CN114662084A - Method and device for monitoring full life cycle of user account - Google Patents


Info

Publication number: CN114662084A
Authority: CN (China)
Prior art keywords: user account, information, identity authentication, authentication platform, unified identity
Prior art date
Legal status: Pending (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Application number: CN202011533368.6A
Other languages: Chinese (zh)
Inventors: 吕江波, 李飞, 吴阳
Current assignee: Xi Xiang Beijing Technology Development Co ltd (the listed assignee may be inaccurate; Google has not performed a legal analysis)
Original assignee: Xi Xiang Beijing Technology Development Co ltd
Priority date
Filing date
Publication date
Application filed by Xi Xiang Beijing Technology Development Co ltd
Priority to CN202011533368.6A
Publication of CN114662084A

Classifications

    • G06F21/45 Structures or tools for the administration of authentication (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F16/275 Synchronous replication (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F16/00 Information retrieval; database structures therefor; file system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/27 Replication, distribution or synchronisation of data between databases or within a distributed database system; distributed database system architectures therefor)
    • G06F21/31 User authentication (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for monitoring the full life cycle of a user account, in which the whole process, from creating the corresponding user account related information when a user joins the organization to archiving the user account when the user leaves, is completed on a unified identity authentication platform. The invention thereby monitors all operation behaviour of the user account over its whole life cycle and improves the operation and maintenance management of the information system.

Description

Method and device for monitoring full life cycle of user account
Technical Field
The invention relates to the technical field of information security, in particular to a method and a device for monitoring the full life cycle of a user account.
Background
With the development of information technology and the continuing progress of informatization, business applications, office systems and business platforms are released and put into operation one after another, and information systems now pervade every part of enterprise operation. Because an information system comprises many devices and servers and is difficult to manage, unauthorized access, misoperation, abuse of operation permissions, malicious damage and the like occur from time to time, seriously affecting the operational efficiency of the enterprise.
How to monitor users' operation behaviour on the basis of their user accounts, and thereby improve the operation and maintenance management of the information system, has therefore become a technical problem that those skilled in the art urgently need to solve.
Disclosure of Invention
In view of this, the invention discloses a method and a device for monitoring the full life cycle of a user account, so as to monitor all operation behaviour of the user account over its full life cycle and thereby improve the operation and maintenance management of the information system.
A method for monitoring the full life cycle of a user account comprises the following steps:
creating user account related information on a front-end unified identity authentication platform, the user account related information comprising a user account, its corresponding user account attribute information, and its access operation authority;
when the unified identity authentication platform detects that the user account attribute information has changed and/or an abnormal operation has occurred, modifying the access operation authority of the target user account whose attribute information changed and/or which performed the abnormal operation, where changes of user account attribute information include job transfer and leaving the organization;
synchronizing the target user account related information with the modified access operation authority to all applications integrated with the unified identity authentication platform, the target user account related information comprising the target user account, its corresponding attribute information, and its access operation authority.
Optionally, creating the user account related information on the front-end unified identity authentication platform specifically includes:
synchronizing existing user account related information from an Active Directory (AD) domain or an office automation (OA) system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and a preset communication protocol, thereby creating the user account related information.
Optionally, the method further includes:
recording the synchronization success information and synchronization failure information of the user account related information along multiple dimensions.
Optionally, creating the user account related information on the front-end unified identity authentication platform further includes:
creating a user account on the unified identity authentication platform according to a preset unified account naming specification;
adding the corresponding user account attribute information to the newly created user account and assigning the corresponding access operation authority.
Optionally, creating a user account on the unified identity authentication platform according to the preset unified account naming specification specifically includes:
arranging and combining the initial consonants and finals of the pinyin of the user's name, together with a Unicode code table, to obtain an initial user account;
sending the initial user account to the server side, which verifies its uniqueness and legality;
receiving the verification-passed instruction fed back by the server side and taking the initial user account as the user account newly created on the unified identity authentication platform.
Optionally, creating a user account on the unified identity authentication platform according to the preset unified account naming specification further includes:
receiving a modified user account fed back by the server side and taking it as the user account newly created on the unified identity authentication platform, where the server side generates the modified user account by appending a unique random number to the initial user account when it determines that the initial user account is a duplicate.
Optionally, the method further includes:
when a system administrator account has logged in to the unified identity authentication platform, receiving extension information for the user account attribute information sent by the system administrator account;
adding the extension information to the user account attribute information and synchronizing the extended user account attribute information to all applications integrated with the unified identity authentication platform.
Optionally, the method further includes:
receiving modification content for the user account related information sent by a user account that has logged in to the unified identity authentication platform;
sending the modification content to a system administrator terminal for a validity review that at least checks whether the modified content is limited to information other than the unique identity of the user account;
receiving the validity-review-passed instruction fed back by the system administrator terminal, modifying the user account related information according to the modification content, and synchronizing the modified user account related information to all applications integrated with the unified identity authentication platform.
A device for monitoring the full life cycle of a user account comprises:
an information creating unit, configured to create user account related information on a front-end unified identity authentication platform, the user account related information comprising a user account, its corresponding user account attribute information, and its access operation authority;
an authority modification unit, configured to modify, when the unified identity authentication platform detects that the user account attribute information has changed and/or an abnormal operation has occurred, the access operation authority of the target user account whose attribute information changed and/or which performed the abnormal operation, where changes of user account attribute information include job transfer and leaving the organization;
an information synchronization unit, configured to synchronize the target user account related information with the modified access operation authority to all applications integrated with the unified identity authentication platform, the target user account related information comprising the target user account, its corresponding attribute information, and its access operation authority.
Optionally, the information creating unit specifically includes:
a first information creating subunit, configured to synchronize existing user account related information from an Active Directory (AD) domain or an office automation (OA) system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and a preset communication protocol, thereby creating the user account related information.
Optionally, the information creating unit further includes:
an information recording subunit, configured to record the synchronization success information and synchronization failure information of the user account related information along multiple dimensions.
Optionally, the information creating unit further includes:
a second information creating subunit, configured to create a user account on the unified identity authentication platform according to a preset unified account naming specification;
an authority allocation subunit, configured to add the corresponding user account attribute information to the newly created user account and assign the corresponding access operation authority.
Optionally, the second information creating subunit is specifically configured to:
arrange and combine the initial consonants and finals of the pinyin of the user's name, together with a Unicode code table, to obtain an initial user account;
send the initial user account to the server side, which verifies its uniqueness and legality;
receive the verification-passed instruction fed back by the server side and take the initial user account as the user account newly created on the unified identity authentication platform.
Optionally, the second information creating subunit is further specifically configured to:
receive a modified user account fed back by the server side and take it as the user account newly created on the unified identity authentication platform, where the server side generates the modified user account by appending a unique random number to the initial user account when it determines that the initial user account is a duplicate.
Optionally, the device further includes:
an extension information receiving unit, configured to receive, after a system administrator account has logged in to the unified identity authentication platform, extension information for the user account attribute information sent by the system administrator account;
an extension information adding unit, configured to add the extension information to the user account attribute information and synchronize the extended user account attribute information to all applications integrated with the unified identity authentication platform.
Optionally, the device further includes:
a modification content receiving unit, configured to receive modification content for the user account related information sent by a user account that has logged in to the unified identity authentication platform;
a modification content review unit, configured to send the modification content to a system administrator terminal for a validity review that at least checks whether the modified content is limited to information other than the unique identity of the user account;
a modification content synchronization unit, configured to receive the validity-review-passed instruction fed back by the system administrator, modify the user account related information according to the modification content, and synchronize the modified user account related information to all applications integrated with the unified identity authentication platform.
According to the above technical solution, the invention discloses a method and a device for monitoring the full life cycle of a user account. User account related information, comprising the user account, its attribute information and its access operation authority, is created on a front-end unified identity authentication platform; when the platform detects that the user account attribute information has changed and/or an abnormal operation has occurred, the access operation authority of the affected target user account is modified, and the target account's related information with the modified authority is synchronized to all applications integrated with the platform. The whole process, from creating the account information when the user joins to archiving the account when the user leaves, is completed on the platform. When the platform detects an attribute change such as a job transfer or a departure, and/or an abnormal operation, it modifies the target account's access operation authority to limit what the user can do; because the platform is the sole data source for all integrated applications, it synchronizes the modified information to every one of them, so the platform and the integrated applications are updated together. The invention therefore monitors all operation behaviour of the user account over its whole life cycle through the unified identity authentication platform and improves the operation and maintenance management of the information system.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the disclosed drawings without creative efforts.
Fig. 1 is a flowchart of a method for monitoring a full life cycle of a user account according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a monitoring apparatus for a full life cycle of a user account according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, the method for monitoring the full life cycle of a user account disclosed in this embodiment is applied at the front end and includes:
S101, creating user account related information on the unified identity authentication platform at the front end;
wherein the user account related information includes the user account, the corresponding user account attribute information, and the access operation authority.
The unified identity authentication platform is the user authentication data source and the management platform for the full life cycle of user accounts.
In this embodiment the unified identity authentication platform is integrated with multiple application systems, including but not limited to an AD (Active Directory) domain, an OA (Office Automation) system, and every other application integrated with it.
The unified identity authentication platform and the application systems communicate over a preset communication protocol, which may be SCIM (System for Cross-domain Identity Management), JNDI (Java Naming and Directory Interface) or LDAP (Lightweight Directory Access Protocol). Strictly, JNDI is a Java directory API rather than a wire protocol; in practice it fronts LDAP.
The user account attribute information may include mailbox, mobile phone number, job position, home address, and so on.
Step S102: when the unified identity authentication platform detects that the user account attribute information has changed and/or an abnormal operation has occurred, modify the access operation authority of the target user account whose attribute information changed and/or which performed the abnormal operation.
Changes of user account attribute information include job transfer and leaving the organization.
The user's account related information is created on the unified identity authentication platform, and once the system administrator has configured the corresponding attribute information and access operation authority for the account, the account can access applications and resources within that authority.
System administrator: holds the highest authority after logging in to the unified identity authentication platform; can add and maintain users, organizations and user groups, assign user access operation authority, and manage the full life cycle of users; and is also responsible for reviewing and approving every attribute a user modifies on their own, other than the account and the name.
The unified identity authentication platform keeps itself running normally according to its configured security access policy and risk-control system.
Concretely, attribute information changes when, for example, a user leaves (submitting the leaving process triggers the system policy) or a user account attribute is altered, which includes tampering through an abnormal channel to raise the account's access authority.
Abnormal operations include a user account logging in to the unified identity authentication platform unusually frequently, repeated logins from unusual locations, and frequent logins from multiple terminals. An abnormal operation triggers the platform's security risk-control response mechanism.
When the platform detects changed attribute information and/or an abnormal operation, the system modifies the access operation authority of the affected target user account according to the existing task mechanism or security policy, and synchronizes the target account's related information, with its modified authority, to every application integrated with the platform. All integrated applications are notified immediately after the authority is modified, so the modified authority takes effect at once and damage to the platform and the applications is minimized or prevented. The user is unaware of the whole process, which the system completes automatically. Note that synchronizing a modified authority to an application does not by itself terminate sessions or tokens that application has already issued; revoking those is a separate step the integrated application has to support.
Step S103: synchronize the target user account related information with the modified access operation authority to every application integrated with the unified identity authentication platform.
The target user account related information includes the target user account, its corresponding attribute information, and its access operation authority.
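The flow of steps S102 and S103 (attribute change or abnormal operation detected, authority modified on the platform, state synchronized to every integrated application) as an added Python example; this is not code from the patent or its assignee. The SCIM PatchOp body follows RFC 7644; everything else, the login thresholds, the position-to-authority table, the application names and the account data, is an assumption made for the illustration.

```python
import json
from collections import defaultdict

# Policy thresholds are assumptions: the patent names no concrete limits.
LOGIN_WINDOW_SECONDS = 600   # sliding window used to judge "frequent" logins
LOGIN_BURST_LIMIT = 5        # more logins than this inside the window is abnormal
MAX_LOCATIONS = 1            # more distinct locations than this inside the window is an off-site login
MAX_TERMINALS = 2            # more distinct terminals than this inside the window is abnormal

# Assumed mapping from job position to access operation authority on the integrated applications.
POSITION_RIGHTS = {
    "engineer": {"gitlab:read", "gitlab:write", "jira:write"},
    "manager": {"gitlab:read", "jira:write", "hr:read"},
    "auditor": {"gitlab:read", "jira:read", "hr:read"},
}


class Account:
    def __init__(self, account, attributes, rights):
        self.account = account          # unique identity; never changed by the flows below
        self.attributes = attributes    # mailbox, phone, position, address, status ...
        self.rights = set(rights)       # access operation authority
        self.active = True


def scim_patch(acct):
    """SCIM 2.0 PatchOp body (RFC 7644 section 3.5.2) carrying the account's current state to an application."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [
            {"op": "replace", "path": "active", "value": acct.active},
            {"op": "replace", "path": "title", "value": acct.attributes.get("position", "")},
            {"op": "replace", "path": "entitlements", "value": [{"value": r} for r in sorted(acct.rights)]},
        ],
    }


class Platform:
    """Unified identity authentication platform: the single data source for every integrated application."""

    def __init__(self):
        self.accounts = {}
        self.apps = {}                      # app name -> replica {account: (active, frozenset(rights))}
        self.logins = defaultdict(list)     # account -> [(timestamp, location, terminal)]
        self.audit = []                     # every attribute change, risk-control hit and sync

    def connect_app(self, name):
        self.apps[name] = {}

    def create(self, acct):
        self.accounts[acct.account] = acct
        return self.sync(acct.account)

    def sync(self, account):
        """Push the account's state to all integrated applications at once; returns the SCIM patch sent."""
        acct = self.accounts[account]
        patch = scim_patch(acct)
        for replica in self.apps.values():
            replica[account] = (acct.active, frozenset(acct.rights))
        self.audit.append(("sync", account, json.dumps(patch, sort_keys=True)))
        return patch

    def change_attribute(self, account, key, value):
        """Attribute change on the platform (job transfer, leaving) -> authority modified -> synced everywhere."""
        acct = self.accounts[account]
        acct.attributes[key] = value
        if key == "status" and value == "left":
            acct.active = False             # archived: no access in any application
            acct.rights = set()
        elif key == "position":
            acct.rights = set(POSITION_RIGHTS.get(value, ()))   # authority follows the new position
        self.audit.append(("attr-change", account, key))
        return self.sync(account)

    def record_login(self, account, ts, location, terminal):
        """Abnormal-operation check; on a hit, drop write authority and sync immediately. Returns the reasons."""
        events = self.logins[account]
        events.append((ts, location, terminal))
        recent = [e for e in events if ts - e[0] <= LOGIN_WINDOW_SECONDS]
        reasons = []
        if len(recent) > LOGIN_BURST_LIMIT:
            reasons.append("frequent-login")
        if len({loc for _, loc, _ in recent}) > MAX_LOCATIONS:
            reasons.append("off-site-login")
        if len({term for _, _, term in recent}) > MAX_TERMINALS:
            reasons.append("multi-terminal")
        if reasons:
            acct = self.accounts[account]
            acct.rights = {r for r in acct.rights if not r.endswith(":write")}
            self.audit.append(("risk-control", account, reasons))
            self.sync(account)
        return reasons


def demo():
    """Constructed walk-through: join as engineer, transfer to auditor, log in from two cities, then leave."""
    p = Platform()
    for app in ("gitlab", "jira", "hr"):
        p.connect_app(app)
    p.create(Account("zhangsan", {"position": "engineer", "mailbox": "zs@example.com"}, POSITION_RIGHTS["engineer"]))
    p.change_attribute("zhangsan", "position", "auditor")
    reasons = [p.record_login("zhangsan", 1000 + 30 * i, ("shanghai", "beijing")[i % 2], "pc") for i in range(4)]
    p.change_attribute("zhangsan", "status", "left")
    return p, reasons


if __name__ == "__main__":
    platform, login_reasons = demo()
    print(login_reasons)
    for event in platform.audit:
        print(event)
```

The risk-control branch downgrades the account to read-only rather than disabling it outright; which response applies to which signal is the policy choice the text leaves to the platform's security access policy. A SCIM replace of active=false on a downstream application does not invalidate sessions that application has already issued, so a real deployment pairs the sync with session or token revocation on the receiving side.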
In summary, the method disclosed here creates the user account related information (user account, attribute information and access operation authority) on the front-end unified identity authentication platform; when the platform detects changed attribute information and/or an abnormal operation, it modifies the access operation authority of the target user account and synchronizes the target account's related information to every integrated application. Because the whole process, from creating the account information when the user joins to archiving the account when the user leaves, runs on the platform, and the platform is the sole data source for all integrated applications, a job transfer, a departure or an abnormal operation is reflected in every application at once. The method therefore monitors all operation behaviour of the user account over its full life cycle through the unified identity authentication platform and improves the operation and maintenance management of the information system.
In practice there are two ways to create user account related information on the front-end unified identity authentication platform: synchronizing existing account information, or creating it directly on the platform.
Step S101 may therefore specifically include:
synchronizing existing user account related information from the AD domain or the OA system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and the preset communication protocol, thereby creating the user account related information.
During synchronization, the success and failure information of each user account record can be recorded along multiple dimensions. Success information can be output as a report for the system administrator to check, and failure information triggers the synchronization again through a timer mechanism until it succeeds.
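A synchronization engine with a per-record transaction, multi-dimensional success/failure recording and timer-driven retry of the failed records, as an added Python example that is not the patent's own code. The source record field names (sAMAccountName, mail, title, as in an AD export), the fault injector and the cap on retry attempts are assumptions made for the illustration. The cap is deliberate: retrying "until successful" with no cap turns a permanently invalid record, such as one missing a mandatory attribute, into an endless retry loop.

```python
import time

# Constructed sample of what an AD domain or OA system export delivers (assumed field names).
SOURCE_RECORDS = [
    {"sAMAccountName": "zhangsan", "mail": "zs@example.com", "title": "engineer"},
    {"sAMAccountName": "lisi", "mail": "", "title": "manager"},          # missing mailbox: never passes validation
    {"sAMAccountName": "wangwu", "mail": "ww@example.com", "title": "auditor"},
]


class PlatformStore:
    """Target on the unified identity authentication platform. apply() is all-or-nothing per record."""

    def __init__(self):
        self.accounts = {}

    def apply(self, rec):
        staged = {"mailbox": rec["mail"], "position": rec["title"]}   # stage every field first ...
        if not staged["mailbox"]:
            raise ValueError("mailbox missing")                        # ... validate ...
        self.accounts[rec["sAMAccountName"]] = staged                  # ... then commit in one step


def transient_fault(rec, attempt):
    """Constructed fault injector: the first attempt for wangwu fails as if the connection dropped."""
    if rec["sAMAccountName"] == "wangwu" and attempt == 1:
        raise ConnectionError("connection reset by peer")


class SyncEngine:
    def __init__(self, source, records, store, fault=None, max_attempts=3):
        self.source = source
        self.pending = list(records)
        self.store = store
        self.fault = fault or (lambda rec, attempt: None)
        self.max_attempts = max_attempts      # assumed cap so a permanent failure cannot retry forever
        self.log = []                         # (source, account, attempt, outcome, reason): the multi-dimensional record

    def run_once(self, attempt):
        """One synchronization pass over the records still pending; returns how many are still failing."""
        still_failed = []
        for rec in self.pending:
            account = rec["sAMAccountName"]
            try:
                self.fault(rec, attempt)
                self.store.apply(rec)
                self.log.append((self.source, account, attempt, "success", ""))
            except Exception as exc:
                self.log.append((self.source, account, attempt, "failure", f"{type(exc).__name__}: {exc}"))
                still_failed.append(rec)
        self.pending = still_failed
        return len(still_failed)

    def run_with_retry(self, interval=0.0):
        """Timer mechanism: re-run the failed records every `interval` seconds until none are left or attempts run out."""
        for attempt in range(1, self.max_attempts + 1):
            if self.run_once(attempt) == 0:
                break
            if attempt < self.max_attempts:
                time.sleep(interval)
        return self.report()

    def report(self):
        """Success report for the administrator plus the records that stayed unresolved."""
        synced = sorted({e[1] for e in self.log if e[3] == "success"})
        failures = [e for e in self.log if e[3] == "failure"]
        return {"synced": synced, "failures": failures, "unresolved": [r["sAMAccountName"] for r in self.pending]}


def run_demo():
    engine = SyncEngine("AD", SOURCE_RECORDS, PlatformStore(), fault=transient_fault)
    engine.run_with_retry(interval=0.0)
    return engine


if __name__ == "__main__":
    for line in run_demo().log:
        print(*line, sep="\t")
```

Each log entry carries source, account, attempt number, outcome and reason, so the administrator's report can be cut along any of those dimensions; the transient failure for wangwu resolves on the second pass, while lisi stays in the unresolved list after the last attempt instead of being retried indefinitely.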
Step S101 may further include:
creating a user account on the unified identity authentication platform according to a preset unified account naming specification;
adding the corresponding user account attribute information to the newly created account and assigning the corresponding access operation authority.
Note that the newly created user account is the sole information that determines the user's identity, so one account naming specification is defined for all user accounts to prevent duplicate names.
Creating a new user account on the unified identity authentication platform according to the preset unified account naming specification specifically includes:
arranging and combining the initial consonants and finals of the pinyin of the user's name, together with a Unicode code table, to obtain an initial user account;
sending the initial user account to the server side, which verifies its uniqueness and legality;
receiving the verification-passed instruction fed back by the server side and taking the initial user account as the user account newly created on the unified identity authentication platform.
Note that when the server detects that the initial user account duplicates an existing account, it appends a unique random number to the initial user account to make it unique and feeds the modified account back to the front end.
The random number may be any number that is unique for that base account, for instance a unique number below 100, as actual needs dictate; the invention is not limited here.
Therefore, creating a new user account according to the preset unified account naming specification may also include:
receiving the modified user account fed back by the server and taking it as the user account newly created on the unified identity authentication platform, where the modified user account is generated by appending a unique random number to the initial user account when the server determines that the initial account is a duplicate.
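The account naming flow (initial account composed from pinyin initials and finals, server-side legality and uniqueness check, unique random suffix on a duplicate) as an added Python example that is not the patent's own code. It assumes the name has already been transliterated to toneless pinyin syllables (a library such as pypinyin does that from the characters); the legality regex, the naming rule and the suffix range below 100 are assumptions drawn from the text.

```python
import random
import re

ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9]{2,19}$")   # assumed legality rule: lowercase, starts with a letter, 3-20 chars
SUFFIX_RANGE = range(1, 100)                        # "a random number with uniqueness within 100"

# Pinyin initial consonants, two-letter ones first so "zh" is matched before "z".
INITIALS = ("zh", "ch", "sh", "b", "p", "m", "f", "d", "t", "n", "l",
            "g", "k", "h", "j", "q", "x", "r", "z", "c", "s", "y", "w")


def split_pinyin(syllable):
    """Split a toneless pinyin syllable into (initial consonant, final); zero-initial syllables give ("", final)."""
    s = syllable.lower()
    for ini in INITIALS:
        if s.startswith(ini):
            return ini, s[len(ini):]
    return "", s


def initial_account(surname, given):
    """Front-end naming rule (assumed): full pinyin of surname and given name; if that breaks the length
    limit, surname in full plus the initial consonant (or first vowel) of each given-name syllable."""
    parts = [split_pinyin(s) for s in [surname, *given]]
    full = "".join(ini + fin for ini, fin in parts)
    if ACCOUNT_RE.match(full):
        return full
    return parts[0][0] + parts[0][1] + "".join(ini or fin[:1] for ini, fin in parts[1:])


class AccountServer:
    """Server side: checks legality and uniqueness, appending a unique random suffix on a duplicate."""

    def __init__(self, existing=(), rng=None):
        self.registry = set(existing)
        self.rng = rng or random.Random()

    def verify(self, initial):
        if not ACCOUNT_RE.match(initial):
            raise ValueError(f"illegal account name: {initial!r}")
        if initial not in self.registry:
            self.registry.add(initial)
            return initial
        # The suffixed name is checked against the registry too: a random suffix alone is not unique.
        free = [n for n in SUFFIX_RANGE if f"{initial}{n}" not in self.registry]
        if not free:
            raise RuntimeError(f"no free suffix left for {initial!r}; widen SUFFIX_RANGE")
        modified = f"{initial}{self.rng.choice(free)}"
        self.registry.add(modified)
        return modified


def create_account(surname, given, server):
    """Front-end flow: build the initial account, send it to the server, use whatever the server feeds back."""
    return server.verify(initial_account(surname, given))


if __name__ == "__main__":
    srv = AccountServer(rng=random.Random(2020))
    for name in (("zhang", ["san"]), ("zhang", ["san"]), ("ou", ["yang", "xiu", "wen"])):
        print(name, "->", create_account(*name, srv))
```

With the suffix limited to 1..99 a base name can absorb at most 99 duplicates before verify() fails loudly, which is preferable to silently issuing a colliding account; a larger organization would widen the range or switch to a counter.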
After the user account related information has been created on the unified identity authentication platform, it is maintained through the platform. The user account and the name determine the uniqueness and immutability of the user's identity information, while other user information, such as mailbox, mobile phone number, position and address, can be extended by the platform through custom attributes to complete the account information. The system administrator has the highest operation authority on the platform and in practice can extend the user account attribute information on the platform according to actual requirements.
Therefore, to further optimize the above embodiment, the monitoring method may further include:
when a system administrator account has logged in to the unified identity authentication platform, receiving extension information for the user account attribute information sent by the system administrator account;
adding the extension information to the user account attribute information and synchronizing the extended attribute information to every application integrated with the unified identity authentication platform.
In practice, full life cycle management of user accounts is carried out through the platform: organizations can be created or synchronized according to the existing personnel departments, group information and categories; an organization can be selected to obtain its full member list; and in the member list interface, company department information and personnel information can be added, modified, deleted and synchronized to every application integrated with the platform.
Once the system administrator has defined the attribute fields of the user account on the platform, users can not only maintain their attribute information through their existing account but also modify on their own, from a PC or a mobile terminal, all information except the uniquely identifying user identity information, for example position and address. When such information changes, the user no longer needs to ask the system administrator to change it: the user logs in to the platform and modifies it, the modification is sent to the system administrator for review, and the review covers whether the modified content is valid, whether its format is correct, whether a job transfer is correctly recorded, and so on. Once the modification passes review it takes effect immediately, and if the modified content is associated with applications integrated with the platform, the platform synchronizes the modified user account information to all of them.
Therefore, to further optimize the above embodiment, the monitoring method may further include:
receiving modification content for the user account related information sent by a user account that has logged in to the unified identity authentication platform;
sending the modification content to a system administrator terminal for validity audit, wherein the validity audit at least comprises: whether the modified content is information other than the unique identity of the user account within the user account related information;
and receiving a validity audit passing instruction fed back by the system administrator terminal, modifying the user account related information according to the modification content, and synchronizing the modified user account related information to all applications docked with the unified identity authentication platform.
It should be noted that if the system administrator finds the modified content incorrect or invalid, the modification is not approved; the system administrator then sends an email to the user through the unified identity authentication platform stating that the audit was not passed and describing the reason. The user revises the content and submits it again, and the system administrator audits it again, until the modification is approved or the user abandons it. For the modified content, the system can provide a complete modification record and the user's operation behaviour information.
Corresponding to the embodiment of the method, the invention also discloses a monitoring device for the full life cycle of the user account.
Referring to fig. 2, a schematic structural diagram of a device for monitoring a full life cycle of a user account disclosed in an embodiment of the present invention includes:
an information creating unit 201, configured to create user account related information on a front-end unified identity authentication platform, where the user account related information includes: a user account, corresponding user account attribute information and access operation authority;
in this embodiment, the unified identity authentication platform interfaces with a plurality of application systems, where the interfacing application systems include, but are not limited to, an AD (Active Directory) domain, an OA (Office Automation) system, and all interfacing applications.
The unified identity authentication platform and the plurality of application systems establish communication connection by adopting a preset communication protocol, and the preset communication protocol may include: SCIM (System for Cross-domain Identity Management), JNDI (Java Naming and Directory Interface), and LDAP (Lightweight Directory Access Protocol).
The user account attribute information may include: mailbox, mobile phone number, position, home address, etc.
an authority modification unit 202, configured to, when it is monitored on the unified identity authentication platform that the user account attribute information has changed and/or an abnormal operation has occurred, modify the access operation authority of the target user account whose attribute information has changed and/or on which the abnormal operation occurred, where a change in the user account attribute information includes user position transfer and user resignation;
the user establishes corresponding user account related information on the unified identity authentication platform, and after a system administrator configures corresponding user account attribute information and access operation authority for the user account, the user account can access applications and resources according to the access operation authority.
System administrator: the terminal with the highest authority after logging in to the unified identity authentication platform; it can add and maintain users, user organizations and user groups, assign user access operation authority, manage and maintain the whole life cycle of the user, and is responsible for approving all attribute information, other than the account and name, that users modify autonomously.
The unified identity authentication platform maintains its own normal operation according to its configured security access policy and risk control system.
Specifically, a change in the attribute information of the user account is, for example, the user leaving the company (submitting a resignation process triggers the system policy) or the attributes of the user account being altered (for example, a user attribute being tampered with through an abnormal channel to raise the access authority).
Abnormal operations include: the user account frequently logging in to the unified identity authentication platform, multiple remote logins, frequent logins from multiple terminals, and the like. When an abnormal operation occurs, the security risk-control response mechanism of the unified identity authentication platform is triggered.
When it is monitored through the unified identity authentication platform that user account attribute information has changed and/or an abnormal operation has occurred, the system modifies the access operation authority of the target user account whose attribute information has changed and/or on which the abnormal operation occurred, according to the existing task mechanism or security policy, and synchronizes the target user account related information with the modified access operation authority to all applications docked with the platform. That is, all docked applications are notified immediately after the access operation authority is modified, so that the modified authority takes effect at once and any loss to the unified identity authentication platform is minimized or prevented. The whole process is completed automatically by the system, without the user's involvement.
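The risk-control reaction described above, as an added example that is not part of the patent: it scores constructed login events against the three abnormal patterns named (frequent logins, repeated remote logins, many terminals), restricts the flagged account on the platform, and builds the SCIM 2.0 PatchOp that would be pushed to each docked application. The thresholds, record fields, application URLs and sample events are all assumptions.

```python
"""Added example, not part of the patent: detect the abnormal operations the
description names over constructed login events, restrict the flagged account,
and build the SCIM 2.0 PatchOp for every docked application.
Thresholds, record fields and sample data are assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed risk-control thresholds (the patent does not fix any values).
WINDOW = timedelta(minutes=10)
MAX_LOGINS = 5      # more logins than this inside WINDOW counts as "frequent"
MAX_REMOTE = 2      # more logins than this from outside the home location
MAX_TERMINALS = 2   # more distinct terminals than this inside WINDOW

# Constructed login events: (account, ISO timestamp, location, terminal id).
SAMPLE_EVENTS = [
    ("zhangsan", "2020-12-23T09:00:00", "Beijing",  "pc-1"),
    ("zhangsan", "2020-12-23T09:01:00", "Beijing",  "pc-1"),
    ("lisi",     "2020-12-23T09:02:00", "Beijing",  "pc-2"),
    ("lisi",     "2020-12-23T09:03:00", "Shanghai", "phone-7"),
    ("lisi",     "2020-12-23T09:04:00", "Shenzhen", "pc-9"),
    ("lisi",     "2020-12-23T09:05:00", "Beijing",  "pc-2"),
    ("lisi",     "2020-12-23T09:06:00", "Shanghai", "phone-7"),
    ("lisi",     "2020-12-23T09:07:00", "Shenzhen", "pc-9"),
]

# Constructed platform records: the "unique data source" for docked apps.
SAMPLE_ACCOUNTS = {
    "zhangsan": {"id": "u-1001", "active": True, "access_rights": ["oa:read", "oa:write"]},
    "lisi":     {"id": "u-1002", "active": True, "access_rights": ["oa:read", "ad:login"]},
}
DOCKED_APPS = ["https://oa.example/scim/v2", "https://ad-bridge.example/scim/v2"]  # assumed


def detect_abnormal(events, home_location="Beijing"):
    """Return {account: [reasons]} for accounts whose latest WINDOW of logins
    breaches any of the three assumed thresholds."""
    by_account = defaultdict(list)
    for account, ts, location, terminal in events:
        by_account[account].append((datetime.fromisoformat(ts), location, terminal))
    findings = {}
    for account, rows in by_account.items():
        rows.sort()
        latest = rows[-1][0]
        recent = [r for r in rows if latest - r[0] <= WINDOW]
        reasons = []
        if len(recent) > MAX_LOGINS:
            reasons.append(f"frequent_login:{len(recent)}")
        remote = sum(1 for _, loc, _ in recent if loc != home_location)
        if remote > MAX_REMOTE:
            reasons.append(f"remote_login:{remote}")
        terminals = {term for _, _, term in recent}
        if len(terminals) > MAX_TERMINALS:
            reasons.append(f"terminals:{len(terminals)}")
        if reasons:
            findings[account] = reasons
    return findings


def restrict_account(record, reasons):
    """Platform-side change: strip access rights and deactivate. A new dict is
    returned so the original record stays available for the audit trail."""
    updated = dict(record)
    updated["active"] = False
    updated["access_rights"] = []
    updated["restriction_reasons"] = list(reasons)
    return updated


def scim_patch(record):
    """SCIM 2.0 PatchOp (RFC 7644, section 3.5.2) replacing the 'active' attribute."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
        "Operations": [{"op": "replace", "path": "active", "value": record["active"]}],
    }


def sync_to_apps(record, apps):
    """One (PATCH URL, JSON body) pair per docked app; sending is left to the caller."""
    body = json.dumps(scim_patch(record))
    return [(f"{app}/Users/{record['id']}", body) for app in apps]


def run_policy(events, accounts, apps):
    """Detect, restrict and prepare synchronization in one pass; returns the
    findings and the list of outbound SCIM requests."""
    findings = detect_abnormal(events)
    outbound = []
    for account, reasons in findings.items():
        accounts[account] = restrict_account(accounts[account], reasons)
        outbound.extend(sync_to_apps(accounts[account], apps))
    return findings, outbound


if __name__ == "__main__":
    found, requests = run_policy(SAMPLE_EVENTS, dict(SAMPLE_ACCOUNTS), DOCKED_APPS)
    print(found)
    for url, body in requests:
        print("PATCH", url, body)
```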
an information synchronization unit 203, configured to synchronize the target user account related information with the modified access operation authority to all applications docked with the unified identity authentication platform, where the target user account related information includes: the target user account, corresponding target user account attribute information and target user account access operation authority.
In summary, the monitoring apparatus for the full life cycle of a user account disclosed by the present invention creates user account related information on the front-end unified identity authentication platform, the user account related information including a user account, corresponding user account attribute information and access operation authority; when it is monitored through the unified identity authentication platform that the user account attribute information has changed and/or an abnormal operation has occurred, it modifies the access operation authority of the target user account whose attribute information has changed and/or on which the abnormal operation occurred, and synchronizes the target user account related information with the modified access operation authority to all applications docked with the platform. The invention creates the corresponding user account related information at user onboarding, and the whole process up to archiving the user account at resignation is completed on the unified identity authentication platform. When the platform monitors that user account attribute information has changed, such as a user position transfer or resignation, and/or that an abnormal operation has occurred, it modifies the access operation authority of the target user account to limit the user's access; the platform, as the unique data source docked with all applications, synchronizes the target user account related information with the modified access operation authority to all docked applications, so that the platform and the docked applications are updated synchronously. The invention thereby monitors all operation behaviours of the user account throughout its whole life cycle through the unified identity authentication platform, improving the operation and maintenance management level of the information system.
In practical application, the invention mainly has two modes of creating the user account related information on the front-end unified identity authentication platform: the first is synchronizing existing user account related information, and the second is creating the user account related information directly on the unified identity authentication platform.
Therefore, the information creating unit 201 may specifically include:
a first information creating subunit, configured to synchronize existing user account related information from an Active Directory (AD) domain or an office automation (OA) system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and a preset communication protocol, so as to create the user account related information.
In the synchronization process, the synchronization success information and the synchronization failure information of the user account related information can be recorded in a multi-dimensional manner. The synchronization success information can be output in a report form so as to be convenient for a system administrator to check, and the synchronization failure information can trigger the synchronization process again through a timer mechanism until the synchronization is successful.
Therefore, the information creating unit may further include:
and the information recording subunit is used for carrying out multi-dimensional recording on the synchronization success information and the synchronization failure information of the user account related information.
When the information related to the user account is directly created on the unified identity authentication platform, the information creating unit 201 further includes:
the second information creating subunit is used for creating a new user account on the unified identity authentication platform by adopting a preset unified account naming standard;
and the permission allocation subunit is used for adding corresponding user account attribute information to the newly-built user account and allocating corresponding access operation permission.
It should be noted that the newly created user account is the unique information for determining the user identity, so a common account naming specification is defined for user accounts in order to prevent duplicate names.
Thus, the second information creating subunit is specifically configured to:
arranging and combining the initial consonants and finals of the pinyin of the user name, together with a uniform code (Unicode) coding table, to obtain an initial user account;
the initial user account is sent to a server side, and the server side verifies the uniqueness and the legality of the initial user account;
and receiving a verification passing instruction fed back by the server side, and determining the initial user account as a user account newly established on the unified identity authentication platform.
It should be noted that when the server detects that the initial user account duplicates an existing user account, in order to ensure uniqueness the server may append a unique random number to the initial user account to modify it, and feed the modified initial user account back to the front end.
The random number may be any random number with uniqueness, for example a unique random number within 100; it is determined by actual needs and the present invention is not limited in this respect.
Therefore, the second information creating subunit is further specifically configured to:
and receiving a modified user account fed back by the server, and determining the modified user account as the user account newly created on the unified identity authentication platform, where the modified user account is generated by appending a unique random number to the initial user account when the server determines that the initial user account is duplicated.
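The naming and uniqueness flow of the second information creating subunit, as an added example that is not part of the patent: it splits each pinyin syllable into initial consonant and final, builds an initial account, has a stand-in server check legality and uniqueness, and on a duplicate appends a unique random number within 100. The concrete naming rule (surname pinyin plus given-name initials), the legality regex, the ü-to-v mapping and the pinyin input are assumptions.

```python
"""Added example, not part of the patent: derive an initial user account from
the pinyin of a user's name, verify it against a stand-in server, and append a
unique random number on collision. Naming rule, legality rule and input are
assumptions."""
import random
import re

# Pinyin initial consonants, longest first so "zh" is tried before "z".
INITIALS = ("zh", "ch", "sh", "b", "p", "m", "f", "d", "t", "n", "l", "g", "k",
            "h", "j", "q", "x", "r", "z", "c", "s", "y", "w")
ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9]{2,19}$")  # assumed legality rule


def split_syllable(syllable):
    """Split one pinyin syllable into (initial, final); 'ü' is mapped to 'v'
    so the account stays ASCII (assumed handling of the coding-table step)."""
    s = syllable.lower().replace("ü", "v")
    for ini in INITIALS:
        if s.startswith(ini):
            return ini, s[len(ini):]
    return "", s            # zero-initial syllable such as "an" or "er"


def initial_account(surname, given):
    """Assumed naming rule: full pinyin of the surname followed by the initial
    consonant of each given-name syllable (its first letter when it has none)."""
    parts = [ini + fin for ini, fin in map(split_syllable, surname)]
    for ini, fin in map(split_syllable, given):
        parts.append(ini or fin[0])
    return "".join(parts)


class AccountServer:
    """Stand-in for the server side that checks legality and uniqueness."""

    def __init__(self, existing=(), rng=None):
        self.accounts = set(existing)
        self.rng = rng or random.Random()

    def verify(self, candidate):
        """Return (accepted_unchanged, account). Raises on an illegal name;
        on a duplicate, returns a variant with a unique random suffix in 1..99."""
        if not ACCOUNT_RE.match(candidate):
            raise ValueError(f"illegal account name: {candidate!r}")
        if candidate not in self.accounts:
            self.accounts.add(candidate)
            return True, candidate
        free = [n for n in range(1, 100) if f"{candidate}{n}" not in self.accounts]
        if not free:
            raise RuntimeError(f"suffix space exhausted for {candidate!r}")
        chosen = f"{candidate}{self.rng.choice(free)}"
        self.accounts.add(chosen)
        return False, chosen


def create_account(server, surname, given):
    """Front-end flow: build the initial account, send it for verification,
    and adopt whatever the server feeds back (original or suffixed)."""
    _, account = server.verify(initial_account(surname, given))
    return account


if __name__ == "__main__":
    server = AccountServer(existing=["lvjb"], rng=random.Random(7))
    print(create_account(server, ["lü"], ["jiang", "bo"]))   # lvjb plus a suffix
    print(create_account(server, ["zhang"], ["an"]))          # zhanga
```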
After the user account related information is created on the unified identity authentication platform, it can be maintained through the platform. The user account, name and similar fields determine the uniqueness and non-repudiability of the user identity information, and the platform can perform custom expansion of the other user information, such as mailbox, mobile phone number, position and address, so that the user account information is completed. The system administrator has the highest operation authority on the unified identity authentication platform and, in practical application, can expand the attribute information of the user account on the platform according to actual requirements.
Therefore, to further optimize the above embodiment, the monitoring device may further include:
an extension information receiving unit, configured to receive extension information for the user account attribute information sent by the system administrator account after the system administrator account logs in to the unified identity authentication platform;
and an extension information adding unit, configured to add the extension information to the user account attribute information and synchronize the user account attribute information with the added extension information to all applications docked with the unified identity authentication platform.
In practical application, full life cycle management of user accounts can be realized through the unified identity authentication platform: organizations can be established or synchronized according to the existing personnel departments, group information and categories; an organization is selected and its complete member list obtained; and in the member list interface, company department information and personnel information can be added, modified and deleted, and the personnel information synchronized to all applications docked with the unified identity authentication platform.
After the system administrator defines the attribute information (attribute fields) of the user account on the unified identity authentication platform, not only can the system administrator maintain the attribute information through the existing user account related information, but the user can also independently modify, through a PC terminal or a mobile terminal, all information other than the fields that uniquely determine the user identity, such as the user account and name; for example position and address. When such information changes, the user does not need to ask the system administrator to make the modification: the user makes the modification after logging in to the unified identity authentication platform, the modification is sent to the system administrator for audit, and the audit content may include whether the modified content is valid, whether the format of the modification is correct, whether the position transfer information is correct, and the like. Once the modification passes the audit, it takes effect immediately. If the modified content is associated with the applications docked with the unified identity authentication platform, the platform synchronizes the modified user account related information to all docked applications.
Therefore, to further optimize the above embodiment, the monitoring device may further include:
a modification content receiving unit, configured to receive modification content for the user account related information sent by a user account that has logged in to the unified identity authentication platform;
a modification content auditing unit, configured to send the modification content to a system administrator terminal for validity audit, wherein the validity audit at least comprises: whether the modified content is information other than the unique identity of the user account within the user account related information;
and a modification content synchronization unit, configured to receive a validity audit passing instruction fed back by the system administrator, modify the user account related information according to the modification content, and synchronize the modified user account related information to all applications docked with the unified identity authentication platform.
It should be noted that if the system administrator finds the modified content incorrect or invalid, the modification is not approved; the system administrator then sends an email to the user through the unified identity authentication platform stating that the audit was not passed and describing the reason. The user revises the content and submits it again, and the system administrator audits it again, until the modification is approved or the user abandons it. For the modified content, the system can provide a complete modification record and the user's operation behaviour information.
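The self-service modification and audit flow described in both the method and device embodiments above, as an added example that is not part of the patent: a logged-in user submits changes, fields that uniquely determine identity are refused, an automated validity check (format, valid position) supports the administrator's audit, approved changes are applied and synchronized to the docked applications, rejections carry the reason that would be e-mailed, and every step is recorded. Field names, format rules, the position list and the sample account are assumptions.

```python
"""Added example, not part of the patent: self-service modification workflow
with identity-field protection, validity check, administrator audit,
synchronization to docked applications and a complete modification record.
Field names, format rules and sample data are assumptions."""
import re
from itertools import count

IDENTITY_FIELDS = {"account", "name"}          # never self-modifiable
FORMAT_RULES = {                                # assumed format checks
    "mailbox": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "mobile": re.compile(r"^1\d{10}$"),
}
VALID_POSITIONS = {"engineer", "senior engineer", "manager"}  # assumed org chart


def validity_check(changes, valid_positions=VALID_POSITIONS):
    """Return the reasons a change set fails; an empty list means it passes.
    Mirrors the audit content in the description: identity fields untouched,
    formats correct, a position transfer names a real position."""
    reasons = []
    for field, value in changes.items():
        if field in IDENTITY_FIELDS:
            reasons.append(f"{field}: uniquely identifies the user and cannot be self-modified")
        elif field in FORMAT_RULES and not FORMAT_RULES[field].match(str(value)):
            reasons.append(f"{field}: format incorrect")
        elif field == "position" and value not in valid_positions:
            reasons.append(f"position: {value!r} is not a valid position")
    return reasons


class ModificationWorkflow:
    def __init__(self, accounts, docked_apps):
        self.accounts = accounts            # platform records, the unique data source
        self.docked_apps = list(docked_apps)
        self.requests = {}                  # request id -> request with status
        self.records = []                   # complete modification / operation log
        self.sync_log = []                  # (app, account, changes) pushed downstream
        self._ids = count(1)

    def submit(self, account, changes):
        """A logged-in user submits changes; nothing is applied until audited."""
        rid = next(self._ids)
        self.requests[rid] = {"account": account, "changes": dict(changes), "status": "pending"}
        self.records.append((rid, account, "submitted", dict(changes)))
        return rid

    def audit(self, rid, admin):
        """System administrator audit: apply and synchronize on pass, otherwise
        return the notice (with reasons) that would be e-mailed to the user."""
        req = self.requests[rid]
        reasons = validity_check(req["changes"])
        if reasons:
            req["status"] = "rejected"
            self.records.append((rid, req["account"], f"rejected by {admin}", reasons))
            return {"to": req["account"], "approved": False, "reasons": reasons}
        self.accounts[req["account"]].update(req["changes"])
        for app in self.docked_apps:
            self.sync_log.append((app, req["account"], dict(req["changes"])))
        req["status"] = "approved"
        self.records.append((rid, req["account"], f"approved by {admin}", dict(req["changes"])))
        return {"to": req["account"], "approved": True, "reasons": []}


# Constructed platform data.
SAMPLE_ACCOUNTS = {
    "lisi": {"account": "lisi", "name": "Li Si", "mailbox": "lisi@example.com",
             "mobile": "13800000000", "position": "engineer", "address": "Beijing"},
}
DOCKED_APPS = ["oa-system", "ad-domain"]


def demo():
    """One rejected and one approved round trip on the constructed account."""
    wf = ModificationWorkflow({k: dict(v) for k, v in SAMPLE_ACCOUNTS.items()}, DOCKED_APPS)
    bad = wf.submit("lisi", {"name": "Wang Wu", "mobile": "12345", "position": "director"})
    first = wf.audit(bad, admin="sysadmin")
    good = wf.submit("lisi", {"position": "senior engineer", "address": "Shanghai"})
    second = wf.audit(good, admin="sysadmin")
    return wf, first, second


if __name__ == "__main__":
    wf, first, second = demo()
    print(first)
    print(second, wf.accounts["lisi"]["position"], len(wf.sync_log))
```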
Finally, it should also be noted that, in this document, relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (16)

1. A method for monitoring the full life cycle of a user account is characterized by comprising the following steps:
creating user account related information on a unified identity authentication platform at a front end, wherein the user account related information comprises: a user account, corresponding user account attribute information and access operation authority;
when it is monitored on the unified identity authentication platform that the user account attribute information has changed and/or an abnormal operation has occurred, modifying the access operation authority of the target user account whose user account attribute information has changed and/or on which the abnormal operation occurred, wherein the change in user account attribute information comprises user position transfer and user resignation;
synchronizing the target user account related information with the modified access operation authority to all applications docked with the unified identity authentication platform, wherein the target user account related information comprises: the target user account, corresponding target user account attribute information and target user account access operation authority.
2. The monitoring method according to claim 1, wherein the creating of the user account related information on the unified identity authentication platform at the front end specifically comprises:
synchronizing existing user account related information from an Active Directory AD domain or an office automation OA system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and a preset communication protocol, so as to create the user account related information.
3. The monitoring method of claim 2, further comprising:
and carrying out multi-dimensional recording on the synchronization success information and the synchronization failure information of the user account related information.
4. The monitoring method according to claim 1, wherein the creating of the user account related information on the unified identity authentication platform at the front end specifically further comprises:
establishing a new user account on the unified identity authentication platform by adopting a preset unified account naming standard;
and adding corresponding user account attribute information for the newly-built user account, and distributing corresponding access operation permission.
5. The monitoring method according to claim 4, wherein the creating of the user account on the unified identity authentication platform by using the preset unified account naming specification specifically comprises:
arranging and combining the initial consonants and finals of the pinyin of the user name, together with a uniform code (Unicode) coding table, to obtain an initial user account;
the initial user account is sent to a server side, and the server side verifies the uniqueness and the legality of the initial user account;
and receiving a verification passing instruction fed back by the server side, and determining the initial user account as a user account newly established on the unified identity authentication platform.
6. The monitoring method according to claim 5, wherein creating the user account on the unified identity authentication platform by using the preset unified account naming specification further comprises:
receiving a modified user account fed back by the server, and determining the modified user account as the user account newly created on the unified identity authentication platform, wherein the modified user account is generated by appending a unique random number to the initial user account when the server determines that the initial user account is duplicated.
7. The monitoring method of claim 1, further comprising:
when a system administrator account logs in to the unified identity authentication platform, receiving extension information for the user account attribute information sent by the system administrator account;
and adding the extension information to the user account attribute information, and synchronizing the user account attribute information with the added extension information to all applications docked with the unified identity authentication platform.
8. The monitoring method of claim 1, further comprising:
receiving modification content for the user account related information sent by a user account that has logged in to the unified identity authentication platform;
sending the modification content to a system administrator terminal for validity check, wherein the validity check at least comprises: whether the modified content is information other than the unique identity of the user account within the user account related information;
and receiving a validity check passing instruction fed back by the system administrator, modifying the user account related information according to the modification content, and synchronizing the modified user account related information to all applications docked with the unified identity authentication platform.
9. A monitoring device for a full life cycle of a user account is characterized by comprising:
an information creating unit, configured to create user account related information on a front-end unified identity authentication platform, where the user account related information includes: a user account, corresponding user account attribute information and access operation authority;
an authority modification unit, configured to, when it is monitored on the unified identity authentication platform that the user account attribute information has changed and/or an abnormal operation has occurred, modify the access operation authority of the target user account whose user account attribute information has changed and/or on which the abnormal operation occurred, wherein the change in user account attribute information comprises user position transfer and user resignation;
an information synchronization unit, configured to synchronize the target user account related information with the modified access operation authority to all applications docked with the unified identity authentication platform, where the target user account related information includes: the target user account, corresponding target user account attribute information and target user account access operation authority.
10. The monitoring device according to claim 9, wherein the information creating unit specifically includes:
a first information creating subunit, configured to synchronize existing user account related information from the Active Directory AD domain or the office automation OA system to the unified identity authentication platform through a synchronization engine, a transaction mechanism and a preset communication protocol, so as to create the user account related information.
11. The monitoring device according to claim 10, wherein the information creating unit further includes:
and the information recording subunit is used for carrying out multi-dimensional recording on the synchronization success information and the synchronization failure information of the user account related information.
12. The monitoring device according to claim 9, wherein the information creating unit further includes:
the second information creating subunit is used for creating a user account on the unified identity authentication platform by adopting a preset unified account naming standard;
and the permission allocation subunit is used for adding corresponding user account attribute information to the newly-built user account and allocating corresponding access operation permission.
13. The monitoring device of claim 12, wherein the second information creating subunit is specifically configured to:
arrange and combine the initial consonants and finals of the pinyin of the user name, together with a uniform code (Unicode) coding table, to obtain an initial user account;
the initial user account is sent to a server side, and the server side verifies the uniqueness and the legality of the initial user account;
and receiving a verification passing instruction fed back by the server side, and determining the initial user account as a user account newly established on the unified identity authentication platform.
14. The monitoring device according to claim 13, wherein the second information creating subunit is further configured to:
receive a modified user account fed back by the server, and determine the modified user account as the user account newly created on the unified identity authentication platform, wherein the modified user account is generated by appending a unique random number to the initial user account when the server determines that the initial user account is duplicated.
15. The monitoring device of claim 9, further comprising:
an extension information receiving unit, configured to receive extension information for the user account attribute information sent by the system administrator account after the system administrator account logs in to the unified identity authentication platform;
and an extension information adding unit, configured to add the extension information to the user account attribute information and synchronize the user account attribute information with the added extension information to all applications docked with the unified identity authentication platform.
16. The monitoring device of claim 9, further comprising:
a modification content receiving unit, configured to receive modification content for the user account related information sent by a user account that has logged in to the unified identity authentication platform;
a modification content auditing unit, configured to send the modification content to a system administrator terminal for validity audit, wherein the validity audit at least comprises: whether the modified content is information other than the unique identity of the user account within the user account related information;
and a modification content synchronization unit, configured to receive a validity audit passing instruction fed back by the system administrator, modify the user account related information according to the modification content, and synchronize the modified user account related information to all applications docked with the unified identity authentication platform.
CN202011533368.6A 2020-12-23 2020-12-23 Method and device for monitoring full life cycle of user account Pending CN114662084A (en)

Publications (1)

Publication Number Publication Date
CN114662084A true CN114662084A (en) 2022-06-24

Family

ID=82024504

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011533368.6A Pending CN114662084A (en) 2020-12-23 2020-12-23 Method and device for monitoring full life cycle of user account

Country Status (1)

Country Link
CN (1) CN114662084A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114745203A (en) * 2022-05-13 2022-07-12 长扬科技(北京)有限公司 Method and device for monitoring full life cycle of user account

Similar Documents

Publication Publication Date Title
US11907359B2 (en) Event-based user state synchronization in a local cloud of a cloud storage system
US10003458B2 (en) User key management for the secure shell (SSH)
AU2013212636B2 (en) Application licensing using sync providers
US8185550B1 (en) Systems and methods for event-based provisioning of elevated system privileges
CN102947797B (en) The online service using directory feature extending transversely accesses and controls
JP5211160B2 (en) How to automatically manage computer network system downtime
CN101217368A (en) A network logging on system and the corresponding configuration method and methods for logging on the application system
CN109299333B (en) Block chain network account book member management method, device, equipment and storage medium
JP2006510991A (en) Distributed content management system
WO2002061653A9 (en) System and method for resource provisioning
CN114662084A (en) Method and device for monitoring full life cycle of user account
JP2009245268A (en) Business management system
CN112039910B (en) Method, system, equipment and medium for unified management of authentication and authority
WO2024146285A1 (en) Blockchain-based data processing method, device, and readable storage medium
CN107508810B (en) Authentication management method, device and system based on mobile office application
US9690913B2 (en) License management in a networked software application solution
CN114745203A (en) Method and device for monitoring full life cycle of user account
CN113421052A (en) Data sharing management method, system and computer readable storage medium
CN113162950A (en) Mobile application secondary authority authentication and management system based on i country network
CN111092864B (en) Session protection method, device, equipment and readable storage medium
CN116340902A (en) Domain control-based device activation method, system and readable storage medium
US7840615B2 (en) Systems and methods for interoperation of directory services
Cisco Administering the CiscoWorks2000 Server
CN109257213B (en) Method and device for judging computer terminal access verification failure
CN111400751A (en) Disaster recovery cloud storage system construction method based on block chain technology

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination