CN105373714A - User permission control method and device - Google Patents

Info

Publication number
CN105373714A
Application number
CN201510843681.2A
Authority
CN (China)
Prior art keywords
role, mutual exclusion, authorized, exclusion group, authorize
Legal status
Granted; active
Other languages
Chinese (zh)
Other versions
CN105373714B (en)
Inventors
傅正茂
彭舰
Current assignee
Jin Zheng Science And Technology Co Ltd Of Shenzhen
Original assignee
Jin Zheng Science And Technology Co Ltd Of Shenzhen
Events
Application filed by Jin Zheng Science And Technology Co Ltd Of Shenzhen
Priority to CN201510843681.2A
Publication of CN105373714A
Application granted
Publication of CN105373714B

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a user permission control method comprising the following steps: obtaining the role to be authorized and the already-authorized roles of a user; obtaining the preset inner mutual-exclusion groups and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, wherein all roles in an inner mutual-exclusion group are mutually exclusive, all roles in an outer mutual-exclusion group are compatible with one another, and every role in an outer mutual-exclusion group is mutually exclusive with every role not in that group; and deciding, according to the inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized is granted to the user. Compared with the existing approach of comparing roles through functions, the permission comparison of this method is simpler, control is more precise, and the efficiency of user permission control is greatly improved.

Description

User permission control method and device
Technical field
The invention belongs to the field of user permission management, and in particular relates to a user permission control method and device.
Background technology
In a multi-user system, users must be assigned different permissions according to their authority and position, so that the system can provide them with safer and more reliable service.
RBAC (Role-Based Access Control) is the generally acknowledged effective approach to permission management in enterprise application systems. In RBAC, permissions are associated with roles, and a user obtains the permissions of a role by being made a member of it, which greatly simplifies permission management.
RBAC has three security principles: least privilege, separation of duties and data abstraction. RBAC96 is the most basic RBAC specification and comprises four models: the base model RBAC0, the role hierarchy model RBAC1, the constrained model RBAC2 and the unified model RBAC3. It is the constrained model that describes and implements the separation-of-duties principle.
One of the basic constraints of RBAC2 is the mutually exclusive roles constraint. Two roles are mutually exclusive when their permissions restrict each other: in a given activity a user may be assigned only one of them, and can never hold the rights of both at the same time.
For example, in an audit activity a user cannot be assigned both the accountant role and the auditor role. Likewise, in a company the roles of manager and assistant manager are mutually exclusive: a contract or check is signed either by the manager or by the assistant manager, never by both, so in an RBAC2 model built for the company one user cannot hold the manager and assistant manager roles together. The mutual-exclusion constraint of the constrained model is what supports the separation of powers and responsibilities.
The common way to implement mutual-exclusion constraints today is through functions: when a role is assigned to a user, or a permission to a role, the functions are called and their return values decide whether the assignment satisfies the constraint. In practice only routine and simple constraints can be checked effectively this way.
Implementing mutual-exclusion constraints with functions is flexible and can express arbitrary constraints. However, as the number of users grows, authorizing each user means comparing the compatibility of each permission with the others one by one, which is not only cumbersome but also error-prone.
Summary of the invention
The object of the present invention is to provide a user permission control method that solves the prior-art problem that, as users increase, authorizing each user requires comparing permission compatibility one by one, which is cumbersome and error-prone.
In a first aspect, an embodiment of the invention provides a user permission control method, the method comprising:
obtaining the role to be authorized and the already-authorized roles of a user;
obtaining the preset inner mutual-exclusion groups and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, wherein all roles in an inner mutual-exclusion group are mutually exclusive, all roles in an outer mutual-exclusion group are compatible with one another, and every role in an outer mutual-exclusion group is mutually exclusive with every role not in that group;
deciding, according to the inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized is granted to the user.
In a first possible implementation of the first aspect, the step of deciding, according to the inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized is granted to the user comprises:
judging whether the role to be authorized and an already-authorized role are in the same inner mutual-exclusion group;
if the role to be authorized and an already-authorized role are in the same inner mutual-exclusion group, refusing the authorization; otherwise, further judging whether the outer mutual-exclusion group to which the role to be authorized belongs contains all already-authorized roles;
if the outer mutual-exclusion group to which the role to be authorized belongs does not contain all already-authorized roles, refusing the authorization; otherwise, further judging whether the outer mutual-exclusion groups to which all already-authorized roles belong contain the role to be authorized;
if the outer mutual-exclusion groups to which all already-authorized roles belong do not contain the role to be authorized, refusing the authorization; otherwise, allowing it.
In a second possible implementation of the first aspect, the method further comprises:
when the user has no already-authorized role, allowing the authorization.
In a third possible implementation of the first aspect, the step of deciding, according to the inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized is granted to the user comprises:
if one and the same outer mutual-exclusion group to which the role to be authorized belongs contains all already-authorized roles, allowing the authorization.
In a fourth possible implementation of the first aspect, before the step of obtaining the preset inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, the method further comprises:
establishing the inner mutual-exclusion groups and outer mutual-exclusion groups of the system, where the number of inner mutual-exclusion groups is zero, one or more, the number of outer mutual-exclusion groups is zero, one or more, each inner mutual-exclusion group contains at least two roles, and each outer mutual-exclusion group contains at least one role.
In a second aspect, an embodiment of the invention provides a user permission control device, the device comprising:
a role acquiring unit, for obtaining the role to be authorized and the already-authorized roles of a user;
a relation group acquiring unit, for obtaining the preset inner mutual-exclusion groups and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, wherein all roles in an inner mutual-exclusion group are mutually exclusive, all roles in an outer mutual-exclusion group are compatible with one another, and every role in an outer mutual-exclusion group is mutually exclusive with every role not in that group;
a first authorization unit, for deciding, according to the inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized is granted to the user.
In a first possible implementation of the second aspect, the first authorization unit comprises:
a first judgement sub-unit, for judging whether the role to be authorized and an already-authorized role are in the same inner mutual-exclusion group;
a second judgement sub-unit, for refusing the authorization if the role to be authorized and an already-authorized role are in the same inner mutual-exclusion group, and otherwise further judging whether the outer mutual-exclusion group to which the role to be authorized belongs contains all already-authorized roles;
a third judgement sub-unit, for refusing the authorization if the outer mutual-exclusion group to which the role to be authorized belongs does not contain all already-authorized roles, and otherwise further judging whether the outer mutual-exclusion groups to which all already-authorized roles belong contain the role to be authorized;
an authorization sub-unit, for refusing the authorization if the outer mutual-exclusion groups to which all already-authorized roles belong do not contain the role to be authorized, and otherwise allowing it.
In a second possible implementation of the second aspect, the device further comprises:
a second authorization unit, for allowing the authorization when the user has no already-authorized role.
In a third possible implementation of the second aspect, the first authorization unit is specifically configured to:
allow the authorization if one and the same outer mutual-exclusion group to which the role to be authorized belongs contains all already-authorized roles.
In a fourth possible implementation of the second aspect, the device further comprises:
a relation establishing unit, for establishing the inner and outer mutual-exclusion groups of the system, where the number of inner mutual-exclusion groups is zero, one or more, the number of outer mutual-exclusion groups is zero, one or more, each inner mutual-exclusion group contains at least two roles, and each outer mutual-exclusion group contains at least one role.
In the invention, the role to be authorized and the already-authorized roles of the user are obtained, and whether the role to be authorized is granted to the user is decided by judging according to the preset inner and outer mutual-exclusion groups to which the role to be authorized belongs and those to which the already-authorized roles belong. Compared with the existing function-comparison approach, the permission comparison of the user permission control method of the invention is simpler, control is more precise, and the efficiency of user permission control is greatly improved.
Brief description of the drawings
Fig. 1 is a flow chart of the user permission control method provided by the first embodiment of the invention;
Fig. 2 is a flow chart of the authorization decision made according to the relation groups, provided by the second embodiment of the invention;
Fig. 3 is a schematic structural diagram of the user permission control device provided by the third embodiment of the invention.
Detailed description
To make the object, technical solution and advantages of the invention clearer, the invention is further elaborated below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the invention and are not intended to limit it.
The user permission control method of the embodiments aims to solve the following problem of prior-art permission control: a function operation must compare, one by one, whether the role specified for a user conflicts with each already-authorized role, and the function's return value decides whether the assignment satisfies the constraint. For a system with N roles, the compatibility of each role with the other N-1 roles must be set, giving an N*N compatibility matrix that has to be consulted at every authorization; building, maintaining and using this matrix is cumbersome and error-prone. The invention therefore proposes a user permission control method that is easier to use and authorizes more efficiently, described below with reference to the drawings.
Embodiment one:
Fig. 1 shows the flow of the user permission control method provided by the first embodiment of the invention, detailed as follows:
In step S101, the role to be authorized and the already-authorized roles of the user are obtained.
Specifically, the role to be authorized is the role about to be assigned to the user, for instance on registration or promotion, or because the user's work requires a role carrying specific permissions, such as access to some important event or the authority to modify data, so that a role must be assigned or set for the user in the system. The already-authorized roles are the roles the user already holds; for example a user's previous position role is "assistant manager" and after promotion the position role changes to "manager".
The already-authorized roles may be one or more, and may of course be empty, meaning the user currently holds no position, as with a newly registered user. When the set of already-authorized roles is empty, no further judgement is needed and the authorization can be allowed directly.
In step S102, the preset inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong are obtained, where all roles in an inner mutual-exclusion group are mutually exclusive, all roles in an outer mutual-exclusion group are compatible with one another, and every role in an outer mutual-exclusion group is mutually exclusive with every role not in that group.
Specifically, an inner mutual-exclusion group is a group in which the relation between all roles is mutual exclusion: roles in the same inner mutual-exclusion group cannot be granted to the same user at the same time. The accountant and auditor roles, for example, may belong to the same inner mutual-exclusion group; the group may also contain other roles, and every role in the group must be mutually exclusive with every other role in it.
An outer mutual-exclusion group is a group in which all roles are compatible, i.e. any role in the group is compatible with every other role in the group. Further, each role in an outer mutual-exclusion group is mutually exclusive with every role not in that group; that is, once a user has been granted a role in an outer mutual-exclusion group, the user cannot be granted any role outside it.
For example, if roles A, A1 and A2 belong to the same outer mutual-exclusion group while roles B and C do not, a user may be granted one or more of A, A1 and A2; but once the user has been granted a role in that outer mutual-exclusion group, the user may not be granted any role outside it.
The preset inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong can be obtained by establishing in advance the inner and outer mutual-exclusion groups of all roles in the system and storing them. When the groups of the role to be authorized and of the already-authorized roles need to be looked up at authorization time, the stored data is read directly.
Once the inner and outer mutual-exclusion groups have been established in the system, adding users or changing a user's roles normally requires no update of this data. Only when a new role is added to the system must the stored relation groups be adjusted for it.
In this embodiment the inner and outer mutual-exclusion groups of the system are established such that the number of inner mutual-exclusion groups may be zero, one or more, the number of outer mutual-exclusion groups is one or more, each inner mutual-exclusion group contains at least two roles, and each outer mutual-exclusion group contains at least one role.
In step S103, it is decided, according to the inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized is granted to the user.
From the inner and outer mutual-exclusion groups of the role to be authorized and of the already-authorized roles, it can quickly be detected whether any role the user already holds is incompatible with the role to be authorized: if there is an incompatibility the authorization is refused, and if the roles are compatible it is allowed.
By obtaining the role to be authorized and the already-authorized roles of the user and judging them according to the preset inner and outer mutual-exclusion groups to which they belong, the invention determines whether the role to be authorized is granted to the user. Compared with the existing function-comparison approach, the permission comparison is simpler, control is more precise, and the efficiency of user permission control is greatly improved.
Embodiment two:
Fig. 2 shows the flow, provided by the second embodiment of the invention, of deciding according to the inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong whether the role to be authorized is granted to the user, detailed as follows:
In step S201, it is judged whether the role to be authorized and an already-authorized role are in the same inner mutual-exclusion group.
Specifically, in practice the role to be authorized and the already-authorized roles must not be in a mutual-exclusion relation, i.e. two mutually exclusive roles such as the bookkeeper role and the auditor role cannot be assigned to the same user.
Since every role in an inner mutual-exclusion group of the invention is mutually exclusive with every other role in that group, the authorization can be refused as soon as the role to be authorized is found to be in the same inner mutual-exclusion group as any one of the already-authorized roles.
This judgement can be made by obtaining the inner mutual-exclusion group to which the role to be authorized belongs and refusing the authorization if any already-authorized role lies in it.
Alternatively, the inner mutual-exclusion group of each already-authorized role can be obtained, and the authorization refused if any of those groups contains the role to be authorized.
In step S202, if the role to be authorized and an already-authorized role are in the same inner mutual-exclusion group the authorization is refused; otherwise it is further judged whether the outer mutual-exclusion group to which the role to be authorized belongs contains all already-authorized roles.
That is, if the inner mutual-exclusion groups do not already lead to a refusal, it is next judged whether the outer mutual-exclusion group of the role to be authorized contains all already-authorized roles.
Within the outer mutual-exclusion group of the role to be authorized every role is compatible with every other role in the group, whereas roles in an outer mutual-exclusion group are mutually exclusive with roles outside it.
Because the role to be authorized may belong to several outer mutual-exclusion groups, the fact that its outer mutual-exclusion groups contain all already-authorized roles does not by itself establish that the role to be authorized and the already-authorized roles are compatible; the further judgement of step S203 is needed.
In step S203, if the outer mutual-exclusion group to which the role to be authorized belongs does not contain all already-authorized roles the authorization is refused; otherwise it is further judged whether the outer mutual-exclusion groups to which all already-authorized roles belong contain the role to be authorized.
If the outer mutual-exclusion group of the role to be authorized does not contain all already-authorized roles, the authorization is refused. If it does contain them, it is further judged whether the outer mutual-exclusion groups of all already-authorized roles contain the role to be authorized.
If, on examining the roles contained in the outer mutual-exclusion groups of the already-authorized roles, the role to be authorized is found among them, the role to be authorized satisfies the authorization condition and the flow proceeds to step S204, where it is granted.
In step S204, if the outer mutual-exclusion groups to which all already-authorized roles belong do not contain the role to be authorized the authorization is refused; otherwise it is allowed.
In a further optimized embodiment, the method may also provide that if one and the same outer mutual-exclusion group to which the role to be authorized belongs contains all already-authorized roles, the authorization is allowed; this judgement improves the efficiency of the authorization decision.
By combining the already-authorized roles with the outer and inner mutual-exclusion groups of the role to be authorized for the authorization decision, the invention authorizes more efficiently than the one-by-one comparison of the prior art.
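The decision procedure of steps S201 to S204 above, which is the same sequence listed as the first to fourth implementations in the summary, can be written as one check over a pre-indexed group table, together with the group establishment that step S102 presupposes. The following Python is an added example written for this page, not code from the patent or its assignee; the class and method names, the role names and the group configuration are all assumptions constructed for illustration. The validate() method goes beyond what the patent describes: it rejects a group table in which two roles are declared both inner-exclusive and outer-compatible, which the decision order would otherwise resolve silently by refusing.

```python
"""Separation-of-duty check with inner and outer mutual-exclusion groups.

Added example, not code from the patent. Role names and the group
configuration below are constructed for illustration.
"""
from typing import Dict, FrozenSet, Iterable, List, Set


class MutexPolicy:
    """Preset inner and outer mutual-exclusion groups plus the grant decision.

    Inner group: every pair of roles in it is mutually exclusive.
    Outer group: roles in it are compatible with one another, and each of them
    is mutually exclusive with every role outside the group.
    """

    def __init__(self, inner: Iterable[Iterable[str]], outer: Iterable[Iterable[str]]):
        self.inner: List[FrozenSet[str]] = [frozenset(g) for g in inner]
        self.outer: List[FrozenSet[str]] = [frozenset(g) for g in outer]
        # Role -> indices of the groups it belongs to, built once so that a
        # grant decision is a few dictionary lookups rather than a table scan.
        self._inner_of: Dict[str, Set[int]] = {}
        self._outer_of: Dict[str, Set[int]] = {}
        for i, g in enumerate(self.inner):
            for role in g:
                self._inner_of.setdefault(role, set()).add(i)
        for i, g in enumerate(self.outer):
            for role in g:
                self._outer_of.setdefault(role, set()).add(i)

    def validate(self) -> List[str]:
        """Check the stored groups; returns a list of problems, empty when consistent."""
        problems: List[str] = []
        for g in self.inner:
            if len(g) < 2:
                problems.append(f"inner group {sorted(g)} needs at least two roles")
        for g in self.outer:
            if not g:
                problems.append("outer group must contain at least one role")
        # Two roles must not be declared both inner-exclusive and outer-compatible.
        for ig in self.inner:
            for og in self.outer:
                clash = ig & og
                if len(clash) >= 2:
                    problems.append(f"roles {sorted(clash)} share an inner and an outer group")
        return problems

    def outer_roles_of(self, role: str) -> Set[str]:
        """Union of the outer groups containing the role (a role may be in several)."""
        roles: Set[str] = set()
        for i in self._outer_of.get(role, ()):
            roles |= self.outer[i]
        return roles

    def can_grant(self, candidate: str, granted: Iterable[str]) -> bool:
        """Decide whether `candidate` may be added to a user who already holds `granted`."""
        held = set(granted)
        if not held:
            return True  # no roles yet: nothing to conflict with
        # S201/S202: refuse if the candidate shares an inner group with any held role.
        cand_inner = self._inner_of.get(candidate, set())
        if any(cand_inner & self._inner_of.get(r, set()) for r in held):
            return False
        # Optimized path: one outer group holds the candidate and every held role.
        if any(held <= self.outer[i] for i in self._outer_of.get(candidate, ())):
            return True
        # S202/S203: the candidate's outer groups must cover every held role.
        if not held <= self.outer_roles_of(candidate):
            return False
        # S203/S204: every held role's outer groups must contain the candidate.
        return all(candidate in self.outer_roles_of(r) for r in held)


# Constructed configuration: accountant/auditor and manager/assistant manager
# are the mutually exclusive pairs named in the background section.
POLICY = MutexPolicy(
    inner=[{"accountant", "auditor"}, {"manager", "assistant_manager"}],
    outer=[{"manager", "accountant", "sales"}, {"auditor", "compliance"},
           {"assistant_manager", "clerk"}, {"manager", "hr"}],
)

if __name__ == "__main__":
    print("config problems:", POLICY.validate())
    for cand, held in [("auditor", ["accountant"]), ("sales", ["manager", "accountant"]),
                       ("clerk", ["manager"]), ("hr", ["manager", "accountant"])]:
        print(cand, held, "->", "allow" if POLICY.can_grant(cand, held) else "deny")
```

Two points are worth noting when running this. With plain set membership, as modelled here, once the candidate's outer groups cover every held role (step S202), each held role sits in some outer group together with the candidate, so the step S203 check cannot fail; it is kept to match the claimed procedure. Second, the procedure checks the candidate against the held roles but never re-checks the held roles against one another, so it assumes every earlier grant went through the same check; a user state assembled some other way, for example by a bulk import, should be re-validated by replaying its grants one at a time. A role that appears in no outer group can be granted only to a user who holds no roles yet, which is the fail-closed reading of the group definition.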
Embodiment three:
Fig. 3 shows the structure of the user permission control device provided by the third embodiment of the invention, detailed as follows:
The user permission control device of the embodiment comprises:
a role acquiring unit 301, for obtaining the role to be authorized and the already-authorized roles of a user;
a relation group acquiring unit 302, for obtaining the preset inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, wherein all roles in an inner mutual-exclusion group are mutually exclusive, all roles in an outer mutual-exclusion group are compatible with one another, and every role in an outer mutual-exclusion group is mutually exclusive with every role not in that group;
a first authorization unit 303, for deciding, according to the inner and outer mutual-exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized is granted to the user.
Preferably, the first authorization unit comprises:
a first judgement sub-unit, for judging whether the role to be authorized and an already-authorized role are in the same inner mutual-exclusion group;
a second judgement sub-unit, for refusing the authorization if the role to be authorized and an already-authorized role are in the same inner mutual-exclusion group, and otherwise further judging whether the outer mutual-exclusion group to which the role to be authorized belongs contains all already-authorized roles;
a third judgement sub-unit, for refusing the authorization if the outer mutual-exclusion group to which the role to be authorized belongs does not contain all already-authorized roles, and otherwise further judging whether the outer mutual-exclusion groups to which all already-authorized roles belong contain the role to be authorized;
an authorization sub-unit, for refusing the authorization if the outer mutual-exclusion groups to which all already-authorized roles belong do not contain the role to be authorized, and otherwise allowing it.
Preferably, the device further comprises:
a second authorization unit, for allowing the authorization when the user has no already-authorized role.
Preferably, the first authorization unit is specifically configured to:
allow the authorization if one and the same outer mutual-exclusion group to which the role to be authorized belongs contains all already-authorized roles.
Preferably, the device further comprises:
a relation establishing unit, for establishing the inner and outer mutual-exclusion groups of the system, where the number of inner mutual-exclusion groups is zero, one or more, the number of outer mutual-exclusion groups is one or more, each inner mutual-exclusion group contains at least two roles, and each outer mutual-exclusion group contains at least one role.
The user permission control device of this embodiment corresponds to the user permission control method of embodiments one and two and is not described again here.
It should be understood that the devices and methods disclosed in the several embodiments provided by the invention may be realized in other ways. The device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in practice, for example several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Moreover, the couplings, direct couplings or communication connections shown or discussed may be made through certain interfaces, and the indirect couplings or communication connections between devices or units may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over several network elements. Some or all of the units may be selected according to actual need to achieve the object of the embodiment.
In addition, the functional units of the embodiments of the invention may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be realized in hardware or as a software functional unit.
If the integrated unit is realized as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. On this understanding, the technical solution of the invention, in essence or in the part that contributes over the prior art, or the whole or part of the solution, may be embodied as a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to execute all or part of the method described in the embodiments of the invention. The storage medium includes a USB flash disk, a portable hard drive, read-only memory (ROM), random access memory (RAM), a magnetic disk, an optical disc or any other medium able to store program code.
The foregoing is only the preferred embodiments of the invention and is not intended to limit it; any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (10)

1. A user permission control method, characterized in that the method comprises:
obtaining the role to be authorized and the roles already authorized to the user;
obtaining the preset inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and all roles in an outer mutual exclusion group are mutually exclusive with every role not in that group;
determining, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized may be authorized to the user.
2. The method according to claim 1, characterized in that the step of determining, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized may be authorized to the user comprises:
determining whether the role to be authorized and an already-authorized role are in the same inner mutual exclusion group;
if the role to be authorized and an already-authorized role are in the same inner mutual exclusion group, refusing authorization; otherwise, further determining whether the outer mutual exclusion group to which the role to be authorized belongs contains all already-authorized roles;
if the outer mutual exclusion group to which the role to be authorized belongs does not contain all already-authorized roles, refusing authorization; otherwise, further determining whether the outer mutual exclusion groups to which all already-authorized roles belong contain the role to be authorized;
if the outer mutual exclusion groups to which all already-authorized roles belong do not contain the role to be authorized, refusing authorization; otherwise, allowing authorization.
3. The method according to claim 1, characterized in that the method further comprises:
when the user has no already-authorized role, allowing authorization.
4. The method according to claim 1, characterized in that the step of determining, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized may be authorized to the user comprises:
if the same outer mutual exclusion group to which the role to be authorized belongs contains all already-authorized roles, allowing authorization.
5. The method according to claim 1, characterized in that, before the step of obtaining the preset inner and outer mutual exclusion groups to which the role to be authorized and the already-authorized roles belong, the method further comprises:
establishing the inner mutual exclusion groups and outer mutual exclusion groups of the system, wherein the number of inner mutual exclusion groups is zero, one or more, the number of outer mutual exclusion groups is zero, one or more, each inner mutual exclusion group comprises at least two roles, and each outer mutual exclusion group comprises at least one role.
6. A user permission control device, characterized in that the device comprises:
a role acquiring unit, configured to obtain the role to be authorized and the roles already authorized to the user;
a relation group acquiring unit, configured to obtain the preset inner mutual exclusion group and outer mutual exclusion group to which the role to be authorized and the already-authorized roles belong, wherein all roles in an inner mutual exclusion group are mutually exclusive with one another, all roles in an outer mutual exclusion group are compatible with one another, and all roles in an outer mutual exclusion group are mutually exclusive with every role not in that group;
a first authorization unit, configured to determine, according to the inner and outer mutual exclusion groups to which the role to be authorized and the already-authorized roles belong, whether the role to be authorized may be authorized to the user.
7. The device according to claim 6, characterized in that the first authorization unit comprises:
a first judging sub-unit, configured to determine whether the role to be authorized and an already-authorized role are in the same inner mutual exclusion group;
a second judging sub-unit, configured to refuse authorization if the role to be authorized and an already-authorized role are in the same inner mutual exclusion group, and otherwise to further determine whether the outer mutual exclusion group to which the role to be authorized belongs contains all already-authorized roles;
a third judging sub-unit, configured to refuse authorization if the outer mutual exclusion group to which the role to be authorized belongs does not contain all already-authorized roles, and otherwise to further determine whether the outer mutual exclusion groups to which all already-authorized roles belong contain the role to be authorized;
an authorization sub-unit, configured to refuse authorization if the outer mutual exclusion groups to which all already-authorized roles belong do not contain the role to be authorized, and otherwise to allow authorization.
8. The device according to claim 6, characterized in that the device further comprises:
a second authorization unit, configured to allow authorization when the user has no already-authorized role.
9. The device according to claim 6, characterized in that the first authorization unit is specifically configured to:
allow authorization if the same outer mutual exclusion group to which the role to be authorized belongs contains all already-authorized roles.
10. The device according to claim 6, characterized in that the device further comprises:
establishing the inner mutual exclusion groups and outer mutual exclusion groups of the system, wherein the number of inner mutual exclusion groups is zero, one or more, the number of outer mutual exclusion groups is zero, one or more, each inner mutual exclusion group comprises at least two roles, and each outer mutual exclusion group comprises at least one role.
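The decision procedure of claims 2 and 3, together with the structural constraints of claim 5, as an added worked example in Python; this is illustrative code written for this page, not code from the patent or its assignee. The role names, the sample inner and outer groups, and the helper names (`validate_policy`, `outer_group_of`, `decide`) are constructed for the example. Two points are this example's own assumptions rather than statements of the claims: each role belongs to at most one outer mutual exclusion group (the claims refer to "the" outer group of a role), and a role in no outer group is treated as compatible with other group-less roles while being excluded by every outer-group member, which follows from the claim 1 definition that outer-group roles are exclusive with all roles outside the group.

```python
from typing import FrozenSet, Iterable, List, Optional, Tuple

Role = str
Group = FrozenSet[Role]

# Constructed sample policy for illustration (not taken from the patent).
# Inner groups: roles that must never be held together (separation of duties).
INNER_GROUPS: List[Group] = [
    frozenset({"payment_initiator", "payment_approver"}),  # maker/checker pair
    frozenset({"auditor", "ledger_editor"}),               # auditors never edit
]
# Outer groups: roles compatible with each other but exclusive with every outsider.
OUTER_GROUPS: List[Group] = [
    frozenset({"finance_clerk", "payment_initiator"}),
    frozenset({"auditor", "audit_reader"}),
]


def validate_policy(inner: Iterable[Group], outer: Iterable[Group]) -> None:
    """Structural checks from claim 5 (inner group >= 2 roles, outer group >= 1
    role) plus this example's assumption that a role is in at most one outer group."""
    for g in inner:
        if len(g) < 2:
            raise ValueError(f"inner mutual exclusion group needs >= 2 roles: {sorted(g)}")
    seen: set = set()
    for g in outer:
        if len(g) < 1:
            raise ValueError("outer mutual exclusion group needs >= 1 role")
        if seen & g:
            raise ValueError(f"role in more than one outer group: {sorted(seen & g)}")
        seen |= g


def outer_group_of(role: Role, outer: Iterable[Group]) -> Optional[Group]:
    """The outer group a role belongs to, or None if it is in no outer group."""
    for g in outer:
        if role in g:
            return g
    return None


def decide(candidate: Role, granted: Iterable[Role],
           inner: List[Group] = INNER_GROUPS,
           outer: List[Group] = OUTER_GROUPS) -> Tuple[bool, str]:
    """Decide whether `candidate` may be added to a user already holding `granted`,
    applying the three checks of claim 2 in order. Returns (allowed, reason)."""
    held = set(granted)
    if not held:
        return True, "user holds no roles yet (claim 3)"

    # Check 1: refuse if the candidate shares an inner (exclusive) group with a held role.
    for g in inner:
        if candidate in g and held & g:
            return False, f"inner-group conflict with {sorted(held & g)}"

    # Check 2: the candidate's outer group must contain every held role.
    cand_outer = outer_group_of(candidate, outer)
    if cand_outer is not None:
        outsiders = held - cand_outer
        if outsiders:
            return False, f"held roles outside candidate's outer group: {sorted(outsiders)}"
    else:
        # Assumption of this example: a group-less candidate is excluded by any held
        # role that sits in an outer group, since that group excludes all outsiders.
        grouped = [r for r in held if outer_group_of(r, outer) is not None]
        if grouped:
            return False, f"candidate is outside the outer group of {sorted(grouped)}"

    # Check 3: every held role's outer group must contain the candidate.
    for r in sorted(held):
        g = outer_group_of(r, outer)
        if g is not None and candidate not in g:
            return False, f"{r}'s outer group excludes {candidate}"

    return True, "compatible with all held roles"


if __name__ == "__main__":
    validate_policy(INNER_GROUPS, OUTER_GROUPS)
    for cand, held in [("payment_approver", {"payment_initiator"}),
                       ("finance_clerk", {"payment_initiator"}),
                       ("audit_reader", {"finance_clerk"}),
                       ("hr_viewer", {"payroll_viewer"}),
                       ("hr_viewer", {"auditor"})]:
        ok, why = decide(cand, held)
        print(f"{cand:18s} + {sorted(held)} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

Running `validate_policy` at policy load time, rather than at each authorization request, keeps the per-request check to set operations only; the reason string returned by `decide` is what an audit log of refused grants would record.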
CN201510843681.2A 2015-11-26 2015-11-26 A user permission control method and device Active CN105373714B (en)

Publications (2)

Publication Number Publication Date
CN105373714A (en) 2016-03-02
CN105373714B (en) 2018-08-31

Family

ID=55375907

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101976314A (en) * 2010-09-21 2011-02-16 用友软件股份有限公司 Access control method and system
CN103560994A (en) * 2013-08-16 2014-02-05 中山大学 Context-aware-based security access control method for RFID system
US20140196103A1 (en) * 2013-01-04 2014-07-10 International Business Machines Corporation Generating role-based access control policies based on discovered risk-averse roles

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
付志峰 et al.: "Implementation of separation of duties in RBAC ***", Computer Engineering (《计算机工程》) *
陈胜 et al.: "Research and application of role mutual exclusion in the RBAC model", Computer Technology and Development (《计算机技术与发展》) *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105939221A (en) * 2016-05-09 2016-09-14 杭州迪普科技有限公司 Configuration method and device of network device
CN105939221B (en) * 2016-05-09 2019-05-07 杭州迪普科技股份有限公司 The configuration method and device of the network equipment
CN107679749A (en) * 2017-09-30 2018-02-09 新奥(中国)燃气投资有限公司 Authority application approval method and authorization management platform
CN107679749B (en) * 2017-09-30 2021-05-25 新奥(中国)燃气投资有限公司 Authority application approval method and authorization management platform
CN109246079A (en) * 2018-08-02 2019-01-18 网易乐得科技有限公司 Right management method, system, medium and electronic equipment
CN110750780A (en) * 2019-10-16 2020-02-04 北京微星优财网络科技有限公司 User role permission fusion method, device and equipment based on multi-service system
CN110750780B (en) * 2019-10-16 2023-04-18 北京微星优财网络科技有限公司 User role permission fusion method, device and equipment based on multi-service system
CN110929250A (en) * 2019-12-02 2020-03-27 山东中创软件工程股份有限公司 Permission inheritance method, device, equipment and medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant