 2018-12-26 2018-12-26 Method for distributing user authority in enterprise information management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811599342.4A CN111368284A (en) 2018-12-26 2018-12-26 Method for distributing user authority in enterprise information management system

Publications (1)

Publication Number Publication Date
CN111368284A true CN111368284A (en) 2020-07-03

Family

ID=71205951

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811599342.4A Pending CN111368284A (en) 2018-12-26 2018-12-26 Method for distributing user authority in enterprise information management system

Country Status (1)

Country Link
CN (1) CN111368284A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114969811A (en) * 2022-05-16 2022-08-30 贵州领航视讯信息技术有限公司 Data authority control method based on data segmentation


Similar Documents

Publication Publication Date Title
US7113923B1 (en) System and method of managing an office of programs
CN104919414B (en) The role of access right kmeans cluster has found
JP4903408B2 (en) Organization reference data and qualification system
CN109522707B (en) Role and resource-based user data read-write security authority control method and system
CN101453475B (en) Authentication management system and method
US20040024627A1 (en) Method and system for delivery of infrastructure components as they related to business processes
US20060075503A1 (en) Method and system for applying security vulnerability management process to an organization
CN111935073A (en) Authority management method and system of cloud platform based on multi-organization architecture
CN102047275A (en) Hierarchical administration of resources
CN105912924A (en) Method for sending permissions to users' accounts in enterprise information management system
WO2006078466A2 (en) User education and management system and method
Le et al. Constructing a synthetic population of establishments for the simmobility microsimulation platform
CA3099427A1 (en) Method and system for defining roles in an identity and access management system
CN111475784A (en) Authority management method and device
CN111291408A (en) Data management method and device and electronic equipment
CN111368284A (en) Method for distributing user authority in enterprise information management system
CN117034227A (en) Authority management method and device, electronic equipment and storage medium
Prasetyo et al. Development of project document management system based on data governance with DAMA International framework
CN109977657A (en) A kind of method of distributing user permission in the enterprise information management system
CN108521411A (en) Access control method, apparatus and system based on access control policy
AU2018340082A1 (en) Multiple project visualization tool
CN114037576A (en) System and method for allocating academic resources
US20120072316A1 (en) Virtual accounting ledger system
CN110427744B (en) Identity management method and system supporting service security label
CN113052547A (en) Capital transfer management method and management system for construction project in petrochemical industry

Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20200703