CN117540404A - Management authority matching method, device and system - Google Patents
Management authority matching method, device and system Download PDFInfo
- Publication number
- CN117540404A CN117540404A CN202311633290.9A CN202311633290A CN117540404A CN 117540404 A CN117540404 A CN 117540404A CN 202311633290 A CN202311633290 A CN 202311633290A CN 117540404 A CN117540404 A CN 117540404A
- Authority
- CN
- China
- Prior art keywords
- user
- authority
- rights
- authorities
- management
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 53
- 230000007246 mechanism Effects 0.000 claims abstract description 43
- 230000008859 change Effects 0.000 claims abstract description 36
- 238000004891 communication Methods 0.000 claims abstract description 22
- 230000006399 behavior Effects 0.000 claims abstract description 21
- 238000012795 verification Methods 0.000 claims abstract description 12
- 206010000117 Abnormal behaviour Diseases 0.000 claims abstract description 10
- 238000007726 management method Methods 0.000 claims description 47
- 238000012544 monitoring process Methods 0.000 claims description 33
- 230000008569 process Effects 0.000 claims description 23
- 238000012508 change request Methods 0.000 claims description 19
- 238000012550 audit Methods 0.000 claims description 14
- 238000004590 computer program Methods 0.000 claims description 10
- 239000008186 active pharmaceutical agent Substances 0.000 claims description 9
- 230000006870 function Effects 0.000 claims description 7
- 230000001960 triggered effect Effects 0.000 claims description 7
- 230000000694 effects Effects 0.000 claims description 5
- 238000013461 design Methods 0.000 claims description 4
- 238000012552 review Methods 0.000 claims description 4
- 238000013475 authorization Methods 0.000 claims description 3
- 239000003086 colorant Substances 0.000 claims description 3
- 238000005516 engineering process Methods 0.000 description 3
- 230000000737 periodic effect Effects 0.000 description 3
- 238000010586 diagram Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012549 training Methods 0.000 description 2
- 230000002159 abnormal effect Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000007405 data analysis Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 238000012217 deletion Methods 0.000 description 1
- 230000037430 deletion Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 230000036541 health Effects 0.000 description 1
- 238000007689 inspection Methods 0.000 description 1
- 239000004973 liquid crystal related substance Substances 0.000 description 1
- 230000033001 locomotion Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 238000012545 processing Methods 0.000 description 1
- 230000003442 weekly effect Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
A management authority matching method, device and system are characterized by comprising the following steps: determining resources to be managed and corresponding authorities, and defining different user roles in a system; establishing an authority standard, defining responsibility and authority of each role in the system, determining resources and corresponding authorities required to be managed by designing the authority, and defining hierarchical structures of different user roles in the system; an effective identity verification mechanism is arranged; according to the role and the identity of the user, automatically distributing initial rights in a registration or initialization stage, and considering dynamically adjusting the rights according to the behavior and the requirements of the user; recording the authority use condition of each user, and timely finding out abnormal behaviors; and setting a strategy for periodically checking the rights, establishing an effective communication mechanism, responding in time, and implementing a rights revocation mechanism to revoke the rights in time. The invention introduces a permission adjustment mechanism, and the system dynamically adjusts the permission according to the actual behavior and responsibility of the user, so as to ensure that the permission is consistent with the change of the user work task.
Description
Technical Field
The invention belongs to the technical field of resource authority management, and particularly relates to a management authority matching method, device and system.
Background
With the development of modern science and technology, initial rights are unreasonably distributed, a dynamic adjustment mechanism is lacked, or an approval process is too complicated, so that some users have excessive rights, or some users cannot execute operations required by actual work. The lack of an automatic authority adjustment mechanism is complicated in the approval process, or the inspection period is too long, and when the user responsibility is changed or the role is changed, the authority adjustment is not followed in time. Lack of system resources and technology or importance to audit and monitoring, no effective audit and monitoring mechanism exists, the authority use condition of the user cannot be tracked, and potential safety problems are difficult to discover in time. Lack of training and documentation, or lack of a clear communication channel, results in insufficient knowledge of the user's rights change process and specifications. Lack of real-time monitoring of rights usage, or defects in the approval process. There is a risk of rights abuse that some users may accidentally or maliciously gain rights beyond their work needs. The flow design is unreasonable, the number of approval personnel is too large or too small, or the approval rule is not intelligent enough, so that the processing time of the permission change request is too long, and the normal work of a user is influenced.
Disclosure of Invention
This section is intended to outline some aspects of embodiments of the invention and to briefly introduce some preferred embodiments. Some simplifications or omissions may be made in this section as well as in the description summary and in the title of the application, to avoid obscuring the purpose of this section, the description summary and the title of the invention, which should not be used to limit the scope of the invention.
The present invention has been made in view of the above-mentioned or existing problems with the management right matching method.
In order to solve the technical problems, the invention provides the following technical scheme:
in a first aspect, an embodiment of the present invention provides a management right matching method, including: determining resources to be managed and corresponding authorities, and defining different user roles in a system; establishing an authority standard, defining responsibility and authority of each role in the system, determining resources and corresponding authorities required to be managed by designing the authority, defining hierarchical structures of different user roles in the system, and ensuring that low-level authorities are contained in high-level authorities; setting an identity verification mechanism to ensure that each user can be identified; according to the roles and identities of the users, initial rights are automatically allocated in a registration or initialization stage, and dynamic adjustment of rights according to the behaviors and requirements of the users is considered, so that timely reflection of the activities and role changes of the users in the system is ensured; recording the authority use condition of each user so as to track potential safety problems, and using a monitoring system to monitor the use condition of the authority of the user in real time and discover abnormal behaviors in time; and setting a policy for periodically checking the authority, ensuring that the authority is consistent with the change of the responsibility of the user, establishing an effective communication mechanism, enabling the user to give out a request for authority change and respond in time, and implementing an authority revocation mechanism, wherein the authority can be revoked in time when the user does not need the authority any more.
As a preferable scheme of the management right matching method, the invention comprises the following steps: the determining the resources to be managed and the corresponding authorities define different user roles in the system, and the determining comprises the following steps: determining platform resources to be managed, including user data and system settings, and API access and operation logs; classifying the resources according to types, and dividing the user data into personal information and historical records; the key user roles in the platform are identified, wherein the key user roles comprise an administrator, a common user and a developer, the responsibility of each role in the platform is clear, the administrator is responsible for configuring system settings, the common user is responsible for using core functions, and the developer is responsible for accessing APIs.
As a preferable scheme of the management right matching method, the invention comprises the following steps: defining authority standards, defining responsibility and authority of each role in the system, determining resources and corresponding authorities to be managed by designing the authority, defining hierarchical structures of different user roles in the system, and ensuring that low-level authorities are contained in high-level authorities, wherein the method comprises the following steps: in platform management, a common user has basic access and operation authority, views and edits personal information and participates in a business process, an administrator is responsible for system configuration and user management, user account management, system setting configuration and system operation monitoring, and an approver participates in a user of the approval process, participates in the approval process, and audits and approves related requests; making permission standards, wherein a common user can only access and edit personal information of the common user, access and edit documents related to work of the common user and data input and report viewing; the administrator has access and editing rights to all user information, full access and editing rights to all documents, and configures the system setup and monitoring system operation.
As a preferable scheme of the management right matching method, the invention comprises the following steps: the provision of an effective authentication mechanism to ensure that each user can be identified includes: all users are forced to start the two-factor identity authentication so as to improve the security of the system; and (3) further setting a verification mechanism for the common users with low management authorities, identifying different common users by using biological identification features, displaying red colors with different degrees during identification, wherein the dark red color represents the highest access authority level a, the red color represents the common access authority level b, the light red color represents the lowest access authority level c, and carrying out dynamic authorization according to the management authority level of the users.
As a preferable scheme of the management right matching method, the invention comprises the following steps: the automatic allocation of initial rights in registration or initialization stage according to the roles and identities of the users, and the dynamic adjustment of rights according to the behaviors and demands of the users are considered, including: creating a role template for each user role, defining the initial authority of the role in the system, wherein each template comprises the access authority of resources and the authority for executing specific operations; in the user registration or initialization stage, the system automatically allocates corresponding rights according to the roles of the users, the ordinary users are allocated with basic reading and editing rights, and the administrator obtains wider system configuration rights; using a dynamic rule engine, the engine automatically adjusts rights according to information, behaviors and requirements provided by a user; dynamically adjusting user rights according to the context information, and ensuring that a user can only access and operate resources related to the current task; implementing the approval process of the permission change to ensure that any permission adjustment is reasonably audited, and starting the approval process by the system when a user needs to access more sensitive information or execute higher-level operation; and the integrated learning algorithm automatically adjusts the authority according to the historical behaviors and preferences of the user, and automatically improves the authority of the user on certain types of resources when the system observes that the user frequently accesses the resources.
As a preferable scheme of the management right matching method, the invention comprises the following steps: recording the authority use condition of each user so as to track potential safety problems, monitoring the use condition of the authority of the user in real time by using a monitoring system, and timely discovering abnormal behaviors, wherein the method comprises the following steps: for each user, establishing an audit log to record the authority use condition of the user, wherein the recorded information comprises login time, accessed resources, executed operations and possible authority change; setting a mechanism for periodically generating an audit report, and checking the use condition of authorities in a system; the integrated monitoring system monitors the authority use condition of a user in real time, when a certain user is found to frequently request or use high-level authority, an alarm mechanism is triggered, a threshold value is set, and when the threshold value is exceeded, automatic alarm is triggered or the authority of the user is temporarily limited.
As a preferable scheme of the management right matching method, the invention comprises the following steps: the policy of setting the periodic examination permission ensures that the permission is consistent with the change of the user responsibility, establishes an effective communication mechanism, and enables the user to request permission change, and comprises the following steps: performing authority examination once every quarter or half year, paying special attention to the change of the user roles in regular examination, ensuring that new responsibilities and authorities are matched with the roles, and performing additional examination on the role change to prevent abuse of the authorities; a clear communication channel is established, so that an administrator and a user can know the flow and the regulation of the authority change in time, all related parties are ensured to clearly propose the authority change request, a network platform is established in the system, the user submits the authority change request on the network platform, and a system message notification is sent to remind the user to check the authority of the user and propose a necessary change request.
In a second aspect, an embodiment of the present invention provides a management authority matching system, which includes a role definition module, configured to determine resources to be managed and corresponding authorities, and define different user roles in the system;
the authority setting module is used for setting authority standards, defining the responsibility and authority of each role in the system, designing resources and corresponding authorities which need to be managed according to the determination of the authority, defining the hierarchical structures of different user roles in the system, and ensuring that the low-level authorities are contained in the high-level authorities; the identity verification module is used for setting an identity verification mechanism so as to ensure that each user can be identified; the permission adjustment module is used for automatically distributing initial permission in a registration or initialization stage according to the roles and identities of the users, and dynamically adjusting the permission according to the behaviors and demands of the users to ensure that the activities and role changes of the users in the system are reflected in time; the permission monitoring module is used for recording the permission use condition of each user so as to track potential safety problems, and the use monitoring system is used for monitoring the use condition of the user permission in real time and finding out abnormal behaviors in time; and the examination communication module is used for setting a strategy for periodically examining the authority, ensuring that the authority is consistent with the change of the responsibility of the user, establishing an effective communication mechanism, enabling the user to give out the request of the authority change, responding in time, and implementing the authority revocation mechanism, and when the user does not need the authority any more, the authority can be revoked in time.
In a third aspect, embodiments of the present invention provide a computer apparatus comprising a memory and a processor, the memory storing a computer program, wherein: the processor, when executing the computer program, implements any step of the above-described management right matching method.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium having a computer program stored thereon, wherein: the computer program when executed by a processor implements any of the steps of the management right matching method described above.
The beneficial effects of the invention are as follows: by introducing an intelligent authority adjustment mechanism, the system can dynamically adjust the authority according to the actual behaviors and responsibilities of the user, and ensure that the authority is consistent with the change of the user work task. By introducing an automatic audit and monitoring mechanism, the system can monitor the authority use condition of the user in real time and timely discover abnormal behaviors, so that the safety of the system is improved, and the potential risk is reduced. The design is simplified and the user-friendly authority change request flow is realized, the threshold for the user to request is reduced, the authority change request can be conveniently provided, and the user participation is increased. The policy of periodically checking the authority is set, and the manager and the user can know the flow and the regulation of the authority change in time through periodic reminding and notification, so that the authority hysteresis problem is reduced. And establishing a clear communication channel, providing training and documents, enabling users and administrators to know the basic principle and flow of authority management, and enhancing effective communication between the users and the management layer. The self-service authority changing function of the user is provided, so that the user can conveniently give out an authority changing request, the burden of authority management is relieved, and the flexibility of the system is improved. The introduction mechanism detects the rights which are not used for a long time, marks the rights as idle rights, realizes the automatic revocation of the abnormal rights, and improves the security of the system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art. Wherein:
fig. 1 is a flowchart of a management right matching method according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of a management authority matching system according to an embodiment of the present invention.
Fig. 3 is a flowchart of steps for authentication of a method, apparatus and system for matching management rights according to an embodiment of the present invention.
Fig. 4 is an internal structure diagram of a computer device of a method, a device and a system for matching management rights according to an embodiment of the present invention.
Detailed Description
In order that the above-recited objects, features and advantages of the present invention will become more readily apparent, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present invention, but the present invention may be practiced in other ways other than those described herein, and persons skilled in the art will readily appreciate that the present invention is not limited to the specific embodiments disclosed below.
Further, reference herein to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic can be included in at least one implementation of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments.
Examples
Referring to fig. 1 to 3, a first embodiment of the present invention provides a management right matching method, including:
s1: and determining resources to be managed and corresponding rights, and defining different user roles in the system.
Preferably, platform resources to be managed are determined, including user data, system settings, API access and operation logs, the resources are classified according to types, and the user data is divided into personal information and historical records; the key user roles in the platform are identified, wherein the key user roles comprise an administrator, a common user and a developer, the responsibility of each role in the platform is clear, the administrator is responsible for configuring system settings, the common user is responsible for using core functions, and the developer is responsible for accessing APIs.
Further, the administrator is responsible for configuring system settings, including security settings and notification settings, and other global settings, has complete access rights to all resources, and can configure user rights and system parameters; the common user uses the core function of the platform to execute conventional operations such as inquiry, editing and the like, and can only access and modify personal information of the common user and execute the core function operation; the developer is responsible for accessing the API of the platform, developing and integrating, has the authority to access the API, and may need a specific API key
S2: and (3) establishing a permission standard, defining the responsibility and the permission of each role in the system, determining resources and corresponding permissions which need to be managed by determining the design permission, and defining the hierarchical structures of different user roles in the system.
Preferably, in platform management, a common user has basic access and operation authority, views and edits personal information and participates in a business process, an administrator is responsible for system configuration and user management, user account management, system setting configuration and system operation monitoring, and an approver participates in a user of the approval process, participates in the approval process, and audits and approves related requests; making permission standards, wherein a common user can only access and edit personal information of the common user, access and edit documents related to work of the common user and data input and report viewing; the administrator has access and editing rights to all user information, full access and editing rights to all documents, and configures the system setup and monitoring system operation.
Further, the administrator has full access and editing rights to all user information on the platform, views and modifies personal information of any user, creates, modifies and deletes user accounts, including assigning roles and rights. Full access and editing rights to all documents: an administrator views and edits all documents and files on the platform, whether or not relevant to its work. The creation, modification, deletion and movement of the document can be performed, and the effective management of the document library is ensured. The rights to configure the system settings of the platform, including security settings and notification settings. System operating status, log records, and other information related to system health may be reviewed.
Further, the approver has the authority to participate in the approval process, and can receive and approve the related request. The method can audit and approve the request of a specific type, and ensure the smooth proceeding of the approval process.
S3: an efficient authentication mechanism is provided to ensure that each user can be identified.
Preferably, all users are forced to enable two-factor authentication so as to improve the security of the system; and (3) further setting a verification mechanism for the common users with low management authorities, identifying different common users by using biological identification features, displaying red colors with different degrees during identification, wherein the dark red color represents the highest access authority level a, the red color represents the common access authority level b, the light red color represents the lowest access authority level c, and carrying out dynamic authorization according to the management authority level of the users.
Further, after verifying the user identity, if the user identity is at the lowest management authority level c, the user will not grant further deep management rights to the user, and the access is terminated; if the user identity is the management authority b level, the user obtains further depth management rights and grants the first level of management rights; if the user identity is the highest access authority level a, the user obtains further depth management rights and grants secondary management rights.
Further, for a-level management authority users, secondary management rights are further extended, allowing configuration of system settings, access to advanced management tools and functions, providing advanced data analysis tools and the ability to generate detailed reports to help them understand data better, allowing them to create and manage custom workflows to meet organization specific needs, allowing them to pipeline more data sources and resources to support wider business needs; the system should be able to control and monitor the rights of users in real time to accommodate changes in their needs and behavior, and should adjust their access rights immediately if the rights level of users changes.
S4: according to the role and identity of the user, initial rights are automatically allocated in the registration or initialization stage, and dynamic rights adjustment according to the behavior and requirements of the user is considered.
Preferably, for each user role, a role template is created, the initial authority of the role in the system is defined, and each template contains the access authority of the resource and the authority for executing specific operation; in the user registration or initialization stage, the system automatically allocates corresponding rights according to the roles of the users, the ordinary users are allocated with basic reading and editing rights, and the administrator obtains wider system configuration rights; using a dynamic rules engine, the engine automatically adjusts permissions based on information, behavior, and requirements provided by the user.
Preferably, the user permission is dynamically adjusted according to the context information, so that the user can only access and operate the resources related to the current task; implementing the approval process of the permission change to ensure that any permission adjustment is reasonably audited, and starting the approval process by the system when a user needs to access more sensitive information or execute higher-level operation; and the integrated learning algorithm automatically adjusts the authority according to the historical behaviors and preferences of the user, and automatically improves the authority of the user on certain types of resources when the system observes that the user frequently accesses the resources.
Further, in the user registration or initialization stage, the system automatically allocates the ordinary user role template rights according to the ordinary user roles. The general user is assigned basic read and edit rights including read and edit of personal information and read and edit rights of documents related to work. The administrator is automatically assigned administrator role template permissions during the registration or initialization phase. The administrator obtains broader system configuration rights including reading and editing of all user information, reading and editing of all documents, and system setup and operation monitoring rights.
Further, when a user provides new information or changes in duty, the rules engine may automatically adjust the user's rights based on the information. If a user is assigned a new project, the rules engine may automatically adjust its document rights to access documents related to the project. The rule engine can dynamically adjust the authority of the user according to the behavior of the user in the system and the proposed authority change request. When a user frequently accesses a certain type of resource, the rule engine can automatically improve the authority of the user to the type of resource.
Further, if a user frequently accesses a particular project document, the user frequently accesses a certain project document in the system. The ensemble learning algorithm analyzes the user's historical behavior and preferences and finds that the user shows a high degree of interest in the project document. The system automatically improves the authority level of the user on the project document according to the prediction result, so that the user can access and edit related resources more conveniently.
S5: recording the authority use condition of each user so as to track potential safety problems, and monitoring the use condition of the authority of the user in real time by using a monitoring system to discover abnormal behaviors in time.
Preferably, for each user, an audit log is established to record the authority use condition of the user, and the recorded information comprises login time, accessed resources, executed operations and possible authority change; setting a mechanism for periodically generating an audit report, and checking the use condition of authorities in a system; the integrated monitoring system monitors the authority use condition of a user in real time, when a certain user is found to frequently request or use high-level authority, an alarm mechanism is triggered, a threshold value is set, and when the threshold value is exceeded, automatic alarm is triggered or the authority of the user is temporarily limited.
Further, a period for generating audit reports periodically is set, such as weekly or monthly. The report includes statistical information of authority use condition, user login times, accessed resources and operations, authority change records and the like. The system generates audit reports every week, and gathers user login conditions, the number of times of accessing resources and executing operations and specific operation information. The real-time monitoring frequency of the monitoring system on the use condition of the user permission is set, such as checking once per minute. The user's login, resource access, operation execution, and other actions are monitored. A threshold is set and an alert mechanism is triggered when the user requests or uses a high level of authority beyond the set threshold.
Further, if the user B frequently requests the high-level authority in a short time, the monitoring system detects that the request of the user B exceeds a set threshold value, and triggers an alarm mechanism. The mail is sent to inform the administrator to provide the specific behavior and request condition of the user B. According to the setting of the alarm mechanism, an alarm notification is automatically sent to the relevant personnel. If the user C requests the high-level authority for a plurality of times in a short time, the set threshold value is exceeded. The system automatically sends an alarm notification to an administrator, temporarily limits the high-level authority of the user C, and ensures the security.
S6: and setting a policy for periodically checking the authority, ensuring that the authority is consistent with the change of the user responsibility, and establishing an effective communication mechanism so that the user can request for authority change.
Preferably, a permission review is performed once a quarter or half year, with special attention paid to the change of user roles in the periodic review, ensuring that new responsibilities and permissions match their roles, and additional review is performed for role changes to prevent abuse of permissions; a clear communication channel is established, so that an administrator and a user can know the flow and the regulation of the authority change in time, all related parties are ensured to clearly propose the authority change request, a network platform is established in the system, the user submits the authority change request on the network platform, and a system message notification is sent to remind the user to check the authority of the user and propose a necessary change request.
Further, a network platform is built in the system, and an administrator and a user are notified through a system message.
And sending an email notification to remind related personnel to check the permission and make a change request. If the responsibility of the user A is changed, the user A receives a system message notification to remind to check the authority condition, the user A submits an authority change request on a system network platform, and an administrator examines the change request after receiving the notification.
Furthermore, a network platform is built in the system, and a user conveniently submits a permission change request. And the user submits a permission change request through the network platform, provides the reason and related information of the change, and carries out an approval process after receiving the request by an administrator so as to ensure that the change meets the regulation. If the user B needs to expand the authority of a certain type of resource, the user B logs in the system network platform and submits an authority change request, wherein the request comprises the reason and the detailed description of the authority expansion of the certain type of resource. And the administrator receives the request and performs an approval process to ensure reasonable change.
In a preferred embodiment, a management authority matching system, the system role definition module is used for determining resources to be managed and corresponding authorities and defining different user roles in the system; the authority setting module is used for setting authority standards, defining the responsibility and authority of each role in the system, designing resources and corresponding authorities which need to be managed according to the determination of the authority, defining the hierarchical structures of different user roles in the system, and ensuring that the low-level authorities are contained in the high-level authorities; the identity verification module is used for setting an effective identity verification mechanism so as to ensure that each user can be identified; the permission adjustment module is used for automatically distributing initial permission in a registration or initialization stage according to the roles and identities of the users, and dynamically adjusting the permission according to the behaviors and demands of the users to ensure that the activities and role changes of the users in the system are reflected in time; the permission monitoring module is used for recording the permission use condition of each user so as to track potential safety problems, and the use monitoring system is used for monitoring the use condition of the user permission in real time and finding out abnormal behaviors in time; and the examination communication module is used for setting a strategy for periodically examining the authority, ensuring that the authority is consistent with the change of the responsibility of the user, establishing an effective communication mechanism, enabling the user to give out the request of the authority change, responding in time, and implementing the authority revocation mechanism, and when the user does not need the authority any more, the authority can be revoked in time.
The above unit modules may be embedded in hardware or independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above units.
In one embodiment, a computer device, which may be a terminal, is provided that includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless mode can be realized through WIFI, an operator network, NFC (near field communication) or other technologies. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, can also be keys, a track ball or a touch pad arranged on the shell of the computer equipment, and can also be an external keyboard, a touch pad or a mouse and the like.
It should be noted that the above embodiments are only for illustrating the technical solution of the present invention and not for limiting the same, and although the present invention has been described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications and equivalents may be made thereto without departing from the spirit and scope of the technical solution of the present invention, which is intended to be covered by the scope of the claims of the present invention.
Claims (10)
1. A management right matching method, comprising:
determining resources to be managed and corresponding authorities, and defining different user roles in a system;
establishing an authority standard, defining responsibility and authority of each role in the system, determining resources and corresponding authorities required to be managed by designing the authority, defining hierarchical structures of different user roles in the system, and ensuring that low-level authorities are contained in high-level authorities;
setting an identity verification mechanism to ensure that each user can be identified;
according to the roles and identities of the users, initial rights are automatically allocated in a registration or initialization stage, and dynamic adjustment of rights according to the behaviors and requirements of the users is considered, so that timely reflection of the activities and role changes of the users in the system is ensured;
recording the authority use condition of each user so as to track potential safety problems, and using a monitoring system to monitor the use condition of the authority of the user in real time and discover abnormal behaviors in time;
and setting a policy for periodically checking the authority, ensuring that the authority is consistent with the change of the responsibility of the user, establishing an effective communication mechanism, enabling the user to give out a request for authority change and respond in time, and implementing an authority revocation mechanism, wherein the authority can be revoked in time when the user does not need the authority any more.
2. The method for matching management rights according to claim 1, wherein said determining resources to be managed and corresponding rights defines different user roles in the system, comprising:
determining platform resources to be managed, including user data and system settings, and API access and operation logs;
classifying the resources according to types, and dividing the user data into personal information and historical records; the key user roles in the platform are identified, wherein the key user roles comprise an administrator, a common user and a developer, the responsibility of each role in the platform is clear, the administrator is responsible for configuring system settings, the common user is responsible for using core functions, and the developer is responsible for accessing APIs.
3. The method for matching management authorities according to claim 1, wherein said formulating authority criteria, defining the responsibility and authority of each role in the system, defining the resources to be managed and the corresponding authorities for the determination of the design authorities, defining the hierarchical structure of different user roles in the system, and ensuring the inclusion of low-level authorities in high-level authorities, includes:
in platform management, a common user has basic access and operation rights, views and edits personal information and participates in a business process; the administrator is responsible for system configuration and user management, managing user accounts and configuring system settings and monitoring system operation; the approver participates in the user of the approval process, participates in the approval process, and reviews and approves the related request; making permission standards, wherein a common user can only access and edit personal information of the common user, access and edit documents related to work of the common user and data input and report viewing; the administrator has access and editing rights to all user information, full access and editing rights to all documents, and configures the system setup and monitoring system operation.
4. The management rights matching method of claim 1, wherein said setting up an effective authentication mechanism to ensure that each user can be identified comprises:
all users are forced to start the two-factor identity authentication so as to improve the security of the system; and (3) further setting a verification mechanism for the common users with low management authorities, identifying different common users by using biological identification features, displaying red colors with different degrees during identification, wherein the dark red color represents the highest access authority level a, the red color represents the common access authority level b, the light red color represents the lowest access authority level c, and carrying out dynamic authorization according to the management authority level of the users.
5. The management right matching method as claimed in claim 1, wherein the automatically assigning the initial right in the registration or initialization stage according to the role and identity of the user, considering dynamically adjusting the right according to the behavior and demand of the user, comprises:
creating a role template for each user role, defining the initial authority of the role in the system, wherein each template comprises the access authority of resources and the authority for executing specific operations; in the user registration or initialization stage, the system automatically allocates corresponding rights according to the roles of the users, the ordinary users are allocated with basic reading and editing rights, and the administrator obtains wider system configuration rights; using a dynamic rule engine, the engine automatically adjusts rights according to information, behaviors and requirements provided by a user; dynamically adjusting user rights according to the context information, and ensuring that a user can only access and operate resources related to the current task; implementing the approval process of the permission change to ensure that any permission adjustment is reasonably audited, and starting the approval process by the system when a user needs to access more sensitive information or execute higher-level operation; and the integrated learning algorithm automatically adjusts the authority according to the historical behaviors and preferences of the user, and automatically improves the authority of the user on certain types of resources when the system observes that the user frequently accesses the resources.
6. The method for matching management authorities according to claim 1, wherein said recording the authority usage of each user for tracking potential security problems, using a monitoring system to monitor the usage of the user's authorities in real time and to discover abnormal behavior in time, comprises:
for each user, establishing an audit log to record the authority use condition of the user, wherein the recorded information comprises login time, accessed resources, executed operations and possible authority change; setting a mechanism for periodically generating an audit report, and checking the use condition of authorities in a system; the integrated monitoring system monitors the authority use condition of a user in real time, when a certain user is found to frequently request or use high-level authority, an alarm mechanism is triggered, a threshold value is set, and when the threshold value is exceeded, automatic alarm is triggered or the authority of the user is temporarily limited.
7. The method for matching management authorities according to claim 1, wherein said setting up a policy for periodically checking authorities ensures that authorities remain consistent with changes in user responsibilities, establishes an efficient communication mechanism for users to be able to make requests for changes in authorities, and comprises:
performing authority examination once every quarter or half year, paying special attention to the change of the user roles in regular examination, ensuring that new responsibilities and authorities are matched with the roles, and performing additional examination on the role change to prevent abuse of the authorities; a clear communication channel is established, so that an administrator and a user can know the flow and the regulation of the authority change in time, all related parties are ensured to clearly propose the authority change request, a network platform is established in the system, the user submits the authority change request on the network platform, and a system message notification is sent to remind the user to check the authority of the user and propose a necessary change request.
8. A management rights matching system, comprising:
the role definition module is used for determining resources to be managed and corresponding authorities and defining different user roles in the system;
the authority setting module is used for setting authority standards, defining the responsibility and authority of each role in the system, designing resources and corresponding authorities which need to be managed according to the determination of the authority, defining the hierarchical structures of different user roles in the system, and ensuring that the low-level authorities are contained in the high-level authorities;
the identity verification module is used for setting an identity verification mechanism so as to ensure that each user can be identified;
the permission adjustment module is used for automatically distributing initial permission in a registration or initialization stage according to the roles and identities of the users, and dynamically adjusting the permission according to the behaviors and demands of the users to ensure that the activities and role changes of the users in the system are reflected in time;
the permission monitoring module is used for recording the permission use condition of each user so as to track potential safety problems, and the use monitoring system is used for monitoring the use condition of the user permission in real time and finding out abnormal behaviors in time;
and the examination communication module is used for setting a strategy for periodically examining the authority, ensuring that the authority is consistent with the change of the responsibility of the user, establishing an effective communication mechanism, enabling the user to give out the request of the authority change, responding in time, and implementing the authority revocation mechanism, and when the user does not need the authority any more, the authority can be revoked in time.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the management rights matching method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program when executed by a processor realizes the steps of the management right matching method of any of claims 1 to 7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311633290.9A CN117540404A (en) | 2023-11-30 | 2023-11-30 | Management authority matching method, device and system |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311633290.9A CN117540404A (en) | 2023-11-30 | 2023-11-30 | Management authority matching method, device and system |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117540404A true CN117540404A (en) | 2024-02-09 |
Family
ID=89787944
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311633290.9A Pending CN117540404A (en) | 2023-11-30 | 2023-11-30 | Management authority matching method, device and system |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117540404A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118157997A (en) * | 2024-05-11 | 2024-06-07 | 华能信息技术有限公司 | User authority management method |
-
2023
- 2023-11-30 CN CN202311633290.9A patent/CN117540404A/en active Pending
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN118157997A (en) * | 2024-05-11 | 2024-06-07 | 华能信息技术有限公司 | User authority management method |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10326637B2 (en) | Functionality management via application modification | |
| US11151254B2 (en) | Secure communications gateway for trusted execution and secure communications | |
| US10824757B2 (en) | Social media and data sharing controls | |
| US8015563B2 (en) | Managing virtual machines with system-wide policies | |
| US8490152B2 (en) | Entitlement lifecycle management in a resource management system | |
| US7607164B2 (en) | Systems and processes for managing policy change in a distributed enterprise | |
| US20090205018A1 (en) | Method and system for the specification and enforcement of arbitrary attribute-based access control policies | |
| US20060143447A1 (en) | Managing elevated rights on a network | |
| US20070245348A1 (en) | Virtual machine self-service restrictions | |
| CN112182619A (en) | Service processing method and system based on user permission, electronic device and medium | |
| US11212291B2 (en) | Securing services and intra-service communications | |
| JP4676782B2 (en) | Information processing apparatus, operation permission data generation method, operation permission data generation permission determination method, operation permission data generation program, operation permission data generation permission determination program, and recording medium | |
| CN117540404A (en) | Management authority matching method, device and system | |
| US20220200995A1 (en) | Method and server for access verification in an identity and access management system | |
| US8010456B2 (en) | Policy based application provisioning in a collaborative computing environment | |
| JP4723930B2 (en) | Compound access authorization method and apparatus | |
| CN116383804A (en) | Authority management method, device, equipment, medium and program product | |
| JP2006302041A (en) | Information management device, information management method, and information management program | |
| AU2004279184B2 (en) | System and method for providing REA model based security | |
| Perkins et al. | Consider identity and access management as a process, not a technology | |
| JP2022144297A (en) | Service providing system, information processing system, information processing method, and program | |
| US7568036B2 (en) | Adaptive management method with automatic scanner installation | |
| Rivington et al. | A service oriented architecture for authorization of unknown entities in a grid environment | |
| WO2012173599A1 (en) | System and method for controlling access |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |