CN112995094A - Dynamic management method and system for account number authority of network equipment - Google Patents


Info

Publication number: CN112995094A
Application number: CN201911280398.8A
Authority: CN (China)
Prior art keywords: task, authority, approval, permission, account
Legal status: Pending
Other languages: Chinese (zh)
Inventor: 李宇锋
Current assignee: Zhongying Youchuang Information Technology Co Ltd
Original assignee: Zhongying Youchuang Information Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/108: Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time


Abstract

The invention provides a dynamic management method and system for network device account permissions. The method comprises: acquiring a permission change task submitted by a task initiator; sending the task to an auditor for permission audit and obtaining the audit result; if the audit passes, sending the task to an approver for application approval and obtaining the approval result; if the approval passes, granting the account named in the permission change application temporary control permission over the requested devices; and when the temporary control permission reaches its preset validity period, withdrawing it, generating task completion information and sending it to the task initiator. The method and system allow user account permissions to be changed dynamically in a safe, fast and flexible way and automatically restore them to their initial state, which makes day-to-day permission management easier for staff and keeps system management stable.

Description

Dynamic management method and system for account number authority of network equipment
Technical Field
The invention relates to the technical field of permission management, in particular to a dynamic management method and system for network device account permissions.
Background
Currently, AAA (Authentication, Authorization and Accounting) permission management systems already implement per-account permissions on each device: the AAA system grants device login rights by configuring AAA roles, sets the role, and creates a same-named account for the network management user on the TACACS+ (Terminal Access Controller Access-Control System Plus) server. Such accounts are very inconvenient to manage in TACACS+, which does not suit the current management mode based on engineering tasks.
Therefore, a technical scheme that can change account permissions flexibly and quickly is urgently needed.
Disclosure of Invention
To solve these problems, the invention provides a dynamic management method and system for network device account permissions. By temporarily changing the permissions a user account has on devices to match the needs of an engineering task, it makes safe, fast and flexible dynamic changes to user account permissions possible and automatically restores the permissions to their initial state afterwards.
In an embodiment of the present invention, a method for dynamically managing network device account permissions is provided, comprising:
acquiring a permission change task submitted by a task initiator;
sending the task to an auditor for permission audit and obtaining the audit result;
if the audit passes, sending the task to an approver for application approval and obtaining the approval result;
if the approval passes, granting the account named in the permission change application temporary control permission over the requested devices;
and when the temporary control permission reaches its preset validity period, withdrawing it, generating task completion information and sending it to the task initiator.
In an embodiment of the present invention, a system for dynamically managing network device account permissions is provided, comprising:
a task initiating module, for acquiring a permission change task submitted by a task initiator;
an audit module, for sending the task to an auditor for permission audit and obtaining the audit result;
an approval module, for sending the task to an approver for application approval if the audit passes, and obtaining the approval result;
a permission management module, for granting the account named in the permission change application temporary control permission over the requested devices if the approval passes;
and for withdrawing the temporary control permission when it reaches its preset validity period, generating task completion information and sending it to the task initiator.
In an embodiment of the present invention, a computer device is provided, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements a dynamic management method for account permissions of a network device when executing the computer program.
In an embodiment of the present invention, a computer-readable storage medium is provided, where a computer program is stored, and when executed by a processor, the computer program implements a method for dynamically managing account permissions of network devices.
The dynamic management method and system for network device account permissions can change user account permissions dynamically in a safe, fast and flexible way and automatically restore them to their initial state, which makes it easy for staff to manage permissions dynamically and keeps system management stable.
Drawings
Fig. 1 is a flowchart illustrating a dynamic management method for account permissions of network devices according to an embodiment of the present invention.
Fig. 2 is a schematic view of a command set configuration interface for dynamically managing account permissions of network devices according to an embodiment of the present invention.
FIG. 3 is a diagram of a task rights management interface according to an embodiment of the invention.
FIG. 4 is a task management interface diagram according to an embodiment of the invention.
FIG. 5 is a flowchart illustrating the dynamic management of permissions according to an embodiment of the present invention.
FIG. 6 is a schematic interface diagram of a task application according to an embodiment of the present invention.
Fig. 7 is a schematic interface diagram of a new task application according to an embodiment of the present invention.
FIG. 8 is a schematic view of an operation interface for task review according to an embodiment of the present invention.
FIG. 9 is a diagram of a task approval interface according to an embodiment of the present invention.
FIG. 10 is a diagram of an operation interface for task approval according to an embodiment of the present invention.
FIG. 11 is a diagram of the task consultation interface according to an embodiment of the present invention.
Fig. 12 is a schematic diagram of information related to configuration in a rights record file according to an embodiment of the invention.
FIG. 13 is a diagram illustrating configuration information generated by a create task according to an embodiment of the invention.
Fig. 14 is a diagram illustrating remaining information after deleting configuration segment information according to an embodiment of the present invention.
FIG. 15 is a diagram illustrating configuration information for adding a new task according to an embodiment of the present invention.
Fig. 16 is a schematic diagram of a system architecture for dynamically managing account permissions of network devices according to an embodiment of the present invention.
Fig. 17 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The principles and spirit of the present invention will be described with reference to a number of exemplary embodiments. It is understood that these embodiments are given solely for the purpose of enabling those skilled in the art to better understand and to practice the invention, and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As will be appreciated by one skilled in the art, embodiments of the present invention may be embodied as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of: entirely hardware, entirely software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to the embodiment of the invention, a method and a system for dynamically managing account permissions of network equipment are provided.
In the present invention, terms to be explained:
Device: including but not limited to network devices such as routers, switches and firewalls; in this context the term also covers hosts.
Task: a set of configuration operations on devices (including hosts), required by the customer and performed by designated personnel.
Applicant: the initiator of a task, defined by role; generally an implementation engineer of the integrator/vendor.
Auditor: the reviewer of a task, defined by role; generally an engineering supervisor of the integrator/vendor.
Approver: the approver of a task, defined by role; generally a project supervisor of the group (customer).
Consultant: the consultant for a task, defined by role; generally vendor technical support staff.
Task type: corresponds to the original role concept, i.e. a command set.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments of the invention.
Fig. 1 is a flowchart illustrating a dynamic management method for account permissions of network devices according to an embodiment of the present invention. As shown in fig. 1, the method includes:
Step S101: acquire a permission change task submitted by the task initiator.
Step S102: send the task to an auditor for permission audit and obtain the audit result; if the audit passes, execute step S103; if it does not pass, execute step S103'.
Step S103: send the task to an approver for application approval and obtain the approval result; if the approval passes, execute step S104; if it does not pass, execute step S104'.
Step S103': generate audit-not-passed information and send it to the task initiator.
Step S104: since the approval passed, temporarily authorise the account, so that the account named in the permission change application obtains temporary control permission over the requested devices.
Step S104': generate approval-not-passed information and send it to the task initiator.
Step S105: when the temporary control permission reaches its preset validity period, withdraw it, generate task completion information and send it to the task initiator.
In an embodiment, a validity period is normally set for the temporary operation permission, for example 24 h or 48 h; it can be set according to actual needs and is not strictly limited in this application.
Before the temporary control permission reaches its preset validity period, the operator can request an extension as needed by entering a permission extension instruction; the system then extends the validity period by a certain time according to that instruction. This extension can likewise be set according to actual needs, for example 12 h or 24 h.
More specifically, the system generates an extension request from the permission extension instruction and sends it to the approver for extension approval;
if the extension is approved, the validity period is extended by the given time.
If the extension request is not approved, the validity period cannot be extended.
In an embodiment, while the operator is working with the temporary operation permission, the approver can issue a permission stop instruction as circumstances require and withdraw the temporary operation permission;
specifically, when the system receives a permission stop instruction entered by the approver, it withdraws the temporary control permission, generates task failure information and sends it to the task initiator.
In an embodiment, the task initiator can cancel the task at any time before approval; that is, before the application approval result is obtained, or when the approval has not passed, the task is cancelled if the system receives a task cancellation instruction from the task initiator.
Besides the task initiator, the auditor and the approver, the dynamic management system for network device account permissions also includes a consultant, who may be a vendor technical support person and provides advice to the approver;
the specific process is as follows:
while the approver is reviewing the application, or after approval has passed, the task can be sent to the consultant for review; the consultant checks the relevant information and gives suggestions;
the system receives the consultant's advice and makes it available to the approver, who can refer to it when approving, or issue a stop instruction to withdraw the temporary control permission.
In an embodiment, once the task initiator has finished the relevant operations, the initiator can also actively request withdrawal of the permission, and the system withdraws the temporary control permission according to that withdrawal instruction.
The dynamic management method for network device account permissions covers the different situations of day-to-day permission management: it changes user account permissions dynamically in a safe, fast and flexible way, automatically restores them to their initial state, and makes it easy for staff to manage permissions dynamically.
In this permission management mode, for example, an account may ordinarily have only the right to log in to the network management system and to view (show) the device, or no right to log in to the device at all; when there is an engineering task, the account receives the device modification rights assigned by that task, such as the right to upgrade IOS or to change a backplane. When the task ends, the system automatically withdraws these rights and restores the initial state.
It should be noted that although the operations of the method of the present invention have been described in the above embodiments and the accompanying drawings in a particular order, this does not require or imply that these operations must be performed in this particular order, or that all of the operations shown must be performed, to achieve the desired results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
In order to explain the above dynamic management method for network device account permissions more clearly, the following description is made with reference to specific embodiments.
In the dynamic management method for network device account permissions provided by the invention, the TACACS+ user permission configuration file is used as the authentication configuration file. When an engineering task starts, the system first checks whether configuration for the user already exists in that file. If it does, that segment is saved first, then the permissions for the engineering task are set and written into the user permission configuration file, and when the task ends the saved segment is restored. If no configuration exists, the permissions are set according to the engineering task and written into the user permission configuration file when the task starts, and that segment is deleted when the task ends.
In a specific embodiment, fig. 2 shows a command set configuration interface for dynamic management of network device account permissions. For example, separate command sets can be created for Cisco routers and Juniper devices, so that a user applies for the corresponding command set permission when applying for a permission change.
Fig. 3 shows the task permission management interface. By configuring each user account's permissions, the application, audit, approval and consultation permissions of the account can be set, which controls what each user account may do in the permission change process: ticking the application column lets the user account submit permission change applications; ticking the audit column gives the user account audit permission; and the remaining columns work the same way for their respective permissions.
Fig. 4 shows the task management interface. In the task management module, the pages a person sees on entering the system depend on that person's permissions. There are five pages in total: task query, application, audit, approval and consultation. The interface in fig. 4 only includes the task query and task application pages.
Task query is a public page visible to every role; clicking a task name in the list pops up the task's details, which can only be viewed, not modified or moved through the flow. The audit and approval pages can be opened by users with the corresponding permission; once opened, they show the task applications that this user has to audit/approve, and clicking a task lets the user read it in detail and confirm the audit/approval.
Next, the workflow of dynamic management of network device account permissions is described in detail; the workflow diagram is shown in fig. 5.
The initial node "task application" is initiated by an applicant (task initiator) holding the task application role. When initiating a task, the applicant must designate a task auditor in the organisation, and after the auditor passes the task it is submitted to a task approver.
A task has three final states: completed, failed or cancelled; the task state changes as the task moves through the flow.
In states 1 to 6 of the flow, the task can be cancelled manually.
For a task that has passed approval, the system generates the task as a configuration item in the user account permission file. The program also detects expired tasks and deletes the task's account (permission) from the user account permission file.
Each step of the workflow in fig. 5 is specifically explained with reference to a specific operation interface:
First, task application:
Fig. 6 is a schematic diagram of the task application interface.
a. The applicant has permission to use the task application page.
b. On the task application page, the applicant role adds new tasks with the "add" button in the lower right corner of the interface.
c. Clicking a task on the task application page opens it for editing.
d. On the task application page, tasks in states 1 and 2 (fig. 5) can be viewed, and each can be clicked to edit it or move it through the flow.
e. The creator of a new task is the current user and cannot be changed; a new task starts in state 1. Clicking "add" opens the new task interface shown in fig. 7.
As shown in fig. 7, the task period is the time during which the task is in effect; the account period is the period for which the account's permissions are changed; the task type is a command set, and clicking "preview command set" shows the commands that set permits; more than one task auditor may be selected, but applicants cannot select themselves; devices can be added one at a time or in a batch according to the number of devices.
Second, task audit:
a. The auditor has permission to use the task audit page.
b. On the task audit page, the auditor sees the tasks that are pending audit or have been audited by this account, and can click each task to move it through the flow. The task audit interface lists the tasks that this auditor has to audit.
c. Clicking a task opens the audit page shown in fig. 8; the audit actions follow the flow in fig. 5.
d. During audit, only the audit remarks can be modified.
e. More than one task approver may be selected, up to a maximum of three.
f. The auditor can view attachments but cannot upload or delete them.
g. Clicking "cancel" at the bottom of the page does not cancel the task; it only saves the modifications made.
h. Clicking "pass" or "return" changes the task state. To ensure correctness under concurrency, the record is saved only if the task's state has not changed since it was loaded; otherwise the update is refused.
Third, task approval:
Fig. 9 is a schematic diagram of the task approval interface.
a. The approver has permission to use the task approval tab.
b. On the task approval tab, the approver sees tasks in the states pending approval, approved, in progress and delayed, and can click each task to move it through the flow.
c. As shown in fig. 9, the tasks listed in the table are those requiring approval by this approver.
d. Approval actions are performed on the operation interface shown in fig. 10.
e. Only a task in the in-progress state can be delayed.
f. Only a task in the in-progress or delayed state can be completed or failed.
g. Completion, failure, cancellation and delay can be performed in batches; the batch is filtered by task state, and tasks whose state does not permit the operation are ignored.
h. During approval, only the approval remarks can be modified; consultants are selected here in the same way as applicants and auditors (multiple selection).
i. As shown in fig. 10, clicking "pass" or "return" changes the task state; to ensure correctness under concurrency, the record is saved only if the task's state has not changed in the meantime.
Fourth, task consultation:
Fig. 11 is a schematic diagram of the task consultation interface.
a. The consultant sees the tasks on which their consultation is required, i.e. tasks in state 5 (fig. 5).
b. By default, tasks that have not yet been consulted on are shown.
c. The "consulted" dropdown has three options; whether the consultation remark is empty indicates whether the consultation has been given, an empty remark meaning not yet consulted.
d. Clicking a task opens a detail page on which the consultation remarks can be edited.
e. During consultation, only the consultation remarks can be modified.
f. The consultant can view attachments but cannot upload or delete them.
Fifth, task cancellation:
a. A task that has not yet started can be cancelled; the task state is updated to C.
b. A task that has already started cannot be cancelled.
Sixth, task completion:
a. Only the approver can complete a task.
b. If the task deadline has already passed, completing it only requires setting the completed state.
c. If the task is completed early, before its deadline, the rows in the user task account table and the task's configuration in mycfg must be deleted at the same time, and the completed state set.
d. Tasks can be completed in batches.
Seventh, task failure:
a. Only the approver can mark a task as failed.
b. For a task still within its execution period, failing it requires double confirmation (first a prompt asking whether to delete, then a prompt that the task's device accounts will be cleared); the task's configuration in mycfg is then deleted and the AAA account removed.
c. If the task deadline has already passed, failing it only requires setting the failed state.
d. If the task is not overdue, the rows in the user task account table and the task's configuration in mycfg are deleted at the same time, and the final state set.
e. Whether a task account is overdue is determined by checking the account end time in the task account table.
f. Tasks can be failed in batches.
Eighth, task delay:
a. Only the approver can delay a task, and only a task in progress.
b. Delaying sets the task state to delayed, so a task can be delayed only once.
c. When delaying, the approver can extend the account end time in the task account table by at most 24 hours.
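The eight operations above, together with the flow of fig. 5 and steps S101 to S105, amount to a small state machine. The following is an added example in Python, not code from the patent or its assignee, that implements that state machine with the rules the description states: the applicant cannot audit their own task, at most three approvers, cancellation only before the task has started, a single delay of at most 24 hours, completion or failure only by an approver, automatic completion once the account period has elapsed, and the compare-and-set rule that a state change is saved only if the task has not changed in the meantime. The state names and numbers, the Task fields and the exact role checks are assumptions; the patent's own state numbering in fig. 5 is not visible on this page.

```python
"""Task workflow for temporary device-permission grants (an added example, not
the patent's code). It models the flow described above and the stated rules:
no self-audit, at most three approvers, cancel only before the task starts,
one delay of at most 24 h, finish only by an approver, and updates refused if
the task changed concurrently. State names/numbers and fields are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum

class State(Enum):
    APPLIED = 1           # created by the applicant
    PENDING_AUDIT = 2     # submitted, waiting for the auditor
    PENDING_APPROVAL = 3  # audit passed, waiting for the approver
    IN_PROGRESS = 4       # approved, temporary permission granted
    DELAYED = 5           # validity period extended (allowed once)
    REJECTED = 6          # audit or approval did not pass
    COMPLETED, FAILED, CANCELLED = 7, 8, 9

FINAL = {State.COMPLETED, State.FAILED, State.CANCELLED}
ACTIVE = {State.IN_PROGRESS, State.DELAYED}   # permission currently granted
MAX_APPROVERS, MAX_DELAY = 3, timedelta(hours=24)

class WorkflowError(Exception):
    pass

@dataclass
class Task:
    applicant: str
    account: str                  # account whose permission is changed
    auditors: list
    approvers: list = field(default_factory=list)
    state: State = State.APPLIED
    version: int = 0              # bumped on every state change (optimistic lock)
    account_end: datetime | None = None
    delayed: bool = False
    notices: list = field(default_factory=list)   # messages sent to the initiator

    def __post_init__(self):
        if not self.auditors or self.applicant in self.auditors:
            raise WorkflowError("task needs an auditor other than the applicant")

    def _transition(self, version, allowed_from, new_state, notice=None):
        """Compare-and-set: refuse if another actor already changed the task."""
        if version != self.version:
            raise WorkflowError("task changed concurrently; reload and retry")
        if self.state not in allowed_from:
            raise WorkflowError(f"{new_state.name} not allowed from {self.state.name}")
        self.state, self.version = new_state, self.version + 1
        if notice:
            self.notices.append(notice)

    def _require_approver(self, actor):
        if actor not in self.approvers:
            raise WorkflowError("only an approver of this task may do this")

    def submit(self, version):
        self._transition(version, {State.APPLIED}, State.PENDING_AUDIT)

    def audit(self, auditor, version, passed, approvers=()):
        if auditor not in self.auditors:
            raise WorkflowError("not an auditor of this task")
        if not passed:
            return self._transition(version, {State.PENDING_AUDIT}, State.REJECTED, "audit not passed")
        if not 0 < len(approvers) <= MAX_APPROVERS:
            raise WorkflowError("select between 1 and 3 approvers")
        self.approvers = list(approvers)
        self._transition(version, {State.PENDING_AUDIT}, State.PENDING_APPROVAL)

    def approve(self, approver, version, passed, now, validity=timedelta(hours=24)):
        self._require_approver(approver)
        if not passed:
            return self._transition(version, {State.PENDING_APPROVAL}, State.REJECTED, "approval not passed")
        self._transition(version, {State.PENDING_APPROVAL}, State.IN_PROGRESS)
        self.account_end = now + validity         # permission valid until here

    def delay(self, approver, version, extra):
        self._require_approver(approver)
        if self.delayed or extra > MAX_DELAY:
            raise WorkflowError("only one delay, of at most 24 hours, is allowed")
        self._transition(version, {State.IN_PROGRESS}, State.DELAYED)
        self.account_end, self.delayed = self.account_end + extra, True

    def finish(self, approver, version, ok):
        """Approver completes (ok=True) or fails an in-progress or delayed task."""
        self._require_approver(approver)
        new = State.COMPLETED if ok else State.FAILED
        self._transition(version, ACTIVE, new, "task completed" if ok else "task failed")

    def cancel(self, actor, version):
        if actor != self.applicant:
            raise WorkflowError("only the initiator may cancel")
        self._transition(version, set(State) - ACTIVE - FINAL, State.CANCELLED)

def revoke_expired(tasks, now):
    """Periodic scan: complete each active task whose account period has ended."""
    expired = [t for t in tasks if t.state in ACTIVE and t.account_end <= now]
    for t in expired:
        t._transition(t.version, ACTIVE, State.COMPLETED, "task completed")
    return expired
```

Every state change goes through `_transition`, which is where a real system would perform the conditional database update ("update only if state/version unchanged") that the audit and approval pages rely on; `revoke_expired` is the scan that the recovery section below describes, reduced to the state change alone.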
In a specific embodiment, the principle by which account permissions are generated is explained further:
At any time a user belongs to exactly one task user group, and a change of task type is expressed as a change of group. Taking the user test2 as an example, the relevant information in the permission record file is configured as shown in fig. 12, where the "member =" line indicates the group the user belongs to;
"role cisco241 = cisco10;0" indicates an operation right over a device group. An operation right can have several dimensions: all devices of a node (a certain range), a specified set of (or a single) devices, and down to one or more specific commands.
Generating a task account therefore only requires adjusting these two parts.
In a specific embodiment, the permissions of a temporary task account are generated as follows:
Generating an engineering account means changing the original user and the operation rights of the corresponding user group. Adding an engineering account requires automatically creating a user and a user group; if the user already exists in the original configuration, that user's configuration is saved, and the configuration of the user group the user originally belonged to is left unchanged.
For example, when Testuser creates a task for the first time, the configuration shown in fig. 13 is generated, where the password is the same as the network manager's password.
Referring again to fig. 12, the configuration segment originally present for the user in the permission file has to be saved to the database and then deleted; the remaining information is shown in fig. 14.
If the user already has a task at this time, the user group the user belongs to already exists, so adding a new task (fig. 15) only requires appending one record (the last one) to the group;
"role test3333 = cisco20;0" is the adjusted right for the user, and "role test2_241 = cisco10;0" is another adjusted right for the user.
In a specific embodiment, the principle of recovering account permissions is as follows:
a. The program scans the permission change task table and processes expired tasks.
b. Deleting an expired task requires clearing its records both in the permission record file and in the permission change task table.
c. When handling a given user there are two cases:
if the user account appears in only one task record, the configuration of the user and the user group in the corresponding mycfg is deleted and the original configuration is restored, that is, the configuration is regenerated automatically from the original state held in the database, written into the permission record file in place of the generated user record, and the record in the permission change task table is then deleted;
if the database holds several records for the account, they were generated by several tasks, so only the configuration items whose task type/task device match the database record are deleted, after which the record in the database is deleted.
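As an added example (not the patent's code), the following Python sketch simulates the bookkeeping of the task-add and expiry-recovery procedure described above: a permission record file with one stanza per user, a database copy of the original stanza, and a permission change task table. The stanza layout (`user ... password ...` and `role <task> = <device> <priv>;0` lines), the rule that a newly created engineering account takes the network manager's password while a pre-existing user keeps its own, and all names and sample data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Task:
    task_id: str      # task name, used as the role name in the record file (assumption)
    user: str
    device: str
    priv: int
    expires_at: datetime


@dataclass
class PermissionStore:
    cfg: Dict[str, dict] = field(default_factory=dict)             # permission record file: user -> stanza
    saved: Dict[str, Optional[dict]] = field(default_factory=dict)  # database copy of the original stanza
    tasks: List[Task] = field(default_factory=list)                 # permission change task table

    def add_task(self, task: Task, manager_password: str) -> None:
        if not any(t.user == task.user for t in self.tasks):
            # first task for this account: move the original stanza (if any) into the database
            original = self.cfg.get(task.user)
            self.saved[task.user] = original
            # assumption: a newly generated engineering account gets the network manager's password
            password = original["password"] if original else manager_password
            self.cfg[task.user] = {"password": password, "roles": {}}
        # the account's group already exists: only the new role record is appended
        self.cfg[task.user]["roles"][task.task_id] = f"{task.device} {task.priv};0"
        self.tasks.append(task)

    def recover_expired(self, now: datetime) -> List[str]:
        recovered = []
        for task in [t for t in self.tasks if t.expires_at <= now]:
            others = [t for t in self.tasks if t.user == task.user and t is not task]
            if others:
                # further tasks still reference this account: drop only this task's role line
                self.cfg[task.user]["roles"].pop(task.task_id, None)
            else:
                # last record for this account: delete the generated user/group, restore the original
                original = self.saved.pop(task.user, None)
                if original is None:
                    self.cfg.pop(task.user, None)
                else:
                    self.cfg[task.user] = original
            self.tasks.remove(task)
            recovered.append(task.task_id)
        return recovered

    def render(self) -> str:
        lines = []
        for user, stanza in self.cfg.items():
            lines.append(f"user {user} password {stanza['password']}")
            lines.extend(f"  role {task_id} = {right}" for task_id, right in stanza["roles"].items())
        return "\n".join(lines)


def demo() -> dict:
    """Two tasks on a pre-existing user plus one new engineering account (constructed data)."""
    t0 = datetime(2019, 12, 13, 9, 0)
    store = PermissionStore(cfg={"Testuser": {"password": "orig-pw", "roles": {}}})
    store.add_task(Task("test3333", "Testuser", "cisco", 20, t0 + timedelta(hours=2)), "mgr-pw")
    store.add_task(Task("test2_241", "Testuser", "cisco", 10, t0 + timedelta(hours=4)), "mgr-pw")
    store.add_task(Task("eng_001", "engacct", "cisco", 15, t0 + timedelta(hours=1)), "mgr-pw")
    with_tasks = store.render()
    first = store.recover_expired(t0 + timedelta(hours=3))   # test3333 and eng_001 expire
    second = store.recover_expired(t0 + timedelta(hours=5))  # test2_241 expires, original restored
    return {"with_tasks": with_tasks, "first": first, "second": second,
            "final_cfg": store.cfg, "open_tasks": len(store.tasks)}
```

The first scan shows both branches of step c: test3333 still shares the account with test2_241, so only its role line is removed, whereas eng_001 is the only record for engacct, so the generated user is deleted outright. The second scan restores Testuser's saved stanza exactly, which is the invariant an auditor would check.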
Having described the method according to the exemplary embodiment of the present invention, a dynamic management system for network device account permissions according to the exemplary embodiment of the present invention is described with reference to fig. 16.
The implementation of the dynamic management system for account permissions of network devices may refer to the implementation of the above method, and repeated details are omitted. The term "module," as used below, may be a combination of software and/or hardware that implements a predetermined function. Although the means described in the embodiments below are preferably implemented in software, an implementation in hardware, or a combination of software and hardware is also possible and contemplated.
Based on the same inventive concept, the present invention further provides a dynamic management system for account permissions of network devices, as shown in fig. 16, the system includes:
a task initiating module 1610, configured to acquire a task of a permission change application proposed by a task initiator;
an auditing module 1620, configured to send the task to an auditor for authority audit and obtain an authority audit result;
an approval module 1630, configured to send the task to an approver for application approval if the audit is passed, and obtain an application approval result;
a permission management module 1640, configured to enable the account for which the permission change was applied to obtain temporary control permission over the applied-for device if the application approval result is a pass;
and, when the temporary control permission reaches the preset permission validity period, to recover the temporary control permission, generate task completion information and send it to the task initiator.
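The module list above is the whole task lifecycle. As an added example that is not part of the patent, the Python class below implements that lifecycle as a state machine: audit, approval, grant with a validity period and expiry recovery, plus the extension, suspension, cancellation and early-return paths. Class, method and state names and the constructed demo data are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional


class State(Enum):
    AUDITING = "auditing"      # with the auditor (authority audit)
    APPROVING = "approving"    # with the approver (application approval)
    ACTIVE = "active"          # temporary control permission granted
    COMPLETED = "completed"    # validity period reached, or permission returned early
    FAILED = "failed"          # audit or approval not passed, or suspended by the approver
    CANCELLED = "cancelled"    # withdrawn by the task initiator


@dataclass
class PermissionTask:
    initiator: str
    account: str
    device: str
    validity: timedelta                      # preset permission validity period
    state: State = State.AUDITING
    expires_at: Optional[datetime] = None
    notices: List[str] = field(default_factory=list)  # messages sent to the initiator

    def _require(self, *states: State) -> None:
        if self.state not in states:
            raise ValueError(f"not allowed in state {self.state.value}")

    def _notify(self, message: str) -> None:
        self.notices.append(f"to {self.initiator}: {message}")

    def audit(self, passed: bool) -> None:
        self._require(State.AUDITING)
        if passed:
            self.state = State.APPROVING
        else:
            self.state = State.FAILED
            self._notify("audit failed")

    def approve(self, passed: bool, now: datetime) -> None:
        self._require(State.APPROVING)
        if passed:
            self.state = State.ACTIVE
            self.expires_at = now + self.validity
        else:
            self.state = State.FAILED
            self._notify("approval failed")

    def has_permission(self, now: datetime) -> bool:
        # decided against the clock, so a missed expiry scan cannot leave the grant open
        return self.state is State.ACTIVE and now < self.expires_at

    def extend(self, extra: timedelta, now: datetime, approver_passed: bool) -> bool:
        # an extension is requested before expiry and is itself subject to approval
        self._require(State.ACTIVE)
        if now >= self.expires_at:
            raise ValueError("validity period already reached")
        if approver_passed:
            self.expires_at += extra
        return approver_passed

    def suspend(self) -> None:             # approver withdraws the grant early
        self._require(State.ACTIVE)
        self.state = State.FAILED
        self._notify("permission suspended; task failed")

    def cancel(self) -> None:              # initiator withdraws before a result, or after a failed approval
        self._require(State.AUDITING, State.APPROVING, State.FAILED)
        self.state = State.CANCELLED

    def give_back(self) -> None:           # initiator returns the permission early
        self._require(State.ACTIVE)
        self.state = State.COMPLETED
        self._notify("permission returned; task completed")

    def expire_if_due(self, now: datetime) -> bool:
        # periodic scan: recover the grant once the validity period is reached
        if self.state is State.ACTIVE and now >= self.expires_at:
            self.state = State.COMPLETED
            self._notify("validity period reached; permission recovered, task completed")
            return True
        return False


def demo() -> dict:
    """Audit, approve, one approved extension, then expiry (constructed data)."""
    t0 = datetime(2019, 12, 13, 9, 0)
    task = PermissionTask("Testuser", "Testuser", "cisco-core-01", timedelta(hours=2))
    task.audit(passed=True)
    task.approve(passed=True, now=t0)
    extended = task.extend(timedelta(hours=1), now=t0 + timedelta(hours=1), approver_passed=True)
    still_active = task.has_permission(t0 + timedelta(hours=2, minutes=30))
    expired = task.expire_if_due(t0 + timedelta(hours=3))
    return {"extended": extended, "still_active": still_active, "expired": expired,
            "state": task.state.value, "notices": len(task.notices)}
```

One design point worth keeping when building this for real: the grant is evaluated against the clock in `has_permission`, not only flipped by the expiry scan, so a crashed or delayed scanner degrades to "permission already gone" rather than "permission left open".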
It should be noted that although several modules of the dynamic management system for network device account permissions are mentioned in the detailed description above, this partitioning is merely exemplary and not mandatory. Indeed, according to embodiments of the invention, the features and functions of two or more of the modules described above may be embodied in a single module; conversely, the features and functions of one module described above may be further divided among a plurality of modules.
Based on the foregoing inventive concept, as shown in fig. 17, the present invention further provides a computer device 1700, which includes a memory 1710, a processor 1720, and a computer program 1730 stored in the memory 1710 and operable on the processor 1720, where the processor 1720 executes the computer program 1730 to implement the foregoing dynamic management method for network device account permissions.
Based on the foregoing inventive concept, the present invention further provides a computer-readable storage medium, where a computer program is stored, and when the computer program is executed by a processor, the method for dynamically managing account permissions of network devices is implemented.
The dynamic management method and system for network device account permissions of the present invention can change a user's account permissions dynamically in a safe, fast and flexible way, can automatically restore the user's account permissions to their initial state, make it convenient for personnel to manage permissions dynamically, and ensure the stability of system management.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (12)

1. A dynamic management method for account permissions of network devices, characterized by comprising the following steps:
acquiring a task of a permission change application proposed by a task initiator;
sending the task to an auditor for authority audit, and obtaining an authority audit result;
if the audit is passed, sending the task to an approver for application approval, and obtaining an application approval result;
if the approval is passed, enabling the account for which the permission change was applied to obtain temporary control permission over the applied-for device;
and when the temporary control permission reaches the preset permission validity period, recovering the temporary control permission, generating task completion information and sending the task completion information to the task initiator.
2. The dynamic management method for account permissions of network devices according to claim 1, wherein enabling the account for which the permission change was applied to obtain temporary control permission over the applied-for device if the approval is passed comprises:
before the temporary control permission reaches the preset permission validity period, extending the permission validity period by a certain time according to a permission extension instruction.
3. The dynamic management method for account permissions of network devices according to claim 2, further comprising:
generating an extension request according to the permission extension instruction, and sending the extension request to the approver for extension approval;
and if the extension is approved, extending the permission validity period by a certain time.
4. The dynamic management method for account permissions of network devices according to any one of claims 1 to 3, further comprising:
when a permission suspension instruction input by an approver is received, withdrawing the temporary control permission, generating task failure information and sending the task failure information to the task initiator.
5. The dynamic management method for account permissions of network devices according to claim 1, wherein obtaining the authority audit result further comprises:
if the audit is not passed, generating audit failure information and sending the audit failure information to the task initiator.
6. The dynamic management method for account permissions of network devices according to claim 1, wherein obtaining the application approval result further comprises:
if the approval is not passed, generating approval failure information and sending the approval failure information to the task initiator.
7. The dynamic management method for account permissions of network devices according to claim 1, wherein, between obtaining the authority audit result and sending the task to the approver for application approval if the audit is passed, the method further comprises:
sending the task to a consultant for viewing;
and receiving consultation information from the consultant, and providing the consultation information for the approver to view.
8. The dynamic management method for account permissions of network devices according to claim 1, further comprising:
receiving a task cancellation instruction provided by the task initiator, either before the application approval result is obtained or if the application approval result is not passed, and cancelling the task.
9. The dynamic management method for account permissions of network devices according to claim 1, further comprising:
when a return instruction provided by the task initiator is received, recovering the temporary control permission according to the return instruction.
10. A dynamic management system for account permissions of network devices, characterized in that the system comprises:
a task initiating module, configured to acquire a task of a permission change application proposed by a task initiator;
an auditing module, configured to send the task to an auditor for authority audit and obtain an authority audit result;
an approval module, configured to send the task to an approver for application approval if the audit is passed, and obtain an application approval result;
a permission management module, configured to enable the account for which the permission change was applied to obtain temporary control permission over the applied-for device if the application approval result is a pass;
and, when the temporary control permission reaches the preset permission validity period, to recover the temporary control permission, generate task completion information and send the task completion information to the task initiator.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 9 when executing the computer program.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of any one of claims 1 to 9.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911280398.8A CN112995094A (en) 2019-12-13 2019-12-13 Dynamic management method and system for account number authority of network equipment


Publications (1)

Publication Number Publication Date
CN112995094A true CN112995094A (en) 2021-06-18

Family

ID=76332203



Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113573316A (en) * 2021-07-15 2021-10-29 中国人民解放军陆军工程大学 Method for temporarily changing private authority of special mobile communication network user
CN113573316B (en) * 2021-07-15 2024-02-20 中国人民解放军陆军工程大学 Method for temporarily changing private authority of private mobile communication network user
CN116644477A (en) * 2023-07-27 2023-08-25 恒丰银行股份有限公司 Full-flow authority operation and maintenance management and control method, equipment and medium
CN116644477B (en) * 2023-07-27 2023-09-26 恒丰银行股份有限公司 Full-flow authority operation and maintenance management and control method, equipment and medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005202931A (en) * 2003-12-17 2005-07-28 Canon Software Inc Information processor management system, information processor management method, program, and recording medium
CN105405041A (en) * 2015-10-30 2016-03-16 腾讯科技(深圳)有限公司 Information processing method and terminal
CN105991310A (en) * 2015-02-02 2016-10-05 中国移动通信集团河北有限公司 Account authority regulation method and device based on user behavior
CN109831322A (en) * 2019-01-15 2019-05-31 中国联合网络通信集团有限公司 Management method, equipment and storage medium in multisystem account authority set

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005202931A (en) * 2003-12-17 2005-07-28 Canon Software Inc Information processor management system, information processor management method, program, and recording medium
CN105991310A (en) * 2015-02-02 2016-10-05 中国移动通信集团河北有限公司 Account authority regulation method and device based on user behavior
CN105405041A (en) * 2015-10-30 2016-03-16 腾讯科技(深圳)有限公司 Information processing method and terminal
WO2017071168A1 (en) * 2015-10-30 2017-05-04 腾讯科技(深圳)有限公司 Information processing method and terminal, and computer storage medium
CN109831322A (en) * 2019-01-15 2019-05-31 中国联合网络通信集团有限公司 Management method, equipment and storage medium in multisystem account authority set

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Liu Zhijun et al.: "A method for account allocation and dynamic password management", Information and Communications Technologies *
Zhang Huanbin: "A brief analysis of the security settings of network devices", South China Financial Computer *



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20210618