WO2019029648A1

WO2019029648A1 - Improved rbac right mechanism-based approval task transfer method

Info

Publication number: WO2019029648A1
Application number: PCT/CN2018/099767
Authority: WO
Inventors: 陈达志
Original assignee: 成都牵牛草信息技术有限公司
Priority date: 2017-08-10
Filing date: 2018-08-09
Publication date: 2019-02-14
Also published as: CN109165524A; CN109165524B; CN107480512A

Abstract

An improved RBAC right control mechanism-based approval task transfer method, comprising: creating roles in a system, the roles being independent individual roles, the independent individual roles being able to only be associated with a unique user in the same period, and one user being associated with one or more independent individual roles; a transferring party acquiring an approval task in an approval process; and the transferring party transferring the approval task to a transferred party, the transferred party being an independent individual role.

Description

Approval task transfer method based on improved RBAC permission control mechanism

Technical field

The invention relates to a management method for an approval task in a management system such as ERP and CRM, and particularly relates to an approval task handover method based on an improved RBAC authority control mechanism.

Background technique

Role-based access control (RBAC) is one of the most researched and matured database rights management mechanisms in recent years. It is considered to be an ideal candidate to replace traditional mandatory access control (MAC) and autonomous access control (DAC). Traditional autonomous access control has high flexibility but low security. Forced access control is highly secure but too restrictive. Role-based access control combines both ease of management and reduces the complexity, cost, and probability of errors. Therefore, it has been greatly developed in recent years. The basic idea of role-based access control (RBAC) is to divide different roles according to different functional positions in the enterprise organization view, encapsulate the access rights of database resources in roles, and indirectly access database resources by being assigned different roles.

A large number of tables and views are often built in large application systems, which makes the management and authorization of database resources very complicated. It is very difficult for the user to directly manage the access and permissions of the database resources. It requires the user to have a very thorough understanding of the database structure and is familiar with the use of the SQL language, and once the application system structure or security requirements have changed, To carry out a large number of complex and cumbersome authorization changes, it is very easy to have some security vulnerabilities caused by unexpected authorization errors. Therefore, designing a simple and efficient rights management method for large-scale application systems has become a common requirement for system and system users.

The role-based permission control mechanism can manage the access rights of the system simply and efficiently, which greatly reduces the burden and cost of the system rights management, and makes the system rights management more in line with the business management specifications of the application system.

However, the traditional role-based user rights management adopts the "role-to-user one-to-many" association mechanism, and the "role" is group/class nature, that is, one role can simultaneously correspond to/associate multiple users, and the role is similar to the post/ The concept of position/work type, the authorization of user rights under this association mechanism is basically divided into the following three forms: 1. As shown in Figure 1, the user is authorized directly, the disadvantage is that the workload is large, the operation is frequent and troublesome; Employee changes (such as transfer, resignation, etc.), all the rights involved in the employee must be adjusted accordingly, especially for company management personnel, which involve a lot of permissions, the task of authority adjustment is large, complicated, error-prone or Missing, affecting the normal operation of the company, and even causing unpredictable losses.

2. As shown in Figure 2, the role (class/group/post/work type) is authorized (a role can be associated with multiple users), the user obtains the permission through the role, and the system operation subject is the group/class nature role; As shown in Figure 3, the above two methods are combined.

In the above expressions, both 2 and 3 need to authorize the role of the class/group nature, and the way of authorization through the role of class/group/post/work type has the following disadvantages: 1. The operation when the user rights change is difficult: In the actual system use process, the user's authority is often adjusted during the operation of the enterprise. For example, when the employee's authority changes, the employee's authority associated with the role changes. We cannot change the individual employee's authority. And change the permissions of the entire role, because the role is also associated with other employees whose permissions have not changed. So in response to this situation, either create a new role to satisfy the employee whose permissions have changed, or directly authorize (disengage the role) from the employee based on the permission requirements. The above two processing methods not only require a long time for the role authorization in the case of a large number of role permissions, but also are easy to make mistakes, the user is cumbersome and troublesome to operate, and is also prone to errors resulting in loss to the system user.

When the employee/user's permissions change, either the employee/user leaves the role or the role is added to meet the job requirements. The defect of the first method is the same as the above-mentioned "direct authorization to the user" method. In the second way, the new role involves the creation, association, and authorization of the role. Especially in the case of a large number of roles and a large number of users associated with the role, it is difficult to remember which users are associated with the role.

2. It is difficult to remember the specific permissions contained in the role for a long time: if the role has more permission functions, it will be difficult to remember the specific permissions of the roles, and it is more difficult to remember the difference in permissions between the roles with similar permissions. The permissions of a role are also easily confused; if you want to associate a new user, you cannot accurately determine how the association should be selected.

3, because the user permissions change, it will cause more and more role creation (if you do not create a new role, it will greatly increase the authorization of the user directly), it is more difficult to distinguish the specific differences of the roles of each role.

4. When adjusting the post, if you want to assign a lot of rights of the transferred users to other users, you must separate the rights of the transferred users and create roles to associate with others. Users, such an operation is not only complicated and time consuming, but also prone to errors.

In the traditional management system, there is usually a transfer function for the approval task. However, the approval task is directly transferred to a specific user/employee. When the transferred user/employee leaves or adjusts the post, it needs to return the approval task and re-approve. The transfer of tasks, the large amount of work and the lag or omission of task processing, may bring unpredictable losses to the enterprise.

technical problem

The object of the present invention is to overcome the deficiencies of the prior art and provide an approval task handover method based on the improved RBAC authority control mechanism.

Technical solution

The object of the present invention is achieved by the following technical solutions: an approval task handover method based on the improved RBAC permission control mechanism, including the following steps:

(1) Create a role in the system, the role is an independent individual nature role, rather than a group/class nature role, an independent individual nature role can only be associated with a unique user at the same time, and one user is associated with one or more independent Individual nature role;

(2) The transferee obtains the approval task in the approval process;

(3) The transferor transfers the approval task to the transferred person, and the transferred person is an independent individual character in the system.

Steps (1) to (3) are sequentially performed, or steps (2), (1), and (3) are sequentially performed.

The transferee includes one of an employee, a user, a group/class nature role, and an independent individual nature role.

The transferee also includes a step to complete the transfer note when transferring the approval task.

The method for transferring the approval task based on the improved RBAC authority control mechanism further includes a step of the transferee selecting whether to accept the transfer. If the transfer is not accepted, the transfer fails.

Once the transferee transfers the approval task to the transferred person, the approval task is processed by the transferred person.

The method for transferring the approval task based on the improved RBAC permission control mechanism further includes a step of the transferee re-transferring the approval task.

Once the transferee transfers the approval task to the transferred person, the transferee cannot forward the approval task again.

Once the transferee transfers the approval task to the transferred person, the transferred person cannot transfer the approval task again, but can return it to the original transferee.

One user corresponds to one employee, one employee corresponds to one user, and the employee obtains the rights of the corresponding user-associated role. If the employee needs to adjust the post, it also includes an employee adjustment management step, which includes: (1) canceling the employee corresponding user Association with the original role; (2) Associate the user corresponding to the employee with the corresponding new role after the transfer, and the employee automatically obtains the approval task for the new role.

The approval process includes a start node, at least one approval node, and an end node: a start node: an approval process start; an approval node: an approver approves the approval task; and an end node: the approval process ends.

Beneficial effect

The beneficial effects of the present invention are as follows: (1) The transferred person adopts an independent individual role, and when the employee corresponding to the user associated with the role of the transferee leaves the job and adjusts the post, the original association is simply removed, and the user corresponding to the new employee is associated with The role of the transferred person can automatically obtain all the submitted approval tasks of the role. The assignment of the role is realized by the association of the role, the workload is small, the use is convenient, and the seamless docking can be realized without approval. Lag or omission of task transfer to ensure that urgent tasks are handled in a timely manner to avoid affecting the normal operation of the enterprise.

For example, if the general manager has difficulty in processing an approval task, has no time to process it, or is unwilling to handle it, he can forward the approval task to his assistant role “Assistant General Manager 1”, and the employee corresponding to the user currently associated with his assistant role can help him or her. The approval task.

Example of resignation: the user associated role of the employee Zhang San “production worker 1”. When Zhang San leaves the post, the system administrator (or the corresponding administrator) directly cancels the association between the user corresponding to Zhang San and the role of “production worker 1”. Zhang San automatically lost the approval task of “production worker 1” being transferred, avoiding the delay in the transfer of approval tasks, and Zhang San could still view and process the submitted approval tasks after leaving the company, resulting in chaotic management; the newly recruited employee Li Si succeeded Zhang San When working directly, the user corresponding to Li Si is directly associated with “production worker 1”, and Li Si automatically obtains the approval task that “production worker 1” is currently transferred, and no need to re-submit the approval task for Li Si. Simple and fast, greatly reducing the workload.

Example of transfer: The employee Zhang San should be transferred from the production department to the after-sales department. The system administrator (or the corresponding administrator) cancels the association between the user corresponding to Zhang San and the original character “production worker 1”, and then links to the new after-sales department. The role of "after-sales service personnel 3", Zhang San automatically obtained the "after-sales service personnel 3" role is currently transferred to the approval task.

(2) The role of the application is a one-to-one relationship to the user. One role can only be associated with a unique user at the same time, and one user is associated with one or more roles. The advantage of this is that as long as the user is associated with the role, Permissions (that is, users gain access to their associated roles), and the role's permission changes are much less than the user permissions in the traditional mechanism. The number of roles of the nature of the independent body (the nature of the post number/station number) is small. Although the employee turnover is large, the change of the post number/station number is small (even if there is no change in a certain period of time, that is, the role does not change), This will greatly simplify the user's rights management and reduce the overhead of the system.

(3) The operation of dynamic management, on-the-job adjustment, etc. is simple and convenient, high in efficiency and high in reliability: the application of the entry/departure/adjustment in the authority management is simple, and the user/user does not need to reset the permission when the user/user changes, the user only The role needs to be canceled or associated: the user who is no longer in the role cancels the role association, and the user who takes over the role is associated with the role of the role number, and the user associated with the role automatically obtains the role approval task and Operational privileges eliminate the need to reauthorize roles, greatly improving the efficiency, security, and reliability of system setup.

For example: due to Zhang San’s resignation or transfer, Zhang San will no longer work as a “buyer 3”, and Zhang will cancel the association with “Purchaser 3”; Li Si will take over as “Purchaser”. 3) The role of this role, only need to associate Li Si with the role, then Li Si automatically obtained the approval task and operation authority of the role of "Purchaser 3".

(4) The traditional rights management mechanism defines the role as a group, a job type, a class, etc. The role is a one-to-many relationship with the user. In the actual system use process, the user's authority is often required in the operation process. Adjustments, for example, when the employee permissions are changed, the permissions of an employee associated with the role change. We cannot change the permissions of the entire role because of the change of the individual employee permissions, because the role is also associated with other permissions. Staff. So in response to this situation, either create a new role to satisfy the employee whose permissions have changed, or directly authorize (disengage the role) from the employee based on the permission requirements. The above two processing methods not only require a long time for the role authorization in the case of a large number of role permissions, but also are easy to make mistakes, the user is cumbersome and troublesome to operate, and is also prone to errors resulting in loss to the system user.

However, under the method of the present application, since the role is an independent individual, the role permission can be changed to achieve the goal. Although the method of the present application seems to increase the workload when the system is initialized, it can be made by copying or the like to make the role or authorization more efficient than the traditional group/class nature, because the group/class role is not considered. In the commonality of the related users, the application scheme will make the permission setting clear and clear; especially after the system is used for a period of time (the user/role authority changes dynamically), the application scheme can greatly improve the system usage for the system user. The efficiency of the rights management makes the dynamic authorization simpler, more convenient, clearer and clearer, and improves the efficiency and reliability of the permission setting.

(5) The traditional group/class role authorization method is error-prone, and the method of the present application greatly reduces the probability of authorization error, because the method of the present application only needs to consider the role as an independent individual, without considering the traditional method to associate the role of the group. What are the commonalities of multiple users? Even if the authorization error occurs, it only affects the user associated with the role, while the traditional group-based role affects all users associated with the role. Even if a permission authorization error occurs, the correction method of the present application is simple and short, and the traditional group-type role needs to consider the commonality of all users associated with the role when correcting the error, and not only the modification when there are many function points. Troublesome, complicated, very error-prone, and in many cases only new roles can be created.

(6) Under the traditional group-based role authorization method, if the role has more privilege function points, it takes a long time to remember the specific privilege of the role, and it is more difficult to remember the privilege difference between the roles with similar privilege. If you want to associate a new user, you cannot accurately determine how to select the association. The role of the method of the present application itself has the nature of the job number/station number, and the choice is clear at a glance.

(7) When adjusting the post, if you want to assign a lot of rights of the transferred users to other users, you must separate the rights of the transferred users and create roles to associate with others. Users, such an operation is not only complicated and time consuming, but also prone to errors.

The method of the present application is as follows: the transferred user associates several roles. When adjusting the post, the user is first unlinked from the role in the original department (the canceled roles can be re-associated to other users), and then Associate users with roles in the new department. The operation is simple and will not go wrong.

DRAWINGS

1 is a schematic diagram of a manner in which a system directly authorizes a user in the background art;

2 is a schematic diagram of a manner in which a system authorizes a group/class role in the background art;

3 is a schematic diagram of a manner in which a system directly authorizes a user and authorizes a group/class role role in the background art;

4 is a schematic diagram of a manner in which a system authorizes a user through an independent individual role;

Figure 5 is a schematic diagram of the approval process of the present invention;

FIG. 6 is a flowchart of a method for transferring an approval task according to the present invention.

BEST MODE FOR CARRYING OUT THE INVENTION

The technical solution of the present invention will be described in further detail below with reference to the accompanying drawings, but the scope of protection of the present invention is not limited to the following.

As shown in FIG. 5, the approval process includes a start node, at least one approval node (such as 5 approval nodes in FIG. 5), and an end node: a start node: an approval process starts; an approval node: an approver approves an approval task. End node: The approval process ends.

When the approval node approver approves the approval task, the approval task can be forwarded, and the transferred person can help the transferor complete the approval task.

Specifically, as shown in FIG. 6, the approval task handover method based on the improved RBAC permission control mechanism includes the following steps: creating a role in the system, as shown in FIG. 4, the role is an independent individual role, instead of Group/class nature role, an independent individual nature role can only be associated with a unique user at the same time, and one user is associated with one or more independent individual nature roles; the user obtains the rights of its associated role (the approved approval task is also authorized) a form).

The transferor obtains the approval task in the approval process, and the transferee may be one of an employee, a user, a group/class nature role, and an independent individual nature role; the transferor transfers the approval task to the transferred person, the The person being transferred is an independent individual role in the system. The transferor may fill in the transfer remarks when submitting the approval task, so as to explain the reason for the transfer and the precautions to the transferee.

The system can be designed as follows: the transferred person can choose whether to accept the transfer. If the transfer is not accepted, the transfer fails. The approval task is still handled by the original transferor, and can be handled by the original transferor or re-transferred by the original transferor.

The system can also be designed such that once the transferee transfers the approval task to the transferred person, the approval task is processed by the transferred person, that is, the transfer is successful (the transferee cannot refuse).

Further, the system can be designed as: the transferred person can re-submit the approval task; or can be designed: once the transferee transfers the approval task to the transferred person, the transferred person cannot transfer the approval task again, but can return it to the authorized task. The original transferee.

When a role (independent individual role) is created or a role is selected for the role after the role is created, the role belongs to the department, and the role is authorized according to the work content of the role, and the name of the role is unique under the department. The number of this role is unique in the system.

One user corresponds to one employee, one employee corresponds to one user, and the employee obtains the rights of the corresponding user-associated role (independent individual role); if the employee needs to adjust the post, it also includes an employee adjustment management step, including: () The association between the user corresponding to the employee and the original role is cancelled; (2) the user corresponding to the employee is associated with the corresponding new role after the transfer, and the employee automatically obtains the approval task for the new role.

The transferred person adopts the independent individual role. When the employee corresponding to the user of the transferee is resigned or transferred, the original association is simply released, and the user corresponding to the new employee is automatically associated with the role of the transferred person. All the roles that have been transferred are approved by the role. The assignment of the roles is achieved by the association of the roles. The workload is small, easy to use, and seamlessly connected. There is no lag or omission in the transfer of approval tasks to ensure urgent tasks. Get timely treatment to avoid affecting the normal operation of the company.

The following is an analysis of the advantages of authorizing a user through an independent individual role: the user determines (acquires) the right through its association with the role (independent individual role), and if the user's permission is to be modified, by adjusting the role's possession Permission to achieve the purpose of changing the permissions of the user associated with the role. Once a user associates a role, that user has all the operational rights and audit/approval tasks for that role.

The relationship of the role (independent individual role) to the user is one-to-one (when the role is associated with one user, other users can no longer associate the role; if the role is not associated with the user, it can be selected by other users; At the same time, a character can and can only be associated with one user). A user's relationship to a role is one-to-many (one user can associate multiple roles at the same time).

Role definition: The role does not have the nature of group/class/category/post/job/work, but a non-collection nature, the role is unique, the role is an independent independent entity; in the enterprise application is equivalent Job number (The job number here is not a post, one post may have multiple employees at the same time, and one job number can only correspond to one employee at the same time).

For example: a company system can create the following roles: general manager, deputy general manager 1, deputy general manager 2, Beijing sales manager, Beijing sales manager, Beijing sales manager, Shanghai sales engineer 1, Shanghai sales Engineer 2, Shanghai Sales Engineer 3, Shanghai Sales Engineer 4, Shanghai Sales Engineer 5... User-role relationship: If the company employee Zhang San serves as the company's deputy general manager 2, and also serves as a sales manager in Beijing, then Zhang The three roles to be associated are Deputy General Manager 2 and Beijing Sales Manager. Zhang San has the rights and tasks of these two roles.

The concept of traditional roles is group/class/post/position/work type, and one role can correspond to multiple users. The concept of the "role" (independent individual role) of this application is equivalent to the post number/station number, and is also similar to the role in the film and television drama: a character can only be in the same time period (childhood, juvenile, middle age...) Played by an actor, and an actor may be decorated with multiple angles.

After creating a role (independent individual role), you can associate the role in the process of creating the user, or you can associate it at any time after the user is created. After the user associates the role, the relationship with the role can be released at any time, and the relationship with other roles can be established at any time.

The role (independent individual character role) is composed of: post name + post number. For example: workshop production workers 1, workshop production workers 2, workshop production workers 3... roles are independent individuals, equivalent to the concept of job number and station number, different from the role in the traditional authority management system, the concept of role in the traditional system It is the group/class nature of the position/position/work type.

The following example shows the relationship between employees, users and roles (independent individual roles) after entering the company: 1. New entry: The employee is newly hired, and the corresponding job number/worker is directly selected for the user (employee). The role of the number can be associated, for example: Zhang San joined the company (the company assigned a three-user for Zhang San), the work content is in the sales department, responsible for the sales of refrigerator products in Beijing area (the corresponding role is sales one) Under the role of "Sales Engineer 5", Zhang San users can directly select the role of "Sales Engineer 5".

2. Adding positions: After working for a period of time, Zhang also arranged for Zhang San to be responsible for the sales of regional TV products in Beijing (the corresponding role is to sell the role of “Sales Engineer 8” under the Ministry of Sales) and concurrently as the head of the after-sales department (corresponding to the after-sales department) In the role of supervisor 1, the three users added the roles of “sales engineer 8” under the sales department and “sales department supervisor 1” under the after-sales department. At this time, Zhang San employees associated three roles, respectively. In order to sell a "Sales Engineer 5", "Sales Engineer 8" and "After Sales Department Supervisor 1" under the after-sales department, Zhang San users have the rights and tasks of these three roles.

3. Reducing the position: After a while, the company decided to let Zhang San serve as the post-sales manager (corresponding to the role of “after-sales manager” in the after-sales department) and no longer take up other jobs. Then Zhang San user is associated with the role of “after-sales manager” in the after-sales department, and cancels the three roles previously associated (Sales Engineer 5 under Sales, Sales Engineer 8 and “After Sales Manager 1” under the after-sales department) At this time, Zhang San users only have the authority and tasks of the role of “after-sales manager” under the after-sales department.

4, the adjustment of the role permissions (for the adjustment of the permissions of the role itself): If the company decides to increase the authority of the after-sales manager, then only need to increase the authorization of the role of the after-sales manager, then Zhang San users because of the after-sales department The authority of the manager has increased, and the permissions of Zhang San users have also increased.

5. Resignation: After one year, Zhang San resigned, and the relationship between Zhang San users and the post-sales department manager of the after-sales department can be cancelled.

For example: in the dynamic operation of the company, the entry and exit of the staff are often continued, but the change of the post number/station number is very small (even within a certain period of time).

Traditional authorization method: In the case of a large number of system functions, authorization in the traditional group/class role, not only the authorization workload is large, complicated, but also easy to make mistakes, even if it is wrong, it is not easy to find in a short time. It is easy to cause damage to the system user.

Authorization method of the present application: This application authorizes the role of the nature of the post number/station number, and the user determines the (acquired) authority by associating the role, and the control of the user authority is realized by a simple user-role relationship. It makes the permission control simple, easy to operate, clear and clear, and greatly improves the authorization efficiency and authorization reliability.

The above is only a preferred embodiment of the present invention, and it should be understood that the present invention is not limited to the forms disclosed herein, and is not to be construed as being limited to the other embodiments, but may be used in various other combinations, modifications and environments. Modifications can be made by the techniques or knowledge of the above teachings or related art within the scope of the teachings herein. All changes and modifications made by those skilled in the art are intended to be within the scope of the appended claims.

Claims

The approval task handover method based on the improved RBAC authority control mechanism is characterized in that it comprises the following steps:

Create roles in the system, the roles are independent individual roles, not group/class nature roles. In the same period, an independent individual character can only associate with a unique user, and a user associates with one or more independent individual roles. ;

The transferee obtains the approval task in the approval process;

The transferee forwards the approval task to the transferred person, which is an independent individual role in the system.
The method for transferring an approval task based on the improved RBAC authority control mechanism according to claim 1, wherein the transferee includes one of an employee, a user, a group/class nature role, and an independent individual nature role.
The method for transferring an approval task based on the improved RBAC authority control mechanism according to claim 1, wherein the transferor further includes a step of filling in the transfer note when transferring the approval task.
The method for transferring an approval task based on the improved RBAC authority control mechanism according to claim 1, further comprising: a step of the transferee selecting whether to accept the transfer, and if the transfer is not accepted, the transfer fails.
The approval task handover method based on the improved RBAC authority control mechanism according to claim 1, wherein the approval task is processed by the transferred person once the transferee transfers the approval task to the transferred person.
The method for transferring an approval task based on the improved RBAC authority control mechanism according to claim 1, further comprising the step of transferring the approval task again by the transferee.
The method for transferring an approval task based on the improved RBAC authority control mechanism according to claim 1, wherein once the transferee transfers the approval task to the transferred person, the transferred person cannot transfer the approval task again.
The method for transferring an approval task based on the improved RBAC authority control mechanism according to claim 1, wherein once the transferee transfers the approval task to the transferred person, the transferred person cannot transfer the approval task again, but can return it to the transfer task. The original transferee.
The method for transferring an approval task based on the improved RBAC authority control mechanism according to claim 1, wherein one user corresponds to one employee, one employee corresponds to one user, and the employee obtains the permission of the corresponding user-associated role;

If the employee needs to adjust the post, it also includes an employee transfer management step, which includes: (1) canceling the association between the user corresponding to the original role and the original role;

(2) Associate the user corresponding to the employee with the corresponding new role after the transfer, and the employee automatically obtains the approval task for the new role.
The method for transferring an approval task based on the improved RBAC authority control mechanism according to claim 1, wherein the approval process comprises a start node, at least one approval node, and an end node:

Start node: the approval process begins;

Approval node: The approver approves the approval task;

End node: The approval process ends.