CN102075357A - Multi-domain security management method for network management system - Google Patents


Info

Publication number
CN102075357A
Authority
CN
China
Prior art keywords
user
network element
security management
domain
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2010106212528A
Other languages
Chinese (zh)
Other versions
CN102075357B (en
Inventor
张珏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan NEC Fiber Optic Communications Industry Co Ltd
Original Assignee
Wuhan NEC Fiber Optic Communications Industry Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuhan NEC Fiber Optic Communications Industry Co Ltd filed Critical Wuhan NEC Fiber Optic Communications Industry Co Ltd
Priority to CN 201010621252 priority Critical patent/CN102075357B/en
Publication of CN102075357A publication Critical patent/CN102075357A/en
Application granted granted Critical
Publication of CN102075357B publication Critical patent/CN102075357B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Storage Device Security (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a multi-domain security management method for a network management system, which comprises the following steps of: 1) creating one or more logic security management domains; 2) distributing network elements to corresponding logic security management domains; 3) creating a user group and assigning different users to the user groups; 4) creating an operating rights set; 5) specifying the rights set for the logic security management domains and establishing an association relation of the logic security management domains and the operating rights set; and 6) specifying an association relation of the one or more logic security management domains and the operating rights set for the user group, and finally establishing an association relation of the user group, the logic security management domains and the operating rights set. By the method, a problem of control in different domains by different rights in the network management system is solved, and different rights in different management domains are distributed to the users flexibly.

Description

Multi-domain security management method for a network management system
Technical field
The present invention relates to SDH (Synchronous Digital Hierarchy), MSTP (Multi-Service Transport Platform based on SDH) and PTN (Packet Transport Network) transmission networks, and in particular to domain-based rights management in the network management system: controlling user rights flexibly and preventing unauthorized users from accessing network resources and network management functions.
Background technology
In recent years, as transmission networks have kept growing, the transmission networks of telecom operators have come to contain coexisting equipment of many types from many vendors. Transmission network management centrally manages equipment of every type and vendor, monitors alarms and performance in real time, and configures the various network connections and services. Because transmission network management is centralized, and the scope it manages and the functions it provides keep increasing, higher requirements are placed on the security management of the network management system. Users expect flexible access-control means by which a designated user is granted one or more operating rights.
The network management system manages equipment of many types from many vendors, distributed across different physical regions. Users expect different administrative rights in different regions, for example modify rights in domain A but only view rights in domain B. Configuring user rights and controlling user operations flexibly in this way makes access-control management convenient and improves the security of the system.
The prior art relevant to the present invention, scheme one, is as follows:
The granularity of access control is the domain, bound to the physical domains of the real environment; a user's rights apply to one or more specific physical domains.
As can be seen from this scheme, prior-art scheme one has the following defect:
User rights are bound directly to physical domains. A scenario may exist in which a user has operating rights on some network elements of physical domain A and also on some network elements of physical domain B; configuring user rights per management area is problematic in this scenario.
Scheme two:
The granularity of access control is the network element, and a user's rights are configured on each network element individually.
As can be seen from this scheme, prior-art scheme two has the following defect:
Assigning user rights is tedious, since rights must be assigned and controlled on every network element, and a large amount of redundant information results.
Summary of the invention
The technical problem to be solved by the invention is to provide a multi-domain security management method for a network management system which solves the problem of domain-divided rights control in the network management system and flexibly assigns users different rights in different management domains.
The technical solution adopted by the invention is a multi-domain security management method for a network management system comprising:
S1) creating one or more logical security management domains;
S2) assigning network elements to the corresponding logical security management domains;
S3) creating user groups and assigning different users to these user groups;
S4) creating operating rights sets;
S5) specifying a rights set for each logical security management domain, thereby establishing the association logical security management domain - operating rights set;
S6) specifying for a user group one or more logical security management domain - operating rights set associations, thereby finally establishing the association user group - logical security management domain - operating rights set.
The logical security management domain of step S1 is a virtual logical domain which comprises network elements of one or more physical domains.
The user groups of step S3 include administrator, system operator and observer. These user groups are system defaults; new user groups can also be defined according to the user's own requirements.
The operating rights sets of step S4 include the system, operate and view rights sets.
The system rights set comprises the operating rights items relevant to a system administrator, for example the network element operating rights item, network element view rights item, service operating rights item, service view rights item and user operating rights item. The operate rights set comprises the network element operating rights item, network element view rights item, service operating rights item and service view rights item. The view rights set comprises the network element view rights item and the service view rights item.
The network element view rights item comprises the operations of viewing network element attributes and viewing network element state; the network element operating rights item comprises the operations of creating, deleting and modifying a network element.
The user group - logical security management domain - operating rights set association of step S6 comprises: administrator group - all logical security management domains - system rights set; operator group - all logical security management domains - operate rights set; and observer group - all logical domains - view rights set.
Advantages of the invention: in a network management system, this method solves the main problem of domain-divided security and provides a flexible rights management mechanism for different users.
First, it removes the binding between security and physical domains: the scope of network elements a user manages has no relation to physical location, and the range of network elements under management can be assigned flexibly. Second, it reduces the time spent on security configuration: no separate rights configuration is needed on each network element, since user groups and rights sets are configured uniformly on the logical security management domains, which reduces maintenance time.
Description of drawings
Fig. 1 is an explanatory diagram of the invention.
Fig. 2 is the normal flow chart of the invention.
Fig. 3 is the rights association diagram of the invention.
Embodiment
First, virtual logical security management domains are created according to the user's needs (such a domain has no direct relation to physical domains; a logical security management domain can be regarded as a set of network elements, but the network elements in the set may belong to different physical domains). Then, according to the user's actual security management requirements, the physical network elements of different physical domains are placed into these logical management domains. Next, user groups are created and the relevant users are added to them. Finally, different security management rights are granted to the logical security management domains, and the relation between user groups and logical security management domains is specified. In this way the user can flexibly manage different network elements in various physical domains according to the actual situation, holding different operating rights sets on different equipment, which satisfies the domain-divided, decentralized management requirement of the network management system.
The invention provides the following technical scheme:
The scheme mainly comprises the following concepts:
1. Network element: real physical equipment and virtual network element equipment.
2. Physical domain: a real equipment management domain, generally divided by region; for example, all physical equipment in Wuhan City can be regarded as one physical domain.
3. Logical security management domain: a virtualized logical security management domain used mainly for user security control. The virtual domain has no direct relation to physical domains; it is a set of network elements, may contain network elements of different physical domains, and network elements can be assigned to a logical domain flexibly.
Example: logical domain = network element 1, network element 24, ...
4. User: a real user.
5. User group: a set of users having identical logical security management domains and identical rights.
Example: user group = administrator, system operator, ...
By default there are an administrator group, an operator group, an observer group and so on, and the user can also define custom user groups.
6. Rights item: a set of operating rights, configurable at the granularity of a function.
Example: network element operating rights item = create network element, delete network element, modify network element, ...
7. Rights set: a set of function rights items assigned to a user.
Example: administrator operating rights set = network element operating rights item, service operating rights item, ...
Here an operation item is defined by the system and is a set of operations; a rights set is a set of operation items, and the user can select which operation items it contains; see Tables 1 to 3 below.
Table 1: Rights items included in each rights set
Note: the rights sets supplied by the system by default are the system, operate and view rights sets, etc. OAM refers to Operations, Administration and Maintenance.
Table 2: Operations included in each rights item
Rights item name | Operation set
Network element operating rights item | create network element, delete network element, modify network element, etc.
Network element view rights item | view network element attributes, view network element state, etc.
Note: rights items are defined by the system at function granularity and cannot be customised by the user.
Table 3: Association of user groups with logical domain - rights set
User group name | Logical domain: corresponding rights set
Administrator group | All network element logical domains: system rights set
Operator group | All network element logical domains: operate rights set
Observer group | All network element logical domains: view rights set
Custom group 1 | Logical domain A: system rights set
Custom group 2 | Logical domain A: operate rights set; logical domain B: view rights set
Note: a right is ultimately the three-way association of user group, logical domain and operating rights set.
This mechanism mainly comprises the following steps:
S1) First, create one or more logical domains according to user requirements.
S2) Then, according to the user's actual requirements, place the network elements of different physical domains into the different logical domains.
S3) Create user groups and assign the relevant users to them.
S4) Create different rights sets, or use the system default rights sets (by default: administrator, operator, observer, etc.).
S5) Assign different rights sets to the different logical security management domains.
S6) Assign one or more logical security domains (together with their operating rights set relation) to a particular user group.
Embodiment:
The aim is to provide a network management rights management method which solves the problem of domain-divided rights control in the network management system and flexibly assigns users different rights in different management domains.
The normal flow of the invention is as follows:
Step 1: create logical security domains.
Step 2: assign network elements to the logical security domains.
Step 3: create operating rights sets.
Step 4: specify rights sets for the virtual domains.
Step 5: specify virtual domains and rights sets for the users.
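The association model described above (rights items of operations, rights sets of items, logical domains of network elements, and user groups mapped to domain/rights-set pairs), implemented as an added example; this is not code from the patent, and all class, function and sample names, the "*" marker for "all logical domains", and the service/user operation names are assumptions.

```python
"""Added example (not code from the patent): a minimal authorization model that
follows the patent's user group -> logical security domain -> rights set
association. All identifiers and sample data below are constructed."""
from collections import namedtuple

# Rights items: each is a set of operations (Table 2). The service and user
# items' operations are assumed; the page names only the network element ones.
RIGHTS_ITEMS = {
    "ne_operate": {"create_ne", "delete_ne", "modify_ne"},
    "ne_view": {"view_ne_attributes", "view_ne_state"},
    "service_operate": {"create_service", "delete_service", "modify_service"},
    "service_view": {"view_service"},
    "user_operate": {"create_user", "delete_user", "modify_user"},
}

# Rights sets: sets of rights items (claim 5).
RIGHTS_SETS = {
    "system": {"ne_operate", "ne_view", "service_operate", "service_view", "user_operate"},
    "operate": {"ne_operate", "ne_view", "service_operate", "service_view"},
    "view": {"ne_view", "service_view"},
}
ALL_DOMAINS = "*"  # assumed marker for Table 3's "all network element logical domains"
# A network element carries its physical domain, which authorization never consults.
NetworkElement = namedtuple("NetworkElement", "name physical_domain")


class SecurityManager:
    def __init__(self):
        self.logical_domains = {}  # domain name -> set of NE names      (S1, S2)
        self.groups = {}           # group name -> {domain: rights set}  (S5, S6)
        self.users = {}            # user name -> group name             (S3)

    def create_domain(self, name):
        self.logical_domains.setdefault(name, set())
    def assign_ne(self, domain, ne):
        self.logical_domains[domain].add(ne.name)
    def create_group(self, name, domain_rights):
        for rights_set in domain_rights.values():
            if rights_set not in RIGHTS_SETS:  # refuse unknown rights sets up front
                raise ValueError(f"unknown rights set {rights_set!r}")
        self.groups[name] = dict(domain_rights)
    def add_user(self, user, group):
        self.users[user] = group
    def _domain_contains(self, domain, ne):
        if domain == ALL_DOMAINS:
            return any(ne.name in nes for nes in self.logical_domains.values())
        return ne.name in self.logical_domains.get(domain, set())

    def operations_for(self, user, ne):
        """Union of operations the user holds on ne via every logical domain containing
        it. Unknown users, unknown domains and NEs in no logical domain yield {} (deny)."""
        ops = set()
        for domain, rights_set in self.groups.get(self.users.get(user), {}).items():
            if self._domain_contains(domain, ne):
                for item in RIGHTS_SETS[rights_set]:
                    ops |= RIGHTS_ITEMS[item]
        return ops
    def is_authorized(self, user, operation, ne):
        return operation in self.operations_for(user, ne)


def build_example():
    """Constructed scenario matching Table 3's custom group 2 and the admin group."""
    sm = SecurityManager()
    ne1, ne2 = NetworkElement("NE1", "Wuhan"), NetworkElement("NE2", "Beijing")
    ne3, ne4 = NetworkElement("NE3", "Wuhan"), NetworkElement("NE4", "Wuhan")
    sm.create_domain("A"); sm.create_domain("B")
    sm.assign_ne("A", ne1); sm.assign_ne("A", ne2)  # domain A spans two physical domains
    sm.assign_ne("B", ne3)                          # NE4 is assigned to no logical domain
    sm.create_group("admin", {ALL_DOMAINS: "system"})
    sm.create_group("custom2", {"A": "operate", "B": "view"})
    sm.add_user("alice", "custom2")
    sm.add_user("bob", "admin")
    return sm, (ne1, ne2, ne3, ne4)
```

Note that alice's rights on NE1 and NE2 are identical although they sit in different physical domains, and that NE4, which was never placed in a logical domain, is unreachable even for the administrator group.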

Claims (7)

1. A multi-domain security management method for a network management system, characterized in that it comprises:
S1) creating one or more logical security management domains;
S2) assigning network elements to the corresponding logical security management domains;
S3) creating user groups and assigning different users to these user groups;
S4) creating operating rights sets;
S5) specifying a rights set for each logical security management domain, thereby establishing the association logical security management domain - operating rights set;
S6) specifying for a user group one or more logical security management domain - operating rights set associations, thereby finally establishing the association user group - logical security management domain - operating rights set.
2. The method according to claim 1, characterized in that the logical security management domain of step S1 is a virtual logical domain which comprises network elements of one or more physical domains.
3. The method according to claim 1, characterized in that the user groups of step S3 include administrator, system operator and observer.
4. The method according to claim 1, characterized in that the operating rights sets of step S4 include the system, operate and view rights sets.
5. The method according to claim 4, characterized in that the system rights set comprises the network element operating rights item, network element view rights item, service operating rights item, service view rights item and user operating rights item; the operate rights set comprises the network element operating rights item, network element view rights item, service operating rights item and service view rights item; and the view rights set comprises the network element view rights item and the service view rights item.
6. The method according to claim 5, characterized in that the network element view rights item comprises the operations of viewing network element attributes and viewing network element state, and the network element operating rights item comprises the operations of creating, deleting and modifying a network element.
7. The method according to claim 3 or 4, characterized in that the user group - logical security management domain - operating rights set association of step S6 comprises: administrator group - all logical security management domains - system rights set; operator group - all logical security management domains - operate rights set; and observer group - all logical domains - view rights set.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010621252 CN102075357B (en) 2010-12-31 2010-12-31 Multi-domain security management method for network management system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010621252 CN102075357B (en) 2010-12-31 2010-12-31 Multi-domain security management method for network management system

Publications (2)

Publication Number Publication Date
CN102075357A true CN102075357A (en) 2011-05-25
CN102075357B CN102075357B (en) 2013-05-08

Family

ID=44033712

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010621252 Expired - Fee Related CN102075357B (en) 2010-12-31 2010-12-31 Multi-domain security management method for network management system

Country Status (1)

Country Link
CN (1) CN102075357B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1741464A (en) * 2004-08-27 2006-03-01 华为技术有限公司 Network user management system and method thereof
CN101159618A (en) * 2007-11-23 2008-04-09 杭州华三通信技术有限公司 Authority configuring method and apparatus

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102571745A (en) * 2011-11-16 2012-07-11 烽火通信科技股份有限公司 User access authority management method aiming at large capacity of objects
CN102903029A (en) * 2012-09-27 2013-01-30 广东亿迅科技有限公司 Domain-partitioned authorization method for cloud computing resources
CN103916304A (en) * 2012-12-31 2014-07-09 ***通信集团公司 SNS system, network and method for processing SNS request
CN103916304B (en) * 2012-12-31 2017-06-20 ***通信集团公司 A kind of method of SNS system, network and treatment SNS requests
CN106506238A (en) * 2015-08-24 2017-03-15 中兴通讯股份有限公司 A kind of network element management method and system
CN106685902A (en) * 2015-11-10 2017-05-17 大唐移动通信设备有限公司 User authority management method, client and server
CN107196795A (en) * 2017-05-18 2017-09-22 上海耐相智能科技有限公司 A kind of efficient Internet user's management system
CN110139174A (en) * 2019-06-03 2019-08-16 北京盟力星科技有限公司 A kind of NE management device based on Network Management System

Also Published As

Publication number Publication date
CN102075357B (en) 2013-05-08

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB03 Change of inventor or designer information

Inventor after: Zhang Jue

Inventor after: Cao Dong

Inventor before: Zhang Jue

COR Change of bibliographic data

Free format text: CORRECT: INVENTOR; FROM: ZHANG JUE TO: ZHANG JUE CAO DONG

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130508

Termination date: 20191231