WO2008086757A1 - Dispositif et procédé de commande d'accès à un document électronique - Google Patents

Dispositif et procédé de commande d'accès à un document électronique Download PDF

Info

Publication number
WO2008086757A1
WO2008086757A1 PCT/CN2008/070108 CN2008070108W WO2008086757A1 WO 2008086757 A1 WO2008086757 A1 WO 2008086757A1 CN 2008070108 W CN2008070108 W CN 2008070108W WO 2008086757 A1 WO2008086757 A1 WO 2008086757A1
Authority
WO
WIPO (PCT)
Prior art keywords
user
electronic document
role
basic unit
data
Prior art date
Application number
PCT/CN2008/070108
Other languages
English (en)
Chinese (zh)
Inventor
Donglin Wang
Original Assignee
Beijing Sursen Co., Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Sursen Co., Ltd filed Critical Beijing Sursen Co., Ltd
Publication of WO2008086757A1 publication Critical patent/WO2008086757A1/fr

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06QINFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/10Office automation; Time management
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6209Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Definitions

  • the present invention relates to the field of electronic documents, and in particular, to an apparatus and method for access control of an electronic document. Background of the invention
  • ACL access control list
  • the security technology designed for electronic document systems mainly protects against external threats, and lacks prevention against internal threats.
  • the leakage of sensitive information of enterprises is caused by intentional or unintentional internal users.
  • embodiments of the present invention provide an apparatus and method for access control of an electronic document, which solves the problem that the security of the electronic document is not high in use.
  • the electronic document is composed of at least two basic units, and the basic unit provided with the authority has at least one authority;
  • a document processing module configured to divide an electronic document into basic units, define a user set and a permission set of the basic unit, and establish a correspondence between a user and a right of the basic unit;
  • the permission control module is configured to determine whether the user requesting access has the right to perform corresponding operations on a basic unit, and if so, allows the user to perform corresponding operations on the basic unit; otherwise, the user's request is rejected.
  • an apparatus and method for access control of an electronic document in the process of processing an electronic document, or in the process of maintaining an electronic document processed according to the method , the electronic document can be divided into basic units with operation authority, the user is defined, and the user is given the right to the basic unit.
  • the permission of the element, if owned, allows the user to access the base unit; otherwise the user is denied access to the base unit.
  • the embodiment of the present invention can effectively control the access authority of the internal or external user to the basic unit included in the electronic document, and reduce the granularity of the security control in the electronic document to a more detailed basic unit level, and utilize the electronic document.
  • the access control technology implements the enterprise's document protection strategy, thus solving the problem of low security of electronic documents in use.
  • FIG. 1 is a schematic structural diagram of an access control apparatus for an electronic document according to an embodiment of the present invention.
  • FIG. 1 is a schematic flowchart diagram of an access control method for an electronic document according to an embodiment of the present invention.
  • FIG. 3 is a schematic structural diagram of an apparatus for processing an electronic document according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart diagram of a method for processing an electronic document according to an embodiment of the present invention.
  • FIG. 5 is a schematic structural diagram of an apparatus for processing an electronic document according to Embodiment 1 of the present invention.
  • FIG. 6 is a schematic flowchart diagram of a method for processing an electronic document according to Embodiment 1 of the present invention.
  • FIG. 7 is a schematic flowchart of using an electronic document in Embodiment 1 of the present invention.
  • FIG. 8 is a schematic structural diagram of an apparatus for processing an electronic document according to Embodiment 2 of the present invention.
  • FIG. 9 is a schematic flowchart diagram of a method for processing an electronic document according to Embodiment 2 of the present invention.
  • FIG. 10 is a schematic flowchart of using an electronic document in Embodiment 2 of the present invention.
  • FIG. 11 is a schematic structural diagram of an apparatus for processing an electronic document according to Embodiment 3 of the present invention.
  • FIG. 12 is a schematic flowchart diagram of a method for processing an electronic document according to Embodiment 3 of the present invention.
  • FIG. 13 is a schematic flowchart of using an electronic document in Embodiment 3 of the present invention.
  • FIG. 14 is a schematic flowchart diagram of a method for processing a budget grant voucher according to an embodiment of the present invention.
  • FIG. 15 is a schematic flowchart of using a budget grant voucher in an embodiment of the present invention.
  • 16 is a schematic diagram of a budget allocation voucher in an embodiment of the present invention.
  • FIG. 17 is a schematic flowchart diagram of a method for processing an electronic report according to an embodiment of the present invention.
  • FIG. 18 is a schematic flow chart of verifying basic unit rights of an electronic report according to an embodiment of the present invention.
  • FIG. 19 is a schematic flowchart of data permission verification of an electronic report according to an embodiment of the present invention. Mode for carrying out the invention
  • An apparatus and method for performing access control on an electronic document in the process of processing an electronic document, or in maintaining an electronic document processed according to the method, dividing the electronic document into basic units, and defining the The set of permissions for the base unit, defines the set of users, and establishes the correspondence between the permissions of the user and the base unit.
  • FIG. 1 is a schematic structural diagram of an access control apparatus for an electronic document according to an embodiment of the present invention.
  • the device is used to control the access rights of the electronic document.
  • the device includes: a document processing module 101 and an authority control module 102.
  • the document processing module 101 is configured to divide the electronic document into basic units, define a set of users and a set of permissions of the basic unit, and establish a correspondence between the rights of the user and the basic unit.
  • FIG. 2 is a schematic flowchart diagram of an access control method for an electronic document according to an embodiment of the present invention. As can be seen from Figure 2, the method includes:
  • Step 201 Divide the electronic document into a basic unit, define a user set and a permission set of the foregoing basic unit, and establish a correspondence between the user and the authority of the basic unit.
  • the permission of the basic unit if owned, allows the user to access the above basic unit; otherwise the access of the user is denied.
  • An apparatus and method for processing an electronic document according to an embodiment of the present invention in the process of processing an electronic document, or in maintaining an electronic document processed according to the method, dividing the electronic document into basic units and defining the basic unit A collection of permissions, defining a collection of users, establishing a correspondence between the permissions of the user and the base unit.
  • Fig. 3 is a schematic structural view of an apparatus for processing an electronic document according to an embodiment of the present invention.
  • the device is used to create an electronic document with access control.
  • the device comprises: a document setting module 301, a document output module 302.
  • the unit setting module 301 is configured to divide the electronic document into basic units, define a set of rights of the user set and the basic unit, and establish a correspondence between the rights of the user and the basic unit.
  • the document output module 302 is used to output an electronic document output by the unit setting module 301 including the above-mentioned corresponding relationship.
  • FIG. 4 is a schematic flow chart of a method for processing an electronic document according to an embodiment of the present invention. This method is used to create an electronic document with access control, as seen in Figure 4, which includes:
  • Step 401 Divide the electronic document into basic units, define a user set and a permission set of the basic unit, and establish a correspondence between the user and the rights of the basic unit.
  • Step 402 Output an electronic document having the above correspondence.
  • an apparatus and method for processing an electronic document provided by the present invention will be described in detail by way of embodiments.
  • Fig. 5 is a schematic structural view of an apparatus for processing an electronic document according to a first embodiment of the present invention.
  • the apparatus includes: a template selection module 501, a unit setting module 502, a set definition module 503, a relationship establishing module 504, and a document output module 505.
  • the template selection module 501 is configured to select a template used by the electronic document in the process of processing the electronic document or in maintaining the electronic document processed according to the method.
  • the unit setting module 502 is for dividing the electronic document output by the template selection module 501 into basic units.
  • the set definition module 503 is configured to define a set of permissions of the basic unit and define a set of users in the electronic document including the basic unit output by the unit setting module 502.
  • the set definition module includes: a rights set definition unit 5031, and a user set definition unit 5033.
  • the permission set definition unit 5031 is configured to define a permission set of the basic unit in the electronic document including the basic unit output by the unit setting module 502.
  • the user set definition unit 5033 is for defining a set of users in the electronic document including the basic unit output by the unit setting module 502.
  • the relationship establishing module 504 is configured to establish a correspondence between the rights of the user and the basic unit in the electronic document including the above set output by the set definition module 503.
  • the document output module 505 is used to output an electronic document output by the relationship establishing module 504 including the above-mentioned corresponding relationship.
  • FIG. 6 is a schematic flowchart diagram of a method for processing an electronic document according to Embodiment 1 of the present invention. As can be seen from Figure 6, the method includes: Step 601: Select a template of an electronic document.
  • the user first determines the template used by the electronic document.
  • Templates for electronic documents are stored as template files and managed in the form of a directory tree.
  • the template of the electronic document includes information such as the name, identification (ID), character format, paragraph format, and page format of all controls in the current electronic document.
  • the electronic document uses a layout template, such as a SEF format template, and the parser that uses the corresponding layout template on the client parses and displays the data.
  • the above template definition information is stored in a template file, such as an xef file.
  • the document data can be stored in an encrypted data file, such as an encrypted sfd file; or it can be stored in a database.
  • the user can create an electronic document template for the electronic document to be processed and create a new directory or a specified directory for the newly created electronic document template.
  • the user can also download an electronic document template containing the structure of the directory tree from the web server, directly import it locally, automatically generate a local directory tree, and display it in the electronic document filling tool.
  • the user can perform local maintenance on the imported form template directory tree, such as delete, add, rename template files, delete, add, rename directories, and so on.
  • Step 602 Divide the electronic document into basic units.
  • the electronic document needs to be divided into multiple basic units, so that when the user accesses the electronic document, the access process is refined to access different basic units in the electronic document.
  • the basic unit can be divided according to the functional area in the electronic document, and the way to divide the electronic document into different basic units can be implemented by using user controls.
  • the functional area in the electronic document can refer to, for example: The basic unit of payment unit, payment unit, appropriation amount, purpose, payment unit bank seal and bank accounting entry in the certificate (revenue certificate).
  • the user control corresponding to each basic unit is identified by a globally unique identifier, which generally refers to the user control ID, and the user control ID uniquely represents a user control in the current electronic document system.
  • a globally unique identifier may also be formed by adding a domain name of the current system or other manners conforming to the corresponding naming convention on the basis of the above-mentioned user control ID.
  • the properties of the user control are preset in advance, the flexibility is not strong. Therefore, preferably, the way to divide the document into different basic units can be implemented by using a custom control. Users can customize the various properties of the custom control, so the custom control is more suitable for the application to display dynamic content, especially the custom control design can be used by different applications.
  • Step 603 Define a permission set (PERMISSIONS) of the basic unit, and define a user set (USERS). This step specifically includes:
  • Sub-step 1 Define the permission set, that is, define the operation permission information of the basic unit, and record the possible operation authority for each basic unit.
  • a permission set refers to a set of operation rights for accessing a basic unit in an electronic document system, wherein the operation authority is an operable right to a certain data or document, such as display, printing, and editing of a basic unit of an electronic document. ;
  • the permissions for display and printing are inseparable, and because some basic units are not editable, editing permissions cannot be set.
  • the above editing rights to the basic unit include filling, adding, deleting, modifying, etc. of the data in the basic unit.
  • the electronic document can be divided into a plurality of basic units, each of which has multiple operating rights, and the operating rights can be different, for example, some basic units have delete rights, and other basic units do not.
  • Operation authority can be regarded as basic order Meta attribute characteristics.
  • Substep 2 Define a collection of users to bind different roles to different users.
  • a user collection is a collection of users who can independently access documents, data, or other resources represented by data in an electronic document system.
  • the user is the subject of the operation of the document, and may be a person, a computer, etc., which may be an account in the electronic document system.
  • the order of the above sub-steps is not fixed, that is, the definition order of the sets is not fixed.
  • Step 604 Establish a correspondence between the rights of the user and the basic unit
  • the establishment of this correspondence can be achieved by assigning the rights of the basic unit to the users in the user collection, which describes the mapping of the user and the basic unit rights.
  • This correspondence may be a many-to-many relationship, or a one-to-many, many-to-one, or one-to-one relationship. That is to say, one user has multiple operation rights of multiple basic units, and each operation authority of each basic unit can also be owned by multiple users.
  • the permission obtained by the user through the correspondence is the union of all the operation permission sets of all the basic units. In fact, some users may not have access to any permissions, but some may not be assigned to any user.
  • the user when the user uses the electronic document, that is, after the user logs in, the user reduces the granularity of the security control to a more detailed basic unit level according to the different rights of the basic unit that he owns, and the corresponding relationship is accessed by the user in the electronic When the document is used, it is the basic unit permission check.
  • Step 605 Output an electronic document including the above correspondence.
  • FIG. 7 is a schematic flowchart of using an electronic document according to Embodiment 1 of the present invention. As can be seen from Figure 7, the process includes:
  • Step 701 When the user performs an operation on the basic unit, determine whether the user has the right The base unit performs the authority to operate accordingly; if there is a jump to step 702, otherwise jumps to step 703.
  • Step 702 The user obtains the corresponding authority, and the user can use the acquired permission to operate the basic unit, and end the permission verification process.
  • Step 703 The user does not obtain the corresponding authority, and the electronic document prompts the user that the user does not have the corresponding authority, and ends the permission verification process.
  • the access control apparatus and method for an electronic document in the embodiment can be used to divide the electronic document into a plurality of basic units in the process of processing an electronic document or in maintaining an electronic document processed according to the method.
  • Each basic unit may have multiple operational rights, define different users, assign different basic units of different basic units to different users, and if allowed, allow the user to access the basic unit; otherwise, the user is denied access to the said Basic unit. Therefore, the embodiment of the present invention can effectively control the access authority of the internal or external user to the basic unit included in the electronic document, and reduce the granularity of the security control in the electronic document to a more detailed basic unit level, and utilize the electronic document.
  • the access control technology implements the enterprise's document protection strategy, thus solving the problem of low security of electronic documents in use.
  • the role set is further defined, and the different functions of the different basic units are bound to different roles, and different roles are assigned to different users, thereby effectively controlling the basics of the user in the electronic document. Access to the unit.
  • FIG. 8 is a schematic structural view of an apparatus for processing an electronic document according to a second embodiment of the present invention.
  • the device includes: a template selection module 801, a unit setting module 802, a set definition module 803, a relationship establishing module 804, and a document output module 805.
  • the template selection module 801 has the same function as the corresponding module in the first embodiment.
  • the unit setting module 802 has the same function as the corresponding module in the first embodiment.
  • the set definition module 803 is configured to define a set of rights of the above basic unit, define a set of users, and further define a set of roles in the electronic document including the basic unit output by the unit setting module 802.
  • the set definition module includes: a permission set definition unit 8031, a role set definition unit 8032, and a user set definition unit 8033.
  • the permission set definition unit 8031 has the same function as the corresponding unit in the first embodiment.
  • the role set definition unit 8032 is for defining a set of roles in the electronic document including the basic unit output by the unit setting module 802.
  • the user set definition unit 8033 has the same function as the corresponding unit in the first embodiment. In the actual application, the order of the foregoing permission set definition unit 8031, the role set definition unit 8032, and the user set definition unit 8033 is not fixed.
  • the relationship establishing module 804 is configured to establish a correspondence between the roles and the rights of the basic unit in the electronic document including the above set output by the set definition module 803; and establish a correspondence between the user and the role.
  • the relationship establishing module includes: a privilege role relationship establishing unit 8041 and a role user relationship establishing unit 8042.
  • the privilege role relationship establishing unit 8041 is configured to establish a correspondence relationship between the role and the authority of the basic unit in the electronic document including the above set output by the set definition module 803. The establishment of such a correspondence can be achieved by assigning the rights of the basic unit to the roles in the role set.
  • the role user relationship establishing unit 8042 is configured to establish a correspondence between the user and the role in the electronic document including the above set output by the set definition module 803. This correspondence can be established by assigning roles to users in the user collection.
  • the document output module 805 has the same function as the corresponding module in the first embodiment.
  • FIG. 9 is a schematic flowchart of a method for processing an electronic document according to Embodiment 2 of the present invention. As can be seen from Figure 9, the method includes:
  • Step 901 Select a template of the electronic document. This step is the same as the corresponding step in the first embodiment.
  • Step 902 Divide the electronic document into basic units. This step is the same as the corresponding step in the first embodiment.
  • Step 903 Define a permission set of the basic unit, define a user set, and further define a role set (ROLES). This step specifically includes:
  • Sub-step 1 Define a permission set. This sub-step is the same as the corresponding sub-step in the first embodiment.
  • Sub-steps 2 Define a set of roles to bind different operational permissions for different base units for different roles.
  • a role collection is a collection of roles. Roles are used to represent job responsibilities in a system, such as company managers, accountants, etc., which reflect the user's permissions. Introducing roles into rights management establishes the link between users and access rights.
  • Sub-step 3 Define user collections to bind different roles to different users. This sub-step is the same as the corresponding sub-step in the first embodiment.
  • the order of the above sub-steps is not fixed, that is, the definition order of the sets is not fixed.
  • Step 904 Establish a correspondence between the role and the authority of the basic unit; and establish a correspondence between the user and the role.
  • This step specifically includes:
  • Sub-step 1 establish the correspondence between the role and the permissions of the basic unit.
  • the establishment of this correspondence can be achieved by assigning the rights of the basic unit to the roles in the role set, which describes the mapping of the roles to the basic unit permissions.
  • This correspondence can be Many-to-many relationships can also be one-to-many, many-to-one, or one-to-one relationships, that is, a role has multiple operation rights for multiple basic units, and each operation authority of each basic unit is also Can be owned by multiple roles.
  • the privilege obtained by the role through the correspondence is the union of all the set of operating privilege of all its basic units. In fact, some roles exist, but they may not have any permissions; some permissions may not be assigned to any role.
  • Sub-step 2. Establish the correspondence between the user and the role.
  • the establishment of this correspondence can be achieved by assigning roles to users in the user collection, which describes the mapping of users to roles.
  • This correspondence can also be a many-to-many relationship, that is, one user has multiple roles, and each role can be owned by multiple users.
  • the privilege obtained by the user through this correspondence is the union of all the privilege collections of all the roles. In fact, some roles exist, but they are not assigned to any user; while some users are defined, they do not acquire any roles, so the user does not have any permissions.
  • the above correspondence can be stored in a fixed file, and the 4 bar file is stored in an appropriate place for maintenance, such as in a database or in an encrypted sec format file.
  • the user when the user uses the electronic document, that is, after the user logs in, the user obtains the different rights of the basic unit according to the role he owns, and reduces the granularity of the security control to a more detailed basic unit level, and the corresponding relationship is in the user.
  • accessing an electronic document it is the basic unit permission check.
  • Step 905 Output the above electronic document including the above correspondence.
  • FIG. 10 is a schematic flowchart of using an electronic document according to Embodiment 2 of the present invention. As can be seen from Figure 10, the process includes:
  • Step 1001 When the user logs in, obtain all the roles owned by the user. The user also has a corresponding relationship with each character that is owned, and the corresponding relationship is a dynamic relationship. Department.
  • Step 1002 When the user performs an operation on the basic unit, it is determined whether the role possessed by the user has the right to perform corresponding operations on the basic unit; if there is a jump to step 1004, otherwise the process proceeds to step 1003.
  • Step 1003 Continue to traverse the remaining roles, determine whether the other roles possessed by the user have the right to perform corresponding operations on the basic unit; if there is a jump to step 1004, otherwise jump to step 1005.
  • Step 1004 The user obtains the corresponding authority, and the user can use the acquired permission to operate the basic unit, and end the permission verification process.
  • Step 1005 The user does not obtain the corresponding authority, and the electronic document prompts the user that the user does not have the corresponding authority, and ends the permission verification process.
  • the access control apparatus and method for applying the electronic document in the embodiment may be further, in the process of processing the electronic document, or in the process of maintaining the electronic document processed according to the method, on the basis of the first embodiment, further Introduced the concept of role, through the middle bridge of roles, separated the direct connection between the user and the basic unit's authority, so that the user's change only involves the adjustment of the role, regardless of the basic unit's permissions, the same basic unit's permission changes only It involves the adjustment of the role, regardless of the user. Therefore, the embodiment of the present invention solves the problem that the security of the electronic document is not high in use, and also improves the flexibility of access control of the electronic document.
  • the inheritance of the rights is implemented by increasing the self-association between the roles.
  • FIG. 11 is a schematic structural diagram of an apparatus for processing an electronic document according to Embodiment 3 of the present invention.
  • the apparatus includes: a template selection module 1101, a unit setting module 1102, a set definition module 1103, a relationship establishing module 1104, and a document output module 1105.
  • the template selection module 1101, the unit setting module 1102, the relationship establishing module 1104, and the document output module 1105 have the same functions as the corresponding modules in the second embodiment.
  • the set definition module 1103 is configured to define, in the electronic document including the basic unit output by the unit setting module 1102, a permission set of the basic unit, define a role set, define a user set, and further define a self-association between the characters.
  • the set definition module 1103 includes: a rights set definition unit 11031, a role set definition unit 11032, and a user set definition unit 11033.
  • the permission set definition unit 11031 and the user set definition unit 11033 have the same functions as the corresponding units in the second embodiment.
  • the role set definition unit 11032 is configured to define a set of roles in the electronic document including the basic unit output by the unit setting module, and further to increase the self-association between the characters.
  • FIG. 12 is a schematic flowchart of a method for processing an electronic document according to Embodiment 2 of the present invention. As can be seen from Figure 12, the method includes:
  • Step 1201 Select a template of an electronic document. This step is the same as the corresponding step in the second embodiment.
  • Step 1202 Divide the electronic document into basic units. This step is the same as the corresponding step in the second embodiment.
  • Step 1203 Define a permission set of the basic unit (PERMISSIONS), define a role set (ROLES), define a user set (USERS), and further define a self-association between the roles.
  • Sub-steps 1, 3 are the same as the corresponding sub-steps in the second embodiment.
  • Sub-step 2 define the role set, and increase the self-association between the roles, in order to bind the different operation rights of different basic units for different roles, and realize the inheritance of the rights between the roles.
  • the self-association of a role is to establish an inheritance relationship between the roles, that is, the role can have The company manager has all the rights of accounting, so you can define the company manager role as the sub-role of the accounting role, that is, the accounting role is the parent role of the company manager role.
  • Step 1204 Establish a correspondence between the roles and the rights of the basic unit; and establish a correspondence between the user and the role. This step is the same as the corresponding step in the second embodiment.
  • Step 1205 Output the above electronic document including various correspondences. This step is the same as the corresponding step in the second embodiment.
  • FIG. 13 is a schematic flowchart of using an electronic document according to Embodiment 3 of the present invention. As can be seen from Figure 13, the process includes:
  • Step 1301 When the user logs in, all the roles owned by the user are obtained.
  • Step 1302 When the user performs an operation on the basic unit, it is determined whether the role possessed by the user has the right to perform corresponding operations on the basic unit; if there is a jump to step 1305, otherwise the process proceeds to step 1303.
  • Step 1303 Continue to traverse the remaining roles, determine whether the other roles possessed by the user have the right to perform corresponding operations on the basic unit; if there is a jump to step 505, otherwise go to step 1304.
  • step 1304 the parent roles of each role owned by the roles are sequentially invoked to determine whether the user has the right to operate the basic unit. If there is a jump to step 1305, the process jumps to step 1306.
  • the calling of the parent roles at each level of each character is preferably performed recursively.
  • Step 1305 The user obtains the corresponding authority, and the user can use the acquired permission to operate the basic unit, and end the permission verification process.
  • Step 1306 The user does not obtain the corresponding authority, and the electronic document prompts the user that the user does not have the corresponding authority, and ends the permission verification process.
  • the present invention can be applied to various specific scenarios using electronic documents.
  • Electronic filing and approval system electronic filing and approval is mainly based on electronic documents, workflow and security technologies, mainly through document control content, through workflow control process, security technology throughout the system; electronic document system can follow A variety of workflow systems, such as mail-based workflows, database-based workflows, XML-based workflows, etc., create excellent electronic filing and approval solutions.
  • the invention can be applied to an electronic document of a budget grant voucher.
  • the present invention will be described in more detail by taking an electronic document of a budget allocation voucher as an example.
  • the present invention is described by way of example only, and is not intended to limit the scope of the present invention.
  • Figure 14 is a flow chart showing the processing method of the budget appropriation voucher in the embodiment of the present invention. As can be seen from Figure 14, the method includes:
  • Step 1401 Select a template of the electronic document of the budget grant voucher.
  • the user Before the user processes the electronic document of the budget grant certificate, the user must first determine the electronic document.
  • the user can create an electronic document template for the electronic document to be processed, or download an electronic document template containing the information of the directory tree structure from the network server, and directly import it locally, which is not described in detail here.
  • Step 1402 Divide the electronic document into basic units.
  • FIG. 16 is a schematic diagram of a budget allocation voucher in an embodiment of the present invention.
  • the electronic document of the budget allocation voucher is divided into six basic units, including: payment unit 1601, payment unit 1602, allocation amount 1603, usage 1604, payment unit bank seal 1605, and bank accounting entries.
  • Different basic units such as 1606.
  • Step 1403 Define a permission set of the basic unit, define a role set, and define a user set. This step specifically includes:
  • Sub-step 1 Define the permission set, that is, define the operation permission information of the basic unit.
  • Each basic unit has several kinds of rights.
  • the rights include displaying, editing, and printing the area covered by each basic unit.
  • the editing includes the functions of filling in, modifying, deleting content, and adding content.
  • Sub-steps 2 Define a set of roles to bind different operational permissions for different base units for different roles.
  • the role is used to indicate the job responsibilities in a system, for example: In a payment unit A and a collection unit B, the electronic documents of the budget allocation certificate are usually maintained by the respective manager and accountant, and the manager is established. And accounting two roles.
  • Sub-step 3 Define user collections to bind different roles to different users.
  • the user is the subject of the operation of the document, and may be a person, a computer, etc., which may be an account in the electronic document system.
  • the user is the subject of the operation of the document, and may be a person, a computer, etc., which may be an account in the electronic document system.
  • Zhang Sanhe Four or two people will maintain the electronic documents of this budget allocation certificate.
  • Wang Wu and Zhao Liu will maintain the electronic documents of the budget allocation certificate, and then establish Zhang San, Li Si, Wang Wu and Zhao. Six of these four users.
  • Step 1404 Establish a correspondence between the roles and the rights of the basic unit; and establish a correspondence between the user and the role.
  • This step specifically includes:
  • Sub-step 1 Establish the correspondence between the role and the permissions of the basic unit.
  • the principle of access to electronic documents is:
  • the payment unit A's manager can edit the basic unit such as the payment unit and the amount of the grant according to his or her own role, but does not allow editing of the payee unit. At the same time, the entire electronic document can be displayed or printed.
  • the accounting unit of payment unit A can display or print the entire electronic document according to the role it owns, but does not allow editing of any basic unit.
  • Receiving unit B's manager can edit the basic unit such as the payee unit and the amount of the grant according to his or her own role, but does not allow editing of the paying unit.
  • the entire electronic document can be displayed or printed.
  • the accountant of the payee B can display or print the entire electronic document based on the role he or she owns, but does not allow editing of any basic unit.
  • Sub-step 2. Establish the correspondence between the user and the role.
  • the managerial responsibility of the payment unit A is held by Zhang San
  • the accounting duties are held by Li Si
  • the manager of the receiving unit B is held by Wang Wu
  • the accounting duties are held by Zhao Liu
  • Zhang San assigned the manager role of the payment unit A
  • the accounting role of the payment unit A to Li Si assigned the manager role of the payment unit B to Wang Wu
  • the accounting role of the payment unit B to Zhao Liu is assigned the accounting role of the payment unit A to Li Si
  • the manager role of the payment unit B to Wang Wu assign the accounting role of the payment unit B to Zhao Liu.
  • Step 1405 Output the above electronic document including various correspondences.
  • FIG. 15 is a schematic flowchart of using a budget allocation certificate according to an embodiment of the present invention.
  • the process includes:
  • Step 1501 When the user logs in, all the roles owned by the user are obtained.
  • Zhang San logs in with his own account he gets the role that the user has, that is, gets the manager role of payment unit A.
  • Li Si logs in with his own account he obtains the role that the user has, that is, the accounting role of the payment unit A.
  • Wang Wu logs in with his own account number he acquires the role owned by the user, that is, acquires the manager role of the payee unit B.
  • Zhao Liu logs in with his own account he obtains the role that the user has, that is, the accounting role of the payment unit B.
  • Step 1502 When the user performs an operation on the basic unit, it is determined whether the role possessed by the user has the right to perform corresponding operations on the basic unit; if there is a jump to step 1504, otherwise the process proceeds to step 1503.
  • Zhang San wants to modify the content of the payment unit, then the electronic document judges that his role is the manager of the payment unit A, and does not have the right to modify the basic unit, then jumps to step 1503 and continues to traverse his remaining roles. .
  • Li Si wishes to modify the content of the payment unit, then the electronic document judges that his role is the accountant of payment unit A, and does not have the right to modify the basic unit. Then, go to step 1503 and continue to traverse his remaining roles.
  • Zhao Liu wishes to modify the content of the appropriation amount, then the electronic document judges that his role is the accountant of the receiving unit B, and does not have the right to modify the basic unit, then jump Go to step 1503 and continue to traverse his remaining characters.
  • Step 1503 Continue to traverse the remaining roles, determine whether other roles possessed by the user have the right to perform corresponding operations on the basic unit; if there is a jump to step 1504, otherwise jump to step 1505.
  • Zhang San does not have the remaining roles, the user does not have the right to modify the basic unit of the receiving unit, and then jumps to step 1505, and the electronic document prompts that Zhang does not have the corresponding authority.
  • Zhao Six does not have the remaining roles, the user does not have the right to modify the basic unit of the grant amount, and then jumps to step 1505, and the electronic document prompts that Zhao Six does not have the corresponding authority.
  • Step 1504 The user obtains the corresponding authority, and the user can use the acquired permission to operate the basic unit, and end the permission verification process.
  • Step 1505 The user does not obtain the corresponding authority, and the electronic document prompts the user that the user does not have the corresponding authority, and ends the permission verification process.
  • the electronic document is taken as an example to explain the present invention in more detail. However, those skilled in the art are not intended to limit the scope of the invention.
  • FIG. 17 is a schematic flowchart of the processing method of the electronic report in the embodiment of the present invention. As can be seen from Figure 17, the main processes include:
  • Step 1701 Set the basic unit and various operations of the basic unit for the electronic document. Select a document template for the electronic document of the electronic report, and divide the electronic document into different basic units, each of which has a unique identifier.
  • Controls As an integral part of an electronic document, each control is identified by a globally unique identifier.
  • the electronic document adopts a layout template, such as a template in the SEF format, and at the same time, the parser that uses the corresponding layout template on the client parses and displays the data.
  • a layout template such as a template in the SEF format
  • the above-mentioned layout template definition information is stored in a template file, such as an xef file; the document data can be stored in an encrypted data file, such as an encrypted sfd file, or can be stored in a database.
  • Step 1702 establishing operation authority information on the basic unit, recording possible operation rights to the basic unit, such as display, printing, editing, etc.; for some basic units, the display and print permissions are uniformly inseparable, and Editing permissions cannot be set because some basic units are not editable.
  • the above editing rights to the basic unit include: filling, adding, deleting, modifying, and the like.
  • the type of operation authority can be recorded in a database table.
  • Step 1703 adding data type and data information in the system; if the database exists, the above information may preferably be stored in a table of the database.
  • the data type records the types of data that need to be controlled in the system, such as company, department, project, customer, etc.;
  • Data refers to the specific business object, which is the data instance of each data type.
  • the above department can be divided into Beijing sales department.
  • Xi'an Sales Department, etc. the above data refers to all data values related to data permissions.
  • Step 1704 establishing an association between the basic unit and the data type, which is a many-to-many relationship
  • a table can be created in the database, which is a configuration table describing all data types supported by a basic unit, for example, if the electronic document is a sales order, the order is The basic unit related to the customer is associated with the customer and may involve assigning permissions by customer and so on.
  • Step 1705 adding data to the role association, preferably may be a table in the database, the table records different data that different roles in the system can access, and can directly find all the basics according to the specified basic unit. The requirements of the unit-related data; the table truly implements the role management of the role of the data.
  • Step 1706 Establish a correspondence between the role and the operation authority of the basic unit; the correspondence may be a many-to-many relationship, or may be a one-to-many, many-to-one, or one-to-one relationship. That is to say, a role has multiple operation rights of multiple basic units, and each operation authority of each basic unit can also be owned by multiple roles; in fact, although some roles exist, they may not acquire any Permissions; and some permissions may not be assigned to any role.
  • the user After the user logs in, the user obtains the different rights of the corresponding basic unit according to the role he owns, and reduces the granularity of the security control to a more detailed basic unit level.
  • the corresponding relationship is Basic unit permission check.
  • a table can be created in the database to describe which operating privileges each role can have.
  • Step 1707 On the basis of step 1705, establish a correspondence between the role and the operation of the data; preferably, a data permission list may be established in the database to record the corresponding relationship.
  • This correspondence is the data permission check when the user accesses the electronic document of the system.
  • the data check may be performed at the same time as or after the completion of the basic unit authority check.
  • the storage of data in the electronic document which can be directly found according to the specified basic unit
  • the data of the electronic document is preferably described by the Extensible Markup Language (XML), so the data can be output in different formats supported by XML to meet the application of different terminals.
  • Document data is stored and displayed separately, data and display can be freely combined; each document can correspond to multiple data storage structures, and multiple data storage structures can be coexisted on one document, and each data storage structure is independent of the appearance of the electronic document.
  • the electronic document system supports the user-defined data schema XML Schema, which can fully reuse the existing data storage structure to build a new data storage structure that meets the needs; the users of the document system can control the documents.
  • Scripts are stored with stored data storage structures to implement complex business logic.
  • Step 1708 assign a role to the user
  • This correspondence is also a many-to-many relationship. That is to say, one user has multiple roles, and each role can also be owned by multiple users; in fact, some roles exist but are not assigned to any users; while some users are defined, I didn't get any roles, so I don't have any permissions.
  • This correspondence is stored in a fixed file, and the 4 bar file is stored in the appropriate place for maintenance, such as in a database or in an encrypted sec format file.
  • the user obtains the basic unit authority according to the role he has, and performs the verification of the basic unit authority in the process of obtaining the right. At the same time, the data authority verification can also be performed on the basis of the basic unit permission check.
  • Data privilege is a further description of the basic unit privilege. It is the function privilege of the role above the specified basic unit. The privilege that the user finally obtains is the intersection of the basic unit privilege and the data privilege.
  • Step 1709 Implement the inheritance of the privilege by increasing the self-association of the role.
  • the self-association of the role refers to establishing a relationship between the roles, that is, the role may have a step 1710, an exclusive relationship to the basic unit or/and the data setting authority, and an inclusion relationship, preferably by adding a self-association. It is mutually exclusive to define which basic units or/and the operational rights of the data, and which basic units or/and the operational rights of the data are mutually contained.
  • Step 1711 Complete establishment of an electronic document access authority control.
  • FIG. 18 is a schematic flowchart of a basic unit authority check of an electronic report according to an embodiment of the present invention.
  • the basic unit authority check described in step 1706 above is visible in Figure 18.
  • the process requires the following steps:
  • Step 1801 When the user logs in, all the roles owned by the user are obtained. The user also establishes a mapping relationship with each role that is owned, and the mapping relationship is a dynamic relationship.
  • Step 1802 Determine whether the role possessed by the user has the right to perform corresponding operations on the basic unit; if there is a transfer step 1805, if there is no transfer step 1803.
  • Step 1803 Continue to traverse the remaining roles, and determine that if the traversal of all the remaining characters still does not obtain the permission, then go to step 1804, otherwise go to step 1805.
  • step 1804 the parent roles of each role owned by the role are sequentially invoked to determine whether the user has the right to operate the basic unit. If the permission is obtained, go to step 1805; otherwise, go to step 1806.
  • the calling of the parent roles at each level of each character is preferably performed in a recursive manner.
  • Step 1805 The user obtains the corresponding authority, and the user can use the acquired permission to operate the basic unit, and end the permission verification process.
  • Step 1806 The user does not obtain the corresponding permission, and the permission verification process is ended.
  • FIG. 19 is a data permission check of an electronic report according to an embodiment of the present invention. Schematic diagram of the process.
  • the data permission check in step 1707 of the embodiment refers to a process in which the user obtains all the data having the data operation authority.
  • the specific steps of the data verification include:
  • Step 1901 The user logs in, and the electronic document system acquires all the data from where the data is stored.
  • Step 1902 It is judged that if the data does not have the control of the data operation authority, then the authority to acquire the data is not needed, and according to the principle of "not determined to be valid", the process proceeds to step 1906 to automatically obtain the permission, that is, the corresponding acquisition is obtained by default. Permission; if it exists, go to step 1903.
  • Step 1903 Obtain a corresponding role of the data operation permission from the data permission list; the data permission list records information of the role having the data operation authority.
  • Step 1904 Determine whether the role owned by the current user is in the role of the data permission list corresponding to the data operation authority. If yes, go to step 1906; otherwise, go to step 1905.
  • Step 1905 Obtain a data permission list corresponding to the operation authority of the parent data of the data, and determine whether the role owned by the current user is in the data permission list of the foregoing levels. If yes, go to step 1906, otherwise go to the step. 1907.
  • the data permission list of the parent data of the level of obtaining the data is preferably performed in a recursive manner.
  • Step 1906 The user obtains the permission, and ends the data verification process.
  • Step 1907 The user does not obtain the permission, and the data verification process ends.
  • the data can be stored in a page in memory.
  • Methods such as ACL technology can be used together to further enhance the security of electronic documents.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Physics & Mathematics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Human Resources & Organizations (AREA)
  • Strategic Management (AREA)
  • General Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • Health & Medical Sciences (AREA)
  • Tourism & Hospitality (AREA)
  • Operations Research (AREA)
  • Marketing (AREA)
  • Economics (AREA)
  • Data Mining & Analysis (AREA)
  • Quality & Reliability (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)
  • Document Processing Apparatus (AREA)

Abstract

L'invention concerne un procédé de commande d'accès à un document électronique composé de deux unités de base d'établissement de sphère de compétence qui établissent au moins une sphère de compétence. Lorsque l'utilisateur met en œuvre les unités de base du document électronique, il détermine s'il faut accorder la sphère de compétence ou non. L'invention concerne également un procédé de commande d'accès à un document électronique, qui comprend; un module de traitement de document pouvant diviser le document électronique en unités de base, définir le groupe d'utilisateurs et le groupe de la sphère de compétence des unités de base, et établir la relation correspondantes entre l'utilisateur et la sphère de compétence de l'unité de base; et un module de contrôle de sphère de compétence pour déterminer si l'utilisateur demandant l'accès jouit de la compétence requise pour effectuer l'action correspondante par rapport à quelque unité. Si la réponse est affirmative, l'utilisateur effectue l'action correspondante, sinon sa demande est rejetée. Cela règle le problème selon lequel les documents électroniques n'offrent pas de sécurité effective pendant l'utilisation.
PCT/CN2008/070108 2007-01-16 2008-01-15 Dispositif et procédé de commande d'accès à un document électronique WO2008086757A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 200710062771 CN101226573B (zh) 2007-01-16 2007-01-16 一种控制电子文档的访问权限的方法
CN200710062771.3 2007-01-16

Publications (1)

Publication Number Publication Date
WO2008086757A1 true WO2008086757A1 (fr) 2008-07-24

Family

ID=39635670

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070108 WO2008086757A1 (fr) 2007-01-16 2008-01-15 Dispositif et procédé de commande d'accès à un document électronique

Country Status (2)

Country Link
CN (1) CN101226573B (fr)
WO (1) WO2008086757A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174174A (zh) * 2022-06-24 2022-10-11 百融至信(北京)征信有限公司 控制电子管理平台的方法和装置

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101539922A (zh) * 2008-03-18 2009-09-23 北京书生国际信息技术有限公司 一种文档库系统的权限实现方法
CN103329121B (zh) * 2011-01-28 2016-11-02 惠普发展公司,有限责任合伙企业 文档管理系统和方法
CN102185836A (zh) * 2011-04-15 2011-09-14 哈尔滨工业大学 基于信息流模型的单机电子文档保护系统
WO2012083735A1 (fr) * 2011-09-15 2012-06-28 华为技术有限公司 Procédé et système de gestion de modèles de documents
CN103150517B (zh) * 2013-02-06 2016-01-20 杭州电子科技大学 涉密电子文件存储归档方法、用户权限与文件开放权限匹配校验方法
CN103488755B (zh) * 2013-09-24 2017-06-09 华为技术有限公司 一种文件系统访问方法及设备
CN103632082B (zh) * 2013-12-10 2016-08-17 惠州华阳通用电子有限公司 一种通用权限管理系统及方法
CN108280353B (zh) * 2017-01-05 2021-12-28 珠海金山办公软件有限公司 一种安全文档操作的判断方法及装置
CN107301335A (zh) * 2017-07-01 2017-10-27 成都牵牛草信息技术有限公司 基于角色的表单操作权限授权方法
CN107358093A (zh) * 2017-07-11 2017-11-17 成都牵牛草信息技术有限公司 通过第三方字段对表单字段的字段值进行授权的方法
CN108255799B (zh) * 2018-01-03 2022-10-21 北京帕克国际工程咨询股份有限公司 建筑工程项目管理表单智能生成系统和方法
CN109145621B (zh) * 2018-08-14 2021-09-14 创新先进技术有限公司 文档管理方法及装置
CN110188166B (zh) * 2019-05-15 2021-10-15 北京字节跳动网络技术有限公司 文档搜索方法、装置及电子设备
CN110609814A (zh) * 2019-09-26 2019-12-24 珠海格力电器股份有限公司 文档在线浏览方法、存储介质及系统
CN110717195A (zh) * 2019-09-30 2020-01-21 珠海格力电器股份有限公司 一种错误数据处理方法、存储介质及终端设备
CN113177190A (zh) * 2021-04-28 2021-07-27 维沃移动通信有限公司 文档内容分享的方法和电子设备
CN113361231B (zh) * 2021-07-06 2024-05-28 北京字跳网络技术有限公司 信息引用方法、系统、装置和电子设备
CN116108423B (zh) * 2023-04-12 2023-06-20 福昕鲲鹏(北京)信息科技有限公司 开放版式文档ofd的权限管理方法及装置

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1558594A (zh) * 2004-01-14 2004-12-29 哈尔滨工业大学 一种电子文档的保密、认证、权限管理与扩散控制的处理方法
WO2005076576A2 (fr) * 2004-02-03 2005-08-18 Sandisk Secure Content Solutions, Inc. Protection du contenu de donnees numeriques
CN1728631A (zh) * 2004-07-27 2006-02-01 英业达股份有限公司 加密电子文件传送方法及结构

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1558594A (zh) * 2004-01-14 2004-12-29 哈尔滨工业大学 一种电子文档的保密、认证、权限管理与扩散控制的处理方法
WO2005076576A2 (fr) * 2004-02-03 2005-08-18 Sandisk Secure Content Solutions, Inc. Protection du contenu de donnees numeriques
CN1728631A (zh) * 2004-07-27 2006-02-01 英业达股份有限公司 加密电子文件传送方法及结构

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115174174A (zh) * 2022-06-24 2022-10-11 百融至信(北京)征信有限公司 控制电子管理平台的方法和装置
CN115174174B (zh) * 2022-06-24 2024-04-12 百融至信(北京)科技有限公司 控制电子管理平台的方法和装置

Also Published As

Publication number Publication date
CN101226573A (zh) 2008-07-23
CN101226573B (zh) 2011-01-12

Similar Documents

Publication Publication Date Title
WO2008086757A1 (fr) Dispositif et procédé de commande d'accès à un document électronique
US7748046B2 (en) Security claim transformation with intermediate claims
US7827598B2 (en) Grouped access control list actions
Tari et al. A role-based access control for intranet security
US7748027B2 (en) System and method for dynamic data redaction
US7921452B2 (en) Defining consistent access control policies
AU2009322747B2 (en) Secure document management
US10263994B2 (en) Authorized delegation of permissions
US20090319529A1 (en) Information Rights Management
US20070162400A1 (en) Method and apparatus for managing digital content in a content management system
US20090205018A1 (en) Method and system for the specification and enforcement of arbitrary attribute-based access control policies
MX2008014856A (es) Traduccion de politica de control de acceso a base de papel a politica de autorizacion de recurso.
US20110016151A1 (en) Method and apparatus for privilege control in docbase management system
US20060259614A1 (en) System and method for distributed data redaction
US11947485B2 (en) Board portal subsidiary management system, method, and computer program product
JP2020053091A (ja) 個人番号管理装置、個人番号管理方法、および個人番号管理プログラム
AU2022341301A1 (en) Data management and governance systems and methods
CN110245499A (zh) Web应用权限管理方法及系统
CN116633636A (zh) 一种企业信息系统中的分级访问控制方法
Mohamed et al. Extended authorization policy for graph-structured data
Hommel Using XACML for privacy control in SAML-based identity federations
US11616782B2 (en) Context-aware content object security
Petrovska et al. Soa approach-identity and access management for the risk management platform
JP2007004610A (ja) 複合的アクセス認可方法及び装置
Cisco Overview of Cisco Administrative Policy Engine

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700772

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08700772

Country of ref document: EP

Kind code of ref document: A1