WO2009024037A1 - Method for generating and adjusting authority limit relationship data and management system therefor - Google Patents

Method for generating and adjusting authority limit relationship data and management system therefor

Info

Publication number
WO2009024037A1
Authority
WO
WIPO (PCT)
Prior art keywords
level
group
relationship
sub
command set
Prior art date
Application number
PCT/CN2008/071263
Other languages
English (en)
Chinese (zh)
Inventor
Wei Zhang
Original Assignee
Huawei Technologies Co., Ltd.
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009024037A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks

Definitions

  • The present invention relates to the field of communications, and more particularly to a method and a management system for generating and adjusting privilege relationship data.
  • Background technique
  • User privileges are among the important data of a computer system.
  • The management of user privileges mainly controls which users may access the device. Specifically, each device command is given a privilege attribute, and a user is given a certain privilege at login; the user can only execute commands that match that privilege, so the user's operations on the device are limited to a certain range.
  • Some schemes have a total of 16 levels, and device commands can be dynamically assigned to any one of the 16 levels, as can a user's level.
  • Levels 0 to 15 are ordered from low to high, and a command of a higher level than the user's cannot be executed. In practice, commands are by default distributed over only three of the 16 levels: 0, 1 and 15.
  • A type can contain multiple commands. Each user is given a type attribute at login; all commands in that type can be executed, and commands outside it cannot.
  • The basic group permission model implemented by Microsoft defines basic command sets such as Administrators, Backup Operators and Guests; a newly created group can contain one or more of these command sets, and a user belongs to a certain group, which is how the user is authorized. The command sets cannot be flexibly subdivided, which has little to do with the PC commands themselves: in that setting no finer subdivision is required.
  • Permissions between groups are either inclusive or side by side.
  • Microsoft's local model also implements permission control on the basis of particular resources, which is mainly determined by its PC application scenario (a person monopolizes certain resources on the device to complete some work, generally unrelated to the resources monopolized by others; there is also a function to authorize others, but by default unrelated people have no permission). Network devices, by contrast, generally work in cooperation with one another, so authorization is generally based on command operation capability, and control of resource access can be included through filter pairs.
  • The execution of commands on certain resource names is restricted.
  • Subdivision of permissions is not flexible.
  • Suppose the levels are divided into 15 levels, of which level 15 is the highest and includes all command sets, and a permission level is now required whose authority basically contains the commands of level 14 plus part of level 15. For this case, only some of the level 15 commands can be added to level 14, but that operation changes the original level 14 content, which is very inconvenient; and if the content of the original level 14 may not be adjusted, there is no room to adjust and subdivide permissions at all. If the number of levels is allowed to increase or decrease, the number of levels can be raised to 16: the content of the original level 15 is moved to level 16 and the level 15 command set is set again as needed. But in this way the amount of command adjustment is large, especially when subdividing at a low level.
  • The permission relationship model is simple but complicated to maintain. In the command-level permission model, only the permission inclusion relationship between levels is maintained, which makes it impossible to superimpose the user rights of two levels. Because the type-based permission model has no inheritance relationship, the executable command sets of different users are difficult to relate to one another: authorizing a single additional command requires changing the type definitions of two users, so the inclusion relationship between the two types' permissions must be maintained manually. And Microsoft's basic group permission model cannot flexibly subdivide permissions: only a few basic permission combinations are included, and useless permissions cannot be removed from the included group permissions.
  • Summary of the invention
  • An object of the embodiments of the present invention is to provide a method and a management system for generating and adjusting privilege relationship data, so as to implement a more flexible subdivision of privileges.
  • An embodiment of the present invention provides a method for generating privilege relationship data, including the following steps:
  • The commands in the command set of a main level are divided into the sub-levels included in that main level, where the command set of a higher sub-level includes all the commands in the command sets of sub-levels lower than it.
  • The embodiment of the present invention further provides a method for adjusting the privilege relationship data, including: when a privilege subdivision adjustment is needed, determining the command set corresponding to the lowest main level among all the levels involved in the adjustment, and adjusting the sub-levels included in that main level and the command sets corresponding to them.
  • The embodiment of the present invention further provides a privilege relationship data management system, including: a main level recording module, configured to record the priority relationship of the main levels and the correspondence between each main level and its command set;
  • a main level command set storage module connected to the main level recording module, for storing the command set of each main level;
  • a sub-level recording module connected to the main level recording module, for recording the priority relationship of the sub-levels corresponding to each main level, the correspondence between each sub-level and its main level, and the correspondence between each sub-level and its command set;
  • a sub-level command set storage module that stores the command set of each sub-level.
  • The embodiment of the present invention makes the subdivision of permissions more flexible by further dividing each main level into sub-levels.
  • FIG. 2 is a schematic diagram of a management system for authority relationship data according to Embodiment 3 of the present invention.
  • Detailed description
  • Embodiments of the present invention increase the flexibility of privilege subdivision by adding several sub-levels on each fixed level.
  • The command set of a higher main level includes all commands in the command sets of main levels lower than it; within the same main level, the command set of a higher sub-level includes all commands in the command sets of sub-levels lower than it.
  • Groups can be added under a sub-level; the command sets of groups belonging to the same sub-level do not overlap.
  • The rights management model can be defined as follows:
  • The level identifier is defined as: main level identifier . sub-level identifier. This level identifier uniquely identifies a sub-level.
  • The level identifier is defined as: main level identifier . sub-level identifier . group identifier. This level identifier is unique.
  • A permission inheritance relationship reduction table may be added. The table contains a first relationship item and a second relationship item, each of which holds a group (a group is uniquely determined by writing its level identifier). The sub-level or main level of the group in the first relationship item is higher than that of the group in the second relationship item; each group in a first relationship item corresponds to one or more groups in second relationship items; and a group in a first relationship item cannot execute the commands in the command sets of the one or more second-item groups corresponding to it.
  • The content in parentheses is the commands contained in the command set corresponding to the main level, sub-level or group.
  • A level representation should include the complete main level, sub-level and group.
  • When the group position of a level identifier is 0, the identifier denotes the command set of the entire sub-level; for example, 3.2.0 corresponds to the command set (a - 1).
  • The command set corresponding to a higher main level or sub-level contains the command sets corresponding to lower main levels or sub-levels; for example, the command set corresponding to a level 3 group contains the command sets corresponding to 2.2.0 and 2.1.0. Command sets of groups belonging to the same sub-level do not overlap; for example, the command sets of 3.1.2 and 3.1.1 do not overlap.
  • The permission inheritance relationship reduction table can be set as shown in the following table:
  • The information contained in Table 2 is: the commands in the command set corresponding to group 1.1.2 are removed from the command set corresponding to group 3.1.2, and the commands in the command set corresponding to group 1.1.1 are removed from the command set corresponding to group 3.1.1.
  • Without the table, the set of commands that could be executed is (a - f); because of the permission inheritance relationship reduction table, the set of commands that can actually be executed is (c - f). By setting the reduction table, permissions can be assigned more flexibly.
  • The privilege level of each device in the network is generally assigned by the primary server in the network or obtained from it (for example, the privilege level downloaded from the verification server), but for a specific device the primary server in the network can only assign a privilege level of 1 - 15. Suppose a network device is assigned level 4.
  • The external level 4 is mapped to the internal level 3.1.1.
  • Step 1: set the main levels, the sub-levels and the priority relationship between the levels, where each sub-level belongs to a main level;
  • Step 2: set the command sets, each main level and each sub-level corresponding to one command set;
  • Step 3: divide all commands into the command sets of the main levels, where the command set of a higher main level includes all commands in the command sets of main levels lower than it;
  • Step 4: divide the commands in the command set of a main level into the sub-levels included in that main level, where the command set of a higher sub-level includes all commands in the command sets of sub-levels lower than it;
  • Step 5: set the groups and the command set corresponding to each group, dividing the commands in the command set of a sub-level into the command sets of its groups, where each group belongs to a sub-level and the command sets of groups belonging to the same sub-level do not overlap;
  • Step 6: set a permission inheritance relationship reduction table containing a first relationship item and a second relationship item, and write a group into each of them, where the sub-level or main level of the group in the first relationship item is higher than that of the group in the second relationship item, the group in each first relationship item corresponds to one or more second relationship items, and a group in a first relationship item cannot execute the commands in the command sets of the one or more second-item groups corresponding to it.
  • Steps 5 and 6 above depend on actual needs: one can set only the main levels and sub-levels, or the main levels, sub-levels and groups, or the main levels, sub-levels, groups and the permission inheritance relationship reduction table.
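A runnable sketch of the model defined above (main levels, sub-levels, groups, the reduction table and the external-level mapping) and of Steps 1 to 6, written for this page as an added example; it is not the patent's or Huawei's code. The command sets, the Table 2 entries and the mapping of external level 4 to 3.1.1 are constructed sample data, chosen so that 3.1.1 yields (a - f) before and (c - f) after the reduction table, as in the description.

```python
# Added example (not from the patent): a toy implementation of the
# main level / sub-level / group permission model, the permission
# inheritance relationship reduction table and the external-level mapping.
# Level identifiers follow the patent's "main.sub.group" form; group 0
# means "the whole sub-level". All data below is constructed sample data.
from typing import Dict, FrozenSet, List, Tuple

Level = Tuple[int, int, int]  # (main level, sub-level, group)

# Constructed: each group's OWN commands (Step 5). The command set of a
# main level or sub-level (Steps 3 and 4) is derived from these by inheritance.
GROUPS: Dict[Level, FrozenSet[str]] = {
    (1, 1, 1): frozenset("ab"), (1, 1, 2): frozenset("c"),
    (1, 2, 1): frozenset("d"),
    (2, 1, 1): frozenset("e"),
    (3, 1, 1): frozenset("f"), (3, 1, 2): frozenset("g"),
    (3, 2, 1): frozenset("h"),
}

# Constructed reduction table in the shape of the patent's Table 2 (Step 6):
# first item -> second items whose commands the first item may NOT execute.
REDUCTION: Dict[Level, List[Level]] = {
    (3, 1, 2): [(1, 1, 2)],
    (3, 1, 1): [(1, 1, 1)],
}

# Constructed mapping from a device's external level (1-15) to an internal level.
EXTERNAL_MAP: Dict[int, Level] = {4: (3, 1, 1)}


def parse_level(text: str) -> Level:
    """'3.1.1' -> (3, 1, 1); '3.2.0' -> the whole sub-level 3.2."""
    main, sub, group = (int(part) for part in text.split("."))
    return (main, sub, group)


def validate() -> None:
    """Enforce the two structural rules the patent states."""
    by_sub: Dict[Tuple[int, int], set] = {}
    for (m, s, _), cmds in GROUPS.items():
        seen = by_sub.setdefault((m, s), set())
        if seen & cmds:  # groups of one sub-level must not overlap
            raise ValueError(f"overlapping groups in sub-level {m}.{s}")
        seen |= cmds
    for first, seconds in REDUCTION.items():
        for second in seconds:  # first item must sit strictly above the second
            if first[:2] <= second[:2]:
                raise ValueError(f"{first} is not above {second}")


def inherited(level: Level) -> FrozenSet[str]:
    """Command set 'corresponding to' a level: everything in lower main
    levels, in lower sub-levels of the same main level, plus the group's
    own commands (or the whole sub-level when the group field is 0)."""
    m, s, g = level
    out: set = set()
    for (gm, gs, gg), cmds in GROUPS.items():
        if gm < m or (gm == m and gs < s) or (gm == m and gs == s and g in (0, gg)):
            out |= cmds
    return frozenset(out)


def executable(level: Level) -> FrozenSet[str]:
    """Inherited set minus the reduction-table entries for this group."""
    out = set(inherited(level))
    for second in REDUCTION.get(level, []):
        out -= inherited(second)
    return frozenset(out)


def executable_for_external(external_level: int) -> FrozenSet[str]:
    """Resolve a device's external privilege level through the mapping."""
    return executable(EXTERNAL_MAP[external_level])


if __name__ == "__main__":
    validate()
    for ident in ("3.2.0", "3.1.1", "3.1.2"):
        print(ident, "".join(sorted(executable(parse_level(ident)))))
```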
  • A mapping between the external permission level and the internal permission level may further be set, that is, a mapping between the external permission level of the device and a main level, sub-level or group is established.
  • The data can be adjusted according to actual needs.
  • The following describes the process of adjusting the permission relationship data, which includes the following steps:
  • The command set corresponding to the lowest main level that includes all the commands involved in the permission subdivision adjustment is determined, and the sub-levels included in that main level and the command sets corresponding to them are adjusted.
  • Adjusting the sub-levels included in the main level and their command sets may specifically mean: the commands contained in the command sets of the original sub-levels are kept unchanged, a new command set containing all the commands involved in the adjustment is added, and the order of the sub-levels from high to low is reset according to the inclusion relationship between the command sets.
  • The foregoing adjustment process may further include adjusting the groups included in a sub-level and the commands in the command set corresponding to each group.
  • This operation may specifically be: adding or removing a group and re-dividing the command sets of the groups; or keeping the number of groups unchanged and re-dividing the command sets of the groups.
  • The foregoing adjustment process may further include modifying the permission inheritance relationship reduction table, where the table contains a first relationship item and a second relationship item, each holding a group; the sub-level or main level of the group in the first relationship item is higher than that of the group in the second relationship item; the group in each first relationship item corresponds to one or more second relationship items; and the group in a first relationship item cannot execute the commands in the command sets of the one or more second-item groups corresponding to it.
  • The method further includes modifying the mapping of the device's external authority to a main level, sub-level or group.
  • FIG. 2 is a schematic diagram of a rights relationship data management system according to Embodiment 3 of the present invention, which includes:
  • a main level recording module 1, configured to record the priority relationship of the main levels and the correspondence between each main level and its command set;
  • a main level command set storage module 2, connected to the main level recording module and configured to store the command set of each main level;
  • a sub-level recording module 3, connected to the main level recording module and used for recording the priority relationship of the sub-levels corresponding to each main level and the correspondence between each sub-level and its command set;
  • a sub-level command set storage module 4, configured to store the command set of each sub-level.
  • the system can further include:
  • a group recording module 5, connected to the sub-level recording module, for recording the groups corresponding to each sub-level;
  • a group command set storage module 6, connected to the group recording module and used to store the command set of each group.
  • the system can further include:
  • a permission inheritance relationship reduction module 7, connected to the main level recording module and/or the sub-level recording module and/or the group recording module, and configured to store a permission inheritance relationship reduction table, where the table contains a first relationship item and a second relationship item, each holding a group; the sub-level or main level of the group in the first relationship item is higher than that of the group in the second relationship item; the group in each first relationship item corresponds to one or more second-item groups; and the group in a first relationship item cannot execute the commands in the command sets of the one or more second-item groups corresponding to it.
  • the system can further include:
  • a mapping relationship module 8, connected to the main level recording module and/or the sub-level recording module and/or the group recording module, and used for recording the mapping between the device's external authority and a main level, sub-level or group.
  • The permission data model, the method for generating permission relationship data, the method for adjusting it and the management system provided by the embodiments of the invention make adjusting permissions more convenient, subdividing permissions more flexible and maintaining permissions more powerful.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention relates to a method for generating and adjusting authority limit relationship data and to its management system. Several sub-levels are defined on each fixed level. The command set with the higher main level includes all commands in the command sets of main levels lower than it. The command set with the higher sub-level includes all commands in the command sets of sub-levels lower than it. Furthermore, groups can be added under a sub-level; the commands in the command sets of groups belonging to the same sub-level do not overlap. Furthermore, an authority limit inheritance relationship reduction table may be defined.
PCT/CN2008/071263 2007-08-23 2008-06-11 Method for generating and adjusting authority limit relationship data and management system therefor WO2009024037A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2007101206726A CN100563176C (zh) 2007-08-23 2007-08-23 A method and management system for generating and adjusting permission relationship data
CN200710120672.6 2007-08-23

Publications (1)

Publication Number Publication Date
WO2009024037A1 true WO2009024037A1 (fr) 2009-02-26

Family

ID=39193062

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/071263 WO2009024037A1 (fr) 2007-08-23 2008-06-11 Method for generating and adjusting authority limit relationship data and management system therefor

Country Status (2)

Country Link
CN (1) CN100563176C (fr)
WO (1) WO2009024037A1 (fr)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100563176C (zh) * 2007-08-23 2009-11-25 Huawei Technologies Co., Ltd. A method and management system for generating and adjusting permission relationship data
CN101834878B (zh) * 2010-01-29 2012-08-29 Chen Shijun Multi-user system permission management method and instant messaging system applying the method
CN101976314B (zh) * 2010-09-21 2012-08-01 Yonyou Software Co., Ltd. Permission control method and system
CN105516136B (zh) * 2015-12-08 2019-05-24 Shenzhen Koudai Network Technology Co., Ltd. Permission management method, apparatus and system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH1021196A (ja) * 1996-06-28 1998-01-23 Toshiba Corp Operator command control method
CN1395176A (zh) * 2001-07-06 2003-02-05 Mitac International Corp. Virtual library management system and method
CN1859153A (zh) * 2005-07-22 2006-11-08 Shanghai Huawei Technologies Co., Ltd. Method for setting user permissions in a communication system
CN101141297A (zh) * 2007-08-23 2008-03-12 Huawei Technologies Co., Ltd. A method and management system for generating and adjusting permission relationship data

Also Published As

Publication number Publication date
CN101141297A (zh) 2008-03-12
CN100563176C (zh) 2009-11-25

Similar Documents

Publication Publication Date Title
JP4926485B2 (ja) User access control system and method for content in a network
US20240086375A1 (en) Flexible Permission Management Framework For Cloud Attached File Systems
JP5646490B2 (ja) Backup and restore of security information for selected database objects
JP5356221B2 (ja) Conversion of role-based access control policies into resource permission policies
US20090276840A1 (en) Unified access control system and method for composed services in a distributed environment
WO2014153759A1 (fr) Method and device for managing access control authorization
US10372483B2 (en) Mapping tenat groups to identity management classes
WO2012083735A1 (fr) Method and system for managing document templates
JP2007316724A (ja) Computer system, management computer and program distribution method
WO2008086757A1 (fr) Device and method for controlling access to an electronic document
US7774310B2 (en) Client-specific transformation of distributed data
WO2010028583A1 (fr) Method and apparatus for authority management in a workflow component based on an authority component
CN111835820A (zh) A system and method for implementing cloud management
WO2009024037A1 (fr) Method for generating and adjusting authority limit relationship data and management system therefor
WO2017211161A1 (fr) Method and device for resource management based on a software-defined network
KR100673329B1 (ko) System and method for setting user roles/permissions using certificates in a grid environment
CN111611220A (zh) A file sharing method and system based on hierarchical nodes
US8631123B2 (en) Domain based isolation of network ports
Zou et al. Multi-tenancy access control strategy for cloud services
WO2016127773A1 (fr) Update method and device
Hemmes et al. Cacheable decentralized groups for grid resource access control
Merlo et al. Cooperative access control for the grid
US11868494B1 (en) Synchronization of access management tags between databases
CN113051240A (zh) A file sharing method and apparatus applied between NAS devices
JP2002032255A (ja) Computer-readable recording medium recording a user information management program, and user information management apparatus for a database management system

Legal Events

Date Code Title Description
121 Ep: the EPO has been informed by WIPO that EP was designated in this application (Ref document number: 08757674; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: PCT application non-entry in European phase (Ref document number: 08757674; Country of ref document: EP; Kind code of ref document: A1)