CN106301940A - A kind of authority configuring method - Google Patents

Publication number: CN106301940A
Authority: CN (China)
Prior art keywords: authority, packet, user, classification, territory
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201610723886.1A
Other languages: Chinese (zh)
Inventors: 黄亮, 曹政
Current Assignee: Xiamen Yi Ling Network Technology Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Xiamen Yi Ling Network Technology Co Ltd
Priority date: 2016-08-25 (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date: 2016-08-25
Publication date: 2017-01-04

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08: Configuration management of networks or network elements

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a permission configuration method comprising the following steps. S01: configure a hierarchical permission domain, which is a tree structure with an unlimited number of levels, and import the configuration file of the hierarchical permission domain into a database. S02: set permission bits and permission values, and configure user permissions and group permissions at the nodes of the corresponding permission domain according to the database, the hierarchical permission domain, the permission bits and the permission values. S03: add groups to a user so that the user inherits the group permissions of each group. S04: set the priority among the group permissions of the groups added to the user, and the priority between group permissions and user permissions. The method splits permissions across different groups so that users and groups each have their own independent permissions, and the hierarchical permission domain places no limit on the number of permission levels, allowing finer-grained division of permissions.

Description

A permission configuration method
Technical field
The present invention relates to a permission configuration method.
Background
In the IP (Internet Protocol) field, the widespread adoption of IP-based services and the growing number of devices have made management and maintenance increasingly inconvenient. Permissions are typically bound by setting up permission domains, through which users and devices are managed and maintained. However, authorization is usually granted in batches and the number of permission levels is limited; when the number of users and devices is large, the division of authorization is not fine-grained enough and the authorization process is cumbersome and inconvenient to use. In addition, existing techniques generally allocate permissions to devices and users, and seldom address permission allocation for back-end management.
Therefore, back-end development needs permission control that is both finely divided and convenient to configure.
Summary of the invention
The object of the present invention is to provide a permission configuration method that achieves fine-grained permission allocation with convenient authorization and is applicable to permission allocation in most management back ends.
To achieve this object, the technical solution adopted by the present invention is:
A permission configuration method, characterized by comprising the following steps:
S01: configure a hierarchical permission domain, which is a tree structure with an unlimited number of levels, and import the configuration file of the hierarchical permission domain into a database;
S02: set permission bits and permission values, and configure user permissions and group permissions at the nodes of the corresponding hierarchical permission domain according to the database, the hierarchical permission domain, the permission bits and the permission values;
S03: add groups to a user so that the user inherits the group permissions of each group;
S04: set the priority among the group permissions of the groups added to the user, and the priority between group permissions and user permissions.
In step S01, the configuration file of the hierarchical permission domain includes the key, name, path and rank of each level.
Step S01 further includes the database assigning a unique permission ID to the key of each level in the configuration file.
In step S02, "according to the database" means according to the permission ID of each level's key in the database.
In step S03, adding a group to a user means adding the group's permission ID to the list of groups the user belongs to.
In step S02, the permission bits include ! and *. ! denotes the leaf node: the permission value applies only to the current node. * denotes all child nodes: the permission value is applied to all child nodes of this node.
In step S02, the permission value is binary.
In step S04, the priority among group permissions is such that a group added later has higher priority than a group added earlier, and the priority of the user permission is higher than that of the group permissions.
The permission configuration method further comprises step S05: obtain the groups of the user, obtain the user permission of the user and the group permission of each group, and check the group permissions and the user permission.
Beneficial effects of the present invention:
1. Permissions are split across different groups so that users and groups each have their own independent permissions. A user can belong to multiple groups, and adding a group to a user lets the user inherit that group's permissions.
2. The hierarchical permission domain places no limit on the number of permission levels, allowing finer-grained division of permissions.
3. When assigning authorization, a grant can be made downward from a node, giving all its child nodes the corresponding permission, or made on the current node only, giving just that node the corresponding permission. This simplifies authorization while keeping it fine-grained and precise.
4. Authorization is extensible: creating a new permission domain provides a new permission list, which enables cross-project permission allocation.
5. The method is highly general and widely applicable, and can be used for permission allocation in most management back ends.
Brief description of the drawings
The accompanying drawings described here provide a further understanding of the present invention and form a part of it. The illustrative embodiments of the invention and their description are used to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of the method of the invention;
Fig. 2 is a schematic diagram of the tree structure of the hierarchical permission domain;
Fig. 3 is a schematic diagram of a user's permission structure.
Detailed description
To make the technical problem to be solved, the technical solution and the beneficial effects of the invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. The specific embodiments described here only explain the invention and do not limit it.
As shown in Fig. 1 to Fig. 3, the present invention provides a permission configuration method, characterized by comprising the following steps:
S01: configure a hierarchical permission domain, which is a tree structure with an unlimited number of levels, and import its configuration file into a database. The configuration files of different permission domains are imported into different data tables in the database, which ensures that the IDs generated by a data table belong only to the corresponding permission domain;
S02: set permission bits and permission values, and configure user permissions and group permissions at the nodes of the corresponding hierarchical permission domain according to the database, the hierarchical permission domain, the permission bits and the permission values. In this way, authorization can be granted downward from a node to give all its child nodes the permission, which simplifies authorization, and individual licenses can be assigned: any combination of the query, modify and execute licenses can be granted;
S03: add groups to a user so that the user inherits the group permissions of each group;
S04: set the priority among the group permissions of the groups added to the user, and the priority between group permissions and user permissions.
In step S01, the configuration file of the hierarchical permission domain includes the key, name, path and rank of each level.
Step S01 further includes the database assigning a unique permission ID to the key of each level in the configuration file.
In step S02, "according to the database" means according to the permission ID of each level's key in the database.
In step S03, adding a group to a user means adding the group's permission ID to the list of groups the user belongs to.
In step S02, the permission bits include ! and *. ! denotes the leaf node: the permission value applies only to the current node. * denotes all child nodes: the permission value is applied to all child nodes of this node. The priority of child-node permissions is computed by the nearest principle, which is: first check whether a permission value is set on the current node's ! bit, and if so, use it; if not, check whether a permission value is set on the current node's * bit; if not, check whether a permission value is set on the * bit of the current node's parent, and if so, use it; if not, check the permission value on the * bit of the next parent up. For example, to determine the permission of foo-b, check in order the permission values on the permission bits foo-b!, foo-b*, foo*, *.
In step S02, the permission value is binary: 1 is view; 2 is edit; 4 is execute (exec). Values can be added together, e.g. 3=1+2 grants the view and edit permissions. As a special case, -1 grants all permissions and is generally used for superuser authorization.
In step S04, the priority among group permissions is such that a group added later has higher priority than a group added earlier, and the priority of the user permission is higher than that of the group permissions.
The permission configuration method further comprises step S05: obtain the groups of the user, obtain the user permission of the user and the group permission of each group, and check the group permissions and the user permission.
The method is described in detail through the following embodiment:
Configuring the permission domain:
Define a permission domain scopeA and configure the permission structure under this domain with an ini file. Each section defines one level, with attributes such as a key whose levels are separated by '-', a name, a path and a rank, as follows:
[foo]
Name=Foo
Path=/foo
Rank=1
[foo-a]
Name=FooA
Path=/foo/a
Rank=3
[foo-b]
Name=FooB
Path=/foo/b
Rank=4
[bar]
Name=Bar
Path=/bar
Rank=2
Here foo and bar are first-level permissions, and foo-a and foo-b are second-level permissions belonging to foo.
As shown in Table 1, the configuration file of scopeA is imported into the database, and the database assigns a unique permission ID to the key of each level in the configuration file.
ID  KEY    NAME  PATH    RANK
1   foo    Foo   /foo    1
2   foo-a  FooA  /foo/a  3
3   foo-b  FooB  /foo/b  4
4   bar    Bar   /bar    2
Table 1
Configuring user permissions:
A user permission is a JSON field made up of a permission domain, a permission field and a permission value, in the format:
The permission field consists of a permission ID followed by a permission bit, and defines the exact position to which the permission is attached.
For example, to locate the leaf node of foo-a, the permission field is 2!, where 2 is the permission ID of foo-a and ! is the leaf-node marker. To locate all child nodes of foo, the permission field is 1*, where 1 is the permission ID of foo and * is the child-branch marker. When the view permission on foo-a is granted to a user, the corresponding authorization is:
{
    "scopeA": {
        "2!": 1 ...
    }
}
Configuring group permissions:
Note that group permissions are configured in the same way as user permissions, except that the permission belongs to a group rather than to a particular user. When the view and modify permissions on foo are granted to a group, the view permission value is 1 and the modify permission value is 2, so to grant both at once the permission value is set to 1+2=3, and the corresponding authorization is:
{
    "scopeA": {
        "1*": 3 ...
    }
}
Adding a group to a user means adding the group's permission ID to the list of groups the user belongs to, which lets the user inherit all permissions of that group. The merge rules are: permissions in the same permission domain are merged together, and different permission domains are merged domain by domain. A group added later has higher priority, and the user's own user permission has the highest priority, i.e. group 1 permission < group 2 permission < ... < last group permission < the user's own user permission. When both the permission ID and the permission bit are the same, the higher-priority configuration directly overrides the lower-priority one.
Specifically: first obtain the user's groups, then obtain the user's user permission and the group permission of each group, and finally merge them in priority order to produce the final permission. In this embodiment the user permission and the group permission are both in permission domain scopeA, so the result of merging them is:
{
    "scopeA": {
        "1*": 3,
        "2!": 1 ...
    }
}
Note that two different permission domains are peers and are placed side by side; later permission checks are carried out within the corresponding permission domain. When the user permission and the group permission are in different permission domains, i.e. the user permission is in scopeA and the group permission is in scopeB, the merged result is:
{
    "scopeA": {
    },
    "scopeB": {
    }
}
The rule above, that the higher-priority configuration directly overrides the lower-priority one when both the permission ID and the permission bit are the same, applies when multiple authorization sources assign different values to the same permission. For example, if the user's permission on the 2! bit under scopeA is 3 while the permission on 2! under scopeA in a group the user belongs to is 1, then on merging, because the user's own priority is higher than the group's, the final permission on 2! is 3.
Permission check:
A permission check starts at the current node and works upward. If a permission value is configured on the current node's leaf bit !, a bitwise AND (&) determines whether the license is held. If nothing is configured on the current node, look up the permission configuration of the parent node: if it is configured, check for the license there; otherwise continue upward. Note that when checking the parent node's configuration, the permission on the parent's * bit must be checked, because only the * bit controls the permissions of child nodes; ! controls only the current leaf node.
Check whether the above user has the view/modify permission on foo-a:
The leaf-node permission field for foo-a is 2!, which is configured in the authorization with value 1. The view permission value is 1; the bitwise AND (&) gives 1&1=1, which equals the view permission value, so the check passes. The modify permission value is 2; the bitwise AND (&) with the authorization value gives 1&2=0, which is not equal to 2, so the check fails.
Check whether the above user has the view/modify permission on foo-b:
The leaf-node permission field for foo-b is 3!, which is not configured in the authorization, so the permission configuration of the parent node is looked up. The parent of foo-b is foo, whose child-node permission field is 1*; it is configured in the authorization with value 3. The view permission value is 1; 1&3=1, so the check passes. The modify permission value is 2; 2&3=2, so the check passes.
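The import, merge and check steps of this embodiment, as an added Python example that is not part of the patent text. The function names, the in-memory dict standing in for the database table, the bare "*" field used for the domain-wide position, and the deny result when nothing is configured are assumptions; the lookup order follows the foo-b!, foo-b*, foo*, * sequence given for the nearest principle.

```python
import configparser

# Constructed sample: the scopeA ini file from the embodiment above.
SCOPE_A_INI = """
[foo]
name=Foo
path=/foo
rank=1
[foo-a]
name=FooA
path=/foo/a
rank=3
[foo-b]
name=FooB
path=/foo/b
rank=4
[bar]
name=Bar
path=/bar
rank=2
"""

VIEW, EDIT, EXEC, ALL = 1, 2, 4, -1  # permission values from step S02


def import_domain(ini_text):
    """S01: give each level key a unique ID in file order (stand-in for the DB table)."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return {key: i for i, key in enumerate(parser.sections(), start=1)}


def merge(group_grants, user_grants):
    """S03/S04: merge per domain; later groups override earlier ones, the user overrides all."""
    merged = {}
    for grants in [*group_grants, user_grants]:
        for domain, fields in grants.items():
            merged.setdefault(domain, {}).update(fields)
    return merged


def lookup_order(key, ids):
    """Nearest principle: key!, key*, each ancestor's *, then the domain-wide *."""
    parts = key.split("-")
    order = [f"{ids[key]}!"]
    for depth in range(len(parts), 0, -1):
        ancestor = "-".join(parts[:depth])
        if ancestor in ids:
            order.append(f"{ids[ancestor]}*")
    order.append("*")
    return order


def effective_value(grants, domain, key, ids):
    """Return the first configured value along the lookup order, or 0 if none."""
    fields = grants.get(domain, {})
    for field in lookup_order(key, ids):
        if field in fields:
            return fields[field]
    return 0  # assumption: nothing configured means no permission


def is_allowed(grants, domain, key, ids, required):
    """Bitwise AND check: every required bit must be present in the effective value."""
    return (effective_value(grants, domain, key, ids) & required) == required


if __name__ == "__main__":
    ids = import_domain(SCOPE_A_INI)
    group = {"scopeA": {"1*": VIEW + EDIT}}  # group: view and modify on foo's children
    user = {"scopeA": {"2!": VIEW}}          # user: view on the foo-a leaf
    final = merge([group], user)
    for key in ("foo-a", "foo-b", "bar"):
        print(key, {name: is_allowed(final, "scopeA", key, ids, bit)
                    for name, bit in (("view", VIEW), ("edit", EDIT))})
```

Because the nearest configured value wins outright, the user's narrower grant on 2! masks the group's broader 1* grant for foo-a, which is why the modify check on foo-a fails while the same check on foo-b passes.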
The above shows and describes preferred embodiments of the invention. As stated, the invention is not limited to the forms disclosed here, which should not be taken as excluding other embodiments; it can be used in various other combinations, modifications and environments, and can be changed within the scope of the inventive concept described here through the above teaching or the skill or knowledge of the related art. Changes and variations made by those skilled in the art that do not depart from the spirit and scope of the invention shall all fall within the protection scope of the appended claims.

Claims (9)

1. A permission configuration method, characterized by comprising the following steps:
S01: configure a hierarchical permission domain, which is a tree structure with an unlimited number of levels, and import the configuration file of the hierarchical permission domain into a database;
S02: set permission bits and permission values, and configure user permissions and group permissions at the nodes of the corresponding hierarchical permission domain according to the database, the hierarchical permission domain, the permission bits and the permission values;
S03: add groups to a user so that the user inherits the group permissions of each group;
S04: set the priority among the group permissions of the groups added to the user, and the priority between group permissions and user permissions.
2. The permission configuration method according to claim 1, characterized in that: in step S01, the configuration file of the hierarchical permission domain includes the key, name, path and rank of each level.
3. The permission configuration method according to claim 2, characterized in that: step S01 further includes the database assigning a unique permission ID to the key of each level in the configuration file.
4. The permission configuration method according to claim 3, characterized in that: in step S02, "according to the database" means according to the permission ID of each level's key in the database.
5. The permission configuration method according to claim 4, characterized in that: in step S03, adding a group to a user means adding the group's permission ID to the list of groups the user belongs to.
6. The permission configuration method according to claim 1, characterized in that: in step S02, the permission bits include ! and *; ! denotes the leaf node, where the permission value applies only to the current node; * denotes all child nodes, where the permission value is applied to all child nodes of this node.
7. The permission configuration method according to claim 1, characterized in that: in step S02, the permission value is binary.
8. The permission configuration method according to claim 1, characterized in that: in step S04, the priority among group permissions is such that a group added later has higher priority than a group added earlier, and the priority of the user permission is higher than that of the group permissions.
9. The permission configuration method according to claim 1, characterized in that it further comprises step S05: obtain the groups of the user, obtain the user permission of the user and the group permission of each group, and check the group permissions and the user permission.

Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201610723886.1A    2016-08-25      2016-08-25    A kind of authority configuring method

Publications (1)

Publication Number   Publication Date
CN106301940A         2017-01-04

Family ID: 57616427

Country Status (1)

Country   Link
CN (1)    CN106301940A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20170104