CN105574372A - Loose-leaf switching mechanism of permission roles - Google Patents
Loose-leaf switching mechanism of permission roles Download PDFInfo
- Publication number
- CN105574372A CN105574372A CN201510626246.4A CN201510626246A CN105574372A CN 105574372 A CN105574372 A CN 105574372A CN 201510626246 A CN201510626246 A CN 201510626246A CN 105574372 A CN105574372 A CN 105574372A
- Authority
- CN
- China
- Prior art keywords
- user
- authority
- loose
- leaf
- database
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a loose-leaf switching mechanism of permission roles. The operation permission of a system module is limited; simultaneously, a complete user permission management mechanism provided by a permission loose leaf is sufficiently utilized; permission user login databases having three loose-leaf permissions are adopted; and the security, which cannot be controlled by an application program, can be controlled through loose-leaf switching. According to the embodiment of the invention, practical conditions of system users are analyzed when users log in the system, such that the system users are divided into three permission loose leaves according to use permissions; a loose-leaf switching permission set including three permissions is established for each user; therefore, each system user can access the database login through the permission corresponding to the permission set, which the system user belongs to; on the one hand, the security control complexity and difficulty of the application program can be reduced; and on the other hand, security control can be carried out by sufficiently utilizing a security management mechanism switched through the three loose leaves.
Description
Technical field
The present invention relates to database application system development technique field, particularly relate to the rights management of user in performance history.
Background technology
Rights management, refers generally to the safety rule according to Operation system setting or security strategy, and user can access and can only access oneself authorized resource, neither too much nor too little.Rights management almost appears at inside any system, as long as there is the system of user and password.Enterprise IT administrators can be generally system definition role, distributes role to user.Here it is modal role-base access control.From control dynamics, rights management can be divided into two large classes: 1, functional level rights management; 2, data level rights management.From controlling party always, also rights management can be divided into two large classes: 1, obtain data from system, such as inquire about order, inquiry customer data; 2, submit data to system, such as delete order, amendment customer data.
In database application system exploitation, security of system is a key link in whole system design.Carry out subscriber authentication, operating right controls, first must analyze user and how enter system and visit data.Typical Database Systems are generally made up of database, data base management system (DBMS) (and developing instrument), application system, data base administrator and user.In real application systems exploitation, generally realize user authority management by two kinds of approach: the user management mechanism directly adopting DBMS to provide.(1) realized by application program self.Authority due to database user is unique fixing, such application security controls very complicated, there is the shortcomings such as security mechanism imperfection, dumb, development amount is large, and disabled user can skip foreground application and directly accesses back-end data sometimes, in this way neither a kind of efficient, safe method.(2) application system directly utilizes the user management mechanism of DBMS to carry out user authority management, and large-scale database system such as Oracle etc. uses the method for role to also provide perfect user authority management mechanism now.But in actual applications, if system situation allows, a database user (account) can be set up for each system user, and tight rights management is carried out to all accounts.But, if the quantity of user is uncertain, and up to a hundred may be had, just add complexity and the difficulty of management, so in general application system, seldom directly adopt the user management mechanism that DBMS provides.The benefit brought of loose-leaf handover mechanism mechanism of System Implementation authorization role: the loose-leaf handover mechanism of authorization role on the one hand for system manager provide flexibly, operation interface easily, make full use of again the security management mechanism of DBMS itself on the other hand, have security good, easy to operate, realize the advantages such as easy
Summary of the invention
In order to overcome the deficiency of the handover mechanism of existing authorization role, the invention provides a kind of authority loose-leaf mechanism to be limited the operating right of system module, what make full use of again that authority loose-leaf provides improves user authority management mechanism simultaneously, adopt the authority user log database of three loose-leaf authorities, can be switched by loose-leaf for the out of contior security of application program and control.Such one side can reduce complexity and the difficulty of application security control, and the security management mechanism that can make full use of again three loose-leaves switchings on the other hand carries out security control.
The technical solution adopted for the present invention to solve the technical problems is: when user carries out system login, subscriber authentication and authentication is carried out by user message table, and pass through database user log database again corresponding to user, and system manager can add new user right by user management module.Each system user authority switches and carries out authority examination to when uniting in system according to subscriber's meter authority, and for the module of with no authorized, user then can not enter.Not necessarily have all operations authority to data manipulations all in this module for the user with certain module authority, this also needs to examine this user and whether has corresponding data manipulation authority.Analyze according to system user of service actual conditions, system user is divided into three authority loose-leaves according to rights of using, bundle of permissions is switched for each user sets up a loose-leaf comprising three kinds of authorities, each like this system user just can be logged in by the authority accessing database that affiliated bundle of permissions is corresponding, and this application system user (asu) is also just limited in the operating right of database within the operating right scope of this database user certainly.
The invention has the beneficial effects as follows, a necessary corresponding a certain authority loose-leaf role of application system user (asu), could utilize this authority accessing database to log in, otherwise cannot visit data.Authority loose-leaf role can corresponding multiple system user, like this when system user of service increases, only personnel need be belonged to a certain authority loose-leaf role, and need not arrange for the data manipulation authority of each user.And authority loose-leaf role is according to circumstances newly-built on authority loose-leaf role in advance and controls accordingly database operating right.Its security can arrive table level, row level, row level, so both can make full use of the security management mechanism of authority loose-leaf role itself, again by application program for system manager provide flexibly, operation interface easily, realize carrying out dual control of authority from foreground application and authority loose-leaf role two aspects, backstage to user.
Accompanying drawing explanation
Below in conjunction with drawings and Examples, the present invention is further described.
Fig. 1 is instance user relation structure diagram of the present invention.
Fig. 2 is exemplary application system user accessing database of the present invention.
Fig. 3 is that instance user of the present invention pass owner props up structural drawing.
Fig. 4 is the crucial class method figure that example system user of the present invention logs in.
Fig. 5 is instance user login process figure of the present invention.
Embodiment
In FIG, the loose-leaf handover mechanism customer relationship structural drawing of authorization role is illustrated.(1) subscriber authentication.A user message table is safeguarded, comprising information such as user name, user password, line module authority, user right loose-leaves in application system.When user carries out system login, carry out subscriber authentication and authentication by this table, and by authority loose-leaf log database again belonging to user, and system manager can pass through authority loose-leaf module maintenance customer authority.
(2) line module rights management.Each system user carries out authority examination to when uniting in system according to subscriber's meter authority, and for the module of with no authorized, user then can not enter.Multi-stage module can be had, when user haves no right to a certain module, to should the submodule of module also having no right mutually in certain system.But not necessarily have all operations authority to data manipulations all in this module for the user with certain module authority, this also needs to examine this user and whether has corresponding data manipulation authority.
(3) database manipulation control of authority.Database manipulation authority to refer to this user during a certain database user identity logs database there is the authority of service data.A database can have multiple database user to log in, and this multiple database user can utilize that authority loose-leaf mechanism is carried out flexibly, security settings, and its security mechanisms comprises System Privileges and database object authority setting.In order to make full use of authority loose-leaf security mechanism, when applied system design, analyze according to system user of service actual conditions, system user is divided into several user's group according to rights of using, for each user sets up three authority loose-leaves, each like this system user just can carry out database login by the database user identity that affiliated authority loose-leaf is corresponding, and this application system user (asu) is also just limited in the operating right of database within the operating right scope of this authority loose-leaf certainly.Therefore, the control of system user to database operating right can be realized by system user and this corresponding relation of database, and also can prevent disabled user from skipping the direct visit data of application program like this.The operation of all modules is all subject to certain restriction.
Claims (3)
1. the loose-leaf handover mechanism of authorization role, it is characterized in that: the operating right of system module is limited, what make full use of again that authority loose-leaf provides improves user authority management mechanism simultaneously, adopt the authority user log database of three loose-leaf authorities, can be switched by loose-leaf for the out of contior security of application program and control.
2. the operating right based on system module according to claim 1 is limited, it is characterized in that: when user carries out system login, each system user authority switches and carries out authority examination to when uniting in system according to subscriber's meter authority, and for the module of with no authorized, user then can not enter.Analyze according to system user of service actual conditions, system user is divided into three authority loose-leaves according to rights of using, bundle of permissions is switched for each user sets up a loose-leaf comprising three kinds of authorities, each like this system user just can be logged in by the authority accessing database that affiliated bundle of permissions is corresponding, and this application system user (asu) is also just limited in the operating right of database within the operating right scope of this database user certainly.
3. according to claim 1 utilize authority loose-leaf to provide improve user authority management mechanism, adopt the authority user log database of three loose-leaf authorities, it is characterized in that: a necessary corresponding a certain authority loose-leaf role of application system user (asu), this authority accessing database could be utilized to log in, otherwise cannot visit data.Authority loose-leaf role can corresponding multiple system user, like this when system user of service increases, only personnel need be belonged to a certain authority loose-leaf role, and need not arrange for the data manipulation authority of each user.And authority loose-leaf role is according to circumstances newly-built on authority loose-leaf role in advance and controls accordingly database operating right, realize carrying out dual control of authority from foreground application and authority loose-leaf role two aspects, backstage to user.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510626246.4A CN105574372A (en) | 2015-09-28 | 2015-09-28 | Loose-leaf switching mechanism of permission roles |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510626246.4A CN105574372A (en) | 2015-09-28 | 2015-09-28 | Loose-leaf switching mechanism of permission roles |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN105574372A true CN105574372A (en) | 2016-05-11 |
Family
ID=55884496
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510626246.4A Pending CN105574372A (en) | 2015-09-28 | 2015-09-28 | Loose-leaf switching mechanism of permission roles |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN105574372A (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107545400A (en) * | 2016-06-28 | 2018-01-05 | 上海洋启投资中心 | Project structure based on more loose-leaves |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103780604A (en) * | 2014-01-06 | 2014-05-07 | 中国科学技术大学苏州研究院 | Ubiquitous resource user access control method for multiple roles |
| CN104573478A (en) * | 2014-11-20 | 2015-04-29 | 深圳市远行科技有限公司 | User authority management system of Web application |
-
2015
- 2015-09-28 CN CN201510626246.4A patent/CN105574372A/en active Pending
Patent Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103780604A (en) * | 2014-01-06 | 2014-05-07 | 中国科学技术大学苏州研究院 | Ubiquitous resource user access control method for multiple roles |
| CN104573478A (en) * | 2014-11-20 | 2015-04-29 | 深圳市远行科技有限公司 | User authority management system of Web application |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107545400A (en) * | 2016-06-28 | 2018-01-05 | 上海洋启投资中心 | Project structure based on more loose-leaves |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP2620893B1 (en) | Role-based access control permissions | |
| CN110957025A (en) | Medical health information safety management system | |
| CN116743440A (en) | Security design and architecture for multi-tenant HADOOP clusters | |
| CN105184144A (en) | Multi-system privilege management method | |
| CN104718526A (en) | Secure mobile framework | |
| CN102546664A (en) | User and authority management method and system for distributed file system | |
| CN105262780B (en) | A kind of authority control method and system | |
| CN103617485A (en) | Uniform authority management and deployment system | |
| US20150113614A1 (en) | Client based systems and methods for providing users with access to multiple data bases | |
| CN103379089A (en) | Access control method and system based on security domain isolation | |
| CN102611699A (en) | Method and system for access control in cloud operation system | |
| CN106815503A (en) | A kind of operating system method for managing user right and system | |
| CN105550590A (en) | Role-based access control mechanism | |
| DE112011103580T5 (en) | A method, secure device, system, and computer program product for securely managing user access to a file system | |
| CN101594386B (en) | Method and device for constructing reliable virtual organization based on distributed strategy verification | |
| CN102411689B (en) | Method for controlling authority of database administrator | |
| CN106529230A (en) | Role-based permission control mechanism | |
| CN109033861A (en) | The method that authorised operator is authorized in system | |
| CN106933605A (en) | A kind of intelligent progress recognizing control method and system | |
| CN105631266A (en) | Mechanism for achieving multi-user switching through jQuery shell | |
| CN105574372A (en) | Loose-leaf switching mechanism of permission roles | |
| CN107194239A (en) | A kind of right management method and device | |
| CN101860436A (en) | Technology for accurately controlling system user data authority | |
| CN108268782A (en) | The meeting mechanism of based role permission control | |
| CN101382983A (en) | Programmable control mode for powering authority for on-line computer |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| WD01 | Invention patent application deemed withdrawn after publication | ||
| WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20160511 |