TW554278B - Method and system for controlling the access right of information system - Google Patents
- Publication number
- TW554278B (application TW091109555A)
- Authority
- TW
- Taiwan
- Prior art keywords
- user
- group
- data
- identification number
- information system
Description
V. Description of the Invention

Field of the Invention

The present invention relates to a method and a system, in particular to a method and system for controlling the access rights of an information system. It takes "group", "user", "role" and "organization" as the basis on which permissions are decided, and uses the interactions and relations among these four kinds of objects to control the permissions of the information system's users.

Background of the Invention

"Permission control" is the mechanism in an information system that governs whether a user may log in and which functional operations the user is granted after logging in. It may be an independent software module of the information system, or it may be built into the information system itself to enforce permissions. Current permission control mechanisms fall into two classes: one decides permissions on the basis of the "user", the other on the basis of the "group". The group-based approach, also called "role-playing", in fact classifies by "position": employees of the enterprise with the same kind of work or an equivalent position are collected into one class. Under either class of mechanism, however, the system administrator often faces the inconveniences and dilemmas described below.

First, a mechanism that decides permissions per "user" is too cumbersome to define. In the real situation of frequent job rotation, transfer, hiring and departure inside an enterprise, the system administrator has to maintain a huge volume of permission table data; this is time-consuming and laborious, omissions through oversight are common, and excessive maintenance cost is wasted.
Second, a mechanism that decides permissions per "group" is too broad in its definitions. Commonly used definitions are, for example, "general staff", "manager", "purchasing staff" and so on. The original intention of this design was to simplify the data content of the permission table by abstraction. But as system functions are extended and added one after another and permissions need to be divided more finely, the original group classification is often discarded and a new set of groups is defined to fit; the group definitions therefore become ever narrower, the beauty of the original design is lost, and it becomes hard for the system administrator to keep track of the differences between groups. For example, a "manager" group has already been defined, but new functional operations are added: the operation "appraise personnel records" belongs to the "personnel manager" permission, and the operation "post accounts" belongs to the "accounting manager" permission. To control these changes the system administrator has to split the already-defined "manager" group, according to the new functional requirements, into three groups: "personnel manager", "accounting manager" and "general manager".

Furthermore, some permission control mechanisms do not take the enterprise's organizational structure into account at all; not only does their control fail to match the actual situation, system administration is also very inconvenient.

The two classes of method above can still just about be sustained in an information system with simple functional operations or in an environment with a small number of users. But for more complex enterprise information software (for example an ERP system covering personnel, materials and finance management over a wide scope), or for an enterprise with a large organization and frequent personnel changes, the division and control of work permissions cannot be managed effectively by the information system administrator in practice, and it leads to difficulties in the administration and maintenance of the information system.
Origin of the Invention

In view of this, the present invention was arrived at after continued research and testing. It provides a permission control mechanism that considers "group", "user", "role" and "organization" together and uses the linkage among these four kinds of objects to remedy the defects and shortcomings of current permission control mechanisms, giving the information system administrator a simpler and more direct way of maintenance.

Summary of the Invention

One object of the present invention is to provide a method for controlling the access rights of an information system whose basis for deciding permissions is defined concisely, so that the cost of maintaining permission table data can be reduced.

Another object of the present invention is to provide a method for controlling the access rights of an information system whose basis for deciding permissions is defined precisely, so that the operating permissions of each user of the information system can be allocated unambiguously.

To achieve the above objects, the present invention proposes a system for managing the user permissions of an information system, comprising a permission control server and a data service server.

The permission control server comprises a permission database and a link processing module. The permission database records the registration data of every user of the information system together with the user's permission settings. The registration data comprise a user identity object, a group object, an organization object and a role object, and the permission settings are based on these objects. When a user logs in to the information system, the link processing module queries the permission database according to the user's registration data to decide the scope of the user's permissions.

The data service server comprises an inquiry module and a plurality of service modules. When a user logs in to the information system, the inquiry module issues a permission query request to the permission control server, so that the permission control server looks up the scope of the user's permissions according to the user's registration data. Each of the service modules provides a predetermined function.

The present invention further provides a method of controlling the permissions of information system users with the above system.

So that persons skilled in the art may understand the objects, features and effects of the present invention, it is described in detail below by way of specific embodiments with reference to the accompanying drawings.

Detailed Description of the Invention

To disclose the present invention fully, it is described in detail with reference to the drawings as follows.

Figure 1 is a schematic diagram of a system environment in which the method of the present invention is implemented. In the information system 100, a plurality of client computers 101 are connected through a local area network (LAN) 105 to a service and control subsystem 11. The users of the information system 100 can use the client computers 101, through the LAN 105, to access the many data and services provided by the service and control subsystem 11.
The service and control subsystem 11 comprises a data service server 13 and a permission control server 15.

The data service server 13 comprises a plurality of service modules 131 and an inquiry module 135. The service modules 131 provide different functions so that users of the information system 100 can carry out different tasks. After a user logs in to the information system, the inquiry module 135 issues a permission query request to the permission control server 15, so that the permission control server 15 looks up the scope of that user's permissions according to the user's registration data.

The permission control server 15 comprises a permission database 151 and a link processing module 155. The permission database 151 records the registration data of every user of the information system 100 together with the user's permission settings; the registration data comprise an identity object, a group object, an organization object and a role object, and the permission settings are based on these objects.

When a user logs in to the information system 100, the link processing module 155 queries the permission database 151 according to the user's registration data. The link processing module 155 comprises an identity object processing submodule 1551, a group object processing submodule 1553, an organization object processing submodule 1555 and a role object processing submodule 1557, and the scope of the user's permissions is decided by the operation of these object processing submodules.

The data service server may further comprise a permission data cache block, which stores the scope of permissions found by the link processing module 155, so that a user who has logged in to the information system 100 can have their permissions confirmed quickly when opening the various information services of the information system 100.
Besides the local area network described above, the method of the present invention can also be applied to other information systems: any information system that requires a permission control mechanism, and the software of any such system, can use the method of the present invention as its permission control mechanism.

The "user" referred to above is an operator of the information system 100 or an employee of the enterprise; each user corresponds to one user login account. Every "user" in the system is a unique value and must not be duplicated.

The "group" referred to above is a collection of users, namely a collection of users with a common characteristic (for example the collection of senior staff).

The "role" referred to above is a post in the organizational structure of the user population of the information system 100 (for example, "Finance Department Cashier 3"). If the third business division has two managers, the third business division unit has two roles, "Third Business Division Manager 1" and "Third Business Division Manager 2". Every "role" in the system is a unique value and must not be duplicated.

The "organization" referred to above is an organizational unit established by the user population of the information system 100 (for example an enterprise); it may be a formal or a temporarily established organization, and its members are the collection of roles of that unit.

Figure 2 shows the correspondence among "group", "user", "role" and "organization" according to the present invention.
"Group" and "user" are in a many-to-many relationship: one group can contain a plurality of users, and one user can also belong to several groups. "User" and "role" are in a one-to-many relationship: one user can play several roles (that is, hold several posts at once), but one role can be played by only one user. "Organization" and "role" are in a one-to-many relationship: one organizational unit can contain several roles, but one role can belong to only one organizational unit.

Figure 3 shows a practical example of the relationships of Figure 2. "User 1", "User 2" and "User 4" belong to "Group 1"; "User 3", "User 4" and "User 5" belong to "Group 2". "Department 1" has three posts, "Role 1", "Role 2" and "Role 3": "User 1" holds both "Role 1" and "Role 2" (several posts at once) and "User 2" plays "Role 3". "Department 2" has two posts, "Role 4" and "Role 5": "User 2" plays "Role 4" and "User 3" plays "Role 5", so that "User 2" holds both "Department 1 Role 3" and "Department 2 Role 4". "Department 3" has two posts, "Role 6" and "Role 7": "User 4" plays "Role 6" and "User 5" plays "Role 7".

Figures 4A to 4J show the user registration data tables of an embodiment of the present invention. The user registration data comprise an identity object, a group object, an organization object and a role object, and the permission settings are based on these objects. The data content of the four objects and the relations among them are recorded in tables, comprising: a user data table, a group data table, a group-user data table, a department data table, a unit data table, a position data table, a role data table, a user-role data table, a system work item data table and a permission data table.
The identity object recorded in the permission database 151 comprises the user identification number and user name of every user of the information system 100, recorded in a user data table as shown in Figure 4A.

The group object recorded in the permission database 151 comprises the group data by which the user population of the information system 100 is divided, recorded in a group data table whose records contain a group identification number and a group name, as shown in Figure 4B.

The organization object recorded in the permission database 151 comprises the organizational structure of the user population of the information system 100. It is recorded in a department data table, whose records contain a department identification number and the organizational level it corresponds to, and a unit data table, whose records contain a unit identification number and the unit name it corresponds to, as shown in Figures 4C and 4D respectively.

The role object recorded in the permission database 151 comprises a description of the posts in the organizational structure of the user population of the information system 100; the description contains organizational structure data, position data and serial number data, as shown in Figure 4E.

The organizational structure data in Figure 4E is the department identification number of the department object described above.

The position data in Figure 4E is the description of each position held within the user population of the information system; it is recorded in a position data table whose records contain a position identification number and a position name, as shown in Figure 4F.
The serial number data in Figure 4E is a number used to distinguish several identical positions belonging to the same department when several position identification numbers correspond to a single department identification number. The role name described above is thus "department + position + serial number".

The association between the user identity object and the group object recorded in the permission database 151 is recorded in a group-user data table, which contains the group identification number and the user identification numbers corresponding to it, as shown in Figure 4G.

The association between the user identity object and the role object recorded in the permission database 151 is recorded in a user-role data table, which contains the user identification number and the role identification numbers corresponding to it, as shown in Figure 4H.

The correspondence between the user identification number and the organization identification number recorded in the permission database 151 is not recorded in any single table; it is obtained by cross-referencing the user-role data table of Figure 4H with the role data table of Figure 4E.

The permission database 151 further contains a permission data table and a system work item data table. The system work item data table contains a work item identification number and a work item name, as shown in Figure 4I. The permission data table establishes the relation between a system work item and the object permitted to use it; its records contain a work item identification number and a permitted-object identification number, as shown in Figure 4J.

The permitted-object identification number recorded in the permission data table may be designated as any one of a user identification number, a group identification number, a department identification number and a role identification number.
Figure 5 shows the associations among the data tables of Figures 4A to 4J. It also shows the correspondences among "user", "group", "role" and "organizational unit" in the information system.

Figure 6 shows a method of controlling user permissions implemented on the above system. In step 60 the user enters a user identification number to log in to the system. Step 61 is the step of issuing a permission query request, which is issued by the data service server 13 and transmitted to the permission control server 15, so that the permission control server 15 looks up the permission settings of that particular user. The permission database query procedure 63 is then executed; it comprises step 631, the user identity object processing step; step 633, the group object processing step; step 635, the role object processing step; step 637, the organization object processing step; and step 639, the permission data table query step, by which the work items the user is permitted to use are confirmed. Step 65 is the step of returning the permission confirmation list, in which the permission control server 15 returns the work items found in step 639, for which the user has permission, to the data service server 13.

Step 631, the user identity object processing step, queries a user data table (Figure 4A) in the permission database 151 with the identification number of the user logging in to the information system, to confirm whether that user is a legitimate user of the information system; if the user is not a user of the system, step 67 is entered and the system is exited.

Step 633, the group object processing step, queries a group-user data table in the permission database with the identification number of the user logging in to the information system, to confirm the group identification numbers corresponding to that user.
Step 635, the role object processing step, queries a user-role data table in the permission database with the user's identification number, to confirm the role identification numbers corresponding to that user.

Step 637, the organization object processing step, queries a role data table in the permission database with the user's role identification numbers, to confirm the department identification numbers to which the user belongs.

Step 639, the permission data table query step, queries a permission data table in the permission database with the user identification number, group identification numbers, role identification numbers and department identification numbers found in steps 631, 633, 635 and 637, to confirm the work items for which the user has permission.

The above method of controlling and managing user permissions may further comprise a permission data cache storing step, which stores the permission confirmation items returned in step 65 in the permission data cache block of the data service server. When the user wants to open a functional operation of the system, the system can then look up the user's permission for that functional operation quickly from the cache block, without repeating steps 601 to 617.

An application software system and an enterprise example are used below to illustrate the implementation of the method of the present invention and to compare it with current permission control mechanisms, so as to bring out the benefits of the present invention.

Suppose an enterprise X has 10 employees, {employee name (employee identification number) | A (001), B (002), C (003), D (004), E (005), F (006), G (007), H (008), I (009), J (010)}. Its organizational structure is shown in Figure 7: the organization has three departments, {unit name (unit identification number) | general manager's office (PO), administration department (AD), business department (BU)}. Within the "general manager's office" there are one "general manager" and one "secretary"; within the "administration department" there are one "manager", one "expense verification clerk", one "personnel administrator" and one "leave clerk"; within the "business department" there are one "manager", one "assistant engineering manager", two "engineers" and one "sales representative". The employees and the positions they hold are {position (employee name) | general manager (A), general manager's office secretary (B), administration department manager (C), expense verification clerk (D), personnel administrator (E), leave clerk (F), business department manager (C), assistant engineering manager (G), engineer (H), engineer (I), sales representative (J)}; employee C holds the posts of administration department manager and business department manager concurrently. Enterprise X has an information management system whose work items and their permissions are described in Figure 8.

Current practice one decides permissions on the basis of the "user". Its user data table is shown in Figure 9A, and the content of the permission data table that satisfies the assumptions of enterprise X under this user-based practice is shown in Figure 9B.

Current practice two decides permissions on the basis of the "group", adding the group data table of Figure 10A and the group-user data table of Figure 10B; here the "groups" (or "roles") are divided by position, and the permission and related data table contents that satisfy the assumptions of enterprise X are shown in Figure 10C.
With the permission control method provided by the present invention, "group", "user", "role" and "organization" are all considered together, so the data tables comprise a user data table, a group data table, a group-user data table, a department data table, a unit data table, a position data table, a role data table and a user-role data table, with the permission settings recorded in a permission data table. The user data table is the same as Figure 9A. For simplicity the group data table assigns all 10 employees of enterprise X to one "all staff" group, as shown in Figures 11A and 11B. Because "organization" and "role" are added as bases for deciding permissions, a department data table, a unit data table, a position data table, a role data table and a user-role data table are added, as shown in Figures 11C to 11G. The permissions of each employee of enterprise X are recorded in the permission data table of Figure 11H.

Now suppose enterprise X announces a personnel change: user C (003) is to hold only one of the two manager posts, and the vacated manager post is taken over by a newly hired employee K (011).

When this case occurs, what changes must the system administrator make to the permissions and the related data table contents? The current permission management systems are compared with the method of the present invention below, to bring out the advantages and benefits of the present invention.

First, the practice that decides permissions on the basis of the "user": when the case above occurs, the system administrator has to change the permission and related data table contents as shown in Figure 12 to satisfy it.

With the "group" as the basis for deciding permissions, when the case above occurs the system administrator has to change the permission and related data table contents as shown in Figure 13 to satisfy it.

With the present invention as the basis for deciding permissions, when the case above occurs the system administrator has to change the permission and related data table contents as shown in Figure 14 to satisfy it.
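The lookup procedure of Figure 6 and the enterprise X personnel change, worked through as an added Python example that is not part of the patent. It assumes a simple in-memory form of the tables of Figures 4A to 4J (users, groups, group-user pairs, departments, positions, roles named "department + position + serial", user-role pairs, work items, and a permission table whose grantee column may hold a user, group, department or role identifier). The work items, the grants, the organizational levels and which of C's two manager posts is vacated are my own constructed choices, since Figure 8 and Figures 11 to 14 are not reproduced on the page; `PermissionDB`, `build_x_enterprise` and `personnel_change_demo` are names I introduce here.

```python
"""Four-object permission model (user, group, role, organization), the Figure 6
lookup and the enterprise X personnel change.  All rows below are constructed."""
from dataclasses import dataclass, field


@dataclass
class PermissionDB:
    users: dict = field(default_factory=dict)        # user id -> name                 (Fig. 4A)
    groups: dict = field(default_factory=dict)       # group id -> name                (Fig. 4B)
    departments: dict = field(default_factory=dict)  # department id -> org level      (Fig. 4C)
    positions: dict = field(default_factory=dict)    # position id -> title            (Fig. 4F)
    roles: dict = field(default_factory=dict)        # role id -> (dept, position, serial) (Fig. 4E)
    group_users: set = field(default_factory=set)    # (group id, user id) pairs       (Fig. 4G)
    user_roles: set = field(default_factory=set)     # (user id, role id) pairs        (Fig. 4H)
    work_items: dict = field(default_factory=dict)   # work item id -> name            (Fig. 4I)
    permissions: set = field(default_factory=set)    # (work item id, grantee id)      (Fig. 4J)

    def add_role(self, dept, position, serial=1):
        """Role naming from the patent: department + position + serial number."""
        if dept not in self.departments or position not in self.positions:
            raise KeyError("role must reference an existing department and position")
        rid = f"{dept}-{position}-{serial}"
        self.roles[rid] = (dept, position, serial)
        return rid

    def holder_of(self, role_id):
        """The single user playing a role (Figure 2: one role, at most one user), or None."""
        return next((u for (u, r) in self.user_roles if r == role_id), None)

    def assign_role(self, user_id, role_id):
        if user_id not in self.users or role_id not in self.roles:
            raise KeyError("unknown user or role")
        holder = self.holder_of(role_id)
        if holder not in (None, user_id):        # enforce the one-to-many cardinality
            raise ValueError(f"{role_id} is already held by user {holder}")
        self.user_roles.add((user_id, role_id))

    def reassign_role(self, role_id, new_user):
        """Personnel change: only the user-role table changes; permission rows stay put."""
        self.user_roles.discard((self.holder_of(role_id), role_id))
        self.assign_role(new_user, role_id)

    def permitted_work_items(self, user_id):
        """Steps 631 to 639 of Figure 6.  None models step 67 (not a registered user)."""
        if user_id not in self.users:                                    # step 631
            return None
        groups = {g for (g, u) in self.group_users if u == user_id}       # step 633
        roles = {r for (u, r) in self.user_roles if u == user_id}         # step 635
        depts = {self.roles[r][0] for r in roles}                         # step 637
        # Fig. 4J keeps one grantee-id column for all four object kinds, so the four
        # id spaces must never collide (here: 3 digits, "G..", 2 letters, hyphenated).
        grantees = {user_id} | groups | roles | depts                     # step 639
        return sorted(w for (w, g) in self.permissions if g in grantees)


def build_x_enterprise():
    """Enterprise X of the patent's worked example; work items and grants are assumed."""
    db = PermissionDB()
    db.users.update({"001": "A", "002": "B", "003": "C", "004": "D", "005": "E",
                     "006": "F", "007": "G", "008": "H", "009": "I", "010": "J"})
    db.groups["G01"] = "all staff"                       # the single group of Fig. 11A
    db.group_users.update(("G01", uid) for uid in db.users)
    db.departments.update({"PO": 1, "AD": 2, "BU": 2})   # organizational levels assumed
    db.positions.update({"GM": "general manager", "SEC": "secretary", "MGR": "manager",
                         "EXP": "expense verification clerk", "HR": "personnel administrator",
                         "LV": "leave clerk", "AEM": "assistant engineering manager",
                         "ENG": "engineer", "REP": "sales representative"})
    staffing = [("PO", "GM", 1, "001"), ("PO", "SEC", 1, "002"),
                ("AD", "MGR", 1, "003"), ("AD", "EXP", 1, "004"),
                ("AD", "HR", 1, "005"), ("AD", "LV", 1, "006"),
                ("BU", "MGR", 1, "003"), ("BU", "AEM", 1, "007"),
                ("BU", "ENG", 1, "008"), ("BU", "ENG", 2, "009"),
                ("BU", "REP", 1, "010")]                  # C holds both manager posts
    for dept, pos, serial, uid in staffing:
        db.assign_role(uid, db.add_role(dept, pos, serial))
    db.work_items.update({"W01": "file leave request", "W02": "approve expense claim",
                          "W03": "edit personnel records", "W04": "view sales pipeline",
                          "W05": "sign annual budget"})
    db.permissions.update({("W01", "G01"),        # group grant: every employee
                           ("W02", "AD-MGR-1"),   # role grant
                           ("W03", "AD-HR-1"),    # role grant
                           ("W04", "BU"),         # department grant
                           ("W05", "001")})       # user grant
    return db


def personnel_change_demo():
    """Assumed: C (003) gives up the administration manager post; new hire K (011) takes it."""
    db = build_x_enterprise()
    before = db.permitted_work_items("003")
    db.users["011"] = "K"
    db.group_users.add(("G01", "011"))
    db.reassign_role("AD-MGR-1", "011")
    return before, db.permitted_work_items("003"), db.permitted_work_items("011"), len(db.permissions)


if __name__ == "__main__":
    print(personnel_change_demo())
```

The demo shows the maintenance point the comparison above is making: moving a post from C to K touches only the user table, the group-user table and the user-role table, while the permission table of Figure 4J is left untouched, and C's and K's work items change accordingly. Two checks a practitioner would add to a real implementation of this schema are the ones the code enforces: a role may have at most one holder, and the identifier spaces sharing the grantee column must not overlap, or a user grant could silently match a group or department.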
As mentioned above, Fu Yibu T2, grasping the authority management structure mentioned in the present invention, indeed, Γ2: ... the maintenance of authority data. The 4 benefits mentioned above are more significant for enterprises with complex functional systems and high frequency of operations. “Secondly, the protection of the authority control mechanism has only its shortcomings in actual operation. And it's easy to turn it over in the company's staff: 过;: lai system r ::: judgment == wrong ,: send = in the content, we = group: solid r color "user 4 in K" "jf The basic traditional approach also aims at proposing "departments": not only changed: ", but also the collection of" role ": to achieve the lack of flexibility and dynamics, but also to structure the requirements for authority control. King M, various enterprise organizations 554278 5. Invention description (15) Although the present invention has been disclosed above with several preferred embodiments, it is not intended to limit the present invention. Anyone who is familiar with this technology will not depart from the invention. Within the spirit and scope, various changes and retouches can be made, and all changes and retouches made are within the scope of the patent application attached to the present invention.
Brief Description of the Drawings

Figure 1 shows a schematic of a system environment in which the method of the present invention is implemented.
Figure 2 shows the correspondence between "group", "user", "role" and "organization" according to the present invention.
Figure 3 shows the relationships among the four kinds of objects in the access-control system according to the present invention.
Figures 4A to 4J show the data tables of the permission database according to the present invention.
Figure 5 shows the relationships among the data tables of Figures 4A to 4J.
Figure 6 shows a flowchart of the steps by which permissions are determined according to the method of the present invention.
Figure 7 shows the work items of an information system and their access-control data according to an embodiment of the present invention.
Figures 9A and 9B show data tables with "user" as the basis of permission determination.
Figures 10A to 10C show data tables with "group" as the basis of permission determination.
Figures 11A to 11H show data tables according to an embodiment of the present invention.
Figure 12 shows the data-table maintenance work when "user" is the basis of permission determination.
Figure 13 shows the data-table maintenance work when "group" is the basis of permission determination.
Figure 14 shows the data-table maintenance work when the method of the present invention is the basis of permission determination.

Reference numerals of main elements

100 information system
101 client computer
11 service and control subsystem
13 data service server
131 service module
135 query module
15 permission control server
151 permission database
155 link processing module
1551 identity object processing submodule
1553 group object processing submodule
1555 organization object processing submodule
1557 role object processing submodule
60 step: user logs into the system
61 step: permission query request is issued
63 permission database query procedure
631 user identity object processing step
633 group object processing step
635 role object processing step
637 organization object processing step
639 permission table query step
65 step: permission confirmation list is returned
67 leave the system
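As an added example (written for this page, not code from patent TW554278B), the following Python models the nine data tables named in the description and resolves a user's permission list through the identity, group, role and organization objects, following the query steps numbered 60 to 67 in the list of reference numerals above, and then applies the personnel change described in the comparison case. The table rows, the grants, the assumption that a job (position) row records its current holder and the roles the position carries, and the row-count comparison against a per-user permission table are all assumptions made here; the page does not state how the patent keys its tables.

```python
"""Added example for the data tables and the personnel-change case in the
description, and for query steps 60-67 among the reference numerals. It is an
illustration written for this page, not code from patent TW554278B; the rows,
the grants and the way rows are keyed are assumptions made here."""

from copy import deepcopy

# Constructed tables (assumptions): a job row records its current holder, which
# ties a user to a unit and a department, and lists the roles the position
# carries; a permission row grants operations to a subject (kind, id).
TABLES = {
    "user":       {"003": "C", "005": "E", "011": "K"},
    "group":      {"G1": "all employees"},
    "group_user": {"G1": {"003", "005", "011"}},
    "department": {"D1": "sales"},
    "unit":       {"U1": {"department": "D1", "name": "sales unit 1"}},
    "job":        {"J1": {"unit": "U1", "title": "manager", "holder": "003", "roles": {"R1"}},
                   "J2": {"unit": "U1", "title": "clerk",   "holder": "005", "roles": set()}},
    "role":       {"R1": "department manager", "R2": "staff"},
    "user_role":  {"003": {"R1", "R2"}, "005": {"R2"}, "011": {"R2"}},
    "permission": {("group", "G1"):      {"read_bulletin"},
                   ("role", "R1"):       {"approve_order"},
                   ("role", "R2"):       {"enter_order"},
                   ("department", "D1"): {"read_sales_report"},
                   ("unit", "U1"):       {"print_label"}},
}


def resolve_permissions(tables, user_id):
    """Steps 631-639: collect the subjects that apply to a user and look each
    one up in the permission table; the sorted result is the confirmation
    list returned in step 65."""
    if user_id not in tables["user"]:                     # 631 identity object
        raise KeyError(f"unknown user {user_id}")
    subjects = []
    for gid, members in tables["group_user"].items():    # 633 group objects
        if user_id in members:
            subjects.append(("group", gid))
    for rid in tables["user_role"].get(user_id, ()):     # 635 role objects
        subjects.append(("role", rid))
    for job in tables["job"].values():                   # 637 organization objects
        if job["holder"] == user_id:
            subjects.append(("unit", job["unit"]))
            subjects.append(("department", tables["unit"][job["unit"]]["department"]))
    granted = set()
    for subject in subjects:                             # 639 permission-table lookup
        granted |= tables["permission"].get(subject, set())
    return sorted(granted)


def transfer_position(tables, job_id, old_user, new_user):
    """The personnel change in the description: old_user leaves a position and
    new_user takes it. Returns the number of table rows the administrator
    writes under this model (one job row plus two user-role rows)."""
    job = tables["job"][job_id]
    if job["holder"] != old_user:
        raise ValueError(f"{old_user} does not hold {job_id}")
    job["holder"] = new_user
    tables["user_role"][old_user] -= job["roles"]
    tables["user_role"].setdefault(new_user, set()).update(job["roles"])
    return 3


def user_based_rows_changed(before, after):
    """For comparison with the conventional per-user design, where every grant
    is stored directly against each user: count the (user, permission) rows
    that must be deleted or inserted to reach the same outcome."""
    changed = 0
    for uid in before["user"]:
        old = set(resolve_permissions(before, uid))
        new = set(resolve_permissions(after, uid))
        changed += len(old ^ new)
    return changed


def demo():
    """Run the comparison case on copies of the constructed tables."""
    before = deepcopy(TABLES)
    after = deepcopy(TABLES)
    model_rows = transfer_position(after, "J1", "003", "011")
    return {
        "C_before": resolve_permissions(before, "003"),
        "C_after": resolve_permissions(after, "003"),
        "K_after": resolve_permissions(after, "011"),
        "rows_four_object_model": model_rows,
        "rows_user_based": user_based_rows_changed(before, after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With these constructed rows, moving the manager position from C (003) to K (011) touches three rows in the four-object model, whereas a flat per-user table would need six (user, permission) rows deleted or inserted; the gap widens with every extra grant attached to the position, which is the point the description makes about enterprises with frequent personnel changes.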
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW091109555A TW554278B (en) | 2002-05-08 | 2002-05-08 | Method and system for controlling the access right of information system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW091109555A TW554278B (en) | 2002-05-08 | 2002-05-08 | Method and system for controlling the access right of information system |
Publications (1)
Publication Number | Publication Date |
---|---|
TW554278B true TW554278B (en) | 2003-09-21 |
Family
ID=31974825
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW091109555A TW554278B (en) | 2002-05-08 | 2002-05-08 | Method and system for controlling the access right of information system |
Country Status (1)
Country | Link |
---|---|
TW (1) | TW554278B (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100370737C (en) * | 2003-11-12 | 2008-02-20 | 鸿富锦精密工业(深圳)有限公司 | Managing system and method for user authority |
- 2002-05-08 TW TW091109555A patent/TW554278B/en not_active IP Right Cessation
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109032458B (en) | | Form data authorization method based on role acquisition |
CA2436594A1 (en) | | System and method of discovering information |
CN111935073A (en) | | Authority management method and system of cloud platform based on multi-organization architecture |
JP7339634B2 (en) | | How to set permissions to view operation records based on time zone |
CN112463839A (en) | | Enterprise information query method and system |
CN102355481A (en) | | Electronic document office system |
Cheng | | An object-oriented organizational model to support dynamic role-based access control in electronic commerce applications |
TW554278B (en) | | Method and system for controlling the access right of information system |
Aftab et al. | | RBAC architecture design issues in institutions collaborative environment |
CN114331387A (en) | | Cultural relic intelligent integrated service management system |
Sun | | Exploration and reflection on the construction of university archives management system under the background of information technology |
Huang et al. | | A multi-tenant software as a service model for large organization |
Ma et al. | | Extended RBAC model with task-constraint rules |
Gao | | Research and Implementation of Public Laboratory Information System Based on CS Structure |
Belikova | | Economic networking as implied in property law: certain aspects |
Zhu | | Exploring the Informationization of Land Reserve Archives Management |
Ferreira et al. | | Identity management: a comparative approach |
Fan et al. | | The Xi'an Construction Market Supervision Information System |
Zhi | | Design of a source data management system for data middle platform |
CN118153676A (en) | | Knowledge base-based data rapid carding method and system |
JP2001134432A (en) | | System for managing authority of office software use |
Liang et al. | | Role based workflow modeling |
Wei | | Application Research of Computer Big Data Technology in Enterprise Economic Management System |
Sun et al. | | Access Control Policy Management Based on Data Classification and Hierarchy |
Wibowo | | Legal aspects of land administration service with land computerization information systems in Sidoarjo |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| GD4A | Issue of patent certificate for granted invention patent | |
| MM4A | Annulment or lapse of patent due to non-payment of fees | |