CN101320415B - Control system and method for application program - Google Patents


Info

Publication number: CN101320415B
Authority: CN (China)
Prior art keywords: client, data, information security, server end, permissions data
Legal status: Active
Application number: CN 200710108577
Other languages: Chinese (zh)
Other versions: CN101320415A (en)
Inventor: 黄文昌
Current assignee: Fineart Technology Co Ltd
Original assignee: Fineart Technology Co Ltd
Application filed by Fineart Technology Co Ltd
Priority to CN 200710108577
Publication of CN101320415A
Application granted
Publication of CN101320415B
Legal status: Active

Landscapes

  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses an application program control and management system and method. Permission data stored on a server end and relating to client application programs and web page operations is modified through an input end; the permission data is then exchanged and updated between the server end and the client, so that the operating rights of application programs on the client are managed according to that permission data.

Description

Application program control and management system and method
Technical field
The present invention relates to a control and management system and method for application programs, and specifically to a system and method for restricting the operating rights of client application programs.
Background technology
With the development of information technology, every enterprise relies more and more on computers to support the expansion of its business. But the spread of information technology is also accompanied by risk: attacks from outside, for example threats such as viruses, backdoor programs and attacks on system vulnerabilities, increase day by day, so protecting enterprise information has become an important topic.
Threats to information security come not only from external attacks but also, perhaps more often, from improper use inside the organization; quite a few surveys have found that the sources of threats to enterprise information security are in fact malicious employee behaviour and non-malicious operating errors. Improper use of application software and information access behaviour inside the enterprise is therefore a hidden part of the information security threat, and how to solve the internal information security problem is an important security issue that enterprises must face.
For information security management inside an enterprise, current control and management systems consist of a server end and a client, with the central server end managing the operating behaviour on the clients; many products on the market can thus achieve remote management and control, monitoring many client computers in real time and applying restrictions according to the authorization level of each client. However, such existing control and management systems can only restrict access from inside the enterprise to external information, for example browsing external web pages or downloading from particular web sites, and can only block the operation of a program or the access to a web page altogether; they cannot restrict a single specific function. For example, present monitoring systems cannot allow a user to browse an external web page while restricting operations such as saving, clipping and pasting the information on a particular page. Therefore, how to efficiently manage user operating behaviour when a user works with information inside the enterprise, for example when an employee uses an Enterprise Resource Planning (ERP) system, and to prevent malicious or improper user operations from causing a leak in information security management, is a problem urgently awaiting a solution.
Summary of the invention
The present invention discloses a control system and method that restricts application program and web page operations on a client and manages and updates the associated permission data, in order to solve the problems above.
An embodiment of the invention provides an application program control and management system comprising at least: an input end through which permission data can be entered; a server end comprising at least a server end database and an output/input unit, where the server end database stores the permission data and pointer data used to implement the information security behaviour and information security policy patterns, and the output/input unit receives and transmits the permission data; a client comprising at least an authority control unit that stores, receives and transmits the permission data and restricts the operating rights of the application software on the client accordingly, where the authority control unit includes a client database used for that storage; a server end computer-readable storage medium located at the server end; and a client computer-readable storage medium located at the client. The server end computer-readable storage medium holds an instruction that receives a change of permission data, an instruction that changes the permission data in the server end database, and an instruction that transmits the change-of-authority notice; the client computer-readable storage medium holds an instruction that downloads the changed permission data after the change-of-authority notice is received, and an instruction that updates the client permission data and stores it in the client database.
The present invention discloses a system and method for controlling client program and web page operations that comprises at least an input end (console), a server end (server) and a client. The input end is responsible for receiving or transmitting change-of-authority instructions. The server end modifies the permission data it stores according to the instructions received from the input end, and notifies the client of the change-of-authority event so that the permission data stored on the client is updated. The client obtains the updated permission data according to the server end's notice and restricts the operating rights of the client application programs accordingly. Through this system and method, the invention restricts the operation of client programs.
The present invention also discloses a system and method for centrally managing the operation of application software on multiple clients, so that many clients can be controlled in real time and uniformly. In one specific embodiment, the server end and the client each contain a database; the database holds a set of permission data storage tables and control pointers, and through the correspondence recorded between the permission data storage tables and the control pointers, the server end can manage and update the application program operating permission data of many clients in one place.
Description of drawings
Fig. 1 shows the application program control and management system of the present invention.
Fig. 2 shows the flow diagram of the method for controlling application programs of the present invention.
Reference numerals in the drawings:
Input end 10
Server end 20
Data receiving and transfer unit 21
Processing unit 22
Database unit 23
Client 30
Change authority 101
Notify change of authority 102
Receive permission modification notice 201
Notify permission modification 202
Obtain new permission data from the database 203
Return new permission data 204
Receive permission modification notice 301
Download new permission setting 302
Obtain new permission setting 303
New permission setting takes effect 304
Embodiment
The present invention is described in detail below with reference to its preferred embodiments and the accompanying drawings. It should be understood that the preferred embodiments are given only as examples; besides the preferred embodiments described in the specification and shown in the drawings, the invention can be widely applied in other embodiments. The invention is not limited to any particular embodiment and is defined by the scope of the claims and their equivalents.
Fig. 1 shows one specific embodiment of the present invention. The control system comprises an input end 10, a server end 20 and a client 30. The input end 10 receives and transmits instructions for controlling application program operating rights. The server end 20 stores the permission data, exchanges operating-rights data with the input end 10 and the client 30, and updates the operating-rights data stored on the client 30. The client 30 updates the operating-rights data it stores according to the change-of-authority event information transmitted by the server, and restricts the operating rights of application programs on the client accordingly. With this architecture the control system can restrict the operation of client application programs. The control system of the present invention is applicable to internal network environments such as homes and offices, but is not limited to these; it can be applied in any network environment where client application operations need to be controlled, for example libraries and internet cafés.
The functions of the control system in the above embodiment are described in more detail below. The input end 10 of the control system receives and outputs the instructions entered by the user, notifying the server end 20 to change the permission data stored in its database. These input instructions include change-of-authority instructions that add, modify or delete restrictions on, or open, specific functions of a controlled application program, and that query the status of such items. More specifically, the items that restrict operating functions of a specific application program include: disabling printing of specific information, disabling copying of specific information, disabling the keyboard, disabling saving as a new file, and disabling dragging specific information with the mouse. In another specific embodiment the instructions also restrict access to web page information, with items that include: disabling printing, disabling copying of specific information, disabling the keyboard, disabling saving as a new file, disabling dragging data with the mouse, disabling sending the web page by mail, and disabling viewing the original source of the page.
In one specific embodiment of the invention, the input end is a user interface through which the user controls the operating rights of a specific application program by clicking options. Clicking a function key of the user interface, for example the option to disable a specific function, opens a window pane whose fields include the name, type and function options of the controlled program. The user can click the modify option at the top of the screen, enter the name of the program to be controlled in the window, and open a privilege setting window in which the privilege setting information is entered. The privilege setting window contains a number of pre-designed fields; the user selects according to the function each field corresponds to, opening or closing that specific function, which completes the input at the input end.
In another specific embodiment of the invention, which restricts and controls web page operations, the operating interface is similar to that for controlling a specific application program described above, but the control target entered by the user is a web address.
In specific embodiments of the invention, the server end 20 has the following functions: receiving the change-of-authority instructions entered at the input end, and storing, updating and transmitting the permission data of controlled application programs on the clients.
The server 20 comprises a data receiving and transfer unit 21, a processing unit 22 and a database unit 23. The data receiving and transfer unit 21 receives the change-of-authority information from the input end 10 and passes it to the processing unit 22; the processing unit 22 changes the permission data in the database unit 23 according to that information and sends a change-of-authority notice through the data receiving and transfer unit 21, informing the client 30 that the permission modification event has occurred. After the server end 20 receives the permission data download request returned by the client 30, it transmits the changed permission data to the client 30 to update the application software permission data stored there. The server 20 also comprises other components such as memory, an operating system, a hard disk and a display unit; a person of ordinary skill in the art will understand these, and they are not described further so as not to obscure the focus of the invention. The same applies to the input end and the client.
More specifically, in one embodiment of the invention the data receiving and transfer unit 21 uses the TCP protocol to notify the client 30 to download permission data, and uses different code names to distinguish application program permission data from web address permission data; the event notifying the client that its permission data has been updated uses the UDP protocol. In another embodiment, the permission data transmitted from the data receiving and transfer unit 21 includes pointer data corresponding to the controlled application program or web page on the client, so that the client can determine which permission data to update.
The database 23 used to store the permission data comprises a set of data tables and control pointers used to record and update the application program permission data stored on the clients. In one embodiment the data tables include at least two tables: the information security behaviour (security_action) table and the information security policy (security_policy) table, which together implement the permission data operation restriction function. The security_action table records the behaviour or pattern of, among other things, the controlled application program, instruction, web address or web page, and the security_policy table records, among other things, the permission data for a specific application program, instruction, web address or web page. The security_action sub-table contains at least the following fields: an identification (id) field, an index field used to create the association with the other table; a category field recording the type of the application program, instruction, web address or page; a target name (target_name) field recording the executable file name of the controlled application program or the controlled web address; and a target type (target_typ) field recording the type of the controlled target. The security_policy table records the permission restriction data of the controlled application program or web address. Its value field records a pointer, which corresponds to the identification (id) field of the software action (software_action) table so that the two tables are associated; its disabled action (disabled_action) field records the permission to be restricted for the application program or web address, and a special value written to this field indicates that the behaviour is under control and cannot be used.
The client 30 has at least the following functions: receiving information from the server end, downloading permission data from the server end, and setting the permission data. In one embodiment the client includes an authority control unit, for example an authority control program installed on the client, to implement these functions. In another specific embodiment the client includes a database used to store the client permission data. This database comprises a set of data tables and control pointers; the data tables record the data of the controlled applications on the client, and the data of each controlled target includes a control pointer that corresponds to the control index of the same controlled target on the server end, so that after downloading new permission data from the server the client can find the permission data of the corresponding controlled application program and update it.
In another specific embodiment of the invention, the control system can be a combination of several control systems as described above, forming a multi-level control system in which the permission data each server is allowed to change is limited according to its authorization level, in order to achieve hierarchical management. This embodiment comprises a central server, several peripheral servers and client computers. The database of the central server stores the permission data of each peripheral server; each peripheral server stores its own permission data and also the permission data of the application programs on the clients in its specific region. Under this multi-level architecture the central server manages the state and updating of the permission data on each peripheral server, while each peripheral server, according to its needs and its authorization level, is given different rights to change permission data and manages the application programs of its clients. This control framework achieves an information security management structure with hierarchical, regional authorization for managing the operation of application programs on client computers. Besides allowing the rights of many clients to be updated quickly, it avoids the mistakes that could occur if the server permission data had to be updated manually region by region.
Fig. 2 shows a specific embodiment of the permission update flow. In step 101 the user enters a change of authority through the input end, changing the permission data on the server end, and in step 102 sends a message notifying the server end of the change-of-authority event. In step 201 the server end 20 receives the change-of-authority information, and in step 202 sends a message notifying the client that the change-of-authority event exists. After the client receives the permission setting modification information transmitted by the server end in step 301, it sends a request in step 302 to download the new permission setting from the server end. In step 203 the database retrieves the updated permission data according to the information transmitted in step 302, and in step 204 the updated permission data is sent to the client. After the client obtains the new permission data sent by the server end in step 303, it updates the client's permission setting in step 304.
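The two-table permission store (security_action linked to security_policy by the value pointer) and the change, notify, download and apply flow of Fig. 2, modelled together as an added Python example; this is not code from the patent or from Fineart. Table and column names follow the description; the DENY marker value, the APP/URL code names, the message layout and the sample targets are assumptions.

```python
"""Added example: server/client permission store and update flow (sqlite3)."""
import sqlite3

DENY = 1  # assumption: the special value written to disabled_action for a blocked action

# Assumption: code names that let a notice say whether application or web address
# permission data changed; the patent only states that the two are distinguished.
CODE_NAME = {"application": "APP", "instruction": "APP", "url": "URL", "webpage": "URL"}

SCHEMA = """
CREATE TABLE IF NOT EXISTS security_action (
    id          INTEGER PRIMARY KEY,   -- index field that links the two tables
    category    TEXT NOT NULL,         -- application, instruction, url or webpage
    target_name TEXT NOT NULL,         -- executable name or controlled web address
    target_typ  TEXT NOT NULL          -- type of the controlled target
);
CREATE TABLE IF NOT EXISTS security_policy (
    value           INTEGER NOT NULL,  -- pointer to security_action.id
    action          TEXT NOT NULL,     -- print, copy, save_as, drag, view_source, ...
    disabled_action INTEGER NOT NULL,  -- DENY when the action is under control
    PRIMARY KEY (value, action)
);
"""


def open_store():
    """Both the server end and the client keep a database with the same two tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def server_add_target(conn, category, target_name, target_typ):
    cur = conn.execute(
        "INSERT INTO security_action (category, target_name, target_typ) VALUES (?, ?, ?)",
        (category, target_name, target_typ))
    conn.commit()
    return cur.lastrowid  # the pointer the client will use to find this target


def server_change_authority(conn, pointer, action, disabled):
    """Steps 101/201/202: apply a change-of-authority instruction, return the notice."""
    row = conn.execute("SELECT category FROM security_action WHERE id = ?", (pointer,)).fetchone()
    if row is None:
        raise KeyError(pointer)
    if disabled:
        conn.execute("INSERT OR REPLACE INTO security_policy VALUES (?, ?, ?)",
                     (pointer, action, DENY))
    else:
        conn.execute("DELETE FROM security_policy WHERE value = ? AND action = ?",
                     (pointer, action))
    conn.commit()
    # The notice carries the pointer, so the client knows which target to re-download.
    return {"event": "permission_changed", "code": CODE_NAME[row[0]], "pointer": pointer}


def server_export(conn, pointer):
    """Steps 203/204: the rows the client downloads for one controlled target."""
    target = conn.execute("SELECT id, category, target_name, target_typ "
                          "FROM security_action WHERE id = ?", (pointer,)).fetchone()
    if target is None:
        return None
    policy = conn.execute("SELECT action, disabled_action FROM security_policy "
                          "WHERE value = ?", (pointer,)).fetchall()
    return {"target": target, "policy": policy}


def client_apply(conn, download):
    """Steps 303/304: replace the local rows for this pointer so the new setting takes effect."""
    target, policy = download["target"], download["policy"]
    pointer = target[0]
    conn.execute("INSERT OR REPLACE INTO security_action VALUES (?, ?, ?, ?)", target)
    conn.execute("DELETE FROM security_policy WHERE value = ?", (pointer,))
    conn.executemany("INSERT INTO security_policy VALUES (?, ?, ?)",
                     [(pointer, act, flag) for act, flag in policy])
    conn.commit()


def client_is_allowed(conn, target_name, action):
    """The local check the authority control unit makes before letting an operation run."""
    row = conn.execute(
        "SELECT p.disabled_action FROM security_policy p "
        "JOIN security_action a ON a.id = p.value "
        "WHERE a.target_name = ? AND p.action = ?", (target_name, action)).fetchone()
    return row is None or row[0] != DENY


def demo():
    """Constructed walk-through: block, sync, check, then re-open one function."""
    server, client = open_store(), open_store()
    erp = server_add_target(server, "application", "erp.exe", "executable")
    site = server_add_target(server, "url", "intranet.example/report", "web address")
    notices = [server_change_authority(server, erp, "print", True),
               server_change_authority(server, erp, "copy", True),
               server_change_authority(server, site, "view_source", True)]
    for n in notices:  # client reacts to each notice by downloading that pointer only
        client_apply(client, server_export(server, n["pointer"]))
    before = (client_is_allowed(client, "erp.exe", "print"),
              client_is_allowed(client, "erp.exe", "save_as"))
    n = server_change_authority(server, erp, "print", False)  # console re-opens printing
    client_apply(client, server_export(server, n["pointer"]))
    return {"codes": [x["code"] for x in notices], "before": before,
            "after": client_is_allowed(client, "erp.exe", "print"),
            "view_source": client_is_allowed(client, "intranet.example/report", "view_source")}
```

Because the client only re-downloads the pointer named in a notice, an unrelated target's rows stay untouched, which is the property the patent's pointer design is meant to give.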
In another specific embodiment, the permission update flow of the invention can also be applied to a situation with several peripheral servers. The update flow is similar to that shown in Fig. 2, but each peripheral server is managed by a central server: the change-of-authority instructions for a server are downloaded from the central server end, although, depending on the rights opened to each server or user, permission data can also be entered through the input end of each server. In this way several update flows identical to that of Fig. 2 are combined, and hierarchical, regional management of application software operating rights is achieved through the settings of a single central server.
The present invention has been described above with preferred embodiments, which are not intended to limit the scope of the patent rights claimed. The scope of patent protection is determined by the claims and their equivalents. All changes or modifications made by a person of ordinary skill in the art without departing from the spirit or scope of this patent are equivalent changes or designs completed under the disclosed spirit and fall within the scope of the claims.

Claims (7)

1. An application program control and management system comprising at least:
an input end through which permission data can be entered;
a server end comprising at least a server end database and an output/input unit, wherein the server end database stores the permission data and pointer data used to implement the information security behaviour and information security policy patterns, and the output/input unit receives and transmits the permission data; the server end database comprises an information security behaviour data table and an information security policy data table, the information security behaviour data table recording the behaviour or pattern of the controlled web address or web page, and the information security policy data table recording the permission data for a particular web site or web page;
a client comprising at least an authority control unit that stores, receives and transmits the permission data and restricts the operating rights of the application program on the client accordingly, wherein the authority control unit comprises a client database used for that storage, and the authority control unit can restrict the user from viewing the web page source code on the client;
a server end computer-readable storage medium located at the server end; and
a client computer-readable storage medium located at the client.
2. The application program control and management system according to claim 1, wherein the authority control unit can restrict the user from outputting data from application software on the client for a certain purpose; the output includes at least dragging data with a pointing device, and the purpose includes at least copying, printing and storing.
3. The application program control and management system according to claim 1, wherein the authority control unit can restrict the user from using communication software.
4. A method of restricting application program operating rights with a control and management system, comprising at least:
receiving change-of-authority information at a server end;
changing the permission data in a database of the server end, wherein the database stores the permission data and pointer data used to implement the information security behaviour and information security policy patterns, the database of the server end comprising an information security behaviour data table and an information security policy data table, the information security behaviour data table recording the behaviour or pattern of the controlled web address or web page, and the information security policy data table recording the permission data for a particular web site or web page;
the client downloading the permission data after receiving the change-of-authority notice transmitted by the server end;
updating the permission data of the client and storing it in the database of the client, and restricting, by this permission data, the user from viewing the web page source code on the client.
5. The method of restricting application program operating rights with a control and management system according to claim 4, wherein the user can be restricted from outputting data from the client for a certain purpose; the output includes at least dragging data with a pointing device, and the purpose includes at least copying, printing and storing.
6. The method of restricting application program operating rights with a control and management system according to claim 4, wherein the operating rights of the application program on the client can be restricted.
7. The method of restricting application program operating rights with a control and management system according to claim 4, wherein the user can be restricted from using communication software.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200710108577 CN101320415B (en) 2007-06-06 2007-06-06 Control system and method for application program

Publications (2)

Publication Number / Publication Date
CN101320415A (en) 2008-12-10
CN101320415B (en) 2011-11-16

Family

ID=40180459

Country Status (1)

Country Link
CN (1) CN101320415B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101853359A (en) * 2010-05-25 2010-10-06 中华电信股份有限公司 Software license, prevention method and system based on application software dispersion
TWI468976B (en) * 2012-06-05 2015-01-11 Quanta Comp Inc Platform and method for dynamic software license
TWI494872B (en) * 2012-11-06 2015-08-01 Quanta Comp Inc Automatic software audit system and automatic software audit method
CN106599722B (en) * 2016-12-14 2019-07-26 北京奇虎科技有限公司 Intelligent terminal and its application program authority control method, device and server
JP7287235B2 (en) * 2019-10-08 2023-06-06 富士フイルムビジネスイノベーション株式会社 Information processing device and information processing program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant