WO2009024037A1 - Method for generating and adjusting authority limit relation data and managing system thereof - Google Patents


Info

Publication number
WO2009024037A1
Authority
WO
WIPO (PCT)
Prior art keywords
level
group
relationship
sub
command set
Application number
PCT/CN2008/071263
Other languages
French (fr)
Chinese (zh)
Inventor
Wei Zhang
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Definitions

  • Further, a permission inheritance relationship reduction table can be set, as shown in Table 2 of the description.
  • The information in Table 2 is: the commands of group 1.1.2's command set are removed from group 3.1.2's command set, and the commands of group 1.1.1's command set are removed from group 3.1.1's command set.
  • Without the table the set of commands that can be executed is (a - f); because of the permission inheritance relationship reduction table it becomes (c - f). Setting the permission inheritance relationship reduction table thus allows permissions to be assigned more flexibly.
  • The privilege level of each device in the network is generally assigned by the primary server in the network or obtained from it (for example, verifying a privilege level downloaded from the server), but for a specific device the external level can be mapped to an internal level. For example, the primary server in the network can only assign privilege levels 1 - 15 and a network device is assigned level 4; the external level 4 is mapped to the internal level 3.1.1.
  • Step 1: set the main levels, the sub-levels and the priority relationship between the levels, where each sub-level belongs to a main level.
  • Step 2: set the command sets, each main level and each sub-level corresponding to one command set.
  • Step 3: divide all commands into the command sets of the main levels, where the command set of a higher main level includes all commands in the command sets of lower main levels.
  • Step 4: divide the commands in each main level's command set into the sub-levels included in that main level, where the command set of a higher sub-level includes all commands in the command sets of lower sub-levels.
  • Step 5: set the groups and a command set for each group, dividing the commands of each sub-level's command set into the command sets of its groups, where each group belongs to a sub-level and the command sets of groups belonging to the same sub-level do not overlap.
  • Step 6: set a permission inheritance relationship reduction table, which includes a first relationship item and a second relationship item into which groups are written; the sub-level or main level of the group in the first relationship item is higher than that of the group in the second relationship item, each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of its corresponding group or groups in the second relationship items.
  • Steps 5 and 6 are applied according to actual needs: one can set only the main levels and sub-levels, or the main levels, sub-levels and groups, or the main levels, sub-levels, groups and the permission inheritance relationship reduction table.
  • A mapping relationship between the external permission level and the internal permission level may further be set, that is, a mapping between the device's external permission level and a main level, sub-level or group is established.
  • The generated data can then be adjusted according to actual needs.
  • The process of adjusting the permission relationship data includes the following steps:
  • The command set of the lowest main level that contains all commands involved in the permission subdivision adjustment is determined, and the sub-levels included in that main level and their command sets are adjusted.
  • Adjusting the sub-levels and their command sets may specifically be: keeping the commands contained in the original sub-levels' command sets unchanged, adding a command set that contains all commands involved in the adjustment, and resetting the high-low order of the sub-levels according to the inclusion relationship between the command sets.
  • The adjustment process may further include adjusting the groups included in a sub-level and the commands in each group's command set.
  • This may specifically be: adding or removing a group and re-dividing the command set of each group; or keeping the number of groups unchanged and re-dividing the command set of each group.
  • The adjustment process may further include modifying the permission inheritance relationship reduction table, where the table includes a first relationship item and a second relationship item into which groups are written, the sub-level or main level of the group in the first relationship item is higher than that of the group in the second relationship item, each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of its corresponding group or groups in the second relationship items.
  • The method further includes modifying the mapping of the device's external authority level to a main level, sub-level or group.
  • FIG. 2 is a schematic diagram of an authority relationship data management system according to Embodiment 3 of the present invention, which includes:
  • a main level recording module 1, for recording the priority relationship of the main levels and the correspondence between each main level and its command set;
  • a main level command set storage module 2, connected to the main level recording module, for storing the command set of each main level;
  • a sub-level recording module 3, connected to the main level recording module, for recording the priority relationship of the sub-levels of each main level and the correspondence between each sub-level and its command set;
  • a sub-level command set storage module 4, for storing the command set of each sub-level.
  • The system can further include:
  • a group recording module 5, connected to the sub-level recording module, for recording the groups of each sub-level;
  • a group command set storage module 6, connected to the group recording module, for storing the command set of each group.
  • the system can further include:
  • a permission inheritance relationship reduction module 7, connected to the main level recording module and/or the sub-level recording module and/or the group recording module, for storing a permission inheritance relationship reduction table. The table includes a first relationship item and a second relationship item into which groups are written; the sub-level or main level of the group in the first relationship item is higher than that of the group in the second relationship item, each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of its corresponding group or groups in the second relationship items.
  • the system can further include:
  • a mapping relationship module 8, connected to the main level recording module and/or the sub-level recording module and/or the group recording module, for recording the mapping relationship between the external authority level of the device and a main level, sub-level or group.
  • The permission data model, the method for generating permission relationship data, the method for adjusting it and the management system provided by the embodiments of the invention make authority adjustment more convenient, authority subdivision more flexible and authority maintenance more powerful:
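As an added example, not code from the patent or from Huawei, the following Python implements the generation steps above (main levels, sub-levels, groups and the permission inheritance relationship reduction table, with the page's `main.sub.group` identifiers) and the adjustment procedure, and it generalizes the page's description by inserting a new sub-level at any position in the inclusion chain and renumbering the sub-levels above it. The class and method names, the one-command-per-group sample contents and the sample reduction rows are assumptions; the page's tables are not reproduced, so the sample data is constructed.

```python
"""Privilege model from the page: main levels, sub-levels, groups and a permission
inheritance relationship reduction table. Added example, not code from patent
WO2009024037A1 or Huawei; ids follow the page ("main.sub.group", group 0 = whole
sub-level, sub 0 = whole main level). SAMPLE_* below is constructed data."""


def parse_id(level_id):  # "3.1.2" -> (3, 1, 2)
    parts = level_id.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad level identifier {level_id!r}")
    return tuple(int(p) for p in parts)


class PrivilegeModel:
    def __init__(self, groups, reduction=None):
        self.groups = {g: set(c) for g, c in groups.items()}  # leaf groups only
        self.reduction = {k: list(v) for k, v in (reduction or {}).items()}
        self._check()

    def _check(self):  # groups of one sub-level are disjoint; reduction rows point downward
        by_sub = {}
        for gid, cmds in self.groups.items():
            m, s, g = parse_id(gid)
            if s == 0 or g == 0:
                raise ValueError(f"{gid}: stored groups need sub-level and group >= 1")
            for other in by_sub.setdefault((m, s), []):
                if cmds & self.groups[other]:
                    raise ValueError(f"groups {gid} and {other} overlap")
            by_sub[(m, s)].append(gid)
        for first, seconds in self.reduction.items():
            if any(parse_id(first)[:2] <= parse_id(sec)[:2] for sec in seconds):
                raise ValueError(f"reduction row {first}: first item must be at a higher level")

    def inherited(self, level_id):  # inclusion rules only, before the reduction table
        m, s, g = parse_id(level_id)
        if g and level_id not in self.groups:
            raise KeyError(level_id)
        out = set()
        for gid, cmds in self.groups.items():  # lower sub-levels/main levels + own group(s)
            gm, gs, _ = parse_id(gid)
            if ((s == 0 and gm <= m) or (g == 0 and (gm, gs) <= (m, s))
                    or (g and ((gm, gs) < (m, s) or gid == level_id))):
                out |= cmds
        return out

    def executable(self, level_id):  # effective set: inheritance minus reduction rows
        allowed = self.inherited(level_id)
        for second in self.reduction.get(level_id, []):
            allowed -= self.inherited(second)
        return allowed

    def subdivide(self, commands):
        # adjustment procedure: add a sub-level whose cumulative command set is exactly
        # `commands` to the lowest main level holding them all; sub-levels are renumbered in inclusion order
        commands = set(commands)
        mains = sorted({parse_id(g)[0] for g in self.groups})
        m = next((x for x in mains if commands <= self.inherited(f"{x}.0.0")), None)
        if m is None:
            raise ValueError("no main level contains all of these commands")
        base = set().union(*[self.inherited(f"{x}.0.0") for x in mains if x < m])
        if not base <= commands:
            raise ValueError(f"a sub-level of main level {m} must include all lower levels")
        subs = sorted({parse_id(g)[1] for g in self.groups if parse_id(g)[0] == m})
        chain = [(s, self.inherited(f"{m}.{s}.0")) for s in subs]
        if any(not (cum < commands or commands < cum) for _, cum in chain):
            raise ValueError("command set equals or is incomparable with an existing sub-level")
        chain.append((None, commands))
        chain.sort(key=lambda t: len(t[1]))  # nested sets order by size
        new_groups = {g: c for g, c in self.groups.items() if parse_id(g)[0] != m}
        renamed, prev, new_id = {}, base, None
        for new_s, (old_s, cum) in enumerate(chain, 1):
            if old_s is None:
                new_id = f"{m}.{new_s}.1"
                new_groups[new_id] = cum - prev
            else:
                renamed[f"{m}.{old_s}.0"] = f"{m}.{new_s}.0"
                for gid in [g for g in self.groups if parse_id(g)[:2] == (m, old_s)]:
                    kept = self.groups[gid] & (cum - prev)  # drop commands now inherited
                    if kept:
                        renamed[gid] = f"{m}.{new_s}.{parse_id(gid)[2]}"
                        new_groups[renamed[gid]] = kept
            prev = cum

        def rename(i):  # reduction rows follow the renumbering; a vanished group is an error
            if parse_id(i)[0] != m or parse_id(i)[1] == 0:
                return i
            if i not in renamed:
                raise ValueError(f"{i} lost all its commands; revise the reduction table first")
            return renamed[i]

        self.reduction = {rename(k): [rename(v) for v in vs] for k, vs in self.reduction.items()}
        self.groups = new_groups
        self._check()
        return new_id


# Constructed sample (assumption): 3 main levels x 2 sub-levels x 2 groups, one command
# per group (a..l); the two reduction rows are the ones the page reads from its Table 2.
SAMPLE_GROUPS = dict(zip([f"{m}.{s}.{g}" for m in (1, 2, 3) for s in (1, 2) for g in (1, 2)], "abcdefghijkl"))
SAMPLE_REDUCTION = {"3.1.2": ["1.1.2"], "3.1.1": ["1.1.1"]}
```

With the sample data, `PrivilegeModel(SAMPLE_GROUPS, SAMPLE_REDUCTION).executable("3.1.1")` returns the commands inherited from main levels 1 and 2 plus group 3.1.1's own command, minus group 1.1.1's command; `subdivide(set("abcdefg"))` inserts a new sub-level between 2.1 and 2.2, renumbers old 2.2 to 2.3, strips from its groups the commands that are now inherited, and rewrites any reduction rows naming those groups, refusing when a row would point at a group left without commands (the page's "further modify the reduction table" step is then required first). The external-to-internal mapping the page describes (level 4 to 3.1.1) is a plain dictionary lookup placed in front of `executable` and is not repeated here.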

Abstract

A method for generating and adjusting authority limit relation data and a managing system thereof are disclosed. Several sub-levels are defined under each fixed level. The command set of a higher main level includes all commands in the command sets of lower main levels. The command set of a higher sub-level includes all commands in the command sets of lower sub-levels. Further, groups can be added under a sub-level; the command sets of groups belonging to the same sub-level do not overlap. Further, an authority limit inheritance relation reduction table can be set.

Description

Method and management system for generating and adjusting authority relationship data

Technical field

The present invention relates to the field of communications, and in particular to a method and a management system for generating and adjusting authority relationship data.

Background art
User authority is one of the important data of a computer system. The management of user authority mainly controls the user's access to the device. Specifically, device commands are given an authority attribute, a user is given a certain authority when logging in, and the user can only execute commands that match that authority, so that the user's operations on the device are restricted to a certain range.

In the prior art there are various schemes for managing user authority, for example:

Some schemes have 16 levels in total; a device command can be dynamically assigned to one of the 16 levels, and a user's level can also be assigned. Levels 0 to 15 are ordered from low to high, and commands of a level higher than the user's own cannot be executed. In practical applications, commands are by default distributed over three of the 16 levels: 0, 1 and 15.

Some schemes are implemented so that a command can belong to multiple types and a type can include multiple commands; each user is given a type attribute when logging in and can execute all commands in that type, while commands outside it cannot be executed.

Other schemes distribute commands over four levels; a device command can be dynamically assigned to one of the four levels, and a user's level can also be assigned. Levels 1 to 4 are likewise ranked, and commands of a level higher than the user's own cannot be executed.

The basic group permission model implemented by Microsoft defines several basic command sets such as Administrators, Backup Operators and Guests; a newly created group can contain one or more of these command sets, and a user belongs to a group, which realizes the authorization of the user's permissions. The command sets cannot be flexibly subdivided, which has little to do with the PC commands themselves and does not require further subdivision. Permissions between groups stand in inclusion and parallel relationships. Microsoft also implements local permission control based on particular resources, mainly determined by its PC application scenario (an individual exclusively occupies certain resources on a device to complete some work and generally has no relationship to resources exclusively occupied by others; the individual can also authorize others, but by default other unrelated people have no permission). Network devices, in contrast, generally complete work through cooperation among their resources, so authorization is generally based on command operation capability, and control of resource access can be completed by a filter that restricts the execution of commands containing certain resource names.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problems:

1. Subdividing permissions is inflexible. When the number of levels is fixed, for example 15 levels, with level 15 the highest and containing the whole command set, suppose a permission level is needed whose commands are more than those of level 14 but fewer than those of level 15. In this case the only option is to add some of level 15's commands to level 14, which changes the original content of level 14 and is very inconvenient; and if the original content of level 14 may not be adjusted, there is no room to adjust or subdivide permissions at all. If the number of levels may be increased or decreased, the number of levels can be increased to 16, the original content of level 15 moved to level 16, and the level 15 command set re-set as needed; but in this way the amount of command adjustment is large, especially when subdividing at a low level.

2. The permission relationship model is simple but maintenance is complicated. The command-level permission model maintains only the permission inclusion relationship between levels, so it is impossible to superimpose the user permissions of two levels. The type-definition-based permission model has no inheritance relationship, so the executable command sets of different users are hard to make support each other: authorizing one additional command requires changing the type definitions of two users, and the permission inclusion relationship between two types has to be maintained manually. Microsoft's basic group permission model also cannot flexibly subdivide permissions: there are only a few inclusion combinations of basic permissions, and there is no function to remove some useless permissions from an included group permission.

Summary of the invention
The object of the embodiments of the present invention is to provide a method and a management system for generating and adjusting authority relationship data, so as to achieve more flexible subdivision of authority.

To achieve the above object, an embodiment of the present invention provides a method for generating authority relationship data, including the following steps:

setting main levels, sub-levels and the priority relationship between the levels, where each sub-level belongs to a main level;

setting command sets, each main level and each sub-level corresponding to one command set; dividing all commands into the command sets of the main levels, where the command set of a higher main level includes all commands in the command sets of lower main levels;

dividing the commands in a main level's command set into the sub-levels included in that main level, where the command set of a higher sub-level includes all commands in the command sets of lower sub-levels.

An embodiment of the present invention further provides a method for adjusting authority relationship data, including: when authority subdivision needs to be adjusted, determining the command set of the lowest main level that contains all commands involved in the adjustment, and adjusting the sub-levels included in that main level and the command sets corresponding to those sub-levels.

An embodiment of the present invention further provides an authority relationship data management system, including: a main level recording module, for recording the priority relationship of the main levels and the correspondence between each main level and its command set;

a main level command set storage module, connected to the main level recording module, for storing the command set of each main level;

a sub-level recording module, connected to the main level recording module, for recording the priority relationship of the sub-levels of each main level, the correspondence between each sub-level and its main level, and the correspondence between each sub-level and its command set; and a sub-level command set storage module, for storing the command set of each sub-level.

As can be seen from the above technical solution, the embodiments of the present invention make the subdivision of authority more flexible by further dividing sub-levels under each main level.

The technical solution of the present invention is further described in detail below with reference to the drawings and embodiments.

Brief description of the drawings

FIG. 1 is a flowchart of generating authority relationship data according to Embodiment 1 of the present invention;

FIG. 2 is a schematic diagram of an authority relationship data management system according to Embodiment 3 of the present invention.

Detailed description
Embodiments of the present invention increase the flexibility of authority subdivision by defining several sub-levels on top of each fixed level. The command set of a higher main level includes all commands in the command sets of lower main levels; within the same main level, the command set of a higher sub-level includes all commands in the command sets of lower sub-levels. Further, groups can be added under a sub-level, and the command sets of groups belonging to the same sub-level do not overlap.

The authority management model can be defined as follows:

The level identifier is defined as: main level identifier.sub-level identifier; this level identifier uniquely determines a sub-level.

Where groups are further divided, the definition can be:

The level identifier is defined as: main level identifier.sub-level identifier.group identifier; this level identifier uniquely determines a group.

To divide the command sets better, a permission inheritance relationship reduction table can be added. The table includes a first relationship item and a second relationship item, into which groups are written (a group can be uniquely determined by writing its level identifier). The sub-level or main level of the group in the first relationship item is higher than that of the group in the second relationship item, each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of the corresponding group or groups in the second relationship items.

The authority relationship model of the embodiment is further explained below with a specific example. To simplify the description, only three main levels are used; each main level is divided into two sub-levels and each sub-level is further divided into two groups. The high-low (priority) relationship of the levels follows the numeric order, and 12 commands (a - l) are involved, as in the following table:
[Table 1: main levels, sub-levels, groups and their command sets (table image not reproduced)]
In the table above, the content in parentheses is the commands contained in the command set of the respective main level, sub-level or group.

In practical use, the representation of a level should contain the complete main level, sub-level and group. A value of 0 in the group position denotes the command set of the whole sub-level; for example, 3.2.0 corresponds to the command set (a - l).

The command set of a higher main level or sub-level contains the command sets of the lower main levels or sub-levels; for example, the command set of 3.1.0 contains the command sets of 2.2.0 and 2.1.0. The command sets of groups belonging to the same sub-level do not overlap; for example, the command sets of 3.1.2 and 3.1.1 do not overlap. Further, a privilege inheritance reduction table may be set up, as shown in the following table:
[Table 2: privilege inheritance reduction table (table image not reproduced)]
Table 2 states that the commands in the command set of group 1.1.2 are removed from the command set of group 3.1.2, and the commands in the command set of group 1.1.1 are removed from the command set of group 3.1.1.

When a user is assigned level 3.1.2, the command set that could originally be executed is (a - f); because the privilege inheritance reduction table exists, the command set that can actually be executed is (c - f). Setting up a privilege inheritance reduction table therefore allows privileges to be assigned more flexibly.

For networked devices, the privilege level of each device in the network is generally assigned centrally by, or obtained from, the main server in the network (for example, a privilege level downloaded from an authentication server), so an individual device cannot assign privileges flexibly according to its own needs. To address this, a mapping between external privilege levels and internal privilege levels can be established in each network device, so that the privilege level assigned centrally by the main server (the external privilege level) is mapped as required onto the privilege level defined by the network device itself (the internal privilege level).

For example, the main server in the network can only assign privilege levels 1 - 15, and a particular network device is assigned level 4. By establishing a mapping in that device, external level 4 is mapped to internal level 3.1.1. When the usage requirements of the device change, the mapping is modified and a new mapping to an internal level is established.
Embodiment 1

The flow for generating privilege relationship data, shown in Figure 1, comprises the following steps:

Step 1: set the main levels, the sub-levels and the priority relationship between the levels, where the sub-levels are subordinate to the main levels;

Step 2: set the command sets, each main level and each sub-level corresponding to one command set;

Step 3: divide all commands into the command sets of the main levels, where the command set of a higher main level includes every command in the command sets of all lower main levels;

Step 4: divide the commands in a main level's command set among the sub-levels contained in that main level, where the command set of a higher sub-level includes every command in the command sets of all lower sub-levels.

Step 5: set groups and the command sets corresponding to the groups, and divide the commands in a sub-level's command set into the command sets of the groups; the groups are subordinate to the sub-level, and the command sets of groups belonging to the same sub-level do not overlap.

Step 6: set a privilege inheritance reduction table. The table contains a first relationship item and a second relationship item, in each of which a group is written; the group in the first relationship item is higher in sub-level or main level than the group in the second relationship item; each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of the second-relationship-item groups corresponding to it.

Steps 5 and 6 depend on actual needs: only main levels and sub-levels may be set; main levels, sub-levels and groups may be set; or main levels, sub-levels, groups and the privilege inheritance reduction table may all be set.

In addition, if the device applying the privilege relationship data is a networked device, a mapping between external privilege levels and internal privilege levels can further be set, that is, a mapping between the device's external privilege level and the main level, sub-level or group.
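As an added example (not code from the patent or from the applicant), the model of the worked example and the generation steps above in Python: level identifiers main.sub.group, the inclusion and non-overlap invariants of steps 3 to 5, the reduction table of step 6, the effective command set of a user at 3.1.2, and the external-to-internal mapping. All command sets are constructed here so as to match the figures the page gives (3.2.0 = a - l, 3.1.2 = a - f pruned to c - f by removing 1.1.2, external level 4 mapped to 3.1.1) and are otherwise assumptions, since the original tables did not survive extraction.

```python
# Added example, not from the patent; every command set below is constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import NamedTuple


class Level(NamedTuple):
    """Level identifier main.sub.group; group 0 denotes the whole sub-level."""
    main: int
    sub: int
    group: int = 0

    @classmethod
    def parse(cls, text: str) -> "Level":
        parts = [int(p) for p in text.split(".")]
        if len(parts) == 2:  # "3.1" is shorthand for "3.1.0"
            parts.append(0)
        if len(parts) != 3 or parts[0] < 1 or parts[1] < 1 or parts[2] < 0:
            raise ValueError(f"bad level identifier {text!r}")
        return cls(*parts)

    def __str__(self) -> str:
        return f"{self.main}.{self.sub}.{self.group}"


@dataclass
class PrivilegeModel:
    """Sub-level and group command sets, reduction table and external mapping."""
    sublevels: dict[tuple[int, int], frozenset[str]]       # (main, sub) -> commands
    groups: dict[tuple[int, int, int], frozenset[str]]     # (main, sub, group) -> commands
    reductions: dict[Level, list[Level]] = field(default_factory=dict)  # first -> seconds
    external_map: dict[int, Level] = field(default_factory=dict)        # server level -> internal

    def validate(self) -> list[str]:
        """Return the model invariants that are violated (empty list = consistent)."""
        problems: list[str] = []
        ordered = sorted(self.sublevels)
        for lo, hi in zip(ordered, ordered[1:]):
            # a higher main level, or a higher sub-level of the same main level,
            # must contain every command of the lower one (steps 3 and 4)
            if not self.sublevels[lo] <= self.sublevels[hi]:
                problems.append(f"{lo} is not contained in {hi}")
        for key, cmds in self.groups.items():
            if not cmds <= self.sublevels.get(key[:2], frozenset()):
                problems.append(f"group {key} exceeds its sub-level")
        keys = sorted(self.groups)
        for i, a in enumerate(keys):
            for b in keys[i + 1:]:
                # groups under the same sub-level must not share commands (step 5)
                if a[:2] == b[:2] and self.groups[a] & self.groups[b]:
                    problems.append(f"groups {a} and {b} overlap")
        for first, seconds in self.reductions.items():
            for second in seconds:
                # a reduction row may only point from a higher level to a lower one (step 6)
                if first[:2] <= second[:2]:
                    problems.append(f"reduction {first} -> {second} is not downward")
        return problems

    def command_set(self, level: Level) -> frozenset[str]:
        """Commands of a level identifier before the reduction table is applied."""
        if level.group == 0:
            return self.sublevels[(level.main, level.sub)]
        return self.groups[tuple(level)]

    def effective_commands(self, level: Level) -> frozenset[str]:
        """Commands a user assigned `level` may execute, after the reduction table."""
        allowed = set(self.command_set(level))
        for second in self.reductions.get(level, []):
            allowed -= self.command_set(second)
        return frozenset(allowed)

    def effective_for_external(self, external_level: int) -> frozenset[str]:
        """Resolve a level assigned by the network's main server via the device's mapping."""
        return self.effective_commands(self.external_map[external_level])


def sample_model() -> PrivilegeModel:
    """Constructed data: 3 main levels x 2 sub-levels x 2 groups over commands a-l."""
    f = frozenset
    sublevels = {
        (1, 1): f("abc"), (1, 2): f("abcd"),
        (2, 1): f("abcde"), (2, 2): f("abcdef"),
        (3, 1): f("abcdefghi"), (3, 2): f("abcdefghijkl"),
    }
    groups = {  # each sub-level is split into two disjoint groups
        (1, 1, 1): f("c"), (1, 1, 2): f("ab"), (1, 2, 1): f("d"), (1, 2, 2): f("abc"),
        (2, 1, 1): f("e"), (2, 1, 2): f("abcd"), (2, 2, 1): f("f"), (2, 2, 2): f("abcde"),
        (3, 1, 1): f("ghi"), (3, 1, 2): f("abcdef"), (3, 2, 1): f("jkl"), (3, 2, 2): f("abcdefghi"),
    }
    reductions = {  # Table 2: 3.1.2 drops 1.1.2's commands, 3.1.1 drops 1.1.1's
        Level.parse("3.1.2"): [Level.parse("1.1.2")],
        Level.parse("3.1.1"): [Level.parse("1.1.1")],
    }
    external_map = {4: Level.parse("3.1.1")}  # the page's example mapping
    return PrivilegeModel(sublevels, groups, reductions, external_map)
```

Run `validate()` whenever the tables are edited: it is the check that the inclusion chain, the group partition and the direction of every reduction row still hold before the data is handed to the command dispatcher.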
Embodiment 2

After the privilege data has been established, it can be adjusted as actual needs change. The flow for adjusting privilege relationship data comprises the following steps:

When a privilege subdivision adjustment is required, determine the command set of the lowest main level that contains all commands involved in the adjustment, and adjust the sub-levels contained in that main level and the command sets corresponding to those sub-levels.

Adjusting the sub-levels contained in that main level and their command sets may specifically be: keep the commands contained in the existing sub-level command sets unchanged, add a command set that contains all commands involved in the privilege subdivision adjustment, and re-set the ordering of the sub-levels according to the inclusion relationship between the command sets.

The adjustment may also include adjusting the groups contained in the sub-level and the commands in the command sets corresponding to the groups, specifically: add or remove groups and re-divide the command sets of the groups; or keep the number of groups unchanged and re-divide the command sets of the groups.

The adjustment may also include modifying the privilege inheritance reduction table. The table contains a first relationship item and a second relationship item, in each of which a group is written; the group in the first relationship item is higher in sub-level or main level than the group in the second relationship item; each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of the second-relationship-item groups corresponding to it.

For networked devices, the adjustment may also include modifying the mapping between the device's external privilege level and the main level, sub-level or group.
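The sub-level adjustment of Embodiment 2 as an added example (not the patent's own code): given the sub-level command sets of each main level as a chain ordered by inclusion, it finds the lowest main level that covers the commands involved, adds one command set containing them, and re-orders the sub-levels by inclusion. The sample data is constructed; the particular choice of the added set (the highest existing sub-level that does not yet cover the involved commands, plus those commands) is this example's way of keeping the chain intact and is not spelled out on the page.

```python
# Added example, not from the patent; the sub-level data below is constructed.
from __future__ import annotations

Chain = list  # sub-level command sets of one main level, lowest sub-level first


def sample_sublevels() -> dict[int, Chain[frozenset[str]]]:
    """Constructed data: 3 main levels, 2 sub-levels each, commands a-l."""
    return {
        1: [frozenset("abc"), frozenset("abcd")],
        2: [frozenset("abcde"), frozenset("abcdef")],
        3: [frozenset("abcdefghi"), frozenset("abcdefghijkl")],
    }


def lowest_main_level(sublevels: dict[int, Chain], involved: frozenset[str]) -> int:
    """The lowest main level whose command set (its top sub-level) covers every involved command."""
    for main in sorted(sublevels):
        if involved <= sublevels[main][-1]:
            return main
    raise ValueError("the involved commands are not all contained in one main level")


def adjust_subdivision(sublevels: dict[int, Chain], involved: frozenset[str]):
    """Return (main level, new ordered list of sub-level command sets).

    Existing sub-level sets are kept unchanged; one set containing all involved
    commands is added and the sub-levels are re-ordered by inclusion. The input
    is not modified.
    """
    if not involved:
        raise ValueError("nothing to adjust")
    main = lowest_main_level(sublevels, involved)
    chain = list(sublevels[main])
    # lowest existing sub-level that already covers the involved commands
    j = next(i for i, s in enumerate(chain) if involved <= s)
    below = chain[j - 1] if j > 0 else frozenset()
    new_set = below | involved  # lies between chain[j-1] and chain[j] by construction
    if new_set == chain[j]:
        return main, chain      # an existing sub-level already provides this set
    chain.insert(j, new_set)
    # the re-ordered sub-levels must still form a strict chain by inclusion
    if not all(lo < hi for lo, hi in zip(chain, chain[1:])):
        raise RuntimeError("sub-level inclusion chain broken")
    return main, chain


def level_identifiers(main: int, chain: Chain) -> dict[str, frozenset[str]]:
    """Render the re-numbered sub-levels as 'main.sub' identifiers."""
    return {f"{main}.{i}": s for i, s in enumerate(chain, start=1)}
```

Note that inserting a sub-level renumbers the ones above it (3.2 becomes 3.3 in the sample), so any external-to-internal mapping that names those identifiers must be revisited in the same change.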
Embodiment 3

Figure 2 is a schematic diagram of the privilege relationship data management system of Embodiment 3 of the present invention, which comprises:

a main-level recording module 1, for recording the priority relationship between main levels and the correspondence between each main level and its command set;

a main-level command set storage module 2, connected to the main-level recording module, for storing the command set of each main level;

a sub-level recording module 3, connected to the main-level recording module, for recording the priority relationship between the sub-levels of each main level and the correspondence between each sub-level and its command set;

a sub-level command set storage module 4, for storing the command set of each sub-level.

The system may further comprise:

a group recording module 5, connected to the sub-level recording module, for recording the groups corresponding to each sub-level;

a group command set storage module 6, connected to the group recording module, for storing the command set of each group.

The system may further comprise:

a privilege inheritance reduction module 7, connected to the main-level recording module and/or the sub-level recording module and/or the group recording module, for storing the privilege inheritance reduction table. The table contains a first relationship item and a second relationship item, in each of which a group is written; the group in the first relationship item is higher in sub-level or main level than the group in the second relationship item; each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of the second-relationship-item groups corresponding to it.

The system may further comprise:

a mapping module 8, connected to the main-level recording module and/or the sub-level recording module and/or the group recording module, for recording the mapping between the device's external privilege level and the main level, sub-level or group.
The privilege data model, the methods for generating and adjusting privilege relationship data, and the privilege relationship data management system provided by the embodiments of the invention make privilege adjustment more convenient, privilege subdivision more flexible and privilege maintenance more powerful:

By introducing sub-levels, the number of commands that must be moved during a privilege adjustment is reduced: a small number of commands can be moved between sub-levels of the same main level, instead of moving most commands down to a lower level, or increasing the number of levels and re-adjusting the whole level order and all command sets.

By introducing groups, mutually exclusive privilege management is added, which makes it possible for the privileges of two users to have no overlap; by introducing the privilege inheritance reduction table, mutual exclusion between higher and lower privilege levels is achieved.

By establishing a mapping to external privilege levels, the scheme is flexibly compatible with the privilege management schemes of other devices. For example, the privilege attribute definitions of different vendors may be incompatible: in some schemes level 15 is the highest, in others level 3 is the highest. When a single server authorizes users in a shared network, the prior art cannot resolve this, so a level definition cannot be understood correctly by both systems at the same time; the mapping mechanism between external and internal privilege levels of the embodiments resolves this flexibly.

Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the present invention and not to limit it. Although the invention has been described in detail with reference to preferred embodiments, those of ordinary skill in the art should understand that the technical solution of the invention may still be modified or equivalently substituted, and that such modifications or substitutions do not cause the modified technical solution to depart from the spirit and scope of the technical solution of the invention.

Claims

1. A method for generating privilege relationship data, characterized by comprising:

setting main levels, sub-levels and the priority relationship between the levels, where the sub-levels are subordinate to the main levels;

setting command sets, each main level and each sub-level corresponding to one command set;

dividing all commands into the command sets of the main levels, where the command set of a higher main level includes every command in the command sets of all lower main levels;

dividing the commands in a main level's command set among the sub-levels contained in that main level, where the command set of a higher sub-level includes every command in the command sets of all lower sub-levels.

2. The method according to claim 1, characterized by further comprising:

setting groups and the command sets corresponding to the groups, and dividing the commands in a sub-level's command set into the command sets of the groups, the groups being subordinate to the sub-level and the command sets of groups belonging to the same sub-level not overlapping.

3. The method according to claim 2, characterized by further comprising:

setting a privilege inheritance reduction table, the table containing a first relationship item and a second relationship item, in each of which a group is written; the group in the first relationship item is higher in sub-level or main level than the group in the second relationship item; each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of the second-relationship-item groups corresponding to it.

4. The method according to claim 1, 2 or 3, characterized by further comprising: establishing a mapping between the device's external privilege level and the main level, sub-level or group.
5. A method for adjusting privilege relationship data, characterized in that, when a privilege subdivision adjustment is required, the command set of the lowest main level among those containing all commands involved in the privilege subdivision adjustment is determined, and the sub-levels contained in that main level and the command sets corresponding to those sub-levels are adjusted.

6. The method according to claim 5, characterized in that adjusting the sub-levels contained in that main level and their command sets comprises: keeping the existing sub-level command sets unchanged, adding a command set containing all commands involved in the privilege subdivision adjustment, and re-setting the ordering of the sub-levels according to the inclusion relationship between the command sets.

7. The method according to claim 5 or 6, characterized by further comprising: adjusting the groups contained in the sub-level and the command sets corresponding to the groups.

8. The method according to claim 7, characterized in that adjusting the groups contained in the sub-level and the commands in the command sets corresponding to the groups comprises:

adding or removing groups and re-dividing the command sets of the groups; or keeping the number of groups unchanged and re-dividing the command sets of the groups.

9. The method according to claim 5 or 6, characterized by further comprising: modifying a privilege inheritance reduction table, the table containing a first relationship item and a second relationship item, in each of which a group is written; the group in the first relationship item is higher in sub-level or main level than the group in the second relationship item; each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of the second-relationship-item groups corresponding to it.

10. The method according to claim 7, characterized by further comprising: modifying the privilege inheritance reduction table.

11. The method according to claim 5 or 6, characterized by further comprising: modifying the mapping between the device's external privilege level and the main level, sub-level or group.
12. A privilege relationship data management system, characterized by comprising:

a main-level recording module, for recording the priority relationship between main levels and the correspondence between each main level and its command set;

a main-level command set storage module, connected to the main-level recording module, for storing the command set of each main level;

a sub-level recording module, connected to the main-level recording module, for recording the priority relationship between the sub-levels of each main level and the correspondence between each sub-level and its command set;

a sub-level command set storage module, for storing the command set of each sub-level.

13. The system according to claim 12, characterized by further comprising:

a group recording module, connected to the sub-level recording module, for recording the groups corresponding to each sub-level;

a group command set storage module, connected to the group recording module, for storing the command set of each group.

14. The system according to claim 13, characterized by further comprising:

a privilege inheritance reduction module, connected to the main-level recording module and/or the sub-level recording module and/or the group recording module, for storing a privilege inheritance reduction table, the table containing a first relationship item and a second relationship item, in each of which a group is written; the group in the first relationship item is higher in sub-level or main level than the group in the second relationship item; each group in a first relationship item corresponds to one or more groups in second relationship items, and the group in the first relationship item cannot execute the commands in the command sets of the second-relationship-item groups corresponding to it.

15. The system according to claim 12, 13 or 14, characterized by further comprising: a mapping module, connected to the main-level recording module and/or the sub-level recording module and/or the group recording module, for recording the mapping between the device's external privilege level and the main level, sub-level or group.
PCT/CN2008/071263 (WO2009024037A1): Method for generating and adjusting authority limit relation data and managing system thereof. Priority date 2007-08-23; filing date 2008-06-11; publication date 2009-02-26.

Applications claiming priority (2):
CNB2007101206726A (CN100563176C), priority and filing date 2007-08-23: A kind of generation of authority relation data and method of adjustment and management system
CN200710120672.6, priority date 2007-08-23

Publications (1):
WO2009024037A1, published 2009-02-26

Family: ID=39193062
Family applications (1): PCT/CN2008/071263 (WO2009024037A1), priority date 2007-08-23, filing date 2008-06-11: Method for generating and adjusting authority limit relation data and managing system thereof

Country status (2): CN (1) CN100563176C; WO (1) WO2009024037A1

Also Published As

Publication number Publication date
CN100563176C (en) 2009-11-25
CN101141297A (en) 2008-03-12

Legal Events

121 (EP): the EPO has been informed by WIPO that EP was designated in this application; ref document number 08757674, country EP, kind code A1
NENP: non-entry into the national phase; ref country code DE
122 (EP): PCT application non-entry in European phase; ref document number 08757674, country EP, kind code A1