WO2009005180A1 - Apparatus for real-time supporting rule group for integrated identity management - Google Patents


Info

Publication number
WO2009005180A1
Authority
WO
WIPO (PCT)
Prior art keywords
rule
group
user
editor
users
Application number
PCT/KR2007/003602
Other languages
French (fr)
Inventor
Sung Kwang Moon
Original Assignee
Nets Co., Ltd.
Application filed by Nets Co., Ltd.
Publication of WO2009005180A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]

Definitions

  • the present invention relates to an optimal rule group registration device having various types, and more particularly, to an apparatus for visually defining a rule by using a user interface (UI) and applying a complex rule definition in real-time based on a database.
  • UI: user interface
  • group configuration according to user attributes such as a regular worker, a part-time worker, and the like is needed.
  • a manager selects a user and registers the user in a group to configure the group including member users.
  • the group configured by the manager is called a static group.
  • group management has limitations in that the static group scheme may cause a heavy load when the static group scheme is performed on a large number of organizations and users, and thus a working efficiency decreases.
  • a prompt group change according to a change in user information is impossible, and periodic rule application by arrangement processing and the like is performed, so that real-time application cannot be implemented.
  • Products developed by using the rule group scheme dynamically obtain included-in-group information according to requests of users by applying rules and immediately modify groups according to changed user information, so that parts of problems of the conventional static group scheme can be solved.
  • the rules are applied whenever a request is received, so that a system load is very heavy. Therefore, the rule group scheme is hardly used except for small organizations.
  • directory products based on a light-weight directory access protocol (LDAP) or products using the LDAP are provided with a rule grouping function according to user attributes.
  • the products only support an LDAP query level for attributes as rules, so that the products cannot set various group relationships and cannot designate a user who belongs to a particular organization or group as an object of the rule.
  • the query of the LDAP is directly described, so that a user who defines a rule group has to know about a low-level language, and this may decrease usability.
  • the present invention provides an apparatus for supporting a rule group developed to support various types of an optimal rule definition method by supporting a user static definition (that is, direct definition by a manager), a group rule and a user rule, and inclusion and exclusion rules.
  • a method of visually defining a rule by using a user interface (UI) and a real-time application technique for a complex rule definition based on a database are provided.
  • an apparatus which supports a rule group in real-time for integrated identity management and is related to various types of an optimal rule group registration device, the apparatus including a rule group registration unit which includes a user interface for visual rule definition to provide logical relationships between sets using a tree structure so that a user intuitively designates a set operation by using the tree and classifying a logical relationship between lower sets as an upper node.
  • FIG. 1 is a view illustrating a user interface screen for inquiring rule group registration information.
  • FIG. 2 is a view illustrating an example of a method of defining a group rule.
  • FIG. 3 is a view illustrating an example of a rule group add page.
  • FIG. 4 is a view illustrating a screen for explaining descriptions and directions of each part of a rule editor.
  • FIGS. 5 to 9 are views illustrating a display window of a rule editor.
  • FIG. 10 is a user interface screen of a group attribute editor.
  • FIGS. 11 to 15 are views illustrating a group attribute editing window.
  • FIGS. 16 and 17 are views illustrating a user interface screen of a group inclusion editor.
  • FIGS. 18 and 19 are views illustrating a user interface screen of a group exclusion editor.
  • FIGS. 20 and 21 are views illustrating a user interface screen of a user attribute editor.
  • FIGS. 22 and 23 are views illustrating a user interface screen of a user inclusion editor.
  • FIG. 24 is a view illustrating a user interface screen of a user exclusion editor.
  • FIG. 25 is a view illustrating a user interface screen for rule group modification.
  • FIG. 26 is a view illustrating a user interface screen for member group inquiry.
  • FIG. 27 is a view illustrating a user interface screen for member user inquiry.
  • FIG. 28 is a structural view for explaining a rule group implementation method.
  • FIGS. 29 to 35 are flowcharts for explaining the rule group implementation method.
  • FIG. 36 is a flowchart for explaining optimal rule application of a rule optimizer of
  • FIG. 37 is a table for explaining the to-be-minimized number of cases where a rule group is updated when an organization/user is changed.
  • FIG. 38 is a table for explaining minimization of the number of rule groups to be updated during changing of organization/user.
  • FIG. 39 is a view for explaining a rule description method of a manager.
  • the present invention relates to an apparatus which applies a technique for supporting a dynamic group or rule group scheme in which when a manager defines a qualification of a member user of a group as a rule, a system dynamically searches for users who satisfy the rule so as to establish member users.
  • the apparatus according to the present invention provides a rule group function for allowing a manager to determine a qualification of member users and supports various rule designation methods.
  • FIG. 1 is a view illustrating a user interface screen for inquiring rule group registration information according to an embodiment of the present invention.
  • In a rule group registration information inquiry screen, there are four tabs (group, user, member group, and member user).
  • An example of the information inquired about at each tab is described in the following table.
  • final member users of a rule group constitute the set "{users directly designated by a manager} ∪ {users who belong to a member group} ∪ {users who satisfy a user rule}".
  • the expression 'users directly designated by a manager' means users who are statically designated by a manager according to an existing static rule. Since the existing rule group can describe only a membership condition for a user, it has to be described in a condition form in order to include a particular user. Therefore, as the number of particular users who have to be included increases, a rule becomes complex, and it takes much time to apply the rule, so that it is not efficient. According to the present embodiment, a function of allowing a manager to directly designate users who have to be included to a rule group as in the static group scheme is always provided, so that a load on rule definition and application is decreased. In other words, the existing rule group has only dynamic characteristics while the rule group scheme according to the present embodiment has characteristics of the static group scheme.
  • the expression 'users who belong to a member group' constitute a set as a result of recursively performing an operation for a rule group in a particular level, by a rule (group rule) defined to obtain the member group.
  • a result set obtained by subtracting an exclusion set from an inclusion set is the operation result.
  • users who belong to the member group become members of the rule group.
  • the expression 'users who satisfy the user rule' constitute a result set obtained by recursively performing an operation on a rule set in the same level as a final result set, by defining a rule for obtaining users.
  • a result set obtained by subtracting an exclusion set from an inclusion set is the operation result.
  • a rule set definition method including a group rule and a user rule
  • three methods as follows:
  • 1) inclusion rule by attributes: define attributes such as a name, code, status, and the like of a group and define a group which satisfies the attributes as a rule set; 2) inclusion rule by direct designation: select a group and define the selected group and lower groups as a rule set; and
  • 3) exclusion rule by direct designation: select a group and define the selected group and lower groups as an exclusion rule set.
  • a result of the exclusion rule precedes the inclusion rule in a rule set in the same level, and an operation result of a higher set precedes an operation result of a lower set.
  • the system according to the present embodiment provides an optimized rule engine to ensure a high performance under a complex rule and updates members in real-time in addition to obtaining members of the rule group using an arrangement operation. Therefore, by applying the functions of the system properly, various groups can be effectively configured.
  • the rule group is treated as an ordinary group, so that the rule group has various attributes like the ordinary group, provides a basic management function, and determines and inherits a policy and role.
  • a unique attribute for designating a rule and an additional management function for applying the attribute are provided.
  • the following table describes a unique attribute of a rule group.
  • a rule set includes a group rule set and a user rule set.
  • the group rule set includes a rule by attributes of a group, an inclusion rule by direct designation, and an exclusion rule by direct designation for a group to which users belong such as a group rule, and a result set is not configured with a group and includes users who belong to the group.
  • the user rule set includes a rule by user attributes, and an inclusion rule by direct designation, and exclusion rule by direct designation in a similar manner to the group rule set, and a result set is configured with users who satisfy the rule.
  • an exclusion rule precedes the inclusion rule.
  • the exclusion rule by attributes can be designed as the inclusion rule by using an additional logical expression. For example, when a rule group having users obtained by excluding 'part-time workers' from the total users as members, is to be configured, it is analyzed as a rule group including users who are not 'part-time workers'. Thereafter, including users who are not 'part-time workers' is designated as a rule, the same result set can be obtained.
  • FIG. 2 illustrates an example of a method of defining a group rule.
  • a result of defining a rule group is hierarchically represented as illustrated in FIG. 2, and when the rule group is directly designated, a precise group can be checked by using ToolTip.
  • the following table illustrates the rule group's own management operations.
  • Rule Group Registration Unit: When an 'add' button 11 at an upper portion of a group tab of a rule group registration unit screen illustrated in FIG. 1 is clicked, a rule group add page is displayed as illustrated in FIG. 3.
  • a group rule editor 31 and a user rule editor 35 are provided.
  • a visual rule definition method is performed by providing logical relationships between sets using a tree structure so that the user may classify logical relationships between lower sets as higher nodes using the tree and can intuitively designate a set operation.
  • the visual rule definition method includes 1) displaying logical relationships between sets using a tree (intuitively displaying a set operation by classifying logical relationships between lower sets as higher nodes by using a tree structure, see FIGS. 8 and 9) and 2) attribute rule editing (intuitively editing a conditional expression in an in-order form, see FIG. 14).
  • the group rule editor 31 and the user rule editor 35 as a rule editor are commonly described and are also described according to rule types.
  • a rule can be configured as a logical combination of various lower rule sets by using the rule editor (31 or 35) illustrated in FIG. 3, and modifying and editing of relationships between rule sets can be easily performed. Descriptions and directions of each part of the rule editor 31 or 35 are explained with reference to FIG. 4.
  • a 'logic expression add position' button designates a position at which an AND/OR operation is added. For example, when 'lower' is selected and an AND button is clicked, a conditional node is added to a display window 33 as illustrated in FIG. 5.
  • FIG. 6 illustrates a case where a position is designated as highest in a state illustrated in FIG. 5, an OR button is clicked and an OR logical operation node is added to the highest position.
  • In FIG. 7, the position is changed to 'modify' and the AND button is clicked, so that the OR node that is currently selected is changed to AND.
  • the 'AND' button is used to add or modify an AND logic expression in a method designated by the position combo. This operation returns a result of performing a conjunction (∩) operation on the lower nodes.
  • the 'OR' button is used to add or modify an OR logic expression in a method designated by the position combo. This operation returns a result of performing a disjunction (∪) operation on the lower nodes.
  • a 'set delete' button is used to delete a selected node and lower nodes thereof.
  • a function associated with movement can be designed in various ways. For example, movement between node layers may be performed by drag and drop. For example, in order to move a group exclusion rule to a lower position of the highest AND node as illustrated in FIG. 8, the group exclusion node is dragged by a mouse and is dropped on the AND node. In this manner, the entire lower tree is moved along with the rule set, so that a complex equation can be moved.
  • a 'condition object select' button is used to select a user rule or a group rule (31 or 35 in FIG. 3) according to rule types.
  • a 'rule type select' window is used to select one from among attribute, inclusion and exclusion.
  • a 'set modify' button is used when a node other than an AND/OR node is selected in the rule editor; an editor which can edit the corresponding set is displayed at a lower portion of the rule editor.
  • a node which is currently selected as the corresponding set needs to be modified.
  • when the 'set modify' button is clicked, a changed rule is applied to the currently selected node.
  • when a condition object and a rule type are selected to edit a rule and a 'set add' button is clicked, a set is added to a lower portion of the currently selected AND/OR node.
  • a set is added to a highest node.
  • the 'set add' button is clicked to overwrite a highest node value.
  • a 'rule optimize' button in FIG. 8 is used when a rule is executed, because the depth of a node, including an AND/OR node, has a significant influence on performance. Therefore, an unnecessary node depth needs to be reduced, and in this regard, rule optimization is needed.
  • an OR node in an OR tree that has a single rule group set is meaningless.
  • a manager can directly modify a rule.
  • an unnecessary conditional expression is simplified as described below and an optimal conditional query can be generated.
  • a rule for obtaining a member group is defined.
  • a final result set becomes a set of results obtained by recursively performing an operation for a rule set in the same level.
  • a result set obtained by subtracting an exclusion set from an inclusion set is an operation result.
  • users who belong to the member group become members of the rule group.
  • a rule set definition method includes three methods as follows:
  • 1) inclusion rule by attributes: define attributes such as a name, code, status, and the like of a group and define a group which satisfies the attributes as a rule group; 2) inclusion rule by direct designation: select a group and define the selected group or subordinate groups as a rule group; and
  • 3) exclusion rule by direct designation: select a group and define the selected group or subordinate groups as an exclusion rule group.
  • a result of the exclusion rule in a rule set precedes the inclusion rule in the same level, and an operation result of a higher set precedes an operation result of a lower set.
  • Group Attribute Editor (FIG. 10): When an 'attribute editing select' button of the group rule editor 31 is pressed, a group attribute editing window 33 is displayed as a box region. In the group attribute editing window 33, an attribute rule can be edited by using buttons and value input windows.
  • An 'AND' button is used to add an AND operator to an expression select cursor portion (FIG. 11).
  • An 'OR' button is used to add an OR operator to an expression select cursor portion (FIG. 12).
  • a 'delete' button is used to delete a selected expression.
  • An 'attribute select' button is used to select a group attribute used for condition evaluation.
  • the group attribute used for condition evaluation may be selected from a specific file (for example, conf.xml).
  • An 'operator select' button is used to select an evaluation operator.
  • a comparison operator performs a string operation, and a numeral comparison is avoided (according to the present embodiment, when a string is configured with only numerals, a numeral comparison is performed, and when a character is included in one side, a character comparison is performed).
  • a 'value input/select' box is used to input a comparison value.
  • when a conditional attribute has a selective value, a desired value can be selected through the select box as illustrated in FIG. 13.
  • a 'designate' button is used to designate an input expression for an expression select cursor portion as illustrated in FIG. 14.
  • the expression select cursor is automatically moved to a next evaluation expression input position, so that a manager can easily designate continuous equations.
  • Group Selection Editor: When 'include' in a rule type selection window of the rule editor illustrated in FIG. 4 is selected, a group selection editor is displayed as illustrated in FIG. 16. The group selection editor selects a group by using the following buttons.
  • a group selected by the group inquiry user interface is added to a rule.
  • 'Lower': a group selected by the group inquiry user interface is added to the rule together with its lower groups.
  • a group exclusion editor is displayed as illustrated in FIG. 18.
  • the exclusion group editor selects a group by using the following buttons similarly to the aforementioned group inclusion case.
  • a rule for obtaining users is edited.
  • a final result set becomes a set of result sets obtained by recursively performing an operation on a rule set in the same level.
  • a result set obtained by subtracting an exclusion set from an inclusion set is an operation result.
  • the user rule set includes 1) inclusion rule by user attributes (defining attributes such as user name, code, status, and the like, and defining users who satisfy the attributes as a rule set), 2) inclusion rule by direct designation (selecting users to define the users as an inclusion rule set), and 3) exclusion rule by direct designation (selecting users to define the users as an exclusion rule set).
  • the user rule editor 35 of FIG. 3 can edit an attribute rule, an inclusion rule, and an exclusion rule on a group to which a user belongs and edit an attribute rule, an inclusion rule, and an exclusion rule on the user.
  • the attribute rule editor may be configured to intuitively edit a conditional expression in an in-order form.
  • User Attribute Editing Window 37: When attribute editing of a user rule in the rule editor is selected, a user attribute editing window 37 is displayed.
  • the user attribute editing window 37 can edit an attribute rule by using a button and a value input window, and a using method is similar to the editing method performed by the group attribute editing window 33. However, a user attribute is displayed at the condition attribute instead of the group attribute, and therefore the rule can be edited by using the same method.
  • a rule set input as illustrated in FIG. 21 is added.
  • a 'user selection editor' is displayed as illustrated in FIG. 22.
  • the user selection editor is used as described in the following table.
  • a user selection editor is displayed.
  • the user selection editor is used similarly to the case where the user inclusion editing is performed.
  • when the 'add' button of the rule editor is clicked after selecting a user, a user exclusion group set designated as illustrated in FIG. 24 is added.
  • Restrictions on the rule definition method described above are set as follows.
  • group rule designation: when only an exclusion rule but not an inclusion rule exists in the same level, a result obtained by excluding a group designated to be excluded from the total group becomes a result set. This is because rule application performed on the total group takes much time unless a proper inclusion rule is designated.
  • user rule designation: when only an exclusion rule but not an inclusion rule exists in the same level, a result obtained by excluding a user designated to be excluded from the total users becomes a result set. This is because rule application performed on the total group takes much time unless a proper inclusion rule is designated.
  • Rule Group Modification: When a 'modify' button in the rule group registration inquiry screen (see FIG. 3) is clicked, a rule group modification page is displayed as illustrated in FIG. 25.
  • a rule editor that designates a normal attribute as a value in the same method as that performed by a normal group and visually designates a rule in order to designate a rule similarly to a case where a rule group is added, is provided.
  • when a 'member group' tab in the rule group registration inquiry screen (see FIG. 3) is clicked, a list of groups which belong to a current rule group is displayed (see FIG. 26).
  • a member group is a group which satisfies the group rule, and a group which satisfies a rule associated with a group described in a user rule is not displayed at the member group.
  • when a 'search' button is clicked after designating a search standard and inputting a keyword, a member group which begins with the keyword is selected from among member groups in the current rule group.
  • the search standard may be changed at an additional specific file (for example, conf.xml).
  • when a 'member user' tab in the rule group registration inquiry screen (see FIG. 3) is clicked, a list of users who belong to a current rule group is displayed (see FIG. 27).
  • the member user tab inquires about the list "{users} ∪ {users who belong to the member group} ∪ {users who satisfy the user rule}".
  • when a 'search' button is clicked after designating a search standard and inputting a keyword, a member user which begins with the keyword is selected from among member users in the current rule group.
  • a search value may be selected instead of inputting the keyword, and the search standard may be changed at the additional specific file (for example, conf.xml).
  • the aforementioned rule data is classified by using an efficient method applying Extensible Markup Language (XML) and a table, and rules are stored in an XML form using data type definition (DTD).
  • XML: Extensible Markup Language
  • DTD: data type definition
  • the group or user that is directly designated records a value in an 'in' or 'ex' node.
  • a practically designated value is stored in a database table, and the in/ex node stores only a key of corresponding information.
  • the value is stored as follows.
  • An ID of the table is an ID of the group or the user that is directly designated, and when the group or the user is deleted, a rule can be simply changed by simply deleting the group or the user from the table without re-configuring rule information stored as the XML.
  • a static storing method, which is one of the existing rule storing methods, demonstrates an ability to check a group member.
  • members of a group are calculated in advance and the result is stored.
  • the result is distributively stored in three ways according to a rule to increase storage efficiency, and the number of stored records is optimized to minimize the inefficiency of the static storing method.
  • the included-in-group users are [(users who belong to a member group) ∪ (member users) ∪ (member static users)].
  • the update procedure, in pseudocode:
        rule_groups = select rule groups for update;
        for each rule_group in rule_groups {
            if (update_group) { delete member groups; insert member groups; }
            if (update_user)  { delete member users;  insert member users;  }
        }
  • a rule group is implemented on the basis of a database (since the light-weight directory access protocol (LDAP) does not support Join between entities, the LDAP is not a proper storage).
  • a rule stored as the XML is parsed into a static Structured Query Language (SQL) (also referred to as a parametered SQL) 44 by an SQL builder 42.
  • SQL Structured Query Language
  • a rule optimizer 48 sets an optimal parsing parameter to build an optimal SQL.
  • the management operations include operations such as add/modify/move of a group, add/modify/move of a user, and the like.
  • FIG. 29 schematically illustrates operations of the SQL builder 42.
  • the SQL builder 42 inquires about a node by inputting a conditional rule 40 expressed as the XML and calls a BuildUserSQL 422 or BuildGroupSQL 423 function according to the type of node.
  • FIG. 30 illustrates an operation algorithm of the BuildUserSQL 422.
  • An SQL for obtaining users by using a conditional definition for attributes, inclusion, and included-in-group relationships of a user is built. It is checked whether or not a node exists (operation 4221), and when the node exists, a node type is checked (operation 4222). Since the scheme for building the SQL differs between an AND condition and an OR condition according to the node type, the BuildUserAndSQL 4223 or the BuildUserOrSQL 4224 function is called according to the scheme. When the node type is a relationship node and a lower node exists (operation 4225), the BuildUserSQL 422 is recursively called (operation 4226).
  • FIG. 31 illustrates an operation algorithm of the BuildUserAndSQL 4223.
  • An SQL for selecting users is built by using the attributes, inclusion, and included-in-group relationships definition of users described in the AND condition form.
  • the SQL is configured in a form of a series of conditions and selects users who satisfy all of the conditions. If a user relationship node exists in the conditions, the BuildUserSQL 422 function is recursively called. If there is a group attribute or a group inclusion condition in the conditions, the BuildGroupSQL 423 function is called.
  • FIG. 32 illustrates an operation algorithm of the BuildUserOrSQL 4224.
  • the BuildUserOrSQL builds an SQL for obtaining all user sets which satisfy the conditions and for obtaining a union thereof. If a user relationship node exists in the conditions, the BuildUserSQL 422 function is recursively called. If there is a group attribute or a group inclusion condition in the conditions, the BuildGroupSQL 423 function is called.
  • FIG. 33 illustrates an operation algorithm of the BuildGroupSQL 423.
  • the BuildGroupSQL 423 builds an SQL for obtaining a group by using a condition definition for attributes, inclusion, and included-in-group relationships of a group. Since a scheme of the built SQL is different according to an AND condition or an OR condition, according to the scheme, the BuildGroupAndSQL 4231 or the BuildGroupOrSQL 4232 function is called. If a lower node exists, the BuildGroupSQL 423 is recursively called.
  • FIG. 34 illustrates an operation algorithm of the BuildGroupAndSQL 4231.
  • the BuildGroupAndSQL 4231 builds an SQL for selecting a group by using the definition of attributes and inclusion relationships described in an AND condition form.
  • the SQL is configured in a form of a series of conditions and selects a group which satisfies all of the conditions. If a group relationship node exists in the conditions, the BuildGroupSQL 423 function is recursively called.
  • FIG. 35 is an operation algorithm of the BuildGroupOrSQL 4232.
  • the BuildGroupOrSQL 4232 builds an SQL for obtaining all group sets which satisfy the conditions and for obtaining a union thereof. If a group relationship node exists in the conditions, the BuildGroupSQL 423 function is recursively called.
  • rule optimizer 48 of FIG. 28 optimizes rule application by using the following three operations.
  • First Operation Condition Query Optimization
  • (execution time) (execution time per task). This operation is performed to minimize the execution time per task.
  • Each task represents the number of rule groups to which a rule is applied.
  • the execution time per task is a time to convert a rule defined for each rule group into an SQL and execute the SQL.
  • the SQL builder performs the following optimization operations. 1 ) Each rule set is converted into a sub query. 2) Rule sets having the same type are unified into a single rule set. More specifically, when a group inclusion rule 1 and a group inclusion rule 2 exist in the same level, the two rules are unified into a single group inclusion rule and a query is built. 3) When a search range is wide, it is controlled so as not to use an index. Second Operation: Minimization of The Number of Rule Groups To Be Updated
  • (execution time) (the number of updates) x (execution time per task). This operation is performed to minimize the execution time per task.
  • the number of updates means the number of rule groups to be updated.
  • the rule optimizer performs optimization in the manner as illustrated in FIG. 37 in order to minimize the number of rule groups to be updated. Adding a group means updating only a rule group which designates an attribute inclusion rule to a group rule in rule groups. When an upper group of an added group is directly designated, the added group is included as a rule group member (®). When a user is added, whether the user is to be included as a rule group member is determined according to attribute/direct designation of an included-in group (®).
  • the updated records means records updated in a table for storing members of a rule group, that is, records having user IDs designated as members, and the optimization method is used in order to minimize the number of the updated records.
  • the computer readable recording medium is any data storage device that can store data which can be thereafter read by a computer system.
  • Examples of the computer readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the Internet).
  • the computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

Abstract

Provided is an apparatus for visually defining a rule by using a user interface and applying a complex rule definition in real-time on the basis of a database, in order to support an optimized rule group having various types. The apparatus is developed as demand for complex organization management increases and the need to properly manage users in groups increases. The apparatus supports a dynamic group or rule group scheme in which, when a manager defines a qualification of a member user of a group as a rule, a system dynamically searches for users who satisfy the rule so as to group member users. More specifically, the apparatus provides a rule group function that allows the manager to designate the qualification of the member users and supports various rule designation schemes.

Description

APPARATUS FOR REAL-TIME SUPPORTING RULE GROUP FOR INTEGRATED IDENTITY MANAGEMENT
TECHNICAL FIELD
The present invention relates to an optimal rule group registration device having various types, and more particularly, to an apparatus for visually defining a rule by using a user interface (UI) and applying a complex rule definition in real-time based on a database.
BACKGROUND ART
As demand for complex organization management increases, the need to properly manage users in groups increases. In particular, group configuration according to user attributes such as a regular worker, a part-time worker, and the like is needed.
In order to configure a group, conventionally, a manager selects users and registers them in the group so as to configure the group of member users. A group configured by the manager in this way is called a static group. However, in the conventional static group scheme, in which the manager directly selects the users that form the group, group management has limitations: the static group scheme may cause a heavy load when it is performed on a large number of organizations and users, so that working efficiency decreases. In addition, a prompt group change according to a change in user information is impossible, and rules are applied periodically by arrangement processing and the like, so that real-time application cannot be implemented.
On the other hand, there is a scheme in which when a manager defines a qualification of a member user of a group as a rule, a system dynamically searches for users who satisfy the rule to group member users. This scheme is called a dynamic group or a rule group.
Products developed using the rule group scheme dynamically obtain included-in-group information, according to requests of users, by applying rules, and immediately modify groups according to changed user information, so that some of the problems of the conventional static group scheme can be solved. However, the rules are applied whenever a request is received, so that the system load is very heavy. Therefore, the rule group scheme is hardly used except in small organizations. Like products that apply the conventional rule group, directory products based on the light-weight directory access protocol (LDAP), or products using LDAP, are provided with a rule grouping function according to user attributes. However, these products only support LDAP queries on attributes as rules, so that they cannot set various group relationships and cannot designate a user who belongs to a particular organization or group as an object of the rule. Specifically, in the conventional scheme the LDAP query is written directly, so that the user who defines a rule group has to know a low-level language, which may decrease usability.
DETAILED DESCRIPTION OF THE INVENTION
TECHNICAL PROBLEM
The present invention provides an apparatus for supporting a rule group, developed to support various types of an optimal rule definition method by supporting a user static definition (that is, direct definition by a manager), a group rule and a user rule, and inclusion and exclusion rules.
Accordingly, a method of visually defining a rule by using a user interface (UI) and a real-time application technique for a complex rule definition based on a database are provided.
TECHNICAL SOLUTION
According to an aspect of the present invention, there is provided an apparatus which supports a rule group in real-time for integrated identity management and relates to various types of an optimal rule group registration device, the apparatus including a rule group registration unit which includes a user interface for visual rule definition that presents logical relationships between sets using a tree structure, so that a user intuitively designates a set operation by using the tree and classifies a logical relationship between lower sets as an upper node.
DESCRIPTION OF THE DRAWINGS
FIG. 1 is a view illustrating a user interface screen for inquiring rule group registration information.
FIG. 2 is a view illustrating an example of a method of defining a group rule. FIG. 3 is a view illustrating an example of a rule group add page. FIG. 4 is a view illustrating a screen for explaining descriptions and directions of each part of a rule editor.
FIGS. 5 to 9 are views illustrating a display window of a rule editor.
FIG. 10 is a user interface screen of a group attribute editor. FIGS. 11 to 15 are views illustrating a group attribute editing window.
FIGS. 16 and 17 are views illustrating a user interface screen of a group inclusion editor.
FIGS. 18 and 19 are views illustrating a user interface screen of a group exclusion editor. FIGS. 20 and 21 are views illustrating a user interface screen of a user attribute editor.
FIGS. 22 and 23 are views illustrating a user interface screen of a user inclusion editor.
FIG. 24 is a view illustrating a user interface screen of a user exclusion editor. FIG. 25 is a view illustrating a user interface screen for rule group modification.
FIG. 26 is a view illustrating a user interface screen for member group inquiry.
FIG. 27 is a view illustrating a user interface screen for member user inquiry.
FIG. 28 is a structural view for explaining a rule group implementation method.
FIGS. 29 to 35 are flowcharts for explaining the rule group implementation method.
FIG. 36 is a flowchart for explaining optimal rule application of the rule optimizer of FIG. 28.
FIG. 37 is a table for explaining the to-be-minimized number of cases where a rule group is updated when an organization/user is changed.
FIG. 38 is a table for explaining minimization of the number of rule groups to be updated during changing of organization/user.
FIG. 39 is a view for explaining a rule description method of a manager.
BEST MODE
<Concept of Rule Group Management>
The present invention relates to an apparatus which applies a technique for supporting a dynamic group or rule group scheme in which, when a manager defines a qualification of a member user of a group as a rule, a system dynamically searches for users who satisfy the rule so as to establish member users. Specifically, the apparatus according to the present invention provides a rule group function for allowing a manager to determine a qualification of member users and supports various rule designation methods.
FIG. 1 is a view illustrating a user interface screen for inquiring rule group registration information according to an embodiment of the present invention. Referring to FIG. 1, at an upper portion of a rule group registration information inquiry screen, there are four tabs (group, user, member group, and member user). An example of the information inquired about at each tab is described in the following table.
Figure imgf000005_0001
According to the apparatus according to the present invention as illustrated in the description of the above table, final member users of a rule group constitute a set of "{users directly designated by a manager} U {users who belong to a member group} U {users who satisfy a user rule}".
The expression 'users directly designated by a manager' means users who are statically designated by a manager, as in the existing static scheme. Since an existing rule group can describe only a membership condition for users, a particular user has to be described in the form of a condition in order to be included. Therefore, as the number of particular users who have to be included increases, the rule becomes complex and takes much time to apply, which is inefficient. According to the present embodiment, a function that allows a manager to directly designate users who have to be included in a rule group, as in the static group scheme, is always provided, so that the load of rule definition and application is decreased. In other words, the existing rule group has only dynamic characteristics, whereas the rule group scheme according to the present embodiment also has the characteristics of the static group scheme. The expression 'users who belong to a member group' denotes the set obtained by recursively performing an operation on the rule sets of each level of the rule (group rule) defined to obtain the member groups. In the same level, the operation result is the result set obtained by subtracting the exclusion set from the inclusion set. The users who belong to the member groups become members of the rule group. The expression 'users who satisfy the user rule' denotes the final result set obtained by recursively performing an operation on the rule sets in the same level of a rule defined for obtaining users. In the same level, the operation result is again the result set obtained by subtracting the exclusion set from the inclusion set.
In the above description, directly designating users by a manager corresponds to existing static designation, so that a detailed description thereof is omitted.
As a rule set definition method including a group rule and a user rule, there are three methods as follows:
1) inclusion rule by attributes: define attributes such as a name, code, status, and the like of a group and define a group which satisfies the attributes as a rule set;
2) inclusion rule by direct designation: select a group and define the selected group and lower groups as a rule set; and
3) exclusion rule by direct designation: select a group and define the selected group and lower groups as an exclusion rule set.
According to the present embodiment, a result of the exclusion rule precedes the inclusion rule in a rule set in the same level, and an operation result of a higher set precedes an operation result of a lower set.
Since an operation of examining a rule in order to obtain member users of a rule group is very costly, a manager has to designate an optimal rule in consideration of efficiency in order to minimize a decrease in system performance. The system according to the present embodiment provides an optimized rule engine to ensure a high performance under a complex rule and updates members in real-time in addition to obtaining members of the rule group using an arrangement operation. Therefore, by applying the functions of the system properly, various groups can be effectively configured.
<Definition of Rule Group>
The rule group is treated as an ordinary group, so that the rule group has various attributes like the ordinary group, provides a basic management function, and determines and inherits a policy and role. Here, a unique attribute for designating a rule and an additional management function for applying the attribute are provided. The following table describes a unique attribute of a rule group.
Figure imgf000007_0001
group in the same level.
- A rule set includes a group rule set and a user rule set.
* The group rule set includes a rule by attributes of a group, an inclusion rule by direct designation, and an exclusion rule by direct designation for a group to which users belong such as a group rule, and a result set is not configured with a group and includes users who belong to the group.
* The user rule set includes a rule by user attributes, and an inclusion rule by direct designation, and exclusion rule by direct designation in a similar manner to the group rule set, and a result set is configured with users who satisfy the rule.
- In the same level rule set, an exclusion rule precedes the inclusion rule.
- When only the exclusion rule but not the inclusion rule exists in the same level, a result set is obtained by subtracting users designated to be excluded from the total users. Therefore, unless a proper inclusion rule is designated, the operation performed on the total users may take much time.
As described above, an exclusion rule by attributes can be expressed as an inclusion rule by using an additional logical expression. For example, when a rule group whose members are the users obtained by excluding 'part-time workers' from the total users is to be configured, it is analyzed as a rule group including users who are not 'part-time workers'. Then, when including users who are not 'part-time workers' is designated as the rule, the same result set is obtained.
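The set semantics described in this section (final members as the union of directly designated users, users of the member groups, and users satisfying the user rule; exclusions subtracted from inclusions at each level; an exclusion-only level taken from the total set; direct designation of a group covering its lower groups), worked through as an added Python illustration that is not part of the patent. The directory data, the node tuple shapes and the function names are constructed assumptions; attribute conditions are written as Python callables rather than the patent's expression strings, and it is assumed that AND combines the inclusions of a level by intersection and OR by union before the level's exclusions are subtracted.

```python
# Constructed sample directory (not from the patent).
GROUPS = {  # group id -> attributes; 'parent' gives the organisation tree
    "g1": {"name": "Company",     "status": "active", "parent": None},
    "g2": {"name": "Sales",       "status": "active", "parent": "g1"},
    "g3": {"name": "Sales-East",  "status": "active", "parent": "g2"},
    "g4": {"name": "Contractors", "status": "frozen", "parent": "g1"},
}
USERS = {   # user id -> attributes; 'group' is the group the user belongs to
    "u1": {"name": "Ann", "type": "regular",   "group": "g2"},
    "u2": {"name": "Bob", "type": "part-time", "group": "g3"},
    "u3": {"name": "Cid", "type": "regular",   "group": "g3"},
    "u4": {"name": "Dee", "type": "part-time", "group": "g4"},
    "u5": {"name": "Eve", "type": "regular",   "group": "g1"},
}


def lower_groups(group_id):
    """Direct designation selects a group together with all of its lower groups."""
    result, todo = {group_id}, [group_id]
    while todo:
        parent = todo.pop()
        for gid, attrs in GROUPS.items():
            if attrs["parent"] == parent and gid not in result:
                result.add(gid)
                todo.append(gid)
    return result


def users_of(group_ids):
    """Users whose included-in group is one of the given groups."""
    return {uid for uid, u in USERS.items() if u["group"] in group_ids}


def eval_rule(node, kind):
    """Evaluate a rule tree to a set of ids of `kind` ('group' or 'user').

    Node shapes (assumed, mirroring the patent's and/or/prop/in/ex elements):
      ("and", [children]) / ("or", [children])
      ("prop", "group"|"user", predicate)   inclusion rule by attributes
      ("in",   "group"|"user", [ids])       inclusion rule by direct designation
      ("ex",   "group"|"user", [ids])       exclusion rule by direct designation
    """
    op = node[0]
    if op in ("prop", "in", "ex"):
        ntype, arg = node[1], node[2]
        if ntype == "group":
            if op == "prop":   # attribute match selects the matching groups only
                ids = {g for g, a in GROUPS.items() if arg(a)}
            else:              # direct designation covers the lower groups too
                ids = set().union(*(lower_groups(g) for g in arg))
            # inside a user rule, a group-typed set means the users of those groups
            return users_of(ids) if kind == "user" else ids
        if op == "prop":
            return {u for u, a in USERS.items() if arg(a)}
        return set(arg)
    # and / or: inclusions of the level are combined first, then the level's
    # exclusions are subtracted (the exclusion result precedes the inclusion)
    inclusions = [eval_rule(c, kind) for c in node[1] if c[0] != "ex"]
    exclusions = [eval_rule(c, kind) for c in node[1] if c[0] == "ex"]
    if not inclusions:         # exclusion only: start from the total set
        included = set(GROUPS) if kind == "group" else set(USERS)
    elif op == "and":
        included = set.intersection(*inclusions)
    else:
        included = set.union(*inclusions)
    return included - set().union(*exclusions)


def rule_group_members(static_users, group_rule=None, user_rule=None):
    """Final member users of a rule group, together with its member groups."""
    member_groups = eval_rule(group_rule, "group") if group_rule else set()
    by_user_rule = eval_rule(user_rule, "user") if user_rule else set()
    return set(static_users) | users_of(member_groups) | by_user_rule, member_groups


# Constructed rule group: Sales without Sales-East as member groups, every user
# who is not a part-time worker except one excluded user, plus one directly
# designated user.
EXAMPLE = dict(
    static_users=["u4"],
    group_rule=("and", [("in", "group", ["g2"]), ("ex", "group", ["g3"])]),
    user_rule=("or", [("prop", "user", lambda a: a["type"] != "part-time"),
                      ("ex", "user", ["u5"])]),
)

if __name__ == "__main__":
    users, groups = rule_group_members(**EXAMPLE)
    print("member groups:", sorted(groups))
    print("member users:", sorted(users))
```

The group rule selects Sales and its lower group Sales-East by direct designation and then subtracts Sales-East at the same level, leaving Sales alone as member group; the user rule shows the patent's point that "everyone except part-time workers" is cheaper written as an inclusion by attributes than as an exclusion over the total set.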
FIG. 2 illustrates an example of a method of defining a group rule. A result of defining a rule group is hierarchically represented as illustrated in FIG. 2, and when the rule group is directly designated, a precise group can be checked by using ToolTip. The following table illustrates the rule group's own management operations.
Item Description
Figure imgf000009_0001
<Configuration and Operations of the Present Invention from the User Interface's Point of View>
1. Rule Group Registration Unit
When an 'add' button 11 at an upper portion of the group tab of the rule group registration unit screen illustrated in FIG. 1 is clicked, a rule group add page is displayed as illustrated in FIG. 3. Here, in order for a user to visually designate a rule, a group rule editor 31 and a user rule editor 35 are provided. The visual rule definition method presents logical relationships between sets using a tree structure, so that the user may classify logical relationships between lower sets as higher nodes using the tree and can intuitively designate a set operation.
In order for the user to perform the visual rule definition method by using the visual rule editor, the user directly designates a group by using a group selection editor. In addition, users can be directly designated by a user selection editor. The visual rule definition method includes 1) displaying logical relationships between sets using a tree (intuitively displaying a set operation by classifying logical relationships between lower sets as higher nodes by using a tree structure, see FIGS. 8 and 9) and 2) attribute rule editing (intuitively editing a conditional expression in an in-order form, see FIG. 14). Hereinafter, the group rule editor 31 and the user rule editor 35 are described together as the rule editor and are also described according to rule types.
(1) Rule Editor
A rule can be configured as a logical combination of various lower rule sets by using the rule editor (31 or 35) illustrated in FIG. 3, and modifying and editing of relationships between rule sets can be easily performed. Descriptions and directions of each part of the rule editor 31 or 35 are explained with reference to FIG. 4.
Referring to FIG. 4, a 'logic expression add position' button (position combo) designates a position at which an AND/OR operation is added. For example, when 'lower' is selected and an AND button is clicked, a conditional node is added to a display window 33 as illustrated in FIG. 5. FIG. 6 illustrates a case where a position is designated as highest in a state illustrated in FIG. 5, an OR button is clicked and an OR logical operation node is added to the highest position. In FIG. 7, the position is changed to 'modify' and the AND button is clicked, the OR node that is currently selected is changed to AND.
Returning to FIG. 4, the 'AND' button is used to add or modify an AND logic expression in the manner designated by the position combo. This operation returns the result of performing a conjunction ( ∩ ) operation on the lower nodes. The 'OR' button is used to add or modify an OR logic expression in the manner designated by the position combo. This operation returns the result of performing a disjunction ( U ) operation on the lower nodes. A 'set delete' button is used to delete a selected node and the lower nodes thereof.
A function associated with movement can be designed in various ways. For example, movement between node layers may be performed by drag and drop. For example, in order to move a group exclusion rule to a lower position of the highest AND node as illustrated in FIG. 8, the group exclusion node is dragged by a mouse and is dropped on the AND node. In this manner, the entire lower tree is moved along with the rule set, so that a complex equation can be moved.
Returning to FIG. 4, a 'condition object select' button is used to select a user rule or a group rule (31 or 35 in FIG. 3) according to rule types.
A 'rule type select' window is used to select one from among attribute, inclusion and exclusion.
A 'set modify' button is used as follows. When a node other than an AND/OR node is selected in the rule editor, an editor which can edit the corresponding set is displayed at a lower portion of the rule editor. When editing in the set editor is completed, the currently selected node needs to be modified to the edited set. In this case, when the 'set modify' button is clicked, the changed rule is applied to the currently selected node.
In addition, when a condition object and a rule type are selected to edit a rule and a 'set add' button is clicked, a set is added to a lower portion of the currently selected AND/OR node. When the rule editor does not have any rule, a set is added to a highest node. When a general rule set but not the AND/OR exists at the highest node, the 'set add' button is clicked to overwrite a highest node value.
A 'rule optimize' button, in FIG. 8, is used because, when a rule is executed, the depth of nodes including AND/OR nodes has a significant influence on performance. Therefore, unnecessary node depth needs to be reduced, and in this regard rule optimization is needed. In particular, as illustrated in FIG. 8, in an OR tree having a single rule group set, the OR node is meaningless. In FIG. 9, a manager can directly modify a rule. However, when the 'rule optimize' button is clicked, unnecessary conditional expressions are simplified as described below and an optimal conditional query can be generated.
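The two simplifications the text attributes to rule optimization, removing an AND/OR node that wraps a single set (FIG. 8) and unifying rule sets of the same type at the same level (the SQL builder operations listed in the definitions above), as an added Python example that is not the patent's code. The node tuple shapes and function names are assumptions. The example also applies two safety checks that a practitioner would want and that the patent does not spell out: two inclusion sets under an AND node are not merged (they are intersected, not unioned), and a level that carries exclusions is neither collapsed nor flattened into its parent, because its exclusions apply only at that level.

```python
def _has_exclusion(node):
    """True for an exclusion leaf or an AND/OR node with an exclusion child."""
    if node[0] == "ex":
        return True
    return node[0] in ("and", "or") and any(c[0] == "ex" for c in node[1])


def optimize(node):
    """Return an equivalent rule tree with less depth and fewer sibling sets.

    Nodes (assumed shapes): ("and", [children]) / ("or", [children]) /
    ("prop"|"in"|"ex", "group"|"user", payload).
    """
    if node[0] not in ("and", "or"):
        return node
    op = node[0]
    children = [optimize(c) for c in node[1]]

    # 1. Flatten nested nodes with the same operator (AND under AND, OR under
    #    OR).  A nested node carrying exclusions is kept as it is: pulling its
    #    exclusions up a level would subtract them from the wrong set.
    flat = []
    for c in children:
        if c[0] == op and not _has_exclusion(c):
            flat.extend(c[1])
        else:
            flat.append(c)

    # 2. Unify sibling sets of the same kind and type.  Exclusions are always
    #    unioned before subtraction, so they merge under any operator; direct
    #    inclusions merge only under OR, because under AND they intersect.
    merged, seen = [], {}
    for c in flat:
        mergeable = c[0] == "ex" or (c[0] == "in" and op == "or")
        key = (c[0], c[1]) if mergeable else None
        if key in seen:
            idx = seen[key]
            merged[idx] = (c[0], c[1], sorted(set(merged[idx][2]) | set(c[2])))
            continue
        if key is not None:
            seen[key] = len(merged)
        merged.append(c)

    # 3. An AND/OR node wrapping a single inclusion set is meaningless.  A lone
    #    exclusion is kept wrapped, since it means "total set minus these".
    if len(merged) == 1 and merged[0][0] != "ex":
        return merged[0]
    return (op, merged)


def depth(node):
    """Nesting depth counted in AND/OR nodes, the quantity the text says drives cost."""
    if node[0] not in ("and", "or"):
        return 0
    return 1 + max((depth(c) for c in node[1]), default=0)


# Constructed rule: an OR wrapping one set (the FIG. 8 case) and an AND wrapping
# one attribute set, beside two separate group inclusions and two exclusions.
SAMPLE = ("or", [
    ("or", [("in", "group", ["g2"])]),
    ("in", "group", ["g4"]),
    ("ex", "user", ["u1"]),
    ("and", [("prop", "user", "type = regular")]),
    ("ex", "user", ["u9"]),
])

if __name__ == "__main__":
    print("depth", depth(SAMPLE), "->", depth(optimize(SAMPLE)))
    print(optimize(SAMPLE))
```

Running it reduces the sample from depth 2 to depth 1 with three children instead of five, which is the kind of reduction the patent's SQL builder then turns into fewer nested sub-queries.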
Now, the group rule editor 31 and the user rule editor 35 illustrated in FIG. 3 will be described in detail.
(2) Group Rule Editing
A rule for obtaining a member group is defined. A final result set becomes a set of results obtained by recursively performing an operation for a rule set in the same level. In the same level, a result set obtained by subtracting an exclusion set from an inclusion set is an operation result. In addition, users who belong to the member group become members of the rule group.
A rule set definition method includes three methods as follows:
1) inclusion rule by attributes: define attributes such as a name, code, status, and the like of a group and define a group which satisfies the attributes as a rule group;
2) inclusion rule by direct designation: select a group and define the selected group or subordinate groups as a rule group; and
3) exclusion rule by direct designation: select a group and define the selected group or subordinate groups as an exclusion rule group.
According to the present embodiment, a result of the exclusion rule in a rule set precedes the inclusion rule in the same level, and an operation result of a higher set precedes an operation result of a lower set.
Each editor user interface (UI) is described as follows.
(A) Group Attribute Editor - FIG. 10
When an 'attribute editing select' button of the group rule editor 31 is pressed, a group attribute editing window 33 is displayed as a box region. In the group attribute editing window 33, an attribute rule can be edited by using buttons and value input windows. An 'AND' button is used to add an AND operator at the expression select cursor position (FIG. 11). An 'OR' button is used to add an OR operator at the expression select cursor position (FIG. 12). A 'delete' button is used to delete the selected expression.
An 'attribute select' button is used to select a group attribute used for condition evaluation. The group attribute used for condition evaluation may be selected from a specific file (for example, conf.xml).
An 'operator select' button is used to select an evaluation operator. Here, since the comparison operator performs a string operation, numeric comparison should be avoided (according to the present embodiment, when a string consists only of numerals, a numeric comparison is performed, and when a character is included on either side, a character comparison is performed). The operator can be set to = (equality comparison), < (the left side is smaller than the right side), <= (the left side is smaller than or equal to the right side), > (the left side is larger than the right side), >= (the left side is larger than or equal to the right side), <> (the two sides are different from each other), like (a portion of the attribute value matches the comparison value), begins (the attribute value begins with the comparison value), and the like.
A 'value input/select' box is used to input a comparison value. When a conditional attribute has a selective value, a desired value can be selected through the select box as illustrated in FIG. 13.
A 'designate' button is used to designate an input expression for an expression select cursor portion as illustrated in FIG. 14. When the expression is designated, the expression select cursor is automatically moved to a next evaluation expression input position, so that a manager can easily designate continuous equations.
When an attribute is designated and the 'add' button of the rule editor is clicked, an input rule set is added as illustrated in FIG. 15.
(B) Group Inclusion Editor - FIG. 16
When 'include' in a rule type selection window of the rule editor illustrated in FIG. 4 is selected, a group selection editor is displayed as illustrated in FIG. 16. The group selection editor selects a group by using the following buttons.
Button Description
Add: A group selected by the group inquiry user interface is added to the rule.
Lower: A group selected by the group inquiry user interface is added together with its lower groups, and is added to the rule along with the lower groups.
Delete: An added group is deleted.
When a group is selected and the 'add' button of the rule editor is clicked, an inclusion group set designated as illustrated in FIG. 17 is added.
(C) Group Exclusion Editor - FIG. 18
When 'exclude' in the rule type selection window of the rule editor illustrated in FIG. 4 is selected, a group exclusion editor is displayed as illustrated in FIG. 18. The exclusion group editor selects a group by using the following buttons similarly to the aforementioned group inclusion case.
Figure imgf000013_0001
When a group is selected and the 'add' button of the rule editor is clicked, an exclusion group set designated as illustrated in FIG. 19 is added.
(3) User Rule Editing
A rule for obtaining users is edited. A final result set becomes a set of result sets obtained by recursively performing an operation on a rule set in the same level. In the same level, a result set obtained by subtracting an exclusion set from an inclusion set is an operation result. The user rule set includes 1 ) inclusion rule by user attributes (defining attributes such as user name, code, status, and the like, and defining users who satisfy the attributes as a rule set), 2) inclusion rule by direct designation (selecting users to define the users as an inclusion rule set), and 3) exclusion rule by direct designation (select users to define the users as an exclusion rule set).
The user rule editor 35 of FIG. 3 can edit an attribute rule, an inclusion rule, and an exclusion rule on a group to which a user belongs, and can edit an attribute rule, an inclusion rule, and an exclusion rule on the user. The attribute rule editor may be configured to intuitively edit a conditional expression in an in-order form.
When the editing is performed on the group, a rule can be designated by using the same method as the group rule editing. User rule editing is now described.
(A) User Attribute Editor - FIG. 20
When attribute editing of a user rule in the rule editor is selected, a user attribute editing window 37 is displayed. The user attribute editing window 37 can edit an attribute rule by using a button and a value input window, and a using method is similar to the editing method performed by the group attribute editing window 33. However, a user attribute is displayed at the condition attribute instead of the group attribute, and therefore the rule can be edited by using the same method. When the attribute is designated and the 'add' button of the rule editor is clicked, a rule set input as illustrated in FIG. 21 is added.
(B) User Inclusion Editor
When 'include' is selected at the rule editor, 'user selection editor' is displayed as illustrated in FIG. 22. The user selection editor is used as described in the following table.
Figure imgf000014_0001
Figure imgf000015_0001
When a user is selected and the 'add' button of the rule editor is clicked, a user inclusion group set designated as illustrated in FIG. 23 is added.
(C) User Exclusion Editor
When 'exclude' in the rule editor is selected, a user selection editor is displayed. The user selection editor is used similarly to the case where the user inclusion editing is performed. When the 'add' button of the rule editor is clicked after selecting a user, a user exclusion group set designated as illustrated in FIG. 24 is added.
Restrictions on the rule definition method described above are set as follows. During group rule designation, when only an exclusion rule but not an inclusion rule exists in the same level, a result obtained by excluding a group designated to be excluded from the total group becomes a result set. This is because rule application performed on the total group takes much time unless a proper inclusion rule is designated. During user rule designation, when only an exclusion rule but not an inclusion rule exists in the same level, a result obtained by excluding a user designated to be excluded from the total users becomes a result set. This is because rule application performed on the total group takes much time unless a proper inclusion rule is designated.
2. Rule Group Modification
When a 'modify' button in the rule group registration inquiry screen (see FIG. 3) is clicked, a rule group modification page is displayed as illustrated in FIG. 25. In addition, a rule editor is provided that designates a normal attribute as a value in the same manner as a normal group, and visually designates a rule in the same manner as when a rule group is added.
3. Member Group Inquiry
A 'member group' tab in the rule group registration inquiry screen (see FIG. 3) is clicked, and a list of groups which belong to a current rule group is displayed (see FIG. 26). A member group is a group which satisfies the group rule, and a group which satisfies a rule associated with a group described in a user rule is not displayed at the member group. When a 'search' button is clicked after designating a search standard and inputting a keyword, a member group which begins with the keyword is selected from among member groups in the current rule group. The search standard may be changed at an additional specific file (for example, conf.xml).
4. Member User Inquiry
When a 'member user' tab in the rule group registration inquiry screen (see FIG. 3) is clicked, a list of users who belong to the current rule group is displayed (see FIG. 27). The member user inquiry lists the set {users} U {users who belong to the member group} U {users who satisfy the user rule}.
When a 'search' button is clicked after designating a search standard and inputting a keyword, a member user which begins with the keyword is selected from among member users in the current rule group. According to the search standard, a search value may be selected instead of inputting the keyword, and the search standard may be changed at the additional specific file (for example, conf.xml).
In the above description, from the user interface's point of view, the configuration and operations of the present invention are described in detail. Hereinafter, technical means applied to implement the apparatus and method (defining, editing, storing, and the like) of supporting the rule group in real-time according to an embodiment of the present invention will be described.
<1> Rule Storing Method
(1) The aforementioned rule data is classified by using an efficient method applying Extensible Markup Language (XML) and a table, and rules are stored in an XML form using a data type definition (DTD). When a table is used, the rule types which can be defined are limited by the table structure and the record structure. However, when XML is used, there is an advantage in that a complex rule can be freely defined in a hierarchical structure regardless of those structures.
<!ELEMENT rule (and | or | prop | in | ex)>
<!ELEMENT and ((prop | in | ex)+ | and | or)+>
<!ELEMENT or ((prop | in | ex)+ | and | or)+>
<!ELEMENT prop EMPTY>
<!ATTLIST prop type (user | group) #REQUIRED>
<!ATTLIST prop expr CDATA #REQUIRED>
<!ELEMENT in EMPTY>
<!ATTLIST in type (user | group) #REQUIRED>
<!ATTLIST in seq CDATA #REQUIRED>
<!ATTLIST in expr CDATA #REQUIRED>
<!ELEMENT ex EMPTY>
<!ATTLIST ex type (user | group) #REQUIRED>
<!ATTLIST ex seq CDATA #REQUIRED>
<!ATTLIST ex expr CDATA #REQUIRED>
(2) An attribute rule and a rule that is directly designated are additionally stored. The attribute rule is designated at the expr attribute of a prop node in the following manner.
    prop expr := ( prop expr ) <AND|OR> ( prop expr ) | prop op value
    prop      := name of group or user attribute
    op        := < | <= | > | >= | = | <> | like | begins
    value     := attribute comparison value
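A parser and evaluator for the prop expr grammar just given, with the comparison semantics of the attribute editor (numeric comparison only when both sides consist of numerals, otherwise character comparison; like as a substring match; begins as a prefix match), as an added Python example that is not the patent's code. The tokenizer, the class and function names, the acceptance of quoted values containing spaces, and the choice to give AND precedence over OR where the patent's grammar would require explicit parentheses are all assumptions of this example.

```python
import re

# Tokens: parentheses, the comparison operators, a quoted value, or a bare word.
_TOKEN = re.compile(r"\(|\)|<=|>=|<>|[<>=]|'[^']*'|[^\s()<>=']+")
_NUMERAL = re.compile(r"-?\d+(\.\d+)?")
OPERATORS = {"=", "<>", "<", "<=", ">", ">=", "like", "begins"}


def tokenize(text):
    """Split an expression into tokens, rejecting anything the grammar has no place for."""
    tokens, pos = [], 0
    for m in _TOKEN.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError(f"unexpected input near {text[pos:m.start()]!r}")
        tokens.append(m.group())
        pos = m.end()
    if text[pos:].strip():
        raise ValueError(f"unexpected input near {text[pos:]!r}")
    return tokens


def compare(op, attr_value, value):
    """One 'prop op value' comparison with the editor's string/numeral rule."""
    left, right = str(attr_value), str(value)
    if op == "like":       # the comparison value is a portion of the attribute value
        return right in left
    if op == "begins":     # the attribute value begins with the comparison value
        return left.startswith(right)
    if _NUMERAL.fullmatch(left) and _NUMERAL.fullmatch(right):
        left, right = float(left), float(right)   # both sides numerals: numeric
    return {"=": left == right, "<>": left != right, "<": left < right,
            "<=": left <= right, ">": left > right, ">=": left >= right}[op]


class ExprParser:
    """Recursive descent: or := and (OR and)* ; and := term (AND term)* ;
    term := '(' or ')' | prop op value.  Produces nested tuples."""

    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def _peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def _next(self):
        tok = self._peek()
        self.i += 1
        return tok

    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError(f"trailing input at {self._peek()!r}")
        return node

    def _or(self):
        node = self._and()
        while (self._peek() or "").upper() == "OR":
            self._next()
            node = ("or", node, self._and())
        return node

    def _and(self):
        node = self._term()
        while (self._peek() or "").upper() == "AND":
            self._next()
            node = ("and", node, self._term())
        return node

    def _term(self):
        if self._peek() == "(":
            self._next()
            node = self._or()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return node
        prop, op, value = self._next(), self._next(), self._next()
        if None in (prop, op, value) or op.lower() not in OPERATORS:
            raise ValueError("expected: attribute operator value")
        return ("cmp", prop, op.lower(), value.strip("'"))


def evaluate(node, attrs):
    """Evaluate a parsed expression against one group's or user's attribute dict."""
    if node[0] == "and":
        return evaluate(node[1], attrs) and evaluate(node[2], attrs)
    if node[0] == "or":
        return evaluate(node[1], attrs) or evaluate(node[2], attrs)
    _, prop, op, value = node
    return compare(op, attrs.get(prop, ""), value)


def matches(expr, attrs):
    return evaluate(ExprParser(expr).parse(), attrs)


# Constructed user record (not from the patent).
USER = {"name": "Ann Lee", "type": "regular", "code": "1020", "status": "active"}

if __name__ == "__main__":
    print(matches("type = regular AND code >= 1000", USER))
    print(matches("(type = part-time) OR (status <> active)", USER))
```

The `code > 999` case in the test shows why the numeral rule matters: as strings, "1020" sorts before "999", so a pure character comparison would silently exclude the user.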
The group or user that is directly designated records a value in an in or ex node. A practically designated value is stored in a database table, and the in/ex node stores only a key of corresponding information. The value is stored as follows. An ID of the table is an ID of the group or the user that is directly designated, and when the group or the user is deleted, a rule can be simply changed by simply deleting the group or the user from the table without re-configuring rule information stored as the XML.
Figure imgf000018_0002
Figure imgf000018_0001
<2> Real-Time Application Technique
(1) Rule Group Member Storing Method
A static storing method, which is one of the existing rule storing methods, demonstrates an ability to check group members. In the description, as in the static storing method, members of a group are calculated in advance and the result is stored. However, the result is stored distributively in three ways according to the rule in order to increase storage efficiency, and the number of stored records is optimized to minimize the inefficiency of the static storing method. As described above, the included-in-group users are [(users who belong to a member group) U (member users) U (member static users)].
(2) Rule Group Operating Method
When a group or a user is added or changed, the following algorithm is performed.
rule_groups := select rule groups for update;
for each rule_group in rule_groups {
    if (update_group) { delete member groups; insert member groups; }
    if (update_user) { delete member users; insert member users; }
}
How efficient this algorithm is determines whether it can be applied in real time.
(2) Rule Group Implementing Method
To achieve optimal performance, a rule group is implemented on the basis of a database (since the lightweight directory access protocol (LDAP) does not support a join between entities, LDAP is not a suitable storage). As illustrated in FIG. 28, a rule stored as XML is parsed into a static Structured Query Language (SQL) statement (also referred to as a parameterized SQL) 44 by an SQL builder 42. Here, according to the management operations, a rule optimizer 48 sets the optimal parsing parameters to build an optimal SQL. The management operations include operations such as add/modify/move of a group, add/modify/move of a user, and the like.
An operation algorithm of the SQL builder 42 in FIG. 28 is described with reference to FIGS. 29 to 35.
FIG. 29 schematically illustrates operations of the SQL builder 42. The SQL builder 42 inquires about a node by inputting a conditional rule 40 expressed as the XML and calls a BuildUserSQL 422 or BuildGroupSQL 423 function according to the type of node.
FIG. 30 illustrates the operation algorithm of the BuildUserSQL 422. An SQL for obtaining users is built by using the conditional definition for attributes, inclusion, and included-in-group relationships of a user. It is checked whether or not a node exists (operation 4221), and when the node exists, the node type is checked (operation 4222). Since the scheme for building the SQL differs between an AND condition and an OR condition according to the node type, the BuildUserAndSQL 4223 or the BuildUserOrSQL 4224 function is called according to the scheme. When the node type is a relationship node and a lower node exists (operation 4225), the BuildUserSQL 422 is recursively called (operation 4226).
FIG. 31 illustrates an operation algorithm of the BuildUserAndSQL 4223. An SQL for selecting users is built by using the attributes, inclusion, and included-in-group relationships definition of users described in the AND condition form. The SQL is configured in a form of a series of conditions and selects users who satisfy all of the conditions. If a user relationship node exists in the conditions, the BuildUserSQL 422 function is recursively called. If there is a group attribute or a group inclusion condition in the conditions, the BuildGroupSQL 423 function is called.
FIG. 32 illustrates the operation algorithm of the BuildUserOrSQL 4224. The BuildUserOrSQL builds an SQL for obtaining all user sets which satisfy the conditions and for obtaining a union thereof. If a user relationship node exists in the conditions, the BuildUserSQL 422 function is recursively called. If there is a group attribute or a group inclusion condition in the conditions, the BuildGroupSQL 423 function is called.
FIG. 33 illustrates an operation algorithm of the BuildGroupSQL 423. The BuildGroupSQL 423 builds an SQL for obtaining a group by using a condition definition for attributes, inclusion, and included-in-group relationships of a group. Since a scheme of the built SQL is different according to an AND condition or an OR condition, according to the scheme, the BuildGroupAndSQL 4231 or the BuildGroupOrSQL 4232 function is called. If a lower node exists, the BuildGroupSQL 423 is recursively called.
FIG. 34 illustrates the operation algorithm of the BuildGroupAndSQL 4231. The BuildGroupAndSQL 4231 builds an SQL for selecting a group by using the definition of attributes and inclusion relationships described in an AND condition form. The SQL is configured as a series of conditions and selects a group which satisfies all of the conditions. If a group relationship node exists in the conditions, the BuildGroupSQL 423 function is recursively called.
FIG. 35 is an operation algorithm of the BuildGroupOrSQL 4232. The BuildGroupOrSQL 4232 builds an SQL for obtaining all group sets which satisfy the conditions and for obtaining a union thereof. If a group relationship node exists in the conditions, the BuildGroupSQL 423 function is recursively called.
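An added example (not the patent's code) of the BuildUserSQL recursion over a rule written with the and/or/prop/in/ex nodes of the DTD above, run against a constructed SQLite organisation: and-nodes become conjoined sub-queries, or-nodes a union, prop-nodes attribute selects, and in/ex-nodes look up the designated ids through the key stored in the node. The table layout (`users`, `groups`, `rule_direct`), the column whitelist and the restriction of a prop expr to a single comparison are assumptions of this example.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Only whitelisted attribute names/operators reach the SQL text; values and in/ex keys are bound.
COLUMNS = {"user": {"name", "code", "status"}, "group": {"name", "code", "status"}}
EXPR = re.compile(r"^\s*(\w+)\s*(<=|>=|<>|<|>|=|like|begins)\s*'([^']*)'\s*$", re.I)

def prop_sql(node, params):
    """prop node -> SELECT of user ids (assumption: one comparison per expr attribute)."""
    kind, m = node.get("type"), EXPR.match(node.get("expr", ""))
    if kind not in COLUMNS or not m or m.group(1) not in COLUMNS[kind]:
        raise ValueError("rejected attribute rule %r" % node.get("expr"))
    col, op, val = m.group(1), m.group(2).lower(), m.group(3)
    if op == "begins":                      # 'begins' is a prefix LIKE
        op, val = "like", val + "%"
    params.append(val)
    if kind == "user":
        return "SELECT id FROM users WHERE %s %s ?" % (col, op)
    return ("SELECT id FROM users WHERE group_id IN "       # users whose group matches
            "(SELECT id FROM groups WHERE %s %s ?)" % (col, op))

def direct_sql(node, params):
    """in/ex node: expr holds only a key into rule_direct, where the designated ids live."""
    params.append(node.get("expr"))
    if node.get("type") == "user":
        sql = "SELECT target_id FROM rule_direct WHERE kind='user' AND rule_key=?"
    else:
        sql = ("SELECT id FROM users WHERE group_id IN "
               "(SELECT target_id FROM rule_direct WHERE kind='group' AND rule_key=?)")
    return sql if node.tag == "in" else "SELECT id FROM users WHERE id NOT IN (%s)" % sql

def build_user_sql(node, params):
    """BuildUserSQL: and -> conjunction of sub-queries, or -> union of sub-queries."""
    if node.tag == "prop":
        return prop_sql(node, params)
    if node.tag in ("in", "ex"):
        return direct_sql(node, params)
    subs = [build_user_sql(child, params) for child in node]
    if node.tag == "and":
        return "SELECT id FROM users WHERE " + " AND ".join("id IN (%s)" % s for s in subs)
    if node.tag == "or":
        return " UNION ".join("SELECT id FROM users WHERE id IN (%s)" % s for s in subs)
    raise ValueError("unknown node %r" % node.tag)

def compile_rule(xml_text):
    params = []
    return build_user_sql(ET.fromstring(xml_text), params), params

# Constructed sample organisation, direct designations and rule (not from the patent).
SCHEMA = """CREATE TABLE groups(id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, status TEXT, group_id INTEGER);
CREATE TABLE rule_direct(rule_key TEXT, kind TEXT, target_id INTEGER);
INSERT INTO groups VALUES (1,'HQ'),(2,'R&D'),(3,'Sales');
INSERT INTO users VALUES (1,'alice','1',2),(2,'bob','2',2),(3,'carol','1',3),(4,'dave','3',3),(5,'eve','1',1);
INSERT INTO rule_direct VALUES ('k1','user',4),('k2','group',3);
"""
RULE = """<and><or>
  <and><prop type="user" expr="status = '1'"/><prop type="group" expr="name begins 'R'"/></and>
  <in type="user" seq="1" expr="k1"/>
</or><ex type="group" seq="2" expr="k2"/></and>"""

def members(xml_text=RULE):
    """Apply a rule to the sample data; returns the sorted ids of the rule group's users."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    sql, params = compile_rule(xml_text)
    return sorted(row[0] for row in con.execute(sql, params))
```

With the sample rule, the status/R&D branch yields alice, the direct user designation adds dave, and the group exclusion removes everyone in Sales, leaving alice alone.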
(3) Real-Time Application Method
Returning to FIG. 28, the rule optimizer 48 of FIG. 28 optimizes rule application by using the following three operations.
First Operation: Condition Query Optimization
Here, (execution time) = (execution time per task). This operation is performed to minimize the execution time per task. Each task represents the number of rule groups to which a rule is applied. The execution time per task is the time to convert the rule defined for each rule group into an SQL and execute the SQL. In order to minimize the time to apply the rule, the SQL builder performs the following optimization operations.
1) Each rule set is converted into a sub query.
2) Rule sets having the same type are unified into a single rule set. More specifically, when a group inclusion rule 1 and a group inclusion rule 2 exist at the same level, the two rules are unified into a single group inclusion rule and a query is built.
3) When a search range is wide, it is controlled so as not to use an index.
Second Operation: Minimization of The Number of Rule Groups To Be Updated During Changing of Organization/User
Here, (execution time) = (the number of updates) x (execution time per task). This operation is performed to minimize the execution time per task. The number of updates means the number of rule groups to be updated. The rule optimizer performs optimization in the manner illustrated in FIG. 37 in order to minimize the number of rule groups to be updated. Adding a group means updating only those rule groups which designate an attribute inclusion rule as a group rule. When the upper group of an added group is directly designated, the added group is included as a rule group member (①). When a user is added, whether the user is to be included as a rule group member is determined according to the attribute/direct designation of the included-in group (②). When a particular group changes its included-in group (oldParID != newParID), a rule group which is designated as a lower inclusion group member simultaneously by the upper bounds of the oldParID and the newParID does not update its included-in members. The rule groups of other groups (when a member tree is changed) are updated (③).
Third Operation: Minimization of The Number of Updated Records During Updating Rule Group
The updated records are the records updated in the table storing the members of a rule group, that is, records whose user IDs are designated as members; the optimization method is used in order to minimize the number of such updated records.
①: After a group G that is to be modified is deleted from the members, the rule is applied only to the group G.
②: After the users who belong to the group G that is to be modified are deleted, the rule is applied only to the users who belong to the group G.
③: After the group G that is to be moved and its lower groups are deleted, the rule is applied only to the groups which belong to the lower group.
④: After the group G that is to be moved and the users who belong to its lower groups are deleted, the rule is applied only to the users who belong to the group G and its lower groups.
⑤: Without deleting a member group, the rule is applied only to an added group G.
⑥: After deleting a user U, the rule is applied only to U.
⑦: Without deleting a member user, the rule is applied only to an added user U.
(3) Optimization according to Rule Describing Method of Manager
Since the rule designation method of existing rule groups is limited, it is difficult for a manager to describe an optimal condition. With the introduced method, a complex rule can be described effectively. The manager can therefore describe the rule effectively by using the following method (see FIG. 39).
When the remaining sets, other than the sets which satisfy the attributes, are to be obtained, the opposite of the attributes is designated. For example, the remaining users other than users having a status of '1' or '2' = (status <> '1') AND (status <> '2'). By using a group rule instead of a user rule, the result set is minimized. In addition, when a user needs to join or leave, using the user's included-in group instead of direct user rule designation minimizes the query for rule application. A logical operation between sets by attributes is described as a single attribute rule.
The invention can also be embodied as computer readable codes on a computer readable recording medium. The computer readable recording medium is any data storage device that can store data which can thereafter be read by a computer system. Examples of the computer readable recording medium include read-only memory (ROM), random-access memory (RAM), CD-ROMs, magnetic tapes, floppy disks, optical data storage devices, and carrier waves (such as data transmission through the Internet). The computer readable recording medium can also be distributed over network-coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.
INDUSTRIAL APPLICABILITY
Accordingly, by supporting a rule group in real time, various user groups which satisfy complex conditions including group relationships in addition to user attributes can be defined efficiently. In addition, a group which immediately reflects changes in the user attributes and the group relationships can be operated, and the load on the system can be minimized by using an optimal rule application method. Therefore, the usability of the system is improved.

Claims

1. An apparatus which supports a rule group in real-time for integrated identity management and is related to various types of an optimal rule group registration device, the apparatus comprising a rule group registration unit which includes a user interface for visual rule definition to provide logical relationships between sets using a tree structure so that a user intuitively designates a set operation by using the tree and classifying logical relationships between lower sets as an upper node.
2. The apparatus of claim 1, wherein the user interface of the rule group registration unit comprises a rule editor which is configured with a logical combination of various lower rule sets and easily performs modification and editing on relationships between rule sets, and wherein the rule editor comprises: a 'logic add position' button (position combo) for designating a position to which an AND/OR operation is added; an 'AND' button which is used to perform a conjunction ( ∩ ) operation on lower nodes to add or modify an AND logical expression in a method designated by the position combo; an 'OR' button which is used to perform a disjunction ( ∪ ) operation on the lower nodes to add or modify an OR logic expression in the method designated by the position combo; a 'set delete' button which is used to delete a selected node and a lower node thereof; a 'condition object select' button which selects a group rule editor that defines a rule for obtaining a member group, or a user rule editor that edits a rule for obtaining users, according to a rule type; and a 'rule type select' window which is used to select attributes, inclusion, or an exclusion editing function.
3. The apparatus of claim 2, wherein the rule editor further comprises a 'rule optimization' button which is used to reduce an unnecessary node depth of a node including AND/OR nodes to build an optimal condition query when a rule is executed.
4. The apparatus of claim 2, wherein, when the group rule editing is selected as the 'condition object select' button and group attributes, group inclusion, and group exclusion editing are selected at the 'rule type select' window, the rule editor provides: a group attribute editor which performs editing on an inclusion rule by attributes for defining attributes such as a name, code, and status of a group and designating a group which satisfies the attributes as a rule set; a group inclusion editor which performs editing on an inclusion rule by direct designation for selecting a group and designating the selected group and lower groups of the selected group as a rule set; and a group exclusion editor which performs editing on an exclusion rule by direct designation for selecting a group and designating the selected group and lower groups of the selected group as an exclusion rule set.
5. The apparatus of claim 2, wherein, when the user rule editing is selected as the 'condition object select' button and user attributes, user inclusion, and user exclusion editing are selected at the 'rule type select' window, the rule editor provides: a user attribute editor which performs editing on an inclusion rule by attributes for defining attributes such as a name, code, and status of a user and designating a user which satisfies the attributes as a rule set; a user inclusion editor which performs editing on an inclusion rule by direct designation for selecting a user and designating the selected user and lower users of the selected user as a rule set; and a group exclusion editor which performs editing on an exclusion rule by direct designation for selecting a user and designating the selected user and lower users of the selected user as an exclusion rule set.
6. The apparatus of claim 1, wherein the rule group registration unit further comprises a rule group modifying unit which provides a rule editor that designates a normal attribute as a value in the same method as that performed by a normal group and visually designates a rule in order to designate a rule similarly to a case where a rule group is added.
7. The apparatus of claim 1, wherein the rule group registration unit further comprises a member group inquiry unit which displays a list of groups which belong to a current rule group, designates a search criterion, inputs a keyword, and obtains a member group which begins with the keyword from the member groups in the current rule group.
8. The apparatus of claim 1, wherein the rule group registration unit further comprises a member user inquiry unit which displays a list of users who belong to a current rule group and inquires about a {users} ∪ {users who belong to the member group} ∪ {users who satisfy the user rule} list so as to display the list.
9. A computer-readable medium having embodied thereon a computer program for the apparatus of any one of claims 1 to 8.
PCT/KR2007/003602 2007-07-04 2007-07-26 Apparatus for real-time supporting rule group for integrated identity management WO2009005180A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
KR10-2007-0067196 2007-07-04
KR1020070067196A KR100807354B1 (en) 2007-07-04 2007-07-04 Apparatus for real-time supporting rule group for integrated identity management

Publications (1)

Publication Number Publication Date
WO2009005180A1 true WO2009005180A1 (en) 2009-01-08

Family

ID=39383331

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2007/003602 WO2009005180A1 (en) 2007-07-04 2007-07-26 Apparatus for real-time supporting rule group for integrated identity management

Country Status (2)

Country Link
KR (1) KR100807354B1 (en)
WO (1) WO2009005180A1 (en)


Also Published As

Publication number Publication date
KR100807354B1 (en) 2008-02-28


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 07793262; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 07793262; Country of ref document: EP; Kind code of ref document: A1