TW554278B - Method and system for controlling the access right of information system - Google Patents

Publication number
TW554278B
Authority
TW
Taiwan
Prior art keywords
user
group
data
identification number
information system
Application number
TW091109555A
Other languages
Chinese (zh)
Inventor
Shr-Jie Jou
Original Assignee
Shinewave Int Inc
Application filed by Shinewave Int Inc
Priority to TW091109555A
Application granted
Publication of TW554278B

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention provides a system for controlling access rights in an information system, comprising a permission control server and a data service server. The permission control server comprises a permission database and a link processing module. The permission database records the registration data and the rights configuration of each user of the information system; the registration data comprise a user identification object, a group object, an organization object and a role object, and the rights configuration is based on these objects. When a user logs into the information system, the link processing module queries the permission database according to the user's registration data to determine the scope of the user's access rights. The data service server comprises a query module and a plurality of service modules. After a user logs into the information system, the query module sends a rights query request to the permission control server, so that the permission control server queries the scope of the user's access rights based on the user's registration data. Each of the plurality of service modules provides a specific function. The present invention also provides a method for controlling a user's rights in an information system with the above system.

Description

Field of the invention

The present invention relates to a method and system for controlling access rights in an information system, and in particular to an access-control method and system that takes four kinds of objects, "group", "user", "role" and "organization", into account together, using the interactions and relationships among these four objects to control the rights of the information system's users.

Background of the invention

"Access control" is the management mechanism in an information system that controls whether a user may log into the system and which functional operations the user is granted after logging in. It may be an independent software module of the information system, or be built into the information system to enforce access control. Current access-control mechanisms fall into two classes: one uses the "user" as the basis for deciding rights, the other uses the "group". The group-based mechanism, also called "role-playing", actually classifies by "position", grouping together those in the enterprise who have the same kind of work or an equivalent position. Under either class of mechanism, however, system administrators commonly face the following inconveniences and difficulties.

First, with the user as the basis for deciding rights, the definitions are too cumbersome. Given the reality of frequent job rotations, transfers, hires and departures within an enterprise, the system administrator has to maintain an enormous amount of permission-table data, which is time-consuming and laborious, is prone to oversights and omissions, and wastes a great deal of maintenance cost.

Second, with the group as the basis for deciding rights, the definitions are too broad. Common definitions are, for example, "general staff", "manager", "purchasing staff", and so on. The original intention of this design was to simplify the contents of the permission tables. But as system functions are continually extended and rights need to be divided more finely, the original group classification is often abandoned and a new set of groups is defined to accommodate the change. Group definitions therefore become ever narrower, the original intent of the design is defeated, and the system administrator finds it hard to keep track of the differences among groups. For example, a "manager" group may already have been defined, but new functional operations are then added: the operation "review personnel data" belongs to a "personnel manager", and the operation "post accounts" belongs to an "accounting manager". To control these changes, the system administrator has to split the already defined "manager" group, according to the newly added functional operations, into three groups: "personnel manager", "accounting manager" and "general manager".

Furthermore, some access-control mechanisms do not take the enterprise's organizational structure into account at all, so they neither satisfy the actual control requirements nor are convenient to administer.

The two classes of method above can just about cope in an information system with simple functional operations or in an environment with a small number of users. But for more complex enterprise information software (for example an ERP system), or for an enterprise with a large organizational structure and frequent personnel changes, such division and control of work rights cannot be managed effectively, and it creates difficulties for the information system administrator in managing and maintaining rights.

In view of this, and after continual research and testing, the present invention was arrived at. The present invention provides an access-control mechanism that considers "group", "user", "role" and "organization" together, using the linkage relationships among these four kinds of objects to remedy the shortcomings and deficiencies of current access-control mechanisms and to give information system administrators a simpler and more direct method of maintenance.

Summary of the invention

One object of the present invention is to provide a method for controlling the access rights of an information system that is defined on a concise basis for deciding rights, so that the cost of maintaining permission-table data is reduced.

Another object of the present invention is to provide a method for controlling the access rights of an information system that is defined on a precise basis for deciding rights, so that the operating rights of each user of the information system can be assigned unambiguously.

To achieve the above objects, the present invention proposes a system for managing the user rights of an information system, comprising a permission control server and a data service server.

The permission control server comprises a permission database and a link processing module. The permission database records the registration data and the rights configuration of every user of the information system; the registration data comprise a user identification object, a group object, an organization object and a role object, and the rights configuration is based on these objects. When a user logs into the information system, the link processing module queries the permission database according to the user's registration data to determine the scope of the user's rights.

The data service server comprises a query module and a plurality of service modules. After a user logs into the information system, the query module issues a rights query request to the permission control server, so that the permission control server queries the scope of the user's rights according to the user's registration data. Each of the plurality of service modules can provide a predetermined function.

Furthermore, the present invention provides a method for controlling the rights of the users of an information system using the above system.

So that those skilled in the art may understand the objects, features and effects of the present invention, the invention is described in detail below by means of specific embodiments together with the accompanying drawings.

Detailed description of the invention

To disclose the present invention fully, a detailed description follows with reference to the drawings.

Figure 1 is a schematic diagram of a system environment in which the method of the present invention is implemented. In the information system 100, a plurality of client computers 101 are connected through a local area network (LAN) 105 to a service and control subsystem 11. The users of the information system 100 use the client computers 101, through the LAN 105, to access the data and services provided by the service and control subsystem 11.

The service and control subsystem 11 comprises a data service server 13 and a permission control server 15.

The data service server 13 comprises a plurality of service modules 131 and a query module 135. The service modules 131 provide different functions, so that the users of the information system 100 can carry out different tasks. After a user logs into the information system, the query module 135 issues a rights query request to the permission control server 15, so that the permission control server 15 queries the scope of the user's rights according to the user's registration data.

The permission control server 15 comprises a permission database 151 and a link processing module 155. The permission database 151 records the registration data and the rights configuration of every user of the information system 100; the registration data comprise an identification object, a group object, an organization object and a role object, and the rights configuration is based on these objects.

When a user logs into the information system 100, the link processing module 155 queries the permission database 151 according to the user's registration data. The link processing module 155 comprises an identification object processing submodule 1551, a group object processing submodule 1553, an organization object processing submodule 1555 and a role object processing submodule 1557; the operation of these object processing submodules determines the scope of the user's rights.

The data service server may further comprise a permission data cache block, which stores the scope of the user's rights as determined by the link processing module 155, so that a user who has logged into the information system 100 can have those rights confirmed quickly when opening the various information services in the information system 100.

Besides the local area network described above, the method of the present invention can also be implemented in other information systems; any information system that requires an access-control mechanism, whatever software it runs, may use the method of the present invention as that mechanism.

The "user" referred to above is an operator of the information system 100 or an employee of the enterprise; each user corresponds to one user login account. Each "user" in the system is a unique value and may not be duplicated.

The "group" referred to above is a collection of users, for instance a collection of users sharing some characteristic (such as the collection of senior staff).

The "role" referred to above is a vacancy (post) in the organizational structure of the set of users of the information system 100 (for example: "Finance department cashier 3"). For instance, if the third business division has two managers, the unit "third business division" must contain the two roles "third business division manager 1" and "third business division manager 2". Each "role" in the system is a unique value and may not be duplicated.

The "organization" referred to above is an organizational unit into which the set of users of the information system 100 (for example an enterprise) is structured; it may be a formal organization or a temporary one, and its members are the collection of the roles of that unit.

Figure 2 shows the correspondences among "group", "user", "role" and "organization" according to the present invention. "Group" and "user" are in a many-to-many relationship: a group may contain a plurality of users, and a user may also belong to several groups. "User" and "role" are in a one-to-many relationship: a user may play several roles (that is, "hold several posts at once"), but a role can be played by only one user. "Organization" and "role" are in a one-to-many relationship: an organizational unit may contain several roles, but a role can belong to only one organizational unit.

Figure 3 shows a practical example of the relationships in Figure 2. "User 1", "User 2" and "User 4" belong to "Group 1"; "User 3", "User 4" and "User 5" belong to "Group 2". "Department 1" has three vacancies, "Role 1", "Role 2" and "Role 3": "User 1" holds both "Role 1" and "Role 2" (holding several posts at once), and "User 2" plays "Role 3" (filling the vacancy). "Department 2" has two vacancies, "Role 4" and "Role 5": "User 2" plays "Role 4" and "User 3" plays "Role 5", so "User 2" fills both "Department 1, Role 3" and "Department 2, Role 4". "Department 3" has two vacancies, "Role 6" and "Role 7": "User 4" plays "Role 6" and "User 5" plays "Role 7".

Figures 4A to 4J show the user registration data tables according to an embodiment of the present invention. The user registration data comprise an identification object, a group object, an organization object and a role object, and the rights configuration is based on these objects. The data content of the four objects and the relationships among them are recorded in tables, namely: a user data table, a group data table, a group-user data table, a department data table, a unit data table, a user-role data table, a role data table, a position data table, a system work item data table and a permission data table.

The identification object recorded in the permission database 151 comprises the user identification number and user name of every user of the information system 100; it is recorded in a user data table, as shown in Figure 4A.

The group object recorded in the permission database 151 comprises the group data by which the users of the information system 100 are classified; it is recorded in a group data table whose records contain a group identification number and a group name, as shown in Figure 4B.

The organization object recorded in the permission database 151 comprises the organizational structure of the set of users of the information system 100. Its department data are recorded in a department data table whose records contain a department identification number and the corresponding organizational level, and its unit data are recorded in a unit data table whose records contain a unit identification number and the corresponding unit name, as shown in Figures 4C and 4D respectively.

The role object recorded in the permission database 151 comprises the description of the vacancies in the organizational structure of the set of users of the information system 100; the description contains organizational structure data, position data and sequence number data, as shown in Figure 4E.

The organizational structure data in Figure 4E are the department identification number from the department object above.

The position data in Figure 4E are the descriptions of the positions within the set of users of the information system; they are recorded in a position data table whose records contain a position identification number and a position name, as shown in Figure 4F.

The sequence number data in Figure 4E are numbering data used, when several position identification numbers correspond to the same department identification number, to distinguish the several positions belonging to the same department. The role name referred to above is therefore "department + position + sequence number".

The association between the user identification object and the group object recorded in the permission database 151 is recorded in a group-user data table, which contains group identification numbers and the corresponding user identification numbers, as shown in Figure 4G.

The association between the user identification object and the role object recorded in the permission database 151 is recorded in a user-role data table, which contains user identification numbers and the corresponding role identification numbers, as shown in Figure 4H.

The correspondence between the user identification number and the organization identification number recorded in the permission database 151 is not recorded in any single table; it is obtained by cross-referencing the user-role data table of Figure 4H with the role data table of Figure 4E.

The permission database 151 further contains a permission data table and a system work item data table. The system work item data table contains work item identification numbers and work item names, as shown in Figure 4I. The permission data table establishes the relationship between system work items and the subjects permitted to use them; its records contain a work item identification number and a permitted-subject identification number, as shown in Figure 4J.

The permitted-subject identification number recorded in the permission data table may be any one of a user identification number, a department identification number, a role identification number or a group identification number.

Figure 5 shows the relationship diagram of the data tables of Figures 4A to 4J. It also shows the correspondences among "user", "group", "role" and "organizational unit" in the information system.

Figure 6 shows a method of controlling user rights implemented on the above system. After the user enters a user identification number to log into the system in step 60, step 61 issues a rights query request, which is sent by the data service server 13 to the permission control server 15 so that the permission control server 15 queries the rights configuration of that particular user. The permission database query procedure 63 is then executed; it comprises an identification object processing step 631, a group object processing step 633, a role object processing step 635, an organization object processing step 637 and a permission data table query step 639, by which the work items the user is permitted to use are confirmed. Step 65 returns the list of confirmed rights: the permission control server 15 returns the work items for which the user was found to have rights in step 639 to the data service server 13.

The identification object processing step 631 queries the user data table in the permission database 151 (Figure 4A) with the identification number of the user who is logging in, to confirm whether the user is a legitimate user of the information system. If the user is not a user of the system, the method proceeds to step 67 and leaves the system.

The group object processing step 633 queries the group-user data table in the permission database with the identification number of the user who is logging in, to confirm the group identification numbers corresponding to the user.

The role object processing step 635 queries the user-role data table in the permission database with the user's identification number, to confirm the role identification numbers corresponding to the user.

The organization object processing step 637 queries the role data table in the permission database with the user's role identification numbers, to confirm the department identification numbers to which the user belongs.

The permission data table query step 639 queries the permission data table in the permission database with the user identification number, group identification numbers, role identification numbers and department identification numbers obtained in steps 631, 633, 635 and 637, to confirm the work items for which the user has rights.

The above method of controlling and managing user rights may further comprise a permission data cache storage step, in which the confirmed rights returned in step 65 are stored in the permission data cache block of the data service server; when the user wishes to open a functional operation in the system, the system can then quickly look up the user's rights to that operation in the cache block without repeating the query steps above.

An application software system and an example enterprise are now used to illustrate the implementation of the method of the present invention, compared with the current access-control mechanisms, to highlight the benefits of the present invention.

Suppose an enterprise X has ten employees, {employee name (employee identification number) | A (001), B (002), C (003), D (004), E (005), F (006), G (007), H (008), I (009), J (010)}. Its organizational structure is shown in Figure 7: there are three departments, {unit name (unit identification number) | general manager's office (PO), administration department (AD), business department (BU)}. The general manager's office has one "general manager" and one "secretary"; the administration department has one "manager", one "expense verifier", one "personnel administrator" and one "leave clerk"; the business department has one "manager", one "deputy engineering manager", two "engineers" and one "sales representative". The employees and the positions they hold are {position (employee name) | general manager (A), general manager's office secretary (B), administration department manager (C), expense verifier (D), personnel administrator (E), leave clerk (F), business department manager (C), deputy engineering manager (G), engineer (H), engineer (I), sales representative (J)}, where employee C serves as both administration department manager and business department manager. Enterprise X has an information management system whose work items and usage rights are described in Figure 8.

Current practice one uses the "user" as the basis for deciding rights. The user data table is shown in Figure 9A; with the user as the basis, the permission data table that satisfies the premises of enterprise X is shown in Figure 9B.

Current practice two uses the "group" as the basis for deciding rights, adding the group data table of Figure 10A and the group-user data table of Figure 10B; since such "groups" (or "roles") are distinguished by "position", the permissions and related data tables satisfying the premises of enterprise X are shown in Figure 10C.

With the access-control method provided by the present invention, "group", "user", "role" and "organization" are considered together, so the data tables comprise a user data table, a group data table, a group-user data table, a department data table, a unit data table, a position data table, a role data table and a user-role data table, with the rights configuration recorded in a permission data table. The user data table is the same as Figure 9A. For simplicity, the group data table places all ten employees of enterprise X in a single "employee" group, as shown in Figures 11A and 11B. Because "organization" and "role" are added as bases for deciding rights, the data tables gain a department data table, a unit data table, a position data table, a role data table and a user-role data table, as shown in Figures 11C to 11G. The rights of each employee of enterprise X are recorded in the permission data table of Figure 11H.

Now suppose enterprise X announces a personnel change: user C (003) steps down as business department manager, and the business department manager vacancy is filled by a newly hired employee K (011).

Taking the changes that the system administrator must make to the permissions and related data tables when this case occurs as the basis of comparison, the current access-control systems are compared with the method proposed by the present invention to highlight the advantages and benefits of the invention.

First, the practice that uses the "user" as the basis for deciding rights. When the above case occurs, the system administrator must change the permissions and related data table contents as shown in Figure 12 to satisfy the case.

With the "group" as the basis for deciding rights, when the above case occurs, the system administrator must change the permissions and related data table contents as shown in Figure 13 to satisfy the case.

With the present invention as the basis for deciding rights, when the above case occurs, the system administrator must change the permissions and related data table contents as shown in Figure 14 to satisfy the case.

In summary, adopting the rights management architecture proposed by the present invention does simplify the system administrator's work of maintaining permission data. This benefit is even more marked for software systems with complex functional operations or enterprises with frequent personnel changes. The traditional access-control mechanisms based on "user" or "group" have shortcomings in actual operation and maintenance, and easily lead to errors of judgment when enterprise personnel change frequently. In the present invention, "group", "user", "role" and "organization" are considered together, and the "department" is proposed as the collection of "roles"; this not only remedies the lack of flexibility and dynamism of the traditional user- and group-based practices, but also meets the access-control requirements of all kinds of enterprise organizational structures.

Although the present invention has been disclosed above by way of several preferred embodiments, they are not intended to limit the invention. Anyone skilled in the art may make various changes and refinements without departing from the spirit and scope of the present invention, and all such changes and refinements fall within the scope of the claims appended to the present invention.


Brief Description of the Drawings

Figure 1 shows a schematic diagram of a system environment in which the method of the present invention is implemented.
Figure 2 shows the correspondence between "group", "user", "role" and "organization" according to the present invention.
Figure 3 shows the relationships among the four kinds of objects in the permission control system according to the present invention.
Figures 4A to 4J show the data tables of the permission database according to the present invention.
Figure 5 shows the relationships among the data tables of Figures 4A to 4J.
Figure 6 shows a flow chart of the steps by which user permissions are determined according to the method of the present invention.
Figure 7 shows the work items of an information system and their permission control data according to an embodiment of the present invention.
Figures 9A and 9B show data tables that use "user" as the basis for determining permissions.
Figures 10A to 10C show data tables that use "group" as the basis for determining permissions.
Figures 11A to 11H show data tables according to an embodiment of the present invention.
Figure 12 shows the data table maintenance work when "user" is the basis for determining permissions.
Figure 13 shows the data table maintenance work when "group" is the basis for determining permissions.
Figure 14 shows the data table maintenance work when the method of the present invention is the basis for determining permissions.

Reference numerals of the principal elements

100 information system
101 client computer
11 service and control subsystem
13 data service server
131 service module
135 query module
15 permission control server
151 permission database
155 link processing module
1551 identification object processing sub-module
1553 group object processing sub-module
1555 organization object processing sub-module
1557 role object processing sub-module
60 user logs into the system (step)
61 issue permission query request (step)
63 query permission database (procedure)
631 user identification object processing step
633 group object processing step
635 role object processing step
637 organization object processing step
639 permission data table query step
65 return permission confirmation list (step)
67 leave the system


Claims (1)

1. A system for controlling and managing the user permissions of an information system, comprising a permission control server and a data service server, wherein:
the permission control server comprises a permission database and a link processing module, wherein the permission database is used to record the registration data and the permission settings of every user of the information system, the registration data comprising an identification object, a group object, an organization object and a role object, and the permission settings being based on these objects; and wherein the link processing module, when a user logs into the information system, queries the permission database according to the user's registration data, the link processing module comprising an identification object processing sub-module, a group object processing sub-module, an organization object processing sub-module and a role object processing sub-module, the operation of these object processing sub-modules determining the scope of the user's permissions; and
the data service server comprises: a query module, which, after a user logs into the information system, issues a permission query request to the permission control server so that the permission control server queries the scope of the user's permissions according to the user's registration data; and a plurality of service modules, each of which can provide a predetermined function.

2. The system for controlling and managing user permissions in an information system of claim 1, wherein the data service server further comprises a permission data cache storage block used to store the scope of the user's permissions obtained by the query of the link processing module.

3. The system for controlling and managing user permissions in an information system of claim 1, wherein the user identification object recorded in the permission database comprises the user identification number and user name of every user of the information system, recorded in a user data table.

4. The system for controlling and managing user permissions in an information system of claim 1, wherein the group object recorded in the permission database comprises group data by which the plurality of users of the information system are divided according to different characteristics, recorded in a group data table containing a group identification number and a group name.

5. The system for controlling and managing user permissions in an information system of claim 1, wherein the organization object comprises a description of the organizational structure of the set of users of the information system, the description comprising department data and unit data, wherein the department data is recorded in a department data table whose records contain a department identification number and its corresponding organizational level, and wherein the unit data is recorded in a unit data table whose records contain a unit identification number and its corresponding unit name.

6. The system for controlling and managing user permissions in an information system of claim 1, wherein the role object comprises a description of the positions in the organizational structure of the set of users of the information system, the description comprising organizational structure data, job data and serial number data.

7. The system for controlling and managing user permissions in an information system of claim 6, wherein the organizational structure data is the department identification number of the department object described above.

8. The system for controlling and managing user permissions in an information system of claim 6, wherein the job data is a description of each job held by the set of users of the information system, recorded in a job data table whose records contain a job identification number and a job name.

9. The system for controlling and managing user permissions in an information system of claim 6, wherein the serial number data is numbering data used, when a plurality of jobs correspond to a single department identification number, to distinguish the plurality of equivalent jobs belonging to the same department.

10. The system for controlling and managing user permissions in an information system of claim 1, wherein the association between the user identification object and the group object is recorded in a group-user data table containing group identification numbers and their corresponding user identification numbers.

11. The system for controlling and managing user permissions in an information system of claim 1, wherein the association between the user identification object and the role object is recorded in a user-role data table containing user identification numbers and their corresponding role identification numbers.

12. The system for controlling and managing user permissions in an information system of claim 1, wherein the correspondence between a user identification number and an organization identification number can be obtained by cross-querying the user-role data table and the role data table.

13. The system for controlling and managing user functional operation permissions in an information system of claim 1, wherein the permission database comprises a permission data table and a system work item data table.

14. The system for controlling and managing user functional operation permissions in an information system of claim 13, wherein the system work item data table contains a work item identification number and a work item name.

15. The system for controlling and managing user permissions in an information system of claim 13, wherein the permission data table is used to establish the relationship between a system work item and the subject permitted to use it, its records containing a work item identification number and a permitted subject identification number.

16. The system for controlling and managing user permissions in an information system of claim 15, wherein the permitted subject identification number recorded in the permission data table can be specified as one of a user identification number, a department identification number, a role identification number and a group identification number.

17. A method for controlling and managing user permissions in an information system, applicable to an information system having multiple work items and a plurality of users, wherein the control system of the information system comprises a data service server and a permission control server, the method comprising the steps of:
(A) issuing a permission query request, which is generated by the data service server and transmitted to the permission control server so that the permission control server queries the permission settings of a specific user;
(B) querying the permission database, comprising a user identification object processing step, a group object processing step, a role object processing step, an organization object processing step and a permission data table query step, so as to query the work items for which the user has permission; and
(C) returning a permission confirmation list, whereby the permission control server returns to the data service server the work items for which the user has permission as obtained by the query of step (B).

19. The method for controlling and managing user permissions in an information system of claim 17, wherein the user identification object processing step queries a user data table in the permission database by the user identification number, so as to confirm whether the user is a legitimate user of the information system.

20. The method for controlling and managing user permissions in an information system of claim 17, wherein the group object processing step queries a group-user data table in the permission database by the user's identification number, so as to confirm the group identification number corresponding to the user.

21. The method for controlling and managing user permissions in an information system of claim 17, wherein the role object processing step queries a user-role data table in the permission database by the user's identification number, so as to confirm the role identification number corresponding to the user.

22. The method for controlling and managing user permissions in an information system of claim 17, wherein the organization object processing step queries a role data table in the permission database by the role identification number corresponding to the user, so as to confirm the department identification number to which the user belongs.

23. The method for controlling and managing user permissions in an information system of claim 17, wherein the permission data table query step queries a permission data table in the permission database by the user identification number, group identification number, role identification number and department identification number corresponding to the user, so as to confirm the work items for which the user has permission.
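The following is an added example, not code from the patent or its assignee: an in-memory model of the permission database tables named in the claims, the query steps 631 to 639 of claim 17, and the personnel change from the description (C promoted, the vacated role taken by K). Table contents, identifiers and the typed subject keys are constructed assumptions; the claims themselves store only a bare subject identification number (claim 16).

```python
"""Added example (not the patent's own code): a minimal in-memory model of the
permission database of claims 3-16 with the query procedure of claims 17-23."""
from dataclasses import dataclass, field

# Claim 16 stores only a subject id in the permission table. Tagging each id with
# its kind (an assumption added here) prevents a user id and a group id that happen
# to share the same digits from granting each other's work items.
USER, GROUP, ROLE, DEPT = "user", "group", "role", "dept"


@dataclass
class RightsDB:
    users: dict = field(default_factory=dict)        # user_id -> name (claim 3)
    groups: dict = field(default_factory=dict)       # group_id -> name (claim 4)
    group_users: set = field(default_factory=set)    # (group_id, user_id) (claim 10)
    departments: dict = field(default_factory=dict)  # dept_id -> org level (claim 5)
    jobs: dict = field(default_factory=dict)         # job_id -> job name (claim 8)
    roles: dict = field(default_factory=dict)        # role_id -> (dept_id, job_id, seq) (claims 6-9)
    user_roles: set = field(default_factory=set)     # (user_id, role_id) (claim 11)
    work_items: dict = field(default_factory=dict)   # item_id -> name (claim 14)
    permissions: set = field(default_factory=set)    # (item_id, (kind, subject_id)) (claims 15-16)

    def query_rights(self, user_id):
        """Step (B) of claim 17: resolve the four objects for one user, then read
        the permission table. Returns the permission confirmation list of step (C),
        or None when the user is not a legitimate user (claim 19)."""
        if user_id not in self.users:                                    # 631
            return None
        groups = {g for g, u in self.group_users if u == user_id}        # 633
        roles = {r for u, r in self.user_roles if u == user_id}          # 635
        depts = {self.roles[r][0] for r in roles}                        # 637 (claim 22)
        subjects = ({(USER, user_id)} | {(GROUP, g) for g in groups}
                    | {(ROLE, r) for r in roles} | {(DEPT, d) for d in depts})
        return sorted(i for i, s in self.permissions if s in subjects)  # 639 (claim 23)


def build_sample_db():
    """Constructed sample: one department, a manager role and a staff role.
    Work items are granted to a group, a department and the two roles; nothing
    is granted to an individual user, so a personnel change touches no permission row."""
    db = RightsDB()
    db.users = {"003": "C", "011": "K"}
    db.groups = {"G1": "all employees"}
    db.group_users = {("G1", "003"), ("G1", "011")}
    db.departments = {"D_SALES": 2}
    db.jobs = {"J_MGR": "manager", "J_STAFF": "staff"}
    db.roles = {"R_SALES_MGR": ("D_SALES", "J_MGR", 1),
                "R_SALES_STAFF": ("D_SALES", "J_STAFF", 1)}
    db.user_roles = {("003", "R_SALES_STAFF")}   # K is registered but holds no role yet
    db.work_items = {"W_LOGIN": "login", "W_QUOTE": "issue quote",
                     "W_APPROVE": "approve quote", "W_SALES_RPT": "sales report"}
    db.permissions = {("W_LOGIN", (GROUP, "G1")),
                      ("W_SALES_RPT", (DEPT, "D_SALES")),
                      ("W_QUOTE", (ROLE, "R_SALES_STAFF")),
                      ("W_APPROVE", (ROLE, "R_SALES_MGR"))}
    return db


def promote(db, old_holder, new_holder, old_role, new_role):
    """The personnel change from the description: the promoted user moves to the
    new role and the newcomer takes the vacated role. Only user-role rows change;
    the permission table, keyed on roles and departments, is left untouched."""
    db.user_roles.discard((old_holder, old_role))
    db.user_roles.add((old_holder, new_role))
    db.user_roles.add((new_holder, old_role))
```

Running `query_rights` before and after `promote` shows the effective work items following the role, while the number of permission rows stays constant.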
TW091109555A 2002-05-08 2002-05-08 Method and system for controlling the access right of information system TW554278B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
TW091109555A TW554278B (en) 2002-05-08 2002-05-08 Method and system for controlling the access right of information system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW091109555A TW554278B (en) 2002-05-08 2002-05-08 Method and system for controlling the access right of information system

Publications (1)

Publication Number Publication Date
TW554278B true TW554278B (en) 2003-09-21

Family

ID=31974825

Family Applications (1)

Application Number Title Priority Date Filing Date
TW091109555A TW554278B (en) 2002-05-08 2002-05-08 Method and system for controlling the access right of information system

Country Status (1)

Country Link
TW (1) TW554278B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100370737C (en) * 2003-11-12 2008-02-20 鸿富锦精密工业(深圳)有限公司 Managing system and method for user authority

Legal Events

Date Code Title Description
GD4A Issue of patent certificate for granted invention patent
MM4A Annulment or lapse of patent due to non-payment of fees