CN112651000A - Permission configuration integrated system for modular plug-in development - Google Patents
- Publication number: CN112651000A (application CN202011626733.8A)
- Authority: CN (China)
- Prior art keywords: organization, account, management, entity, authority
- Prior art date:
- Legal status (Google's assumption, not a legal conclusion): Withdrawn
Classifications
- G06F21/31: User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F16/27: Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures therefor (under G06F16/20 Information retrieval and database structures for structured data, e.g. relational data)
- G06F21/46: Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords (under G06F21/45 Structures or tools for the administration of authentication)
- G06F21/604: Tools and structures for managing or administering access control systems (under G06F21/60 Protecting data)
Abstract
The invention discloses a permission configuration integrated system for modular plug-in development, which provides unified public modules comprising authorization authentication, a user module, a menu module, a role module, an organization module, a post module, permission subordination, a permission strategy, permission identification, a service dictionary and the like. The invention performs unified planning around resource integration and all bottom-layer logic, integrates and extracts the permission management and identity recognition of other systems as a whole, and performs system permission management and rapid development through configurable means based on the principles of personal account unification, organization entity isolation, dependency relationship isolation and OS-RBAC; page permissions, operation permissions and data permissions under different service scenario requirements can be rapidly configured and defined, achieving agile development of service requirements, high reuse of code logic and high efficiency of code realization.
Description
Technical Field
The invention belongs to unified permission configuration management systems, and in particular to a permission management system that extracts entities such as roles, permissions, resources and organizations from each service system into a common, unified configuration.
Background
The background art is the art used in this field prior to the present invention, and it has deficiencies.
Disclosure of Invention
The invention aims to solve the technical problem of providing an authority configuration integrated system for modular plug-in development, and achieving the effects of agile development of service requirements, high reuse of code logic and high efficiency of code realization.
The technical scheme of the invention is as follows: an authority configuration integrated system for modular plug-in development comprises a unified identity management system, wherein the unified identity management system comprises a centralized account management system, a centralized authentication management system, a centralized authorization management system and a centralized audit management system;
the unified identity management system is a basic system for managing and controlling the account number and the authority of the whole platform, and the actions of account management, identity authentication, user authorization, authority control and the like of all systems under the platform are required to be processed by the unified identity management system, so that the functions of account password management, basic data management, role authority management and the like are provided;
the centralized account management system manages personal accounts of all access systems and organizes account metadata, and manages and stores all account IDs, passwords, authorization IDs, affiliated systems, account information, call logs, registration logs, password policies and the like; the centralized authentication management system performs centralized management of real-name system approval authentication and organization qualification approval authentication on the personal account and the organization account; the centralized authorization management system comprises authorization configuration and access strategy management of modules, menus, data, regions, roles, organizations and relationship chains, and can be used for configuring and managing all accounts subjected to real-name system and organization qualification authentication; the centralized audit management system comprises account number audit, authentication audit, authorization audit, difference audit and interface, statistics, parameters, processes, authority subordination, dependency relationship, operation instructions, operation behavior record logs and other contents, and statistics and data behavior record are carried out on all account numbers, authorities, interfaces and authenticated instruction logs.
Specifically, the unified identity management system can be divided into a two-level account system, a basic authority module and a basic information module; the two-level account system divides the accounts into two categories of organization entity accounts and personal entity accounts, wherein the personal entity belongs to an organization entity or does not belong to any organization entity, and the personal entity can simultaneously belong to a plurality of organization entities; the basic authority module performs unified management and authorization on the resource authority of each service system; the basic information module is used for describing basic information of an organization entity and a personal entity; the unified identity management system provides a unified API to be connected with each service system;
more specifically, the platform-level SAAS with multi-system fusion is realized by adopting a two-level account system, and the two-level account system divides account types into two types, namely an organization entity and a personal entity; the personal entity may or may not be affiliated with the organizational entity; the personal account system and the organization account system have different permissions in the system platform, and can self-define and organize independently used modules, menus and data ranges, also can define the modules, menus and data ranges which are only used by personal entities, and simultaneously can define the modules, menus and data ranges which can be used by the personal entities and the organization account system at the same time.
More specifically, the basic permission module follows the principle of personal account unification: the personal account is registered once, the whole platform is universal, and the registration and the login are performed in a unified identity management system; service authority independent principle: the authority system of each subsystem is independently managed; the functions and services which can be used by each account, and the data authority which can be viewed is independently maintained; organization entity isolation principle: different organization entities are isolated and managed independently; each organization entity can organize own organization system, account system and authority system by itself, and different organization entity resource authorities are also isolated; dependency isolation principle: the affiliation of individual accounts with organizational entities exists separately from business system storage.
More specifically, the basic authority module adopts an OS-RBAC authority system, where OS means that a permission is scoped by an organization entity and a service system, RBAC is role-based access control, and OS-RBAC is the chain organization entity - service system - user - role - permission identifier; two cases are distinguished: one is a personal account with a subordinate organization; the other is an independent personal account that belongs to no organization but still complies with the RBAC permission restrictions, and whose permission identification scheme allows the organization to be null.
More specifically, the basic information module mainly targets personal entities and organization entities and meets the requirement of flexible expansion; deployment is realized mainly by adopting an EAV data model and a database with a loose data structure; the EAV data model is a model in which entity attributes correspond one to one to row records of a data table; the loose-data-structure database is a distributed document-storage database product positioned between a relational database and a non-relational database, belongs to the CP category of the CAP theorem, supports a loose data structure, supports complex mixed data types, and supports JSON and document storage.
Specifically, the functional services provided by the unified identity management system further include system identifier management, service account management, organization entity management, organization architecture management, individual account management, user group management, role management, resource authority management, authority policy group management, authentication and audit management, personal authentication and management, organization authentication and management, qualification and audit management, organization authorization and management, unified registration, unified login, organization and admission, personal real-name authentication, organization real-name authentication, and authentication interface.
Compared with the prior art, the invention has the beneficial effects that: the invention is based on big data demand resources of service system authority management, establishes the page authority, the operation authority and the data authority which can be rapidly configured and defined under different service scene requirements, achieves the effects of agile development of service requirements, high reuse of code logic and high efficiency of code realization, and has the following specific advantages:
1. The invention extracts from the original system, according to the service and the common, compatible permission usage scenarios, a pluggable application development mode (responding to the timeliness of the project, completing the construction of the basic application through configurability, and then confirming and developing the customized part according to the client's requirements); it carries out demand analysis on the extraction and arrangement of the public part of the service, and carries out standardized modular development with refined granularity;
2. an integral architecture style is formed by a plurality of independently delivered front-end applications; breaking up the front-end application into smaller, simpler pieces that can be developed, tested, deployed independently, yet still appear to the user as a cohesive single product: the code base is smaller, more cohesive and higher in maintainability; the expandability of a loosely-coupled and autonomous team is better; part of front-end functions are gradually upgraded, updated and even rewritten, and the problems of multiple, messy and unavailable management of the existing code base are solved;
3. the new and old codes are harmoniously coexisted, and then the old codes are gradually converted until the whole reconstruction is completed, so that the flexibility of technology type selection is brought, and experimental trial and error of a new technology and a new interaction mode are facilitated;
4. the independent deployment capability is crucial in a system, and the change range can be reduced, so that the related risks are reduced;
5. besides decoupling on a code base and a release cycle, the method is also beneficial to forming a completely independent team, different teams are respectively responsible for the whole process from conception to release of a product function, and the team can completely possess everything needed for providing value for a client, so that the method can operate quickly and efficiently;
When the permission configuration integrated system for modular plug-in development is applied, information sharing and fusion among all service systems are further accelerated, permission information resources can be reused, permission service support is provided for modular management, service application and analysis decision-making capacity is improved, and the hidden danger of user privilege expansion during permission adjustment is avoided. The process of unified identity management and verification is accelerated, the consistency of personnel and organization data in the system is ensured, the permissions of personnel are comprehensively monitored and checked for compliance using the permission analysis and detection function, and adjustment efficiency is improved through a safe and efficient data synchronization technology.
Drawings
FIG. 1 is a user classification diagram of the integration system of the present invention;
FIG. 2 is an organization classification diagram of the integrated system of the present invention;
FIG. 3 is a diagram of an RBAC model according to the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
An authority configuration integration system for modular plug-in development comprises Unified Identity Management (UIMS), wherein the UIMS comprises centralized account management, centralized authentication management, centralized authorization management and centralized audit management.
Unified Identity Management (UIMS) is a basic system for managing and controlling accounts and permissions of the whole platform, and the actions of account management, identity authentication, user authorization, permission control and the like of all systems under the platform are required to be processed by the system, so that the functions of account password management, basic data management, role permission management and the like are provided.
The centralized account management system manages personal accounts of all access systems and organizes account metadata, and manages and stores all account IDs, passwords, authorization IDs, affiliated systems, account information, call logs, registration logs, password policies and the like; the centralized authentication management system performs centralized management of real-name system approval authentication and organization qualification approval authentication on the personal account and the organization account; the centralized authorization management system comprises authorization configuration and access strategy management of modules, menus, data, regions, roles, organizations and relationship chains, and can be used for configuring and managing all accounts subjected to real-name system and organization qualification authentication; the centralized audit management system comprises account number audit, authentication audit, authorization audit, difference audit and interface, statistics, parameters, processes, authority subordination, dependency relationship, operation instructions, operation behavior record logs and other contents, and statistics and data behavior record are carried out on all account numbers, authorities, interfaces and authenticated instruction logs.
UIMS is based on the concept of unified identity management and can be divided into three major modules, namely a two-level account system, a basic authority module and a basic information module. The two-level account system divides the accounts into two categories of organization entity accounts and personal entity accounts, the personal entity is subordinate to an organization entity or not subordinate to any organization entity, and the personal entity can be subordinate to a plurality of organization entities at the same time; the basic authority module performs unified management and authorization on the resource authority of each service system; the basic information module is used for describing basic information of the organization entity and the personal entity, such as the name, the address, the legal person, the name, the telephone number, the gender and the like of the organization entity. UIMS provides a unified API to connect with each service system. After the UIMS provides the above functions and services, the following requirements should be met, as shown in table 1:
TABLE 1 UIMS description of functions and services provided
| No. | Requirement | Description |
| --- | --- | --- |
| 1 | Software authorization | Self-defined authorization mechanism, able to authorize by time, function, quantity, etc. |
| 2 | Organization enrollment | Allows an organization to actively apply to join the platform |
| 3 | Real-name authentication | Personal real-name authentication and organization real-name authentication |
| 4 | Qualification review | Qualification checks of individuals and organizations, e.g. checking certificates or honors obtained |
| 5 | Organization binding | A personal account binds to an organization and establishes an association relationship with it |
| 6 | Organization unbinding | A personal account unbinds from an organization |
| 7 | Account cancellation | The personal account is cancelled, and all personal data and files are destroyed |
| 8 | Unified login | SSO single sign-on authentication technology |
| 9 | Unified registration | Provides a unified user registration page |
The UIMS system provides unified public functions from the function angle, which comprise system identification management, service account management, organization entity management, organization architecture management, individual account management, user group management, role management, resource authority management, authority policy group management, authentication and audit management, individual authentication management, organization authentication management, qualification audit management, organization authorization management, unified registration, unified login, organization enrollment, individual real name authentication, organization real name authentication and authentication interface.
The two-level account system is a platform-level SAAS which is based on the characteristic of unified identity governance and realizes multi-system fusion by adopting a two-level account system (UIMS provides an interface). The two-level account system divides the account categories into two categories, organization entities and personal entities. The personal entity may or may not be affiliated with the organizational entity (which may be affiliated with multiple organizational entities). The individual account system and the organization account system have different permissions in the system platform, and can self-define and organize independently used modules, menus and data ranges, also can define the modules, menus and data ranges which are only used by individual entities, and simultaneously can define the modules, menus and data ranges which can be used by the individual entities and the organization account system at the same time.
The basic information module mainly targets personal entities and organization entities (for example enterprise business information and general information) and must meet the requirement of flexible expansion: entity types are varied, and the information structure may change frequently as the business scenario changes. The technology adopts the following two approaches to address this:
1. An EAV data model, namely an Entity-Attribute-Value data model, transforms the traditional ORM mapping model, in which entity attributes correspond one to one to database table fields, into a model in which entity attributes correspond one to one to row records of a data table. The EAV model greatly increases the complexity of data mapping and related business logic, but it is highly flexible and can meet the requirements of information structures that change at any time, dynamically changing entity structures, field-level permission control, field-level data version history and other functions.
2. A database scheme with a loose data structure: a distributed document-storage database product positioned between a relational database and a non-relational database, belonging to the CP category of the CAP theorem, supporting a loose data structure, complex mixed data types, and JSON and document storage. This approach has obvious advantages: it can meet most functions of the EAV model, greatly simplifies the technical complexity and supports distributed deployment.
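The EAV approach in item 1 above, as an added example that is not part of the patent: an Entity-Attribute-Value store in Python on top of SQLite (standard library) in which each attribute write is a new versioned row, a new attribute needs no schema change, and a constructed role-to-field read ACL enforces field-level permission control with default deny. The table layout, role names, field names and the sample person are all assumptions made for this example.

```python
"""
Added example (not from the patent): a minimal Entity-Attribute-Value store on
SQLite showing the three EAV properties the description lists: attributes are
added without schema changes, every write is a versioned row, and reads are
filtered by a field-level ACL. Table layout, roles, fields and the sample
person are constructed for this example.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE eav (
    entity_id  TEXT NOT NULL,   -- the entity (personal or organization)
    attribute  TEXT NOT NULL,   -- attribute name: one row per attribute per version
    value      TEXT,
    version    INTEGER NOT NULL,
    changed_by TEXT NOT NULL,
    changed_at TEXT NOT NULL
);
CREATE INDEX eav_lookup ON eav (entity_id, attribute, version);
"""

# Constructed field-level read ACL: (role, attribute) -> readable. Anything not
# listed is denied, so a newly added field is private until explicitly granted.
FIELD_READ_ACL = {
    ("hr_staff", "name"): True,
    ("hr_staff", "id_card_number"): True,
    ("hr_staff", "mobile"): True,
    ("colleague", "name"): True,
    ("colleague", "mobile"): True,
}


class EavStore:
    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def set_attr(self, entity_id: str, attribute: str, value: str, changed_by: str) -> int:
        """Write a new version of one attribute; earlier versions are kept as history."""
        (latest,) = self.db.execute(
            "SELECT COALESCE(MAX(version), 0) FROM eav WHERE entity_id=? AND attribute=?",
            (entity_id, attribute)).fetchone()
        self.db.execute(
            "INSERT INTO eav VALUES (?, ?, ?, ?, ?, ?)",
            (entity_id, attribute, value, latest + 1, changed_by,
             datetime.now(timezone.utc).isoformat()))
        self.db.commit()
        return latest + 1

    def current(self, entity_id: str) -> dict:
        """Latest version of every attribute (no permission filtering)."""
        rows = self.db.execute(
            "SELECT e.attribute, e.value FROM eav e "
            "JOIN (SELECT entity_id, attribute, MAX(version) AS v FROM eav "
            "      WHERE entity_id=? GROUP BY entity_id, attribute) m "
            "ON e.entity_id=m.entity_id AND e.attribute=m.attribute AND e.version=m.v",
            (entity_id,)).fetchall()
        return dict(rows)

    def read_as(self, role: str, entity_id: str) -> dict:
        """Field-level permission control: return only the attributes `role` may read."""
        return {a: v for a, v in self.current(entity_id).items()
                if FIELD_READ_ACL.get((role, a), False)}

    def history(self, entity_id: str, attribute: str) -> list:
        """Field-level version history of one attribute, oldest first."""
        return self.db.execute(
            "SELECT version, value, changed_by FROM eav "
            "WHERE entity_id=? AND attribute=? ORDER BY version",
            (entity_id, attribute)).fetchall()


def demo() -> EavStore:
    store = EavStore()
    pid = "person:zhangsan"  # constructed personal entity
    store.set_attr(pid, "name", "Zhang San", "registration")
    store.set_attr(pid, "id_card_number", "110101********1234", "realname-check")
    store.set_attr(pid, "mobile", "138****0000", "registration")
    store.set_attr(pid, "mobile", "139****1111", "self-service")   # version 2
    # A field introduced later needs no schema migration: just a new attribute name.
    store.set_attr(pid, "emergency_contact", "Li Si", "self-service")
    return store


if __name__ == "__main__":
    s = demo()
    print(s.read_as("hr_staff", "person:zhangsan"))
    print(s.read_as("colleague", "person:zhangsan"))
    print(s.history("person:zhangsan", "mobile"))
```

The cost the description mentions is visible in `current()`: reconstructing one entity needs a grouped self-join instead of a single-row read, which is the mapping complexity EAV trades for flexibility. The default-deny ACL lookup is what keeps a freshly added attribute (here `emergency_contact`) invisible to every role until a grant is added.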
The characteristics in the basic information module comprise basic information of information classification and service information. The basic information is divided into personal entity information and organization entity information, and mainly describes basic information and general information of the entities, such as name, gender, identity card number, mobile phone number, enterprise general information, enterprise business information and the like; as shown in table 2 below:
TABLE 2 Information category scope description
The basic authority module is required to follow the principle of personal account unification: the personal account is registered once, is universal in a full platform and is similar to a full network pass and SSO, and the registration and the login are carried out in UIMS.
Service authority independence principle: the authority system of each subsystem is independently managed. The personal account unification principle unifies the account system, but for each subsystem the functions and services each account can use and the data rights it can view are maintained independently; for example, for XXX Corporation (organization) - R&D T3 group (user group) - Zhang San (user) - R&D staff (role), the resource rights held in system A will certainly differ from those held in system B.
Organization entity isolation principle: different organization entities are isolated and managed independently. Each organization entity can self-organize its own organization system, account system and authority system. Different organizational entity resource permissions are also isolated.
Dependency isolation principle: the affiliation of a personal account to an organization entity exists independently per business system. The personal account unification principle is explicit and covers only the platform-wide unity of the personal account; the organization entity and the affiliation are not unified and are isolated. For example, in system A, Zhang San (user) is subordinate to XXXX company (organization), but in system B, Zhang San (user) is not subordinate to any organization by default, and the affiliation is determined by the specific business system. In fact, this principle is not mandatory and depends on the respective service logic and service scenario. If the management of affiliations is to be simplified, the principle need not be followed, i.e., the affiliations of personal accounts to organization entities are platform-wide and uniform, independent of business systems, but this reduces the flexibility and extensibility of the platform. There is usually a trade-off between flexibility and complexity.
The basic permission module is characterized by an OS-RBAC permission system: OS means that a permission is scoped by an organization entity and a service system, RBAC is role-based access control, and OS-RBAC is based on the chain organization entity - service system - user - role - permission identifier. Two cases are distinguished: one is a personal account with a subordinate organization; the other is an independent personal account that belongs to no organization but still complies with the RBAC permission restrictions, and whose permission identification scheme allows the organization to be null.
The UIMS software authorization module establishes a cloud platform authorization mechanism based on a two-level account system, and performs independent authorization aiming at user accounts and organization accounts. Depending on the business policy of the product, a flexible authorization scheme may be implemented: time limit, function limit, and quantity limit.
The UIMS organization registration provides a registration process for organization entities, allowing an organization to actively submit basic information and open an account on the platform. In addition, the management backend should provide a function for manually entering an organization and opening its account.
UIMS real-name authentication is divided into personal account real-name authentication and organization account real-name authentication; UIMS provides the real-name authentication flow.
UIMS qualification review is divided into two parts: first, manual checking in the real-name authentication process of some entities; second, technical or manual review of additional qualifications submitted by an entity.
UIMS organization binding is based on the affiliation isolation principle: personal accounts are bound to organization accounts within a specific service system, and the binding process is of two types: a subordinate personal account created manually by an organization administrator, or a personal account applying to join an organization. For example, after an individual registers an account, they can actively apply to bind to an organization; the organization administrator must review the application, and an organization not yet registered in the system remains in a pending-review state.
UIMS organization unbinding allows personal accounts to be disassociated from an organization. Unbinding covers two cases: the personal account actively unbinding, or the organization administrator unbinding, dismissing or removing employees (personal accounts). The first case should be approved by the organization: the individual applies to unbind, and the organization reviews the application.
UIMS employment (affiliation) relationships are divided into direct and indirect employment relationships. For example, a security guard is employed by a security company (direct employment) and works at a property (indirect employment). Two approaches are taken to identify indirect employment relationships: adding the entity concept of service units (project points, property communities); or treating the indirectly employing entity as a branch of the current organization using the organizational hierarchy within the organization.
UIMS account cancellation is divided into personal account cancellation and organization account cancellation.
Resource identification: resources are divided into logical resources and physical (entity) resources. Logical resources include functional resources such as menus, pages, forms, button groups, buttons and fields, and data resources such as personnel files, attendance records, task records, position data, points and e-wallets. Physical resources are physical assets such as chairs, stools, computers and vehicles; some logical resources, such as electronic photos, video files and music files, can also be treated as physical resources.
Condition identification: the constraint conditions on a permission mainly include visible organizational-structure range limits, time limits, region limits and the like. For example, a certain permission is valid as long as the finance department is visible and until 2 November; here the finance department is the visible organizational-structure range limit, and 2 November is the time limit.
Permission identification: identifies that an account entity may access a certain function or view certain data under specified conditions. The resource identifier and the condition identifier are associated with the permission identifier, the permission identifier is associated with a role, and the role is associated with a user. For example, Zhang San (user) - R&D staff (role) - has the right to add and modify all personnel files of the R&D department.
Service system identification: the business permission independence principle constrains business permissions. Unlike traditional resource permissions, every permission identifier is associated with a specific business system. For example, the enterprise A system is a business system, and its specific permission identifiers are directly tied to that business system, covering resources such as menus, forms, pages, buttons and pictures.
Example permission identifier: in the enterprise A system [1], before 18 December 2020 [2], all personnel files [6] in the Guangdong region [5] of the R&D center [4] of the intelligent technology company [3] have read-only rights [7].
[1] service system identification;
[2] condition identification: time limit;
[3] organization entity identification;
[4] condition identification: visible organizational-structure range limit;
[5] condition identification: region range limit;
[6] resource identification;
[7] permission type.
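The example permission identifier above, evaluated in working code. This is an added Python example, not code from the patent; the class names, field names and the organization/system identifiers are assumptions, and the denial cases (a request dated on the deadline, from the Finance department, from a constructed "Beijing" region, for a write action, in a constructed "enterprise-B" system, or against another organization entity) are constructed to show that each element of the identifier is checked independently.

```python
from dataclasses import dataclass, field, replace
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# Added example of the OS-RBAC permission identifier described above (not the
# patent's own code). A permission belongs to one service system and one
# organization entity, names one resource and one permission type, and carries
# constraint conditions (time limit, visible organizational-structure range,
# region). All class, field and value names are illustrative assumptions.

@dataclass(frozen=True)
class Permission:
    service_system: str                  # [1] service system identification
    organization: str                    # [3] organization entity identification
    resource: str                        # [6] resource identification
    permission_type: str                 # [7] permission type, e.g. "read"
    valid_before: Optional[date] = None  # [2] time limit: valid on dates strictly before
    visible_scope: Optional[str] = None  # [4] visible organizational-structure range
    region: Optional[str] = None         # [5] region range limit

@dataclass(frozen=True)
class Role:
    name: str
    organization: str
    permissions: FrozenSet[Permission]

@dataclass
class User:
    name: str
    # organization entity -> roles held there; a role is only consulted for
    # requests made within the organization entity that owns it
    roles_by_org: Dict[str, List[Role]] = field(default_factory=dict)

@dataclass(frozen=True)
class AccessRequest:
    service_system: str
    organization: str
    resource: str
    action: str
    on_date: date
    department: str
    region: str

def permission_allows(p: Permission, req: AccessRequest) -> bool:
    """Evaluate one permission identifier against a request. Every element of
    the identifier must match; an unset condition imposes no restriction."""
    if p.service_system != req.service_system:   # business permission independence
        return False
    if p.organization != req.organization:       # organization entity isolation
        return False
    if p.resource != req.resource or p.permission_type != req.action:
        return False
    if p.valid_before is not None and req.on_date >= p.valid_before:
        return False
    if p.visible_scope is not None and req.department != p.visible_scope:
        return False
    if p.region is not None and req.region != p.region:
        return False
    return True

def authorize(user: User, req: AccessRequest) -> bool:
    """Allow the request if any role the user holds in the requested
    organization entity carries a permission identifier that matches it."""
    return any(permission_allows(p, req)
               for role in user.roles_by_org.get(req.organization, [])
               for p in role.permissions)

# The page's worked identifier: enterprise A system [1], before 18 December
# 2020 [2], intelligent technology company [3], R&D center [4], Guangdong
# region [5], all personnel files [6], read-only [7].
READ_PERSONNEL_FILES = Permission(
    service_system="enterprise-A",
    organization="intelligent-technology-co",
    resource="personnel-files",
    permission_type="read",
    valid_before=date(2020, 12, 18),
    visible_scope="R&D center",
    region="Guangdong",
)
RD_STAFF = Role("R&D staff", "intelligent-technology-co",
                frozenset({READ_PERSONNEL_FILES}))
ZHANG_SAN = User("Zhang San", {"intelligent-technology-co": [RD_STAFF]})

def demo() -> Dict[str, bool]:
    """Run the matching request, then requests that each break one element
    of the identifier. Only the first should be allowed."""
    base = AccessRequest("enterprise-A", "intelligent-technology-co",
                         "personnel-files", "read", date(2020, 12, 1),
                         "R&D center", "Guangdong")
    return {
        "allowed": authorize(ZHANG_SAN, base),
        "on_deadline": authorize(ZHANG_SAN, replace(base, on_date=date(2020, 12, 18))),
        "other_region": authorize(ZHANG_SAN, replace(base, region="Beijing")),
        "other_department": authorize(ZHANG_SAN, replace(base, department="Finance")),
        "write_denied": authorize(ZHANG_SAN, replace(base, action="write")),
        "other_system": authorize(ZHANG_SAN, replace(base, service_system="enterprise-B")),
        "other_organization": authorize(ZHANG_SAN, replace(base, organization="other-co")),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

The service system and organization entity are matched before any condition is consulted, which is what the business permission independence and organization entity isolation principles require: a permission granted in one business system or one organization entity can never satisfy a request made in another, regardless of resource, role or date.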
Permission affiliation, that is, the affiliation between a user entity and an organization entity, is independent of the service system. The entity types involved in the system are:
Business system (system identification)
Service account (client)
Personal account entity
Organization account entity
Organizational structure
User group (optional)
Role entity
Permission entity
Resource entity
Constraint condition entity
Permission policy group (optional)
Entity types strongly associated with an organization entity cannot exist independently of that organization entity; they include the organizational structure, role entities, permission entities, resource entities and constraint condition entities.
Since an organizational structure cannot exist separately from an organization entity, when a user entity is bound to an organizational structure, the user entity must be affiliated with the organization entity that owns that organizational structure. The following dependencies obey the same constraint, namely that the two entity objects of each pair must belong to the same organization entity: user and role, role and permission, resource and permission, and constraint condition and permission. Entity types strongly associated with a service system cannot exist independently of the service system; they include permission entities, resource entities and constraint condition entities.
Under the above principles, entity types are classified into the following cases:
Organization entity (unauthenticated): in organization-entity mode, a set of organizational structure, account and data permission systems, such as subordinate enterprises, branch companies, departments, posts and role permissions, can be set up independently according to the organization's management needs. The organization entity is assigned an administrator account by default, which holds all permissions, and the administrator initializes the configuration information.
Organization entity (authenticated): holds all rights of the unauthenticated organization entity, but an authenticated entity generally has higher quotas and fewer functional restrictions, and certain business functions and business processes, such as payment and transactions, may only be used by real-name-authenticated entities.
Personal entity (unauthenticated): in personal-entity mode, the rights enjoyed are determined by the specific business system; in principle, a personal entity, as an independent account type, should enjoy basic functional permissions and data permissions, such as the various functions of a personal center.
Personal entity (authenticated): similar to the authenticated organization entity.
Personal entity (not affiliated with an organization): a personal entity account with no affiliated organization, consistent with the personal entity type described above.
Personal entity (affiliated with a single organization): in addition to the original rights of a personal entity account, a personal entity account affiliated with a single organization is also constrained by the organization's permissions, so some rights may now be available to it and others may not.
Personal entity (affiliated with multiple organizations): when a personal entity account is affiliated with several organizations, then in addition to the original rights of the personal account, the rights conferred by each affiliated organization are subject to the organization entity isolation principle and constrained by the affiliation isolation principle, and the specific permission configuration is managed independently by each business system. There are two cases here: first, the user must select the affiliated organization at login, similar to global online services where the user must select a region and server at login; second, after login the user can freely switch between organization entities, similar to region selection in Aliyun or Huayun, and when the user has not selected an organization, the user is treated as a personal entity account not affiliated with any organization.
Organization administrator: an organization administrator holds all resource permissions within the organization. For example, the administrator can create a personal account and, before the individual completes the first login, delete (dismiss) and modify it; after the individual has logged in, control of the account is handed over to the individual. When deleted (dismissed), the individual simply leaves the organization and no longer holds the permissions of the organization's employees; the individual's work records within the organization are retained. If the organization clears the employee, these work records can no longer be managed by the enterprise, but remain visible to, and unchangeable by, the individual.
Permission policy group: policy groups are built on top of OS-RBAC as an auxiliary means of simplifying permission configuration; in practical application they need not be created. There are platform-level policy groups and business-system-level policy groups, and the scope of both is limited to the inside of a single organization entity, except for personal accounts with no affiliated organization. Policy groups resemble roles in that resource permissions can be bound into them, but differ in that a platform-level policy group can bind platform-level resource permissions across business systems. Because the account system spans several subsystems and, under the business permission independence principle, each subsystem must maintain its own permission configuration, configuration is laborious, so making full use of policy groups greatly simplifies it. Several commonly used policy groups can be built into the platform, and an end user can select one directly or modify one based on an existing policy group. Note that the scope of a policy group is limited to the same organization entity: a policy group may span business systems, but cannot act on multiple organization entities simultaneously.
Permission intersection: in contrast to the static role separation (role mutual exclusion) principle of RBAC, the platform adopts a multi-role permission union design.
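The same-organization binding constraint (user and role, role and permission must belong to one organization entity), the rule that a personal account affiliated with several organizations holds only the basic personal rights until it selects an organization, and the multi-role permission union, shown together in one added Python example. This is not the patent's own code; the account "Li Si", the organization entities "org-1" and "org-2", the service systems "enterprise-A" and "enterprise-B" and the permission names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Added example (not the patent's own code). Every entity records the
# organization entity it belongs to, and permissions also record their service
# system. The checks below enforce the page's rules: the two objects of a
# user-role or role-permission pair must belong to the same organization
# entity, and an account affiliated with several organizations only holds one
# organization's rights at a time.

@dataclass(frozen=True)
class Perm:
    name: str                    # e.g. "personnel-files:read"
    organization: Optional[str]  # None only for basic personal-entity rights
    service_system: str          # a permission never exists outside a service system

@dataclass(frozen=True)
class RoleDef:
    name: str
    organization: str
    permissions: FrozenSet[Perm] = frozenset()

class BindingError(ValueError):
    """Raised when a binding would cross an organization entity boundary."""

def bind_permission_to_role(role: RoleDef, perm: Perm) -> RoleDef:
    """Role-permission pair: both must belong to the same organization entity."""
    if perm.organization != role.organization:
        raise BindingError(
            f"permission {perm.name!r} of {perm.organization!r} cannot be bound "
            f"to role {role.name!r} of {role.organization!r}")
    return RoleDef(role.name, role.organization, role.permissions | {perm})

@dataclass
class Account:
    name: str
    personal_perms: FrozenSet[Perm]          # rights every personal entity has
    roles_by_org: Dict[str, List[RoleDef]]   # affiliation, kept apart from service systems

def bind_user_to_role(acct: Account, org: str, role: RoleDef) -> None:
    """User-role pair: the user is bound to the role only within the
    organization entity that owns the role."""
    if role.organization != org:
        raise BindingError(f"role {role.name!r} belongs to {role.organization!r}, not {org!r}")
    acct.roles_by_org.setdefault(org, []).append(role)

def effective_permissions(acct: Account, selected_org: Optional[str],
                          service_system: str) -> FrozenSet[Perm]:
    """Permissions an account holds in one service system after selecting (or
    not selecting) an organization entity. No selection yields only the basic
    personal-entity rights; a selection adds the union of all roles held there
    (multi-role union, not RBAC role exclusion) and nothing from other
    organization entities."""
    perms = {p for p in acct.personal_perms if p.service_system == service_system}
    if selected_org is None:
        return frozenset(perms)
    if selected_org not in acct.roles_by_org:
        raise BindingError(f"{acct.name!r} is not affiliated with {selected_org!r}")
    for role in acct.roles_by_org[selected_org]:
        perms |= {p for p in role.permissions if p.service_system == service_system}
    return frozenset(perms)

def _names(perms: FrozenSet[Perm]) -> List[str]:
    return sorted(p.name for p in perms)

def demo() -> dict:
    """Constructed scenario: Li Si holds two roles in org-1 and one in org-2."""
    sys_a = "enterprise-A"
    personal = frozenset({Perm("personal-center:view", None, sys_a)})
    hr_read = Perm("personnel-files:read", "org-1", sys_a)
    hr_edit = Perm("personnel-files:edit", "org-1", sys_a)
    tasks = Perm("task-records:read", "org-2", sys_a)

    hr_viewer = bind_permission_to_role(RoleDef("HR viewer", "org-1"), hr_read)
    hr_editor = bind_permission_to_role(RoleDef("HR editor", "org-1"), hr_edit)
    analyst = bind_permission_to_role(RoleDef("analyst", "org-2"), tasks)

    li_si = Account("Li Si", personal, {})
    bind_user_to_role(li_si, "org-1", hr_viewer)
    bind_user_to_role(li_si, "org-1", hr_editor)
    bind_user_to_role(li_si, "org-2", analyst)

    try:                                   # org-2 permission into an org-1 role
        bind_permission_to_role(hr_viewer, tasks)
        cross_org_rejected = False
    except BindingError:
        cross_org_rejected = True

    return {
        "no_org_selected": _names(effective_permissions(li_si, None, sys_a)),
        "org1": _names(effective_permissions(li_si, "org-1", sys_a)),
        "org2": _names(effective_permissions(li_si, "org-2", sys_a)),
        "other_system": _names(effective_permissions(li_si, "org-1", "enterprise-B")),
        "cross_org_rejected": cross_org_rejected,
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} {value}")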
The preferred embodiments of the invention disclosed above are intended to be illustrative only. The preferred embodiments are not intended to be exhaustive or to limit the invention to the precise embodiments disclosed. Obviously, many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and the practical application, to thereby enable others skilled in the art to best utilize the invention.
Claims (7)
1. An integrated system for configuring permissions for componentized plug-in development, comprising a unified identity management system, wherein the unified identity management system comprises a centralized account management system, a centralized authentication management system, a centralized authorization management system and a centralized audit management system;
the unified identity management system is the basic system for managing and controlling the accounts and permissions of the whole platform; account management, identity authentication, user authorization, permission control and similar actions of all systems under the platform must be processed by the unified identity management system, which provides functions such as account password management, basic data management and role permission management;
the centralized account management system manages the personal accounts and organization account metadata of all access systems, and manages and stores all account IDs, passwords, authorization IDs, affiliated systems, account information, call logs, registration logs, password policies and the like; the centralized authentication management system centrally manages real-name approval authentication and organization qualification approval authentication of personal accounts and organization accounts; the centralized authorization management system comprises authorization configuration and access policy management for modules, menus, data, regions, roles, organizations and relationship chains, and configures and manages all accounts that have passed real-name and organization qualification authentication; the centralized audit management system comprises account audit, authentication audit, authorization audit, difference audit, and records of interfaces, statistics, parameters, processes, permission affiliation, dependency relationships, operation instructions and operation behavior, and performs statistics and data behavior recording for all accounts, permissions, interfaces and authenticated instruction logs.
2. The permission configuration integration system for componentized plug-in development as claimed in claim 1, wherein the unified identity management system is divided into a two-level account system, a basic permission module and a basic information module; the two-level account system divides accounts into two categories, organization entity accounts and personal entity accounts, wherein a personal entity either belongs to an organization entity or belongs to no organization entity, and a personal entity may belong to several organization entities simultaneously; the basic permission module performs unified management and authorization of the resource permissions of each service system; the basic information module describes the basic information of organization entities and personal entities; and the unified identity management system provides a unified API for connecting to each service system.
3. The permission configuration integration system for componentized plug-in development as claimed in claim 2, wherein a two-level account system is adopted to realize platform-level SaaS with multi-system integration, and the two-level account system divides account types into organization entities and personal entities; a personal entity may or may not be affiliated with an organization entity; the personal account system and the organization account system have different permissions on the system platform, and it is possible to define modules, menus and data ranges used independently by organizations, modules, menus and data ranges used only by personal entities, and modules, menus and data ranges usable by both personal entities and the organization account system.
4. The permission configuration integration system for componentized plug-in development as claimed in claim 2, wherein the basic permission module follows the personal account unification principle: a personal account is registered once and is valid across the whole platform, with registration and login performed in the unified identity management system; the business permission independence principle: the permission system of each subsystem is managed independently, and the functions and services each account can use and the data permissions it can view are maintained independently; the organization entity isolation principle: different organization entities are isolated and managed independently, each organization entity can build its own organizational system, account system and permission system, and the resource permissions of different organization entities are also isolated; and the affiliation isolation principle: the affiliation of personal accounts with organization entities is stored separately from the business systems.
5. The permission configuration integration system for componentized plug-in development as claimed in claim 2 or 4, wherein the basic permission module adopts an OS-RBAC permission system, where OS means that permissions are affected by the organization entity and the service system, RBAC is role-based access control, and OS-RBAC denotes the organization entity - service system - user - role - permission identification chain; this is further divided into two cases: one is a personal account with an affiliated organization; the other is an independent personal account with no organization, which still complies with the RBAC permission restrictions and whose permission identification scheme allows the organization to be null.
6. The permission configuration integration system for componentized plug-in development as claimed in claim 2, wherein the basic information module mainly targets personal entities and organization entities and meets the requirement of flexible expansion; it is deployed mainly with an EAV data model and a database with a loose data structure; the EAV data model is a model in which entity attributes correspond one-to-one to rows of a data table; the loose-data-structure database is a distributed file storage database product positioned between relational and non-relational databases, belongs to the CP category in the CAP theory, and supports loose data structures, complex mixed data types, and JSON and document storage.
7. The permission configuration integration system for componentized plug-in development as claimed in claim 1, wherein the functional services provided by the unified identity management system further comprise system identification management, service account management, organization entity management, organizational structure management, personal account management, user group management, role management, resource permission management, permission policy group management, authentication and audit management, personal authentication management, organization authentication management, qualification audit management, organization authorization management, unified registration, unified login, organization enrollment, personal real-name authentication, organization real-name authentication and authentication interfaces.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011626733.8A CN112651000A (en) | 2020-12-30 | 2020-12-30 | Permission configuration integrated system for modular plug-in development |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011626733.8A CN112651000A (en) | 2020-12-30 | 2020-12-30 | Permission configuration integrated system for modular plug-in development |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112651000A true CN112651000A (en) | 2021-04-13 |
Family
ID=75367338
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011626733.8A Withdrawn CN112651000A (en) | 2020-12-30 | 2020-12-30 | Permission configuration integrated system for modular plug-in development |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112651000A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113568758A (en) * | 2021-09-23 | 2021-10-29 | 深圳市信润富联数字科技有限公司 | GPU resource pooling method, system, device and computer readable storage medium |
CN113590118A (en) * | 2021-07-23 | 2021-11-02 | 南京赛宁信息技术有限公司 | Resource authority control device and method based on DRF framework |
CN115484155A (en) * | 2022-08-15 | 2022-12-16 | 南京国电南自电网自动化有限公司 | Management system for multi-web micro-service application |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104125063A (en) * | 2013-04-28 | 2014-10-29 | 腾讯科技(深圳)有限公司 | Authentication method, equipment and system |
CN110084033A (en) * | 2019-04-19 | 2019-08-02 | 广东中安金狮科创有限公司 | User identity management method, system and computer readable storage medium |
- 2020-12-30: CN application CN202011626733.8A, patent CN112651000A, status not active (withdrawn)
Non-Patent Citations (1)
Title |
---|
BOCHS: "平台级 SAAS 架构的基础:统一身份管理系统" (The foundation of a platform-level SaaS architecture: the unified identity management system), 《HTTPS://MY.OSCHINA.NET/BOCHS/BLOG/2248954》, pages 1 - 9 * |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113590118A (en) * | 2021-07-23 | 2021-11-02 | 南京赛宁信息技术有限公司 | Resource authority control device and method based on DRF framework |
CN113590118B (en) * | 2021-07-23 | 2024-02-09 | 南京赛宁信息技术有限公司 | Resource authority control device and method based on DRF framework |
CN113568758A (en) * | 2021-09-23 | 2021-10-29 | 深圳市信润富联数字科技有限公司 | GPU resource pooling method, system, device and computer readable storage medium |
CN113568758B (en) * | 2021-09-23 | 2022-02-15 | 深圳市信润富联数字科技有限公司 | GPU resource pooling method, system, device and computer readable storage medium |
CN115484155A (en) * | 2022-08-15 | 2022-12-16 | 南京国电南自电网自动化有限公司 | Management system for multi-web micro-service application |
CN115484155B (en) * | 2022-08-15 | 2024-05-28 | 南京国电南自电网自动化有限公司 | Management system for multi-web micro-service application |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA3073459C (en) | System and method for tracking of provenance and flows of goods, services, and payments in responsible supply chains | |
CN112651000A (en) | Permission configuration integrated system for modular plug-in development | |
US7350226B2 (en) | System and method for analyzing security policies in a distributed computer network | |
CN104573478B (en) | A kind of user authority management system of Web applications | |
US7363650B2 (en) | System and method for incrementally distributing a security policy in a computer network | |
US9639594B2 (en) | Common data model for identity access management data | |
US7870156B2 (en) | Organizational reference data and entitlement system with entitlement generator | |
Vo et al. | Internet of blockchains: Techniques and challenges ahead | |
CN110084033B (en) | User identity management method, system and computer readable storage medium | |
US7805325B2 (en) | Method and system for secured execution of an activity in a workflow process | |
US20120131189A1 (en) | Apparatus and method for information sharing and privacy assurance | |
CN110337676B (en) | Framework for access settings in a physical access control system | |
US20080244687A1 (en) | Federated role provisioning | |
CN114143069B (en) | Authority management system and method applied to microservice | |
EP4214899B1 (en) | Scenario-based access control | |
Zaidi et al. | Fabrication of flexible role-based access control based on blockchain for internet of things use cases | |
CN106487770A (en) | Method for authenticating and authentication device | |
Chua et al. | Adopting hyperledger fabric blockchain for epcglobal network | |
US20060259491A1 (en) | Computer system, integrable software component and software application | |
US9465951B1 (en) | Systems and methods for resource management and certification | |
Nanda et al. | Oracle Privacy Security Auditing: Includes Federal Law Compliance with HIPAA, Sarbanes Oxley and the Gramm Leach Bliley Act GLB | |
CN113904875A (en) | Multi-chain fusion authority control system based on block chain | |
WO2002067173A1 (en) | A hierarchy model | |
KR20210086328A (en) | PS-LTE OneID record management blockchain system by use of FIDO transaction certification | |
KR102564706B1 (en) | System for providing identity verification service for military personnel, method for identity verification of military personnel and computer program for the same |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
WW01 | Invention patent application withdrawn after publication | Application publication date: 20210413 ||