CN114662084A - Method and device for monitoring full life cycle of user account - Google Patents
- Publication number
- CN114662084A (application CN202011533368.6A)
- Authority
- CN
- China
- Prior art keywords
- user account
- information
- identity authentication
- authentication platform
- unified identity
- Prior art date
- Legal status
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
- G06F16/275—Synchronous replication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Databases & Information Systems (AREA)
- Computing Systems (AREA)
- Data Mining & Analysis (AREA)
- Storage Device Security (AREA)
Description
Technical field
The present invention relates to the field of information security, and more specifically to a method and device for monitoring the full life cycle of a user account.
Background art
With the development of information technology and the continuing progress of informatization, business applications, office systems and commercial platforms are constantly being launched and put into operation, and information systems have penetrated every aspect of enterprise operations. Because an information system contains many devices and servers and is relatively hard to manage, unauthorized access, misoperation, abuse of operating privileges and malicious damage occur from time to time, seriously affecting the efficiency of the enterprise's economic operation.
Therefore, how to monitor the operations users perform through their user accounts and improve the operation and maintenance management of information systems has become an urgent technical problem for those skilled in the art.
Summary of the invention
In view of this, the present invention discloses a method and device for monitoring the full life cycle of a user account, so as to monitor all operations over the entire life cycle of a user account and thereby improve the operation and maintenance management of information systems.
A method for monitoring the full life cycle of a user account, comprising:
creating user account information on a front-end unified identity authentication platform, the user account information including a user account together with its corresponding user account attribute information and access operation permissions;
when a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, modifying the access operation permissions of the target user account whose attribute information changed and/or which performed the abnormal operation, where a change in user account attribute information includes a user position transfer and a user resignation;
synchronizing the information of the target user account whose access operation permissions were modified to all applications connected to the unified identity authentication platform, where the target user account information includes the target user account together with its corresponding attribute information and access operation permissions.
Optionally, creating user account information on the front-end unified identity authentication platform specifically includes:
synchronizing existing user account information from an Active Directory (AD) domain or an office automation (OA) system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and a preset communication protocol, thereby creating the user account information.
Optionally, the method further includes:
recording, in multiple dimensions, the synchronization success information and synchronization failure information for the user account information.
Optionally, creating user account information on the front-end unified identity authentication platform further includes:
creating a new user account on the unified identity authentication platform according to a preset unified account naming specification;
adding the corresponding user account attribute information to the newly created user account and assigning the corresponding access operation permissions.
Optionally, creating a new user account on the unified identity authentication platform according to the preset unified account naming specification specifically includes:
arranging and combining the initials and finals of the pinyin of the user's name, together with a Unicode code table, to obtain an initial user account;
sending the initial user account to the server side, where the server side verifies the uniqueness and legality of the initial user account;
receiving a verification-passed instruction returned by the server side and determining the initial user account as the user account newly created on the unified identity authentication platform.
Optionally, creating a new user account on the unified identity authentication platform according to the preset unified account naming specification further includes:
receiving a modified user account returned by the server side and determining the modified user account as the user account newly created on the unified identity authentication platform, where the modified user account is generated by the server side, upon determining that the initial user account duplicates an existing one, by appending a unique random number to the initial user account.
Optionally, the method further includes:
after a system administrator account logs in to the unified identity authentication platform, receiving extension information for the user account attribute information sent by the system administrator account;
adding the extension information to the user account attribute information and synchronizing the user account attribute information with the added extension information to all applications connected to the unified identity authentication platform.
Optionally, the method further includes:
receiving modifications to the user account information sent by a user account that has logged in to the unified identity authentication platform;
sending the modifications to the system administrator side for a validity review, where the validity review at least checks whether the modifications concern only information in the user account information other than the user account's unique identity identifier;
receiving a validity-review-passed instruction returned by the system administrator side, modifying the user account information according to the modifications, and synchronizing the modified user account information to all applications connected to the unified identity authentication platform.
A device for monitoring the full life cycle of a user account, comprising:
an information creation unit for creating user account information on a front-end unified identity authentication platform, the user account information including a user account together with its corresponding user account attribute information and access operation permissions;
a permission modification unit for, when a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, modifying the access operation permissions of the target user account whose attribute information changed and/or which performed the abnormal operation, where a change in user account attribute information includes a user position transfer and a user resignation;
an information synchronization unit for synchronizing the information of the target user account whose access operation permissions were modified to all applications connected to the unified identity authentication platform, where the target user account information includes the target user account together with its corresponding attribute information and access operation permissions.
Optionally, the information creation unit specifically includes:
a first information creation subunit for synchronizing existing user account information from an AD domain or an OA system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and a preset communication protocol, thereby creating the user account information.
Optionally, the information creation unit further includes:
an information recording subunit for recording, in multiple dimensions, the synchronization success information and synchronization failure information for the user account information.
Optionally, the information creation unit further includes:
a second information creation subunit for creating a new user account on the unified identity authentication platform according to a preset unified account naming specification;
a permission assignment subunit for adding the corresponding user account attribute information to the newly created user account and assigning the corresponding access operation permissions.
Optionally, the second information creation subunit is specifically configured to:
arrange and combine the initials and finals of the pinyin of the user's name, together with a Unicode code table, to obtain an initial user account;
send the initial user account to the server side, where the server side verifies the uniqueness and legality of the initial user account;
receive a verification-passed instruction returned by the server side and determine the initial user account as the user account newly created on the unified identity authentication platform.
Optionally, the second information creation subunit is further configured to:
receive a modified user account returned by the server side and determine the modified user account as the user account newly created on the unified identity authentication platform, where the modified user account is generated by the server side, upon determining that the initial user account duplicates an existing one, by appending a unique random number to the initial user account.
Optionally, the device further includes:
an extension information receiving unit for receiving, after a system administrator account logs in to the unified identity authentication platform, extension information for the user account attribute information sent by the system administrator account;
an extension information adding unit for adding the extension information to the user account attribute information and synchronizing the user account attribute information with the added extension information to all applications connected to the unified identity authentication platform.
Optionally, the device further includes:
a modification receiving unit for receiving modifications to the user account information sent by a user account that has logged in to the unified identity authentication platform;
a modification review unit for sending the modifications to the system administrator side for a validity review, where the validity review at least checks whether the modifications concern only information in the user account information other than the user account's unique identity identifier;
a modification synchronization unit for receiving a validity-review-passed instruction returned by the system administrator side, modifying the user account information according to the modifications, and synchronizing the modified user account information to all applications connected to the unified identity authentication platform.
As can be seen from the above technical solution, the present invention discloses a method and device for monitoring the full life cycle of a user account. User account information, including a user account together with its corresponding attribute information and access operation permissions, is created on a front-end unified identity authentication platform; when a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, the access operation permissions of the target user account whose attribute information changed and/or which performed the abnormal operation are modified; and the information of the target user account whose access operation permissions were modified is synchronized to all applications connected to the unified identity authentication platform. In the present invention, the entire process, from creating the user account information when the user joins the organization to archiving the user account when the user leaves, is completed on the unified identity authentication platform. Throughout the life cycle of the user account, when the unified identity authentication platform detects a change in user account attribute information, such as a position transfer or a resignation, and/or an abnormal operation, it modifies the access operation permissions of the target user account concerned so as to restrict the user's access operation permissions. As the sole data source for all connected applications, the unified identity authentication platform synchronizes the information of the target user account whose access operation permissions were modified to all connected applications, so that the platform and all connected applications are updated synchronously. The present invention therefore monitors all operations over the full life cycle of a user account through the unified identity authentication platform, thereby improving the operation and maintenance management of information systems.
Description of drawings
In order to explain the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from the disclosed drawings without creative effort.
Fig. 1 is a flowchart of a method for monitoring the full life cycle of a user account disclosed in an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a device for monitoring the full life cycle of a user account disclosed in an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
Referring to Fig. 1, a flowchart of a method for monitoring the full life cycle of a user account disclosed in an embodiment of the present invention, the method is applied on the front end and includes:
Step S101: creating user account information on the front-end unified identity authentication platform;
where the user account information includes a user account together with its corresponding user account attribute information and access operation permissions.
The unified identity authentication platform is a user authentication data source and a platform for managing the full life cycle of user accounts.
In this embodiment, the unified identity authentication platform is connected to multiple application systems, which include but are not limited to an AD (Active Directory) domain, an OA (Office Automation) system and all connected applications.
Communication between the unified identity authentication platform and the application systems is established using a preset communication protocol, which may include SCIM (System for Cross-domain Identity Management), JNDI (Java Naming and Directory Interface) and LDAP (Lightweight Directory Access Protocol).
User account attribute information may include an email address, mobile phone number, position, home address and the like.
Step S102: when a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, modifying the access operation permissions of the target user account whose attribute information changed and/or which performed the abnormal operation;
where a change in user account attribute information includes a user position transfer and a user resignation.
The user creates the corresponding user account information on the unified identity authentication platform; once the system administrator has configured the corresponding attribute information and access operation permissions for the user account, the user account can access applications and resources according to the access operation permissions it holds.
System administrator: after logging in to the unified identity authentication platform, the system administrator holds the highest privileges and can add and maintain users, user organizations and user groups, assign users' access operation permissions, and manage and maintain the whole user life cycle; the administrator is also responsible for approving the changes users make on their own to all of their own attribute information other than the account and the name.
The unified identity authentication platform maintains the normal operation of the entire platform according to its own security access policy and risk control system.
Specifically, changes in user account attribute information include, for example, a user resignation (the system policy is triggered as soon as the user submits the resignation process) and a change in user account attributes (such as tampering with user attributes through an abnormal channel to enlarge access permissions).
Abnormal operations include a user account logging in to the unified identity authentication platform frequently, multiple logins from different locations, frequent logins from multiple terminals, and so on. An abnormal operation triggers the security risk control response mechanism of the unified identity authentication platform.
When a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, the system modifies, according to the existing task mechanism or security policy, the access operation permissions of the target user account concerned, and synchronizes the information of that target user account to all applications connected to the unified identity authentication platform. That is, as soon as the access operation permissions have been modified, all connected applications are notified so that the modified permissions take effect immediately, minimizing the loss to the unified identity authentication platform or preventing it altogether. The whole process is transparent to the user and is completed automatically by the system.
Step S103: synchronizing the information of the target user account whose access operation permissions were modified to all applications connected to the unified identity authentication platform.
The target user account information includes the target user account together with its corresponding attribute information and access operation permissions.
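One round of the S102/S103 reaction described above, as an added example that is not part of the patent: it flags the three abnormal login patterns and the two attribute-change cases named in the description, restricts the target account's permissions, and fans the change out to every connected application while recording success and failure per application for the timer-driven retry. The thresholds, the "admin_console" approval channel, the minimal permission set and the three sample connectors are assumptions.

```python
"""Constructed example (not from the patent): one round of the S102/S103 reaction loop."""
from collections import namedtuple
WINDOW_SECONDS = 600                 # thresholds and window are assumptions; the description fixes none
MAX_LOGINS, MAX_LOCATIONS, MAX_TERMINALS = 5, 2, 3
PRIVILEGE_ATTRS = {"position"}       # assumed: attributes that can widen access
APPROVED_CHANNEL = "admin_console"   # assumed: the only legitimate path for such edits
LoginEvent = namedtuple("LoginEvent", "account ts location terminal")   # ts = unix seconds
AttributeChange = namedtuple("AttributeChange", "account attribute new channel")

class Account:
    def __init__(self, name, attributes, permissions):
        self.name, self.attributes, self.permissions = name, dict(attributes), set(permissions)

def detect_abnormal_logins(events, now):
    """{account: [reasons]} for the three login patterns the description names."""
    by_acct = {}
    for e in events:
        if now - e.ts <= WINDOW_SECONDS:
            by_acct.setdefault(e.account, []).append(e)
    flagged = {}
    for acct, evs in by_acct.items():
        reasons = []
        if len(evs) > MAX_LOGINS:
            reasons.append("frequent_login")
        if len({e.location for e in evs}) > MAX_LOCATIONS:
            reasons.append("multi_location_login")
        if len({e.terminal for e in evs}) > MAX_TERMINALS:
            reasons.append("multi_terminal_login")
        if reasons:
            flagged[acct] = reasons
    return flagged

def detect_attribute_changes(changes):
    """Flag resignations and privilege-relevant edits that bypassed the admin channel."""
    flagged = {}
    for c in changes:
        if c.attribute == "status" and c.new == "resigned":
            flagged.setdefault(c.account, []).append("resignation")
        elif c.attribute in PRIVILEGE_ATTRS and c.channel != APPROVED_CHANNEL:
            flagged.setdefault(c.account, []).append("attribute_tampering")
    return flagged

def restrict_permissions(acct, reasons):
    """Modify the account's access operation permissions according to why it was flagged."""
    if "resignation" in reasons:
        acct.permissions = set()          # off-boarding: nothing remains
    else:
        acct.permissions &= {"read"}      # assumed minimal set pending admin review
    return acct

def sync_to_apps(acct, connectors, max_attempts=3):
    """Push the modified account to every connected app, record each outcome, retry failures."""
    record = {"success": [], "failure": [], "unsynced": []}
    pending = dict(connectors)
    for attempt in range(1, max_attempts + 1):
        still_pending = {}
        for app, push in pending.items():
            try:
                push(acct)
                record["success"].append((app, attempt))
            except Exception as exc:      # one failing connector must not stop the fan-out
                record["failure"].append((app, attempt, str(exc)))
                still_pending[app] = push
        pending = still_pending
        if not pending:
            break
    record["unsynced"] = sorted(pending)  # left for the timer-driven retry / admin report
    return record

def run_lifecycle_check(accounts, events, changes, connector_factory, now):
    """S102 + S103 for one evaluation round: detect, restrict, then fan the change out."""
    flagged = detect_abnormal_logins(events, now)
    for acct, reasons in detect_attribute_changes(changes).items():
        flagged.setdefault(acct, []).extend(reasons)
    results = {}
    for name, reasons in flagged.items():
        acct = restrict_permissions(accounts[name], reasons)
        results[name] = {"reasons": reasons, "sync": sync_to_apps(acct, connector_factory())}
    return results

class FlakyConnector:
    """Stand-in for an application endpoint that fails its first `fail_times` pushes."""
    def __init__(self, fail_times):
        self.fail_times, self.calls = fail_times, 0
    def __call__(self, acct):
        self.calls += 1
        if self.calls <= self.fail_times:
            raise ConnectionError("timeout")

# Constructed sample data: three accounts, three connected apps (OA, ERP, CRM).
NOW = 1_700_000_000
SAMPLE_EVENTS = [LoginEvent("zhangs", NOW - 60 * i, ("Beijing", "Shanghai", "Shenzhen")[i % 3], "laptop-1")
                 for i in range(6)] + [LoginEvent("lisi", NOW - 3600, "Beijing", "pc-7")]
SAMPLE_CHANGES = [AttributeChange("lisi", "position", "director", "self_service_api"),
                  AttributeChange("wangw", "status", "resigned", "admin_console")]

def sample_env():
    """Fresh accounts and a connector factory for one run (flaky connectors keep state)."""
    accounts = {n: Account(n, {"status": "active"}, {"read", "write", "approve"}) for n in ("zhangs", "lisi", "wangw")}
    return accounts, lambda: {"oa": lambda acct: None, "erp": FlakyConnector(1), "crm": FlakyConnector(99)}
```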
In summary, the method for monitoring the full life cycle of a user account disclosed in the present invention creates user account information, including a user account together with its corresponding attribute information and access operation permissions, on a front-end unified identity authentication platform; when a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, the access operation permissions of the target user account whose attribute information changed and/or which performed the abnormal operation are modified; and the information of the target user account whose access operation permissions were modified is synchronized to all applications connected to the unified identity authentication platform. In the present invention, the entire process, from creating the user account information when the user joins the organization to archiving the user account when the user leaves, is completed on the unified identity authentication platform. Throughout the life cycle of the user account, when the unified identity authentication platform detects a change in user account attribute information, such as a position transfer or a resignation, and/or an abnormal operation, it modifies the access operation permissions of the target user account concerned so as to restrict the user's access operation permissions. As the sole data source for all connected applications, the unified identity authentication platform synchronizes the information of the target user account whose access operation permissions were modified to all connected applications, so that the platform and all connected applications are updated synchronously. The present invention therefore monitors all operations over the full life cycle of a user account through the unified identity authentication platform, thereby improving the operation and maintenance management of information systems.
在实际应用中,本发明在前端的统一身份认证平台上创建用户账号相关信息主要有两种方式,第一种为同步用户账号相关信息,第二种为在统一身份认证平台上直接创建用户账号相关信息。In practical application, the present invention mainly has two ways to create user account-related information on the front-end unified identity authentication platform, the first is to synchronize user account-related information, and the second is to directly create user accounts on the unified identity authentication platform Related Information.
因此,步骤S101具体可以包括:Therefore, step S101 may specifically include:
通过同步引擎、事务机制和预设通信协议,从AD域或OA系统同步已有用户账号相关信息至所述统一身份认证平台,实现所述用户账号相关信息的创建。Through the synchronization engine, the transaction mechanism and the preset communication protocol, the existing user account related information is synchronized from the AD domain or the OA system to the unified identity authentication platform, so as to realize the creation of the user account related information.
在同步过程中,可以对用户账号相关信息的同步成功信息和同步失败信息进行多维度记录。同步成功信息可以报告形式输出,以方便系统管理员查看,同步失败信息可以通过定时器机制,再次触发同步过程,直至同步成功。During the synchronization process, the synchronization success information and synchronization failure information of the user account related information can be recorded in multiple dimensions. The synchronization success information can be output in the form of a report to facilitate the system administrator to view, and the synchronization failure information can trigger the synchronization process again through the timer mechanism until the synchronization is successful.
Step S101 may also specifically include:
creating a new user account on the unified identity authentication platform using a preset unified account naming specification;
adding the corresponding user account attribute information to the newly created user account and assigning the corresponding access and operation authority.
It should be noted that the newly created user account is the only information used to determine the user's identity. To prevent duplicate names, the present invention therefore defines a unified account naming specification for user accounts.
Creating a new user account on the unified identity authentication platform using the preset unified account naming specification specifically includes:
arranging and combining the initials (声母) and finals (韵母) of the pinyin of the user's name, together with the Unicode encoding table, to obtain an initial user account;
sending the initial user account to the server side, which verifies the uniqueness and legitimacy of the initial user account;
receiving the verification-passed instruction fed back by the server side and confirming the initial user account as the user account newly created on the unified identity authentication platform.
It should be noted that when the server side detects that the initial user account duplicates an existing user account, it appends a unique random number to the initial user account to modify it, which guarantees the uniqueness of the user account, and feeds the modified initial user account back to the front end.
The random number may be any random number that is unique, for example a unique random number within 100; the specific choice depends on actual needs and is not limited by the present invention.
Therefore, creating a new user account on the unified identity authentication platform using the preset unified account naming specification may further include:
receiving the modified user account fed back by the server side and confirming it as the user account newly created on the unified identity authentication platform, where the modified user account is generated by the server side by appending a unique random number to the initial user account after determining that the initial user account is a duplicate.
Once the user account information has been created on the unified identity authentication platform, it can be maintained through the platform. Apart from the user account and name, which determine the user's identity and are unique and unchangeable, the platform allows the other user information, such as e-mail address, mobile phone number, position and address, to be extended with custom fields to complete the account record. The system administrator holds the highest operating authority on the unified identity authentication platform and, in practice, extends the user account attribute information on the platform as actual needs require.
Therefore, to further optimize the above embodiment, the monitoring method may further include:
after a system administrator account has logged in to the unified identity authentication platform, receiving extension information for the user account attribute information sent by the system administrator account;
adding the extension information to the user account attribute information and synchronizing the extended user account attribute information to all applications connected to the unified identity authentication platform.
In practice, full life cycle management of user accounts can also be carried out through the unified identity authentication platform: organizational structures are created or synchronized from the existing personnel departments, group information and categories; an organization is selected and its complete member list retrieved; and in the member list interface, company department information and personnel information can be added, modified or deleted, and personnel information synchronized to all applications connected to the unified identity authentication platform.
Once the system administrator has defined the user account attribute information (attribute fields) on the unified identity authentication platform, the information is not only maintained through the existing user account information; users can also modify, from a PC or mobile client, all information other than the fields that uniquely determine their identity (user account, name and so on), such as job title and address. When such information changes, the user need not ask the system administrator to change it: the user logs in to the unified identity authentication platform and makes the change, and the modification is sent to the system administrator for review. The review can cover whether the modified content is valid, whether its format is correct, whether the position information is referenced correctly, and so on. Once the user's modification passes review, it takes effect immediately. If the modified content is associated with applications connected to the platform, the unified identity authentication platform synchronizes the modified user account information to all connected applications.
Therefore, to further optimize the above embodiment, the monitoring method may further include:
receiving modified content for the user account information sent by a user account that has logged in to the unified identity authentication platform;
sending the modified content to the system administrator side for a validity review, where the validity review covers at least whether the modified content concerns information in the user account information other than the user account's unique identity identifier;
receiving the validity-review-passed instruction fed back by the system administrator side, modifying the user account information according to the modified content, and synchronizing the modified user account information to all applications connected to the unified identity authentication platform.
It should be noted that if the system administrator finds the modified content erroneous or incorrect, the review is not passed; the system administrator then sends an e-mail to the user through the unified identity authentication platform stating that the review failed and explaining why. After the user revises and resubmits, the system administrator reviews again, until the modification passes review or the user abandons it. For modified content, the system can provide complete modification records and user operation behaviour information.
Corresponding to the above method embodiment, the present invention also discloses a device for monitoring the full life cycle of a user account.
Referring to FIG. 2, a schematic structural diagram of a user account full life cycle monitoring device disclosed in an embodiment of the present invention, the device includes:
an information creation unit 201, configured to create user account information on the front-end unified identity authentication platform, the user account information including a user account together with its corresponding user account attribute information and access and operation authority;
In this embodiment, the unified identity authentication platform is connected to multiple application systems, which include but are not limited to an AD (Active Directory) domain, an OA (Office Automation) system and all other connected applications.
Communication between the unified identity authentication platform and the application systems is established over a preset communication protocol, which may include SCIM (System for Cross-domain Identity Management), JNDI (Java Naming and Directory Interface) and LDAP (Lightweight Directory Access Protocol).
The user account attribute information may include e-mail address, mobile phone number, position, home address and the like.
a permission modification unit 202, configured to modify, when a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, the access and operation authority of the target user account whose attribute information changed and/or on which the abnormal operation occurred, where changes in user account attribute information include a user's position transfer and a user's resignation;
After the user's account information has been created on the unified identity authentication platform and the system administrator has configured the corresponding user account attribute information and access and operation authority for the account, the user account can access applications and resources according to the authority it holds.
System administrator: after logging in to the unified identity authentication platform, holds the highest authority; can add and maintain users, user organizations and user groups, assign users' access and operation authority, and manage and maintain the entire user life cycle; and is also responsible for approving the attribute information that users modify themselves, which covers all of a user's own attributes other than the account and name.
The unified identity authentication platform keeps the entire platform running normally according to its own security access policy and risk control system.
Specifically, changes in user account attribute information include, for example, a user's resignation (submitting the resignation process triggers the system policy) and changes to user account attributes (such as tampering with user attributes through irregular channels in order to enlarge access rights).
Abnormal operations include frequent logins by a user account to the unified identity authentication platform, repeated logins from different locations, frequent logins from multiple terminals, and so on. An abnormal operation triggers the security risk control response mechanism of the unified identity authentication platform.
When a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, the system modifies, according to the existing task mechanism or security policy, the access and operation authority of the affected target user account and synchronizes the modified target user account information to all applications connected to the platform. That is, every connected application is notified immediately after the authority is modified, so that the modified authority takes effect at once, minimizing losses to the platform or preventing them altogether. The user perceives none of this; the whole process is completed automatically by the system.
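The risk-control reaction described above, as an added example that is not code from the patent: constructed login events are scanned for the three abnormal patterns the text names (frequent logins, logins from more than one location, logins from many terminals), and any account that trips a rule has its authority set to "restricted" on the platform and mirrored to every connected application. The window length, thresholds, log format and application names are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumed for this example; the patent names the behaviours but no numbers.
WINDOW = timedelta(minutes=10)
MAX_LOGINS = 5        # more than this many logins in one window -> "frequent login"
MAX_LOCATIONS = 1     # more than one city in one window -> "remote (off-site) login"
MAX_TERMINALS = 2     # more than this many devices in one window -> "multi-terminal login"

def parse_event(line):
    """Constructed log format: ISO timestamp,account,city,device-id."""
    ts, account, city, device = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "account": account, "city": city, "device": device}

def detect_abnormal(events, window=WINDOW):
    """Return {account: sorted reasons} for every account that breaks a rule in some window."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_account[ev["account"]].append(ev)
    findings = {}
    for account, evs in by_account.items():
        reasons = set()
        for i, start in enumerate(evs):
            # sliding window that starts at each login and looks forward
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            if len(win) > MAX_LOGINS:
                reasons.add("frequent_login")
            if len({e["city"] for e in win}) > MAX_LOCATIONS:
                reasons.add("multi_location_login")
            if len({e["device"] for e in win}) > MAX_TERMINALS:
                reasons.add("multi_terminal_login")
        if reasons:
            findings[account] = sorted(reasons)
    return findings

class UnifiedPlatform:
    """Holds each account's authority and fans every change out to the connected applications."""
    def __init__(self, accounts, app_names):
        self.accounts = accounts                        # account -> {"authority": ...}
        self.apps = {name: {} for name in app_names}    # app name -> mirrored account records

    def restrict(self, account, reasons):
        record = self.accounts[account]
        record["authority"] = "restricted"
        record["reason"] = list(reasons)
        for mirror in self.apps.values():
            mirror[account] = dict(record)   # sync so the restriction is effective everywhere at once
        return record

def respond_to_abnormal(platform, events):
    """Risk-control reaction: detect, restrict, synchronise; returns the findings."""
    findings = detect_abnormal(events)
    for account, reasons in findings.items():
        platform.restrict(account, reasons)
    return findings

def sample_run():
    """Constructed login lines: the first account logs in six times in five minutes, the
    second from two cities within minutes, the third behaves normally."""
    lines = [f"2021-01-05T09:0{m}:00,zhangsan,Beijing,laptop-01" for m in range(6)]
    lines += ["2021-01-05T09:00:00,lisi,Beijing,laptop-02",
              "2021-01-05T09:04:00,lisi,Shanghai,phone-02",
              "2021-01-05T09:00:00,wangwu,Beijing,laptop-03",
              "2021-01-05T09:30:00,wangwu,Beijing,laptop-03"]
    accounts = {a: {"authority": "normal"} for a in ("zhangsan", "lisi", "wangwu")}
    platform = UnifiedPlatform(accounts, ["oa", "mail", "erp"])
    findings = respond_to_abnormal(platform, [parse_event(l) for l in lines])
    return platform, findings

if __name__ == "__main__":
    platform, findings = sample_run()
    print(findings)
    print(platform.apps["oa"])
```

The detection is deliberately per-account and per-window so that a single off-site login after a long gap does not trip the location rule; the fan-out in `restrict` is what makes the modified authority "take effect immediately" in every application rather than only on the platform.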
an information synchronization unit 203, configured to synchronize the target user account information whose access and operation authority was modified to all applications connected to the unified identity authentication platform, where the target user account information includes the target user account together with its corresponding target user account attribute information and access and operation authority.
In summary, the device for monitoring the full life cycle of a user account disclosed in the present invention creates user account information on the front-end unified identity authentication platform, the user account information including a user account together with its corresponding user account attribute information and access and operation authority; when a change in user account attribute information and/or an abnormal operation is detected through the unified identity authentication platform, it modifies the access and operation authority of the affected target user account and synchronizes the modified target user account information to all applications connected to the platform. In the present invention, the entire process, from creating the user account information when a user joins to archiving the user account when the user leaves, is completed on the unified identity authentication platform. Throughout the account's life cycle, when the platform detects that user account attribute information has changed, for example a position transfer or a resignation, and/or that an abnormal operation has occurred, it modifies the access and operation authority of the affected target user account so as to restrict that user's access. Because the unified identity authentication platform is the only data source feeding all connected applications, it synchronizes the modified target user account information to every connected application, so that the platform and all connected applications are updated together. The present invention therefore monitors all operation behaviour across the whole life cycle of a user account through the unified identity authentication platform, raising the operation and maintenance management level of the information system.
In practice, the present invention creates user account information on the front-end unified identity authentication platform in two main ways: by synchronizing existing user account information, or by creating the user account information directly on the unified identity authentication platform.
The information creation unit 201 may therefore specifically include:
a first information creation subunit, configured to synchronize existing user account information from the Active Directory (AD) domain or the Office Automation (OA) system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and a preset communication protocol, thereby creating the user account information.
During synchronization, the success and failure information for each user account's synchronization can be recorded across multiple dimensions. Success information can be output as a report for the system administrator to review; failure information re-triggers the synchronization process through a timer mechanism until the synchronization succeeds.
The information creation unit may therefore also include:
an information recording subunit, configured to record the synchronization success information and synchronization failure information of the user account information across multiple dimensions.
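The synchronization engine with per-record transactions, success/failure recording and timer-driven retry that the method description (step S101) and the device description (first information creation subunit and information recording subunit) both call for, as an added example that is not the patent's own code. The directory endpoint is a constructed stand-in that takes the place of a SCIM or LDAP client; the retry cap, back-off schedule, record fields and failure modes are assumptions for this example.

```python
from dataclasses import dataclass, field

@dataclass
class SyncReport:
    succeeded: list = field(default_factory=list)   # (account, attempts needed)
    failed: list = field(default_factory=list)      # (account, last error) still failing after all rounds

def sync_accounts(source_records, push, max_rounds=3, sleep=lambda seconds: None):
    """Push each source record into the platform with push(record), which raises on failure.
    Each record is its own unit of work, so one failure never blocks the others; failures
    are re-queued and retried on a timer (here the injected sleep) in later rounds.
    max_rounds is an assumed cap for the example; the patent retries until success."""
    pending = {rec["account"]: rec for rec in source_records}
    attempts = dict.fromkeys(pending, 0)
    last_error = {}
    report = SyncReport()
    for round_no in range(1, max_rounds + 1):
        for account, rec in list(pending.items()):
            attempts[account] += 1
            try:
                push(rec)
            except Exception as exc:        # record the failure with its cause and attempt count
                last_error[account] = f"{type(exc).__name__}: {exc}"
                continue
            report.succeeded.append((account, attempts[account]))
            del pending[account]
        if not pending:
            break
        sleep(2 ** round_no)                # timer back-off before the next retry round
    report.failed.extend((a, last_error[a]) for a in pending)
    return report

def format_report(report):
    """Administrator-facing summary, one line per account."""
    lines = [f"OK   {acct} (attempts={n})" for acct, n in report.succeeded]
    lines += [f"FAIL {acct}: {err}" for acct, err in report.failed]
    return lines

def make_fake_platform():
    """Constructed stand-in for the platform's directory endpoint: rejects a record without a
    mail attribute and drops the first connection for one account to simulate a transient error."""
    store, calls = {}, {"lisi": 0}
    def push(rec):
        if "mail" not in rec:
            raise ValueError("missing required attribute 'mail'")
        if rec["account"] == "lisi" and calls["lisi"] == 0:
            calls["lisi"] += 1
            raise ConnectionError("connection reset by directory server")
        store[rec["account"]] = dict(rec)
    return push, store

def sample_run():
    records = [  # constructed AD-style records
        {"account": "zhangsan", "mail": "zhangsan@example.com", "dept": "IT"},
        {"account": "lisi", "mail": "lisi@example.com", "dept": "Finance"},
        {"account": "broken"},  # no mail attribute: fails every round
    ]
    push, store = make_fake_platform()
    report = sync_accounts(records, push)
    return report, store

if __name__ == "__main__":
    report, store = sample_run()
    print("\n".join(format_report(report)))
```

Transient errors (the dropped connection) clear on the second round, while a data error (the record with no mail attribute) keeps failing and ends up in the failure report with its cause, which is what lets an administrator distinguish a directory outage from a bad source record.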
When user account information is created directly on the unified identity authentication platform, the information creation unit 201 specifically further includes:
a second information creation subunit, configured to create a new user account on the unified identity authentication platform using a preset unified account naming specification;
a permission assignment subunit, configured to add the corresponding user account attribute information to the newly created user account and assign the corresponding access and operation authority.
It should be noted that the newly created user account is the only information used to determine the user's identity. To prevent duplicate names, the present invention therefore defines a unified account naming specification for user accounts.
The second information creation subunit is therefore specifically configured to:
arrange and combine the initials (声母) and finals (韵母) of the pinyin of the user's name, together with the Unicode code table, to obtain an initial user account;
send the initial user account to the server side, which verifies the uniqueness and legitimacy of the initial user account;
receive the verification-passed instruction fed back by the server side and confirm the initial user account as the user account newly created on the unified identity authentication platform.
It should be noted that when the server side detects that the initial user account duplicates an existing user account, it appends a unique random number to the initial user account to modify it, which guarantees the uniqueness of the user account, and feeds the modified initial user account back to the front end.
The random number may be any random number that is unique, for example a unique random number within 100; the specific choice depends on actual needs and is not limited by the present invention.
The second information creation subunit is therefore also specifically configured to:
receive the modified user account fed back by the server side and confirm it as the user account newly created on the unified identity authentication platform, where the modified user account is generated by the server side by appending a unique random number to the initial user account after determining that the initial user account is a duplicate.
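The account naming flow described in both the method (step S101) and the second information creation subunit, as an added example that is not the patent's own code. The front-end half builds an initial account from pinyin syllables and normalises it to plain ASCII through Unicode decomposition; the server-side half checks legitimacy against a format rule and uniqueness against a registry, and on a duplicate appends a random number within 100 that is not yet in use. The patent does not fix the exact combination rule, so the rule used here (full surname pinyin plus the initial of each given-name syllable), the initials table, the account format regex and the sample names are assumptions.

```python
import random
import re
import unicodedata

# Pinyin initials for the (assumed) syllable splitter; digraphs are tried before single letters.
INITIALS = ("zh", "ch", "sh", "b", "p", "m", "f", "d", "t", "n", "l", "g", "k", "h",
            "j", "q", "x", "r", "z", "c", "s", "y", "w")

def split_syllable(syllable):
    """Split one pinyin syllable into (initial, final); a zero-initial syllable such as
    'an' returns ('', 'an')."""
    s = syllable.lower()
    for ini in INITIALS:
        if s.startswith(ini):
            return ini, s[len(ini):]
    return "", s

def initial_account(surname_syllables, given_syllables):
    """Front end: assumed rule = full surname pinyin + initial of each given-name syllable
    (first letter of the final when the syllable has no initial), normalised to ASCII."""
    surname = "".join(surname_syllables)
    given = ""
    for syl in given_syllables:
        ini, fin = split_syllable(syl)
        given += ini or fin[0]
    raw = (surname + given).lower()
    # NFKD decomposition separates tone marks from base letters so they can be dropped
    return unicodedata.normalize("NFKD", raw).encode("ascii", "ignore").decode()

ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9]{1,31}$")   # assumed legitimacy rule

class AccountRegistry:
    """Server side: the authoritative set of account names."""
    def __init__(self, existing=(), rng=None):
        self.accounts = set(existing)
        self.rng = rng or random.Random()

    def is_legal(self, account):
        return bool(ACCOUNT_RE.match(account))

    def register(self, initial):
        """Return (status, account): 'ok' when the initial account is accepted unchanged,
        'modified' when a unique random suffix within 100 had to be appended, 'illegal'
        when the name fails the format check (no account is created then)."""
        if not self.is_legal(initial):
            return "illegal", None
        if initial not in self.accounts:
            self.accounts.add(initial)
            return "ok", initial
        # duplicate: choose a random suffix 1..99 whose resulting name is still unused
        free = [n for n in range(1, 100) if f"{initial}{n}" not in self.accounts]
        if not free:
            raise RuntimeError(f"suffix space exhausted for {initial!r}")
        account = f"{initial}{self.rng.choice(free)}"
        self.accounts.add(account)
        return "modified", account

def create_account(registry, surname_syllables, given_syllables):
    """Front end and server side together: the account the platform finally records."""
    status, account = registry.register(initial_account(surname_syllables, given_syllables))
    return status, account

if __name__ == "__main__":
    reg = AccountRegistry(rng=random.Random(42))
    print(create_account(reg, ["lǐ"], ["xiǎo", "míng"]))   # first Li Xiaoming
    print(create_account(reg, ["li"], ["xiao", "ming"]))    # duplicate gets a suffix
```

Checking the candidate suffix against the registry before choosing it is what makes the random number "unique" in the patent's sense: randomness alone would eventually collide once several users share the same initial account.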
Once the user account information has been created on the unified identity authentication platform, it can be maintained through the platform. Apart from the user account and name, which determine the user's identity and are unique and unchangeable, the platform allows the other user information, such as e-mail address, mobile phone number, position and address, to be extended with custom fields to complete the account record. The system administrator holds the highest operating authority on the unified identity authentication platform and, in practice, extends the user account attribute information on the platform as actual needs require.
Therefore, to further optimize the above embodiment, the monitoring device may further include:
an extension information receiving unit, configured to receive, after a system administrator account has logged in to the unified identity authentication platform, extension information for the user account attribute information sent by the system administrator account;
an extension information adding unit, configured to add the extension information to the user account attribute information and synchronize the extended user account attribute information to all applications connected to the unified identity authentication platform.
In practice, full life cycle management of user accounts can also be carried out through the unified identity authentication platform: organizational structures are created or synchronized from the existing personnel departments, group information and categories; an organization is selected and its complete member list retrieved; and in the member list interface, company department information and personnel information can be added, modified or deleted, and personnel information synchronized to all applications connected to the unified identity authentication platform.
Once the system administrator has defined the user account attribute information (attribute fields) on the unified identity authentication platform, the information is not only maintained through the existing user account information; users can also modify, from a PC or mobile client, all information other than the fields that uniquely determine their identity (user account, name and so on), such as job title and address. When such information changes, the user need not ask the system administrator to change it: the user logs in to the unified identity authentication platform and makes the change, and the modification is sent to the system administrator for review. The review can cover whether the modified content is valid, whether its format is correct, whether the position information is referenced correctly, and so on. Once the user's modification passes review, it takes effect immediately. If the modified content is associated with applications connected to the platform, the unified identity authentication platform synchronizes the modified user account information to all connected applications.
Therefore, to further optimize the above embodiment, the monitoring device may further include:
a modified content receiving unit, configured to receive modified content for the user account information sent by a user account that has logged in to the unified identity authentication platform;
a modified content review unit, configured to send the modified content to the system administrator side for a validity review, where the validity review covers at least whether the modified content concerns information in the user account information other than the user account's unique identity identifier;
a modified content synchronization unit, configured to receive the validity-review-passed instruction fed back by the system administrator side, modify the user account information according to the modified content, and synchronize the modified user account information to all applications connected to the unified identity authentication platform.
It should be noted that if the system administrator finds the modified content erroneous or incorrect, the review is not passed; the system administrator then sends an e-mail to the user through the unified identity authentication platform stating that the review failed and explaining why. After the user revises and resubmits, the system administrator reviews again, until the modification passes review or the user abandons it. For modified content, the system can provide complete modification records and user operation behaviour information.
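The self-service modification workflow with administrator review, as described for both the monitoring method and the modified content receiving, review and synchronization units, written as an added example that is not the patent's own code. The review enforces the one check the patent names as mandatory (the change must not touch the account's unique identity fields) plus the optional format and position checks it mentions; an approved change is applied and mirrored to every connected application, a rejected change produces an e-mail with the reason, and every submission is written to an audit record. The field names, format regexes, position list and sample accounts are assumptions for this example.

```python
import re
from datetime import datetime, timezone

# Fields that uniquely determine identity; the patent says users may never change them.
PROTECTED_FIELDS = {"account", "name"}
# Format checks are assumed rules for this example, not from the patent.
FORMAT_RULES = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "mobile": re.compile(r"^\d{11}$"),
}

def review_modification(changes, known_positions):
    """The administrator-side validity review. Returns (approved, reason)."""
    touched = sorted(set(changes) & PROTECTED_FIELDS)
    if touched:
        return False, "protected identity field(s) cannot be self-modified: " + ", ".join(touched)
    for field_name, value in changes.items():
        rule = FORMAT_RULES.get(field_name)
        if rule and not rule.match(str(value)):
            return False, f"invalid format for {field_name}"
    if "position" in changes and changes["position"] not in known_positions:
        return False, "position does not exist in the organisation's position list"
    return True, "approved"

class SelfServicePlatform:
    def __init__(self, accounts, app_names, known_positions):
        self.accounts = accounts                          # account -> attribute dict (platform copy)
        self.apps = {n: {} for n in app_names}            # app name -> mirrored attribute dicts
        self.known_positions = set(known_positions)
        self.audit = []                                   # modification records and outcomes
        self.outbox = []                                  # e-mails telling users why a review failed

    def submit(self, account, changes, now=None):
        """A logged-in user submits changes; returns 'approved' or 'rejected'."""
        now = now or datetime.now(timezone.utc)
        approved, reason = review_modification(changes, self.known_positions)
        self.audit.append({"ts": now.isoformat(), "account": account,
                           "changes": dict(changes), "approved": approved, "reason": reason})
        if not approved:
            self.outbox.append({"to": self.accounts[account]["email"],
                                "subject": "Profile change rejected", "body": reason})
            return "rejected"
        self.accounts[account].update(changes)            # takes effect immediately
        for mirror in self.apps.values():
            mirror.setdefault(account, {}).update(changes)  # sync to every connected application
        return "approved"

def sample_run():
    """Constructed account and three submissions: a valid position change, an attempt to
    rename the identity field, and a badly formatted mobile number."""
    accounts = {"zhangsan": {"account": "zhangsan", "name": "Zhang San",
                             "email": "zhangsan@example.com", "position": "Engineer"}}
    platform = SelfServicePlatform(accounts, ["oa", "hr"], ["Engineer", "Senior Engineer"])
    results = [
        platform.submit("zhangsan", {"position": "Senior Engineer", "address": "Haidian"}),
        platform.submit("zhangsan", {"name": "Zhang Si"}),
        platform.submit("zhangsan", {"mobile": "12345"}),
    ]
    return platform, results

if __name__ == "__main__":
    platform, results = sample_run()
    print(results)
    for entry in platform.audit:
        print(entry)
```

Keeping the protected-field check first and unconditional is the important design choice: the identity fields are what every connected application keys its records on, so a self-service change to them would desynchronise the platform from the applications even if every other check passed.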
Finally, it should also be noted that in this document relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply any such actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any variation thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.
The embodiments in this specification are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts of the embodiments can be referred to one another.
The above description of the disclosed embodiments enables a person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the invention. The present invention is therefore not limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (16)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011533368.6A CN114662084A (en) | 2020-12-23 | 2020-12-23 | Method and device for monitoring full life cycle of user account |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011533368.6A CN114662084A (en) | 2020-12-23 | 2020-12-23 | Method and device for monitoring full life cycle of user account |
Publications (1)
Publication Number | Publication Date |
---|---|
CN114662084A true CN114662084A (en) | 2022-06-24 |
Family
ID=82024504
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011533368.6A Pending CN114662084A (en) | 2020-12-23 | 2020-12-23 | Method and device for monitoring full life cycle of user account |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114662084A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114745203A (en) * | 2022-05-13 | 2022-07-12 | 长扬科技(北京)有限公司 | Method and device for monitoring full life cycle of user account |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109388921A (en) * | 2017-08-10 | 2019-02-26 | 顺丰科技有限公司 | A kind of unification user rights management platform and operation method |
CN110070285A (en) * | 2019-04-19 | 2019-07-30 | 成都飞机工业(集团)有限责任公司 | A kind of application system user (asu) administrative center system and its working method |
CN110175439A (en) * | 2019-05-29 | 2019-08-27 | 深圳前海微众银行股份有限公司 | User management method, device, equipment and computer readable storage medium |
-
2020
- 2020-12-23 CN CN202011533368.6A patent/CN114662084A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11381572B2 (en) | | Pervasive intermediate network attached storage application |
US11522850B2 (en) | | Cluster claim |
US10917408B2 (en) | | Secure document management through verification of security states of information processing apparatuses in peer-to-peer transmission of encrypted documents |
US10003458B2 (en) | | User key management for the secure shell (SSH) |
US7577689B1 (en) | | Method and system to archive data |
CN103098070B (en) | | For the methods, devices and systems of Data Position in monitoring network service |
US20200145427A1 (en) | | Reducing risks associated with recertification of dormant accounts |
CN103875211B (en) | | A kind of internet account number management method, manager, server and system |
US10715502B2 (en) | | Systems and methods for automating client-side synchronization of public keys of external contacts |
CN101753313A (en) | | Password management method, password management system and password management server |
JP2006510991A (en) | | Distributed content management system |
JP6819748B2 (en) | | Information processing equipment, information processing systems and programs |
CN108289074B (en) | | User account login method and device |
USRE45046E1 (en) | | Media device access control mechanism |
CN114662084A (en) | | Method and device for monitoring full life cycle of user account |
WO2020212784A1 (en) | | Destination addressing associated with a distributed ledger |
CN110210192A (en) | | Approaches to IM, device, equipment and readable storage medium storing program for executing |
CN114065183A (en) | | Authority control method and device, electronic equipment and storage medium |
CN110741371A (en) | | Information processing apparatus, protection processing apparatus, and usage terminal |
CN113612865A (en) | | Method, device and equipment for managing cloud platform LDAP domain account and readable medium |
WO2014084981A1 (en) | | Assigning electronically purchased items of content to users |
CN114745203A (en) | | Method and device for monitoring full life cycle of user account |
WO2013111532A1 (en) | | Administration system, administration method, and program |
US9424405B2 (en) | | Using receipts to control assignments of items of content to users |
CN115150191A (en) | | Cross-region cloud management platform information interaction method and related components |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |