WO2019029502A1 - 系统中对授权操作者进行授权的方法 - Google Patents
系统中对授权操作者进行授权的方法 Download PDFInfo
- Publication number
- WO2019029502A1 WO2019029502A1 PCT/CN2018/099069 CN2018099069W WO2019029502A1 WO 2019029502 A1 WO2019029502 A1 WO 2019029502A1 CN 2018099069 W CN2018099069 W CN 2018099069W WO 2019029502 A1 WO2019029502 A1 WO 2019029502A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- authorized
- role
- user
- operator
- employee
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 47
- 238000013475 authorization Methods 0.000 title abstract description 43
- 238000007726 management method Methods 0.000 description 12
- 230000008569 process Effects 0.000 description 7
- 230000008859 change Effects 0.000 description 6
- 230000007246 mechanism Effects 0.000 description 5
- 238000010586 diagram Methods 0.000 description 4
- 230000004048 modification Effects 0.000 description 4
- 238000012986 modification Methods 0.000 description 4
- 230000006870 function Effects 0.000 description 3
- 238000007792 addition Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000003672 processing method Methods 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 238000012937 correction Methods 0.000 description 1
- 230000007812 deficiency Effects 0.000 description 1
- 230000014509 gene expression Effects 0.000 description 1
- 230000000366 juvenile effect Effects 0.000 description 1
- 238000004519 manufacturing process Methods 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
- G06Q10/105—Human resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/28—Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/104—Grouping of entities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2149—Restricted operating environment
Definitions
- the present invention relates to an authorization method for a management software system such as an ERP, and more particularly to a method for authorizing an authorized operator in a system.
- Role-based access control is one of the most researched and matured database rights management mechanisms in recent years. It is considered to be an ideal candidate to replace traditional mandatory access control (MAC) and autonomous access control (DAC).
- the basic idea of role-based access control (RBAC) is to divide different roles according to different functional positions in the enterprise organization view, encapsulate the access rights of database resources in roles, and indirectly access database resources by being assigned different roles.
- the role-based permission control mechanism can manage the access rights of the system simply and efficiently, which greatly reduces the burden and cost of the system rights management, and makes the system rights management more in line with the business management specifications of the application system.
- the traditional role-based user rights management method adopts the "role-to-user one-to-many" association mechanism, and its "role” is group/class nature, that is, one role can simultaneously correspond to/associate multiple users, and the role is similar to the post.
- the authorization of user rights under this association mechanism is basically divided into the following three forms: 1, as shown in Figure 1, directly authorized to the user, the disadvantage is that the workload is large, the operation is frequent and troublesome; As shown in Figure 2, the role (class/group/post/work type) is authorized (a role can be associated with multiple users), and the user obtains the permission through the role; 3. As shown in Figure 3, the above two methods are combined. .
- both 2 and 3 need to authorize the role of the class/group nature, and the way of authorization through the role of class/group/post/work type has the following disadvantages: 1.
- the above two processing methods not only require a long time for the role authorization in the case of a large number of role permissions, but also are easy to make mistakes, the user is cumbersome and troublesome to operate, and is also prone to errors resulting in loss to the system user.
- the object of the present invention is to overcome the deficiencies of the prior art, and to provide a method for authorizing an authorized operator in a system, which can set a plurality of authorized operators, and can respectively enable respective authorized operators who have a clear understanding of the rights of each authorized person.
- the authorized person authorizes the corresponding authority, making the authorization operation less prone to error.
- a method for authorizing an authorized operator in the system including: a system operator (which may also be expressed as "a privileged operator having the authority to select/set an authorized operator") Selecting (or setting) one or more authorized operators; setting one or more authorized persons for each authorized operator respectively (or setting one or more authorized persons for each authorized operator separately by the system operator); Each authorized operator separately sets a right for each authorized person who needs to set a right among all authorized persons corresponding to the authorized operator; the authorized person performs a corresponding operation according to the authority set for the authorized person.
- the authorized operator includes one or more of a role, a user, an employee, a group, and a class, the role is an independent individual, not a group/class, and a role can only associate with a unique user in the same time period.
- a user associates one or more roles; the user obtains the rights of his associated role; the authorized person includes one or more of a role, a user, an employee, a group, and a class, the role is an independent individual
- a role can only be associated with a unique user at the same time, while a user is associated with one or more roles; the user gains access to their associated role.
- the role belongs to the department, and the role is authorized according to the working content of the role, and the name of the role is unique under the department, and the role is The number is unique in the system; when the user is transferred, the user is associated with the original role, and the user is associated with the new role.
- the method for authorizing the authorized operator in the system further comprises: recording authorized operation information of the authorized operator.
- the authorized person corresponding to each authorized operator does not include the authorized operator.
- the authorized operator when the authorized operator is set as the authorized operator, if the authorized person is selected as the department, all the roles/users/employees/groups/classes under the department are the authorized persons corresponding to the authorized operator, The subsequently added role/user/employee/group/class under the department is also the authorized person corresponding to the authorized operator.
- a method of authorizing an authorized operator in the system including: a system operator (which may also be expressed as "privileged operator having the authority to select/set an authorized operator") to select one or more authorized operators; Authorizing the operator to set one or more authorized rights for granting the authorized person; each authorized operator respectively grants each of the authorized rights corresponding to the authorized operator to the authorized authority of the authorized person to be set to A corresponding authorized person; the authorized person performs a corresponding operation according to the granted authorized right.
- a system operator which may also be expressed as "privileged operator having the authority to select/set an authorized operator”
- the authorized operator includes one or more of a role, a user, an employee, a group, and a class
- the role is an independent individual, not a group/class, and a role can only associate with a unique user in the same time period.
- a user associates one or more roles; the user gains access to their associated role.
- the authorized person includes one or more of a role, a user, an employee, a group, and a class, the role is an independent individual, not a group/class, and a role can only associate a unique user in the same time period, and one A user associates one or more roles; the user gains access to their associated role.
- the authorized person corresponding to each authorized operator does not include the authorized operator.
- Methods for authorizing authorized operators in the system including:
- the system operator (which may also be expressed as "privileged operator with the authority to select/set the authorized operator") selects one or more authorized operators;
- Each authorized operator separately grants one or more authorized rights of all authorized rights corresponding to the authorized operator to each authorized authorized person corresponding to the authorized operator;
- the authorized person performs a corresponding operation according to the authorized authority granted.
- Steps (1) to (5) are sequentially performed, or steps (1), (3), (2), (4), and (5) are sequentially performed.
- the authorized person corresponding to each authorized operator does not include the authorized operator.
- the authorized operator includes one or more of a role, a user, an employee, a group, and a class
- the role is an independent individual, not a group/class, and a role can only associate with a unique user in the same time period.
- a user associates one or more roles; the user gains access to their associated role.
- the authorized person includes one or more of a role, a user, an employee, a group, and a class, the role is an independent individual, not a group/class, and a role can only associate a unique user in the same time period, and one A user associates one or more roles; the user gains access to their associated role.
- the beneficial effects of the present invention are as follows: (1) In the present invention, a plurality of authorized operators can be set, and the corresponding authorized operators who have a clear understanding of the rights of each authorized person can authorize the authorized rights of the authorized persons, so that the authorized operation is not performed. Error-prone.
- the deputy general manager in charge of sales is set as the authorized operator, and the deputy general manager in charge of sales authorizes the salesperson within the company; the deputy general manager in charge of finance is set as the authorized operator, so that the financial manager is responsible
- the deputy general manager authorizes the financial personnel in the finance department; sets the general manager as the authorized operator, allows the general manager to authorize the manager of each department; and allows the authorized operator who knows more about the “authorized authority and related authorized person”
- the relevant authorization of the “associated licensee” will make the authorization work more in line with the actual management needs of the enterprise.
- a plurality of authorized operators can be provided in the present invention, which reduces the authorized workload of each authorized operator and makes the authorization less prone to error.
- the authorization operation information of the recording system operator and/or the authorized operator in the present invention includes one or more of an authorized operator, an authorized person, an authorized authority, and an authorized time, etc., so as to facilitate Responsible for any errors or other circumstances.
- the authorized operator cannot authorize himself, and the authorized operator is not allowed to grant unrelated (or disallowed) rights to himself, thereby improving the information security of the company.
- the traditional rights management mechanism defines the role as a group, a job type, a class, etc.
- the role is a one-to-many relationship with the user. In the actual system use process, it is often necessary to perform the user's authority during the operation process. Adjustments, for example, when the employee permissions are changed, the permissions of an employee associated with the role change. We cannot change the permissions of the entire role because of the change of the individual employee permissions, because the role is also associated with other permissions. Staff. So in response to this situation, either create a new role to satisfy the employee whose permissions have changed, or directly authorize (disengage the role) from the employee based on the permission requirements.
- the above two processing methods not only require a long time for the role authorization in the case of a large number of role permissions, but also are easy to make mistakes, the user is cumbersome and troublesome to operate, and is also prone to errors resulting in loss to the system user.
- the role since the role is an independent individual, the role permission can be changed to achieve the goal.
- the method of the present application seems to increase the workload when the system is initialized, it can be made by copying and the like to make the role or authorization more efficient than the traditional group-based role, because the role of the group is not considered.
- the application scheme will make the permission setting clear and clear; especially after the system is used for a period of time (the user/role authority changes dynamically), the application scheme can greatly improve the system usage for the system user.
- the efficiency of the rights management makes the dynamic authorization simpler, more convenient, clearer and clearer, and improves the efficiency and reliability of the permission setting.
- the traditional group-based role authorization method is error-prone, and the method of the present application greatly reduces the probability of authorization errors, because the method of the present application only needs to consider the role as an independent individual, without considering the traditional method to associate the role of the group. What are the commonalities of multiple users? Even if the authorization error occurs, it only affects the user associated with the role, while the traditional group-based role affects all users associated with the role. Even if a permission authorization error occurs, the correction method of the present application is simple and short, and the traditional group-type role needs to consider the commonality of all users associated with the role when correcting the error, and not only the modification when there are many function points. Troublesome, complicated, very error-prone, and in many cases only new roles can be created.
- the method of the present application is as follows: the transferred user associates several roles.
- the user When adjusting the post, the user is first unlinked from the original role (the canceled roles can be re-associated to other users), and then the user is The new role can be associated.
- the operation is simple and will not go wrong.
- FIG. 1 is a schematic diagram of a manner in which a system directly authorizes a user in the background art
- FIG. 2 is a schematic diagram of a manner in which a system authorizes a group/class role in the background art
- FIG. 3 is a schematic diagram of a manner in which a system directly authorizes a user and authorizes a group/class role role in the background art
- FIG. 5 is a schematic diagram of a manner in which a system authorizes a user through an independent individual role
- FIG. 6 is a schematic flow chart of still another embodiment of the present invention.
- FIG. 7 is a schematic flow chart of still another embodiment of the present invention.
- a method for authorizing an authorized operator in the system includes: S11. The system operator selects one or more authorized operators.
- the authorized operator includes one or more of a role, a user, an employee, a group, and a class.
- the roles are independent individuals, not groups/classes, and one role can only associate with a unique user at the same time, and one user associates with one or more roles; the user obtains the rights of his associated role.
- a role is created or a role is selected for a role after the role is created, the role belongs to the department, and the role is authorized according to the work content of the role, and the name of the role is unique under the department, and the number of the role is in the system. The only one.
- Role definition The role does not have the nature of group/class/category/post/job/work, but a non-collection nature, the role is unique, the role is an independent independent entity; in the enterprise application is equivalent Job number (The job number here is not a post, one post may have multiple employees at the same time, and one job number can only correspond to one employee at the same time).
- a company system can create the following roles: general manager, deputy general manager 1, deputy general manager 2, Beijing sales manager, Beijing sales manager, Beijing sales manager, Shanghai sales engineer 1, Shanghai sales Engineer 2, Shanghai Sales Engineer 3, Shanghai Sales Engineer 4, Shanghai Sales Engineer 5...
- general manager deputy general manager 1, deputy general manager 2, Beijing sales manager, Beijing sales manager, Shanghai sales engineer 1, Shanghai sales Engineer 2, Shanghai Sales Engineer 3, Shanghai Sales Engineer 4, Shanghai Sales Engineer 5...
- Zhang San serves as the company's deputy general manager 2, and also serves as a sales manager in Beijing, then Zhang The three roles to be associated are Deputy General Manager 2 and Beijing Sales Manager. Zhang San has the rights to these two roles.
- roles are group/class/post/position/work type, and one role can correspond to multiple users.
- the concept of "role" in this application is equivalent to the post number/station number, and is similar to the role in the film and television drama: a character can only be played by one actor at the same time (childhood, juvenile, middle-aged). And an actor may be decorated with multiple angles.
- the user When the user adjusts the post, the user is associated with the original role, and the user is associated with the new role, and the user automatically loses the rights of the original role and automatically obtains the rights of the new role.
- the user When an employee joins a job, the user automatically obtains the associated role right after the user associates the role with the corresponding user. When the employee leaves the job, the user automatically loses the original association after canceling the relationship between the user corresponding to the user and the role associated with the user. The permissions of the role.
- the role After the role is created, you can associate the role in the process of creating the user, or you can associate it at any time after the user is created. After the user associates the role, the relationship with the role can be released at any time, and the relationship with other roles can be established at any time.
- One employee corresponds to one user, one user corresponds to one employee, and the employee determines (acquires) permissions through the role associated with the corresponding user.
- the employee and the user are bound for life, and after the user corresponds to the employee, the user belongs to the employee, and the user cannot associate with other employees; if the employee leaves the job, the user cannot correspond to other employees, and after the employee re-joins, The employee still uses the original user.
- One or more authorized persons are respectively set for each authorized operator.
- the authorized person includes one or more of a role, a user, an employee, a group, and a class, the role is an independent individual, not a group/class, and a role can only associate a unique user in the same time period, and one A user associates one or more roles; the user gains access to their associated role.
- the authorized operator When the authorized operator is set as the authorized person, if the authorized person is selected as the department, all the roles/users/employees/groups/classes/templates under the department are the authorized persons corresponding to the authorized operator, The subsequent added roles/users/employees/groups/classes under the department are also the authorized persons corresponding to the authorized operator, thereby realizing a quick selection of a large number of roles/users/employees/groups/classes, and improving the authorization efficiency.
- the authorized operator corresponding to each authorized operator does not include the authorized operator.
- Each authorized operator sets permissions for each authorized person who needs to set permissions among all authorized persons corresponding to the authorized operator.
- each authorized operator separately sets permissions for each authorized person who needs to set permissions among all authorized persons corresponding to the authorized operator, which is equivalent to each authorized operator respectively granting the corresponding authority to the authorized operation.
- Each of the licensees corresponding to the person who needs to set the authority is equivalent to each authorized operator respectively granting the corresponding authority to the authorized operation.
- authorizing the operator to set the authority on the authorized person includes authorizing the operator to set the column name, the form field, the time attribute field corresponding data, the form field value corresponding data, the menu, the statistical list, the column list of the statistical list,
- the time attribute column corresponds to one or more of the rights to operate the data and the statistical list column value corresponding data.
- authorizing the operator to set permissions for the authorized person includes authorizing the operator to set attendance rules (such as attendance time, attendance location, and attendance mode, etc.) for the authorized person.
- authorizing the operator to set the authority for the authorized person includes authorizing the operator to schedule the authorized person (such as setting the authorized person to work/no work, commuting time, etc.).
- authorizing the operator to set permissions for the authorized person includes authorizing the operator to dispatch the authorized person (eg, assigning a production task, an after-sale task, a sales order task, etc. to the authorized person).
- sales manager 1 For example, in the system, there are sales manager 1, salesperson 1, salesperson 2 and other roles under the sales department.
- the system operator selects the sales manager 1 as the authorized operator, and selects the salesperson 1 and the salesperson 2 as the authorized person for the sales manager 1, and the sales manager 1 sets the authority for viewing/modifying the customer of the household appliance industry for the salesperson 1
- the salesperson 2 sets the authority to view/modify the customers in the chemical industry, and the salesperson 1 can view/modify the customer of the household appliance industry according to the set authority, and the salesperson 2 can view/modify the customers of the chemical industry according to the set authority.
- the method for authorizing an authorized operator in the system further includes: recording authorized operation information of the authorized operator, the authorized operation information including one or more of an authorized operator, an authorized person, an authorized authority, and an authorized time. .
- a method for authorizing an authorized operator in the system includes: S21.
- the system operator selects one or more authorized operators.
- the authorized operator includes one or more of a role, a user, an employee, a group, and a class.
- the roles are independent individuals, not groups/classes.
- One role can only be associated with a unique user at a time, and one user is associated with one or more roles; the user gains access to its associated role.
- a role is created or a role is selected for a role after the role is created, the role belongs to the department, and the role is authorized according to the work content of the role, and the name of the role is unique under the department, and the number of the role is in the system. The only one.
- the user When an employee joins a job, the user automatically obtains the associated role right after the user associates the role with the corresponding user. When the employee leaves the job, the user automatically loses the original association after canceling the relationship between the user corresponding to the user and the role associated with the user. The permissions of the role.
- the role After the role is created, you can associate the role in the process of creating the user, or you can associate it at any time after the user is created. After the user associates the role, the relationship with the role can be released at any time, and the relationship with other roles can be established at any time.
- One employee corresponds to one user, one user corresponds to one employee, and the employee determines (acquires) permissions through the role associated with the corresponding user.
- the employee and the user are bound for life, and after the user corresponds to the employee, the user belongs to the employee, and the user cannot associate with other employees; if the employee leaves the job, the user cannot correspond to other employees, and after the employee re-joins, The employee still uses the original user.
- Each authorized operator separately grants the authorized authority of the authorized person to all the authorized rights corresponding to the authorized operator to the corresponding authorized person.
- each authorized operator separately grants the authorized authority of the authorized person to all the authorized rights corresponding to the authorized operator, which is equivalent to each authorized operator respectively
- the corresponding authorized person grants one or more authorized rights of the authorized person among all the authorized rights corresponding to the authorized operator.
- the authorized person includes one or more of a role, a user, an employee, a group, and a class, the role is an independent individual, not a group/class, and a role can only associate a unique user in the same time period, and one A user associates one or more roles; the user gains access to their associated role.
- the authorized operator corresponding to each authorized operator does not include the authorized operator.
- the authorized person performs a corresponding operation according to the granted authorized authority.
- sales manager 1 For example, in the system, there are sales manager 1, salesperson 1, salesperson 2, and salesperson 3 under the sales department.
- the system operator selects the sales manager 1 as the authorized operator, and sets the permission for the sales manager 1 to view/modify the customers of the household appliance industry and view/modify the rights of the customers in the chemical industry as authorized rights, and the sales manager 1 will view/modify
- the customer's authority in the household appliance industry is granted to the salesperson 1 and the salesperson 2.
- the authority to view/modify the customers in the chemical industry is awarded to the salesperson 3, and the salesperson 1 and the salesperson 2 can view/modify according to the authorized authority granted.
- Customers in the household appliance industry, salesperson 3 can view/modify customers in the chemical industry based on the authorized authority granted.
- authorizing all operational rights related to finance in the system to the deputy general manager responsible for finance which is authorized by the deputy general manager according to the work needs of the finance department staff/role; authorizes all operational rights involved in the system to the after-sales service.
- the deputy general manager responsible for the after-sales service is authorized by the deputy general manager according to the work needs of the after-sales staff/role.
- the method for authorizing an authorized operator in the system further includes: recording authorized operation information of the authorized operator, the authorized operation information including one or more of an authorized operator, an authorized person, an authorized authority, and an authorized time. .
- a method for authorizing an authorized operator in the system includes: S31.
- the system operator selects one or more authorized operators.
- the authorized operator includes one or more of a role, a user, an employee, a group, and a class.
- the roles are independent individuals, not groups/classes.
- One role can only be associated with a unique user at a time, and one user is associated with one or more roles; the user gains access to its associated role.
- a role is created or a role is selected for a role after the role is created, the role belongs to the department, and the role is authorized according to the work content of the role, and the name of the role is unique under the department, and the number of the role is in the system. The only one.
- the user When an employee joins a job, the user automatically obtains the associated role right after the user associates the role with the corresponding user. When the employee leaves the job, the user automatically loses the original association after canceling the relationship between the user corresponding to the user and the role associated with the user. The permissions of the role.
- the role After the role is created, you can associate the role in the process of creating the user, or you can associate it at any time after the user is created. After the user associates the role, the relationship with the role can be released at any time, and the relationship with other roles can be established at any time.
- One employee corresponds to one user, one user corresponds to one employee, and the employee determines (acquires) permissions through the role associated with the corresponding user.
- the employee and the user are bound for life, and after the user corresponds to the employee, the user belongs to the employee, and the user cannot associate with other employees; if the employee leaves the job, the user cannot correspond to other employees, and after the employee re-joins, The employee still uses the original user.
- the authorized person includes one or more of a role, a user, an employee, a group, and a class, the role is an independent individual, not a group/class, and a role can only associate a unique user in the same time period, and one A user associates one or more roles; the user gains access to their associated role.
- the authorized operator When the authorized operator is set as the authorized person, if the authorized person is selected as the department, all the roles/users/employees/groups/classes under the department are the authorized persons corresponding to the authorized operator, under the department The subsequently added role/user/employee/group/class is also the authorized person corresponding to the authorized operator, thereby achieving a quick selection of a large number of roles/users/employees/groups/classes, and improving the authorization efficiency.
- the authorized operator corresponding to each authorized operator does not include the authorized operator.
- Each authorized operator respectively grants one or more authorized rights of all authorized rights corresponding to the authorized operator to each authorized authorized person corresponding to the authorized operator.
- each authorized operator respectively grants one or more authorized rights of all authorized rights corresponding to the authorized operator to each authorized authorized person corresponding to the authorized operator, which is equivalent to each The authorized operator respectively grants each authorized right of the authorized authority corresponding to the authorized operator to one or more authorized persons of all the authorized persons corresponding to the authorized operator.
- the authorized person performs a corresponding operation according to the granted authorized authority.
- sales manager 1 For example, in the system, there are sales manager 1, salesperson 1, salesperson 2, salesperson 3, and salesperson 4 under the sales department.
- the system operator selects the sales manager 1 as the authorized operator, selects the salesperson 1, the salesperson 2, the salesperson 3, and the salesperson 4 as the authorized person for the sales manager 1, and sets the customer who views/modifies the home appliance industry for the sales manager 1.
- the method for authorizing an authorized operator in the system further includes: recording authorized operation information of the authorized operator, the authorized operation information including one or more of an authorized operator, an authorized person, an authorized authority, and an authorized time. .
Abstract
Description
Claims (10)
- 系统中对授权操作者进行授权的方法,其特征在于,包括:系统操作者选择一个或多个授权操作者;分别为每个授权操作者设置一个或多个被授权者;每个授权操作者分别为该授权操作者对应的所有被授权者中需要设置权限的每个被授权者设置权限;所述被授权者根据为其设置的权限执行相应操作。
- 根据权利要求1所述的系统中对授权操作者进行授权的方法,其特征在于,所述授权操作者包括角色、用户、员工、组和类中的一种或多种,所述角色是独立的个体,而非组/类,同一时段一个角色只能关联唯一的用户,而一个用户关联一个或多个角色;用户获得其关联的角色的权限;所述被授权者包括角色、用户、员工、组和类中的一种或多种,所述角色是独立的个体,而非组/类,同一时段一个角色只能关联唯一的用户,而一个用户关联一个或多个角色;用户获得其关联的角色的权限。
- 根据权利要求2所述的系统中对授权操作者进行授权的方法,其特征在于,在角色创建时或角色创建后为该角色选择一个部门,则该角色归属于该部门,根据角色的工作内容对角色进行授权,且该角色的名称在该部门下唯一,该角色的编号在系统中唯一;所述用户调岗时,取消用户与原角色的关联,将用户与新角色进行关联。
- 根据权利要求1所述的系统中对授权操作者进行授权的方法,其特征在于,系统中对授权操作者进行授权的方法还包括:记录授权操作者的授权操作信息。
- 根据权利要求1所述的系统中对授权操作者进行授权的方法,其特征在于,每个授权操作者对应的被授权者不包括该授权操作者。
- 根据权利要求1所述的系统中对授权操作者进行授权的方法,其特征在于,当为授权操作者设置被授权者时,若将被授权者选择为部门时,该部门下的全部角色/用户/员工/组/类都为该授权操作者对应的被授权者,该部门下后续增加的角色/用户/员工/组/类也为该授权操作者对应的被授权者。
- 系统中对授权操作者进行授权的方法,其特征在于,包括:系统操作者选择一个或多个授权操作者;分别为每个授权操作者设置一个或多个用于授予被授权者的被授权权限;每个授权操作者分别将该授权操作者对应的所有被授权权限中每个需要设置被授权者的被授权权限授予给相应的被授权者;所述被授权者根据被授予的被授权权限执行相应操作。
- 根据权利要求7所述的系统中对授权操作者进行授权的方法,其特征在于,所述授权操作者包括角色、用户、员工、组和类中的一种或多种,所述角色是独立的个体,而非组/类,同一时段一个角色只能关联唯一的用户,而一个用户关联一个或多个角色;用户获得其关联的角色的权限;所述被授权者包括角色、用户、员工、组和类中的一种或多种,所述角色是独立的个体,而非组/类,同一时段一个角色只能关联唯一的用户,而一个用户关联一个或多个角色;用户获得其关联的角色的权限。
- 系统中对授权操作者进行授权的方法,其特征在于,包括:系统操作者选择一个或多个授权操作者;分别为每个授权操作者设置一个或多个用于授予被授权者的被授权权限;分别为每个授权操作者设置一个或多个被授权者;每个授权操作者分别为该授权操作者对应的每个需要授权的被授权者授予该授权操作者对应的所有被授权权限中的一个或多个被授权权限;所述被授权者根据被授予的被授权权限执行相应操作。
- 根据权利要求9所述的系统中对授权操作者进行授权的方法,其特征在于,所述授权操作者包括角色、用户、员工、组和类中的一种或多种,所述角色是独立的个体,而非组/类,同一时段一个角色只能关联唯一的用户,而一个用户关联一个或多个角色;用户获得其关联的角色的权限;所述被授权者包括角色、用户、员工、组和类中的一种或多种,所述角色是独立的个体,而非组/类,同一时段一个角色只能关联唯一的用户,而一个用户关联一个或多个角色;用户获得其关联的角色的权限。
Priority Applications (11)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020207006591A KR20200033961A (ko) | 2017-08-07 | 2018-08-06 | 시스템에서 권한 부여 조작자에 대해 권한 부여하는 방법 |
AU2018314918A AU2018314918A1 (en) | 2017-08-07 | 2018-08-06 | Method for authorizing authorization operator in system |
EA202190489A EA202190489A1 (ru) | 2017-08-07 | 2018-08-06 | Способ предоставления прав авторизирующим операторам в системе |
JP2020505859A JP2020530616A (ja) | 2017-08-07 | 2018-08-06 | システムにおいて承認操作者を承認する方法 |
MX2020001461A MX2020001461A (es) | 2017-08-07 | 2018-08-06 | Procedimiento para autorizar a un operador de autorizacion en un sistema. |
EP18845045.6A EP3668041A4 (en) | 2017-08-07 | 2018-08-06 | AUTHORIZATION PROCESS OF AUTHORIZATION OPERATOR IN A SYSTEM |
BR112020002560-7A BR112020002560A2 (pt) | 2017-08-07 | 2018-08-06 | método para autorizar um operador de autorização em um sistema |
PE2020000191A PE20200626A1 (es) | 2017-08-07 | 2018-08-06 | Procedimiento para autorizar a un operador de autorizacion en un sistema |
US16/637,251 US11824865B2 (en) | 2017-08-07 | 2018-08-06 | Method for authorizing authorization operator in system |
PH12020500213A PH12020500213A1 (en) | 2017-08-07 | 2020-01-28 | Method for authorizing authorization operator in system |
CONC2020/0001306A CO2020001306A2 (es) | 2017-08-07 | 2020-02-05 | Procedimiento para autorizar a un operador de autorización en un sistema |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710668229.6 | 2017-08-07 | ||
CN201710668229.6A CN107395611A (zh) | 2017-08-07 | 2017-08-07 | 系统中对授权操作者进行授权的方法 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019029502A1 true WO2019029502A1 (zh) | 2019-02-14 |
Family
ID=60354402
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2018/099069 WO2019029502A1 (zh) | 2017-08-07 | 2018-08-06 | 系统中对授权操作者进行授权的方法 |
Country Status (13)
Country | Link |
---|---|
US (1) | US11824865B2 (zh) |
EP (1) | EP3668041A4 (zh) |
JP (1) | JP2020530616A (zh) |
KR (1) | KR20200033961A (zh) |
CN (2) | CN107395611A (zh) |
AU (1) | AU2018314918A1 (zh) |
BR (1) | BR112020002560A2 (zh) |
CO (1) | CO2020001306A2 (zh) |
EA (1) | EA202190489A1 (zh) |
MX (1) | MX2020001461A (zh) |
PE (1) | PE20200626A1 (zh) |
PH (1) | PH12020500213A1 (zh) |
WO (1) | WO2019029502A1 (zh) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107358093A (zh) * | 2017-07-11 | 2017-11-17 | 成都牵牛草信息技术有限公司 | 通过第三方字段对表单字段的字段值进行授权的方法 |
CN107395611A (zh) * | 2017-08-07 | 2017-11-24 | 成都牵牛草信息技术有限公司 | 系统中对授权操作者进行授权的方法 |
CN109033810A (zh) * | 2018-08-08 | 2018-12-18 | 郑州市景安网络科技股份有限公司 | 一种权限管理系统 |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130104046A1 (en) * | 2011-10-21 | 2013-04-25 | International Business Machines Corporation | Role Engineering Scoping and Management |
CN103605916A (zh) * | 2013-12-06 | 2014-02-26 | 山东高速信息工程有限公司 | 一种基于组织的rbac访问控制模型 |
CN104050401A (zh) * | 2013-03-12 | 2014-09-17 | 腾讯科技(深圳)有限公司 | 用户权限管理方法及系统 |
CN105184144A (zh) * | 2015-07-31 | 2015-12-23 | 上海玖道信息科技股份有限公司 | 一种多系统权限管理方法 |
CN107395611A (zh) * | 2017-08-07 | 2017-11-24 | 成都牵牛草信息技术有限公司 | 系统中对授权操作者进行授权的方法 |
Family Cites Families (29)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6202066B1 (en) * | 1997-11-19 | 2001-03-13 | The United States Of America As Represented By The Secretary Of Commerce | Implementation of role/group permission association using object access type |
JP2000132625A (ja) * | 1998-10-23 | 2000-05-12 | Ntt Communicationware Corp | ワークフロー管理システム |
US7113923B1 (en) * | 1999-02-03 | 2006-09-26 | Electronic Data Systems Corporation | System and method of managing an office of programs |
JP2001155062A (ja) * | 1999-11-26 | 2001-06-08 | Hitachi Ltd | ワークフロー到着予測システム、方法、および該方法に係るプログラムを記憶した記憶媒体 |
JP3677448B2 (ja) * | 2000-11-30 | 2005-08-03 | 住商情報システム株式会社 | 認証関係管理システム及びこれに用いるサーバ装置、認証関係管理方法、記録媒体 |
US6985955B2 (en) * | 2001-01-29 | 2006-01-10 | International Business Machines Corporation | System and method for provisioning resources to users based on roles, organizational information, attributes and third-party information or authorizations |
US7340469B1 (en) * | 2004-04-16 | 2008-03-04 | George Mason Intellectual Properties, Inc. | Implementing security policies in software development tools |
JP2006012044A (ja) * | 2004-06-29 | 2006-01-12 | Canon Sales Co Inc | ユーザ認証装置及び方法、ユーザ認証システム、プログラム、並びに記録媒体 |
US20060048224A1 (en) * | 2004-08-30 | 2006-03-02 | Encryptx Corporation | Method and apparatus for automatically detecting sensitive information, applying policies based on a structured taxonomy and dynamically enforcing and reporting on the protection of sensitive data through a software permission wrapper |
US20060218394A1 (en) * | 2005-03-28 | 2006-09-28 | Yang Dung C | Organizational role-based controlled access management system |
US20070214497A1 (en) * | 2006-03-10 | 2007-09-13 | Axalto Inc. | System and method for providing a hierarchical role-based access control |
US9455990B2 (en) * | 2006-07-21 | 2016-09-27 | International Business Machines Corporation | System and method for role based access control in a content management system |
US8402514B1 (en) * | 2006-11-17 | 2013-03-19 | Network Appliance, Inc. | Hierarchy-aware role-based access control |
US7827615B1 (en) * | 2007-01-23 | 2010-11-02 | Sprint Communications Company L.P. | Hybrid role-based discretionary access control |
US8745087B2 (en) * | 2007-10-01 | 2014-06-03 | Eka Labs, Llc | System and method for defining and manipulating roles and the relationship of roles to other system entities |
PT104012B (pt) | 2008-04-03 | 2010-03-31 | Univ Do Minho | Painel estrutural misto madeira-vidro e seu processo de produção |
US8181230B2 (en) * | 2008-06-30 | 2012-05-15 | International Business Machines Corporation | System and method for adaptive approximating of a user for role authorization in a hierarchical inter-organizational model |
JP5195139B2 (ja) * | 2008-08-05 | 2013-05-08 | 株式会社大林組 | 情報共有システム及びユーザ登録方法 |
CN102004868A (zh) | 2009-09-01 | 2011-04-06 | 上海杉达学院 | 一种基于角色访问控制的信息系统数据存储层及组建方法 |
US8965801B2 (en) * | 2010-03-31 | 2015-02-24 | International Business Machines Corporation | Provision of support services as a service |
CN101951377A (zh) | 2010-09-21 | 2011-01-19 | 用友软件股份有限公司 | 分层授权管理方法和装置 |
CN102468971A (zh) * | 2010-11-04 | 2012-05-23 | 北京北方微电子基地设备工艺研究中心有限责任公司 | 权限管理方法和装置、权限控制方法和装置 |
US8983877B2 (en) * | 2011-03-21 | 2015-03-17 | International Business Machines Corporation | Role mining with user attribution using generative models |
US9679264B2 (en) * | 2012-11-06 | 2017-06-13 | Oracle International Corporation | Role discovery using privilege cluster analysis |
US9734250B2 (en) * | 2014-07-23 | 2017-08-15 | David Kelsey | Digital asset management for enterprises |
CN106485388A (zh) * | 2015-09-01 | 2017-03-08 | 北京奇虎科技有限公司 | 业务审批系统的权限管理方法和装置 |
US10032045B2 (en) * | 2015-10-30 | 2018-07-24 | Raytheon Company | Dynamic runtime field-level access control using a hierarchical permission context structure |
CN106570656A (zh) * | 2016-11-11 | 2017-04-19 | 南京南瑞继保电气有限公司 | 一种基于rbac模型的分级授权方法 |
CN106918542B (zh) * | 2017-04-22 | 2023-03-14 | 河南理工大学 | 热冷冲击下煤体渗透率测试装置及测试方法 |
-
2017
- 2017-08-07 CN CN201710668229.6A patent/CN107395611A/zh active Pending
-
2018
- 2018-08-06 EP EP18845045.6A patent/EP3668041A4/en active Pending
- 2018-08-06 JP JP2020505859A patent/JP2020530616A/ja active Pending
- 2018-08-06 KR KR1020207006591A patent/KR20200033961A/ko not_active Application Discontinuation
- 2018-08-06 AU AU2018314918A patent/AU2018314918A1/en not_active Abandoned
- 2018-08-06 MX MX2020001461A patent/MX2020001461A/es unknown
- 2018-08-06 PE PE2020000191A patent/PE20200626A1/es unknown
- 2018-08-06 WO PCT/CN2018/099069 patent/WO2019029502A1/zh active Search and Examination
- 2018-08-06 EA EA202190489A patent/EA202190489A1/ru unknown
- 2018-08-06 CN CN201810887157.9A patent/CN109033861B/zh active Active
- 2018-08-06 US US16/637,251 patent/US11824865B2/en active Active
- 2018-08-06 BR BR112020002560-7A patent/BR112020002560A2/pt not_active IP Right Cessation
-
2020
- 2020-01-28 PH PH12020500213A patent/PH12020500213A1/en unknown
- 2020-02-05 CO CONC2020/0001306A patent/CO2020001306A2/es unknown
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20130104046A1 (en) * | 2011-10-21 | 2013-04-25 | International Business Machines Corporation | Role Engineering Scoping and Management |
CN104050401A (zh) * | 2013-03-12 | 2014-09-17 | 腾讯科技(深圳)有限公司 | 用户权限管理方法及系统 |
CN103605916A (zh) * | 2013-12-06 | 2014-02-26 | 山东高速信息工程有限公司 | 一种基于组织的rbac访问控制模型 |
CN105184144A (zh) * | 2015-07-31 | 2015-12-23 | 上海玖道信息科技股份有限公司 | 一种多系统权限管理方法 |
CN107395611A (zh) * | 2017-08-07 | 2017-11-24 | 成都牵牛草信息技术有限公司 | 系统中对授权操作者进行授权的方法 |
Non-Patent Citations (1)
Title |
---|
See also references of EP3668041A4 * |
Also Published As
Publication number | Publication date |
---|---|
CN107395611A (zh) | 2017-11-24 |
EP3668041A4 (en) | 2020-12-30 |
US11824865B2 (en) | 2023-11-21 |
KR20200033961A (ko) | 2020-03-30 |
EP3668041A1 (en) | 2020-06-17 |
JP2020530616A (ja) | 2020-10-22 |
CO2020001306A2 (es) | 2020-05-15 |
US20200204559A1 (en) | 2020-06-25 |
BR112020002560A2 (pt) | 2020-08-04 |
PE20200626A1 (es) | 2020-03-11 |
EA202190489A1 (ru) | 2021-05-24 |
CN109033861A (zh) | 2018-12-18 |
AU2018314918A1 (en) | 2020-03-19 |
MX2020001461A (es) | 2020-09-18 |
CN109033861B (zh) | 2022-03-22 |
PH12020500213A1 (en) | 2020-10-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP3633567A1 (en) | Method for setting up approval role according to department by approval node in workflow | |
US11586758B2 (en) | Authorization method for form data acquired based on role | |
KR20190130639A (ko) | 사용자에 대한 역할의 일대일 매칭을 기반으로 하는 작업 흐름 제어 방법과 시스템 | |
WO2018214890A1 (zh) | 工作流审批节点按角色设置审批角色的方法 | |
KR20200017512A (ko) | 폼 필드값의 조작 권한을 권한부여하는 방법 | |
KR20200018665A (ko) | 기준 필드에 의거하여 승인 절차를 설정하는 방법 | |
JP7365609B2 (ja) | 全てのシステム使用者の最近の権限状態を表示する承認方法 | |
WO2018192557A1 (zh) | 基于角色对用户的一对一的权限授权方法和系统 | |
JP7231910B2 (ja) | フォームデータの操作権限を承認する方法 | |
US20200389463A1 (en) | Permission granting method and system based on one-to-one correspondence between roles and users | |
WO2019019981A1 (zh) | 系统中用户在信息交流单元的权限的设置方法 | |
WO2019034022A1 (zh) | 基于时间段的操作记录查看权限的设置方法 | |
WO2019029649A1 (zh) | 对使用者进行审批流程及其审批节点授权的方法 | |
WO2019029502A1 (zh) | 系统中对授权操作者进行授权的方法 | |
WO2018224023A1 (zh) | 系统中员工登录其账户后的权限显示方法 | |
WO2018205940A1 (zh) | 基于角色对用户的一对一的组织结构图生成及应用方法 | |
WO2019011162A1 (zh) | 快捷功能设置方法 | |
WO2019001322A1 (zh) | 基于角色的菜单授权方法 | |
WO2019020119A1 (zh) | 系统中用户/员工获取邮箱账号的方法 | |
WO2019007261A1 (zh) | 表单中的角色性质字段的字段值获取方法 | |
WO2019024899A1 (zh) | 监察审批操作、授权操作及表单操作的方法 | |
OA19448A (en) | Role acquisition-based method for authorizing form data. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 18845045 Country of ref document: EP Kind code of ref document: A1 |
|
DPE1 | Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101) | ||
ENP | Entry into the national phase |
Ref document number: 2020505859 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
REG | Reference to national code |
Ref country code: BR Ref legal event code: B01A Ref document number: 112020002560 Country of ref document: BR |
|
ENP | Entry into the national phase |
Ref document number: 20207006591 Country of ref document: KR Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 2018845045 Country of ref document: EP Effective date: 20200309 |
|
ENP | Entry into the national phase |
Ref document number: 2018314918 Country of ref document: AU Date of ref document: 20180806 Kind code of ref document: A |
|
ENP | Entry into the national phase |
Ref document number: 112020002560 Country of ref document: BR Kind code of ref document: A2 Effective date: 20200206 |