200825832

IX. Description of the Invention:

[Technical Field of the Invention]

The present invention relates to a module and method for controlling applications, and more particularly to a module and method for restricting the operating permissions of client applications.

[Prior Art]

With the development of information technology, enterprises increasingly rely on computers to support their business; but the spread of information technology also brings risks. External attacks such as viruses, backdoor programs and exploitation of system vulnerabilities are growing threats, so enterprise information protection has become an important issue.

Threats to information security come not only from external attacks but also from improper use inside the organization; a considerable number of surveys have found that threats to enterprise information security stem largely from malicious behaviour by employees and from non-malicious operating mistakes. How to solve internal information security problems is therefore an important security issue that enterprises must face.

At present, enterprise internal information security management is mostly implemented as a management and control module made up of a server and a plurality of clients, in which a central server controls the behaviour of the clients. Software on the market therefore mostly uses this architecture to manage and control multiple client computers centrally, granting correspondingly restricted functions according to each client's authorization level. However, the various control modules currently on the market can only restrict the acquisition of external information from inside the enterprise, for example refusing the browsing of particular web pages or the download of programs from particular addresses; they can only block the operation of a program or access to a web page outright, not restrict particular functions. For example, current monitoring modules still cannot prevent the saving of particular web page content or the copying and pasting of web page content. How to manage user operating behaviour efficiently when users access internal enterprise information, for example in an Enterprise Resource Planning (ERP) system, and avoid malicious or improper operations that create gaps in information security management, is thus an urgent problem.

The present invention therefore discloses a control module and method that can restrict the operation of client applications and web pages and manage and update the related permissions, in order to solve the above problems.

[Summary of the Invention]

The present invention discloses a module and method for controlling the operation of client programs and web pages. The module comprises at least an input terminal (console), a server and a client. The input terminal is responsible for receiving or forwarding permission change commands; the server's functions include changing the permission data stored on the server according to commands received from the input terminal, notifying the client of permission change events, and updating the permission data stored on the client; the client obtains the updated permission data according to the notification message from the server and restricts the operating permissions of applications accordingly. By the above module and method the invention achieves the goal of restricting the operation of client programs.

The present invention also discloses a module and method for centrally controlling the operation of application software on a plurality of clients, to achieve immediate and unified control of a plurality of clients. In one embodiment of the invention, both the server and the client comprise a database; the database comprises a permission data table and control indices, and through the correspondence between the permission data records and the control indices, the permission data of a plurality of clients concerning application operation can be updated.

[Embodiments]

The present invention will be described in detail below with its preferred embodiments and the accompanying drawings. It should be understood that all preferred embodiments in the present invention are for illustration only; besides the preferred embodiments and reference drawings given in the description, the invention may also be widely applied in other embodiments. The invention is not limited to any embodiment, and is to be defined by the appended claims and their equivalents.

Figure 1 shows an embodiment of the invention. The control module comprises an input terminal 100, a server 200 and a client 300. The input terminal 100 receives and transmits commands concerning the operating permissions of controlled applications; the server 200 stores the permission data, exchanges data about operating permissions between the input terminal 100 and the client 300, and updates the operating permission data stored on the client 300; the client 300 updates the operating permission data stored on the client according to the permission change event message sent by the server, and restricts the operating permissions of applications on the client accordingly. With this architecture the control module can restrict the operation of client applications. The control module of the invention is applicable to internal network environments such as homes and offices, but is not limited to them; the module can also be applied in any network environment where control of client application operation is needed, such as libraries and Internet cafés.

The functions of the control module in the above embodiment are described in more detail as follows. The input terminal 100 of the module receives and outputs commands entered by the user, in order to notify the server 200 to change the permission data stored in the database. The input commands include commands to add, modify and delete restrictions on, or release of, particular functions of controlled applications, and to query the status of an item. More specifically, among the permission change commands, the items restricting the operating functions of a particular application include: prohibiting the printing of particular information, disabling the copying of particular information, disabling the keyboard, disabling "Save As", and disabling dragging of data with the mouse. In another embodiment they further include restrictions on access to web page content, whose items include: prohibiting printing, disabling the copying of particular information, disabling the keyboard, disabling "Save As", disabling dragging of data with the mouse, prohibiting sending the web page by e-mail, and prohibiting viewing of the page source.

In one embodiment of the invention the input terminal is a user interface, and the user controls the operating permissions of a particular application by selecting options on the interface. The user clicks a function key of the user interface, for example the option to disable a particular function, and a window pane opens; the fields in this window contain the name, type and function options of the controlled software. The user clicks the modify option at the top of the screen and enters the name of the controlled program in the window; a permission function setting window then opens in which the permission function settings are entered. This permission function setting window contains a plurality of pre-designed fields; the user ticks the fields according to the functions they correspond to, thereby enabling or disabling particular functions and completing the input at the input terminal.

Another embodiment of the invention concerns restricting the operation of web pages. In this embodiment the operating interface is similar to the interface for controlling a particular application described above, but the control target entered by the user is a web address (URL).

In an embodiment of the invention, the server 200 has the following functions: receiving permission change commands entered at the input terminal, and storing, updating and transmitting the permission data of the controlled applications of the clients. The server 200 comprises a data receiving and transmitting unit 201, a processing unit 202 and a database unit 203. The data receiving and transmitting unit 201 receives permission change information from the input terminal 100 and passes the data to the processing unit 202; according to the permission change information, the processing unit 202 changes the permission data in the database unit 203 and issues a permission change notification through the data receiving and transmitting unit 201 to inform the client 300 that the permission change event has occurred. On receiving a permission data download request returned by the client 300, the server 200 transmits the changed permission data to the client 300 so as to update the application software permission data stored on the client 300. The server 200 also comprises components such as memory, an operating system, a hard disk and a display unit; those skilled in the art will understand these, and they are not described further so as not to obscure the essentials of the invention. The same applies to the input terminal and the client.

More specifically, in one embodiment of the invention the data receiving and transmitting unit 201 uses the TCP protocol to send notifications and to serve the download of permission data, and represents the application events concerned with updating client permission data by distinct codes. In another embodiment of the invention, the permission data transmitted by the server's data receiving and transmitting unit 201 contains index data corresponding to the controlled applications or web pages of the client, so that the client can identify which permission data is to be updated.

The database 203 used to store the permission data comprises a set of data tables and control indices for recording and updating the permission data of controlled applications. In one embodiment of the invention the database comprises at least two tables, security_action and security_policy, which together implement the permission-based operation restriction function. The security_action table records the behaviours or patterns of, without limitation, controlled applications, commands, addresses or web pages; the security_policy table records, without limitation, the permission data for particular applications, commands, addresses or web pages. The security_action table contains at least the following fields: the identifier (id) is an index field used to associate the table with other tables; the category (category) records the type of application, command, address or web page; the target name (target_name) records the executable file name of the controlled application or the controlled address; and the target type (target_type) records the type of controlled target. The security_policy table records the permission restriction data of controlled applications or addresses. In the security_policy table, the value (value) field records an index that corresponds to the index in the id field of the software action (software_action) table, so that the two tables are associated; the disabled action (disabled_action) field records the permission of the application or address that is to be restricted, and a particular value can be written into this field to indicate that the behaviour is controlled and cannot be used.

The client module 300 has at least the following functions: receiving messages from the server, downloading permission data from the server, and setting permission data. In one embodiment the client comprises a permission control unit, for example a separately installed program, that performs the functions of the client. In another embodiment the client comprises a database for storing the client permission data. This database comprises a set of data tables and control indices, in which the data of the controlled applications of the client is stored, each controlled program corresponding to an index, so that after downloading new permission data from the server the client can find the corresponding controlled application permission data and update it.

In another embodiment of the invention, the control module may be a combination of a plurality of the control modules of the above embodiment, forming a multi-level control module; this multi-level control module can grant each server modifiable permission data according to different authorization levels, so as to achieve hierarchical management. In this embodiment there is a central server, a plurality of peripheral servers, and client computers. The database of the central server stores the permission data of each peripheral server; each peripheral server stores, besides its own permission data, the permission data of the applications on the clients within its area. Under this multi-level architecture, a central server uniformly manages the state and updating of the permission data on each peripheral server, while the peripheral servers, according to different needs and authorization levels, open different rights to change permission data in order to manage the applications on their clients. This control architecture provides a hierarchical, partitioned authorization structure for information security management that manages the operation of applications on client computers. Besides updating the permissions of a plurality of clients quickly, it also avoids the errors that may occur when server permission data is updated manually area by area.

Figure 2 shows an embodiment of the permission update flow. Through the input terminal, the user enters the permission change in step 101 and changes the permission data on the server, and in the following step 102 sends a message notifying the server of the permission change event. Step 201 indicates that the server 200 receives the permission change information, and in the next step 202 it sends a message notifying the client that the permission change event exists. After the client receives the permission setting change message from the server in step 301, it sends a message in the following step 302 requesting to download the new permission settings from the server. In the following step 203, the database retrieves the updated permission data according to the message sent in step 302, and in step 204 the updated permission data is transmitted to the client. After the client obtains the new permission data transmitted by the server in step 303, it updates the client's permission settings in step 304.

In another embodiment, the permission update flow of the invention is also applicable to the case of multiple peripheral servers. In this embodiment the update flow is similar to that shown in Figure 2, but each peripheral server may be managed by a central server; in this embodiment the permission change commands for the peripheral servers are downloaded from the central server, but depending on the rights opened to each server, permission data may also be entered at the input terminal of each peripheral server. Thus, by providing a central server and combining a plurality of update flows identical to that of Figure 2, hierarchical and partitioned management of application software operating permissions is achieved.

The present invention has been described above by preferred embodiments, which are not intended to limit the scope of the patent rights claimed. The scope of protection is defined by the appended claims and their related fields. Equivalent changes or modifications made by those skilled in the art without departing from the spirit or scope of this patent are to be included within the scope of the following claims.

[Brief Description of the Drawings]

Figure 1 is an architecture diagram of the application control module of the invention.
Figure 2 is a flow chart of the method of controlling applications of the invention.

[Description of Main Reference Numerals]

Figure 1
Input terminal 100
Server 200
Data receiving and transmitting unit 201
Processing unit 202
Database unit 203
Client 300

Figure 2
Change permission 101
Notify permission change 102
Receive permission change notification 201
Notify permission change 202
Retrieve new permission data from database 203
Return new permission data 204
Receive permission change notification 301
Request new permission settings 302
Obtain new permission settings 303
New permission settings take effect 304
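The two-table permission database (security_action and security_policy) and the Figure 2 update flow (steps 101 to 304), worked through as an added Python example; this is not code from the patent or from any product implementing it. The three parties run in one process and method calls stand in for the TCP messages; the message codes, the action names stored in disabled_action, the SQLite column types, the upsert treatment of "add"/"modify", and the sample targets (erp.exe and the intranet URL) are all assumptions made for the illustration.

```python
import sqlite3

# Server-side schema (assumed column types). security_policy.value is the
# index that corresponds to security_action.id, associating the two tables.
SCHEMA = """
CREATE TABLE security_action (
    id          INTEGER PRIMARY KEY,
    category    TEXT NOT NULL,          -- 'application' or 'url'
    target_name TEXT NOT NULL UNIQUE,   -- executable file name or web address
    target_type TEXT NOT NULL
);
CREATE TABLE security_policy (
    value           INTEGER NOT NULL REFERENCES security_action(id),
    disabled_action TEXT NOT NULL,      -- e.g. 'print', 'copy', 'save_as'
    PRIMARY KEY (value, disabled_action)
);
"""

# Message codes for the exchange (assumed; the patent only says events are
# represented by distinct codes).
MSG_PERMISSION_CHANGED = 0x01   # server -> client  (step 202)
MSG_DOWNLOAD_REQUEST = 0x02     # client -> server  (step 302)
MSG_PERMISSION_DATA = 0x03      # server -> client  (step 204)


class PolicyServer:
    """Server 200: database unit 203 plus the notify/download handling."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)
        self.clients = []

    def register(self, client):
        self.clients.append(client)

    def change_permission(self, command, target_name, target_type,
                          category="application", disabled=()):
        """Steps 101/102/201: apply a console command, then step 202: notify."""
        cur = self.db.cursor()
        if command in ("add", "modify"):
            # Upsert the security_action row, then replace its policy rows.
            cur.execute("INSERT OR IGNORE INTO security_action"
                        "(category, target_name, target_type) VALUES (?,?,?)",
                        (category, target_name, target_type))
            (action_id,) = cur.execute("SELECT id FROM security_action "
                                       "WHERE target_name=?", (target_name,)).fetchone()
            cur.execute("DELETE FROM security_policy WHERE value=?", (action_id,))
            cur.executemany("INSERT INTO security_policy(value, disabled_action) "
                            "VALUES (?,?)", [(action_id, a) for a in disabled])
        elif command == "delete":
            row = cur.execute("SELECT id FROM security_action WHERE target_name=?",
                              (target_name,)).fetchone()
            if row:
                cur.execute("DELETE FROM security_policy WHERE value=?", row)
                cur.execute("DELETE FROM security_action WHERE id=?", row)
        else:
            raise ValueError("unknown command: %r" % command)
        self.db.commit()
        for client in self.clients:               # step 202
            client.receive(self, {"code": MSG_PERMISSION_CHANGED})

    def query(self, target_name):
        """Console 'query' command: disabled actions for one target."""
        rows = self.db.execute(
            "SELECT p.disabled_action FROM security_policy p "
            "JOIN security_action a ON p.value = a.id WHERE a.target_name=?",
            (target_name,)).fetchall()
        return sorted(r[0] for r in rows)

    def handle(self, msg):
        """Steps 203/204: answer a download request that carries the client's
        target indices, so only the client's own entries are returned."""
        assert msg["code"] == MSG_DOWNLOAD_REQUEST
        return {"code": MSG_PERMISSION_DATA,
                "policies": {name: self.query(name) for name in msg["targets"]}}


class PolicyClient:
    """Client 300: local permission store plus the enforcement check."""

    def __init__(self, targets):
        self.targets = list(targets)
        self.policies = {t: [] for t in self.targets}
        self.events = []

    def receive(self, server, msg):
        self.events.append(msg["code"])
        if msg["code"] == MSG_PERMISSION_CHANGED:          # step 301
            reply = server.handle({"code": MSG_DOWNLOAD_REQUEST,
                                   "targets": self.targets})  # step 302
            self.apply(reply)                               # steps 303/304

    def apply(self, msg):
        assert msg["code"] == MSG_PERMISSION_DATA
        for name, disabled in msg["policies"].items():
            self.policies[name] = disabled

    def is_allowed(self, target_name, action):
        # Targets without a policy row are unrestricted in this toy model.
        return action not in self.policies.get(target_name, [])


def demo():
    """Constructed sample: one ERP executable and one intranet page."""
    server = PolicyServer()
    client = PolicyClient(["erp.exe", "http://intranet.example/report"])
    server.register(client)
    server.change_permission("add", "erp.exe", "executable",
                             disabled=["print", "copy", "save_as"])
    server.change_permission("add", "http://intranet.example/report", "url",
                             category="url", disabled=["print", "view_source", "mail"])
    return server, client
```

Each console command triggers the full notify/request/download cycle, so the client's copy is refreshed after every change; the download request carries the client's own target list, which is the "index data" the text says lets the client identify which permission data to update.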