CN107342992B - System authority management method and device and computer readable storage medium - Google Patents


Info

Publication number: CN107342992B
Authority: CN (China)
Prior art keywords: user, authority, interface service, authorization, authentication
Legal status: Active
Application number: CN201710512825.5A
Other languages: Chinese (zh)
Other versions: CN107342992A (en)
Inventor: 王平
Current assignee: Shenzhen Media Home Culture Communication Co., Ltd
Original assignee: Shenzhen Media Home Culture Communication Co., Ltd
Events: application filed by Shenzhen Media Home Culture Communication Co., Ltd; priority to CN201710512825.5A; publication of CN107342992A; application granted; publication of CN107342992B; legal status active.

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/10  Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/08  Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/083  Network architectures or network communication protocols for network security for authentication of entities using passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a system authority management method, a device and a computer readable storage medium. The method comprises the following steps: associating a button in the system resources with its corresponding meta-operation through an interface service; establishing a correspondence between a user and a right through a role, where the right corresponds to a system resource, the interface service is described by authorization marks, the authorization marks correspond one-to-one with interface services, and the button is associated with the authorization marks; and, when user authority is assigned, assigning the authorization mark to the user and judging whether the user has the authority for the corresponding interface service by verifying the authorization mark; if so, the user is allowed to execute the meta-operation associated with the interface service. The invention solves the technical problem of coarse permission granularity when system permissions are assigned using role-based access control in the prior art.

Description

System authority management method and device and computer readable storage medium
Technical Field
The present invention relates to the field of rights management technologies, and in particular, to a method and an apparatus for managing system rights, and a computer-readable storage medium.
Background
Network systems used by users need authority management, which belongs to the category of system security: it controls user access to the system so that, according to a security rule or security policy, a user can access only the authorized resources. Authority management comprises two parts, user identity authentication and authorization, called authentication and authorization for short. A user who needs access to a controlled resource is first authenticated, and after authentication passes the user can access the resource according to their access authority.
Role-based access control (RBAC) is widely used in authority management. In RBAC, users and roles are in a many-to-many relationship, roles and authorities are in a many-to-many relationship, and the relationship between a user and an authority is established through the role: a role is a set of authorities, and an authority represents a system resource (such as a menu, button or page).
In most systems the correspondence between users and roles is essentially the same, but the description of authorities over system resources differs greatly. In a typical system, resources can be divided into three types: directories, menus and buttons; a directory manages menus, a menu links to a page, and a button corresponds to an operation (such as query, add, modify or delete). Button assignment schemes differ, and there are two common ones. In the first, a button is labelled (query, add, modify or delete) and the user is bound to the label. In the second, the button is labelled, the label is associated with the button's uniform resource locator (URL), the user obtains the legal URLs through the labels, and an interceptor blocks illegal URLs. The first scheme only hides unassigned buttons on the page; since URLs are not intercepted, the user can still access an illegal (that is, unassigned) URL. The second scheme improves on this defect: URLs are bound to the labels, an interceptor blocks illegal URLs, buttons are displayed dynamically on the page, and illegal requests are shielded. It still has a defect, however. Suppose the system has the menus Menu1, Menu2 and Menu3 and the user is assigned the query authority of Menu1; in practice the user can also reach the query buttons of Menu2 and Menu3, because the labels on the buttons make the authority granularity coarse, so the system's authority assignment has holes and falls short of the ideal.
The authority assignment scheme in such a system is implemented only according to current needs; for example, a user assigned the query right has the query right for all services, and this rough assignment carries potential security problems. The authority relationship of the current system is shown in fig. 3: a button type is bound to all of its corresponding interface services, so after authority assignment the user obtains all interfaces of one or more button types, illegal URL access cannot be effectively shielded, and a potential security hazard results.
Disclosure of Invention
The invention mainly aims to provide a system authority management method, a device and a computer readable storage medium, aiming at solving the technical problem of coarse authority granularity when system authorities are assigned with role-based access control (RBAC) in the prior art.
In order to achieve the above object, the present invention provides a system right management method, which comprises the following steps:
associating a button in the system resources with its corresponding meta-operation through an interface service;
establishing a correspondence between a user and a right through a role, where the right corresponds to a system resource, the interface service is described by authorization marks, the authorization marks correspond one-to-one with interface services, and the button is associated with the authorization marks;
when user authority is assigned, assigning the authorization mark to the user and judging whether the user has the authority for the corresponding interface service by verifying the authorization mark; and if so, allowing the user to execute the meta-operation associated with the interface service.
In general, system resources may be divided into a directory, a menu, and a button, where the directory is used to manage the menu, the menu is connected to a page, and the page displays the button.
Furthermore, one button is associated with a plurality of authorization marks, the authorization marks are authority character strings, and the interface service is described through the authority character strings.
Further, before user authority distribution, the system is started, user identity verification is carried out, identity data submitted by a user are obtained, the identity data are compared with authentication domains, when the identity data accord with one of the authentication domains, authentication success is judged, and authentication domain information with the authentication success is returned.
Furthermore, an authority list formed by the authorization mark set corresponding to the interface service is stored in the authentication domain, and when user authority distribution is carried out, the authority list is read from the authentication domain according to roles found by users and roles inquiry authority.
Further, the authentication domain is any one of a relational database, a cache server, and a configuration file.
Furthermore, all information after the user logs in is recorded through the session, and the result of the user authority distribution is kept in one session.
Based on the same inventive concept, in another aspect, the present invention provides a system right management apparatus, including: the system comprises a memory, a processor and a right management program which is stored on the memory and can run on the processor, wherein the right management program realizes the following steps of the system right management method when being executed by the processor:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
Further, when executed by the processor, the rights management program further implements the following steps of the system rights management method:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
starting a system and carrying out user identity verification, acquiring identity data submitted by a user, comparing the identity data with authentication domains, judging that the authentication is successful and returning the authentication domain information of the authentication success when the identity data accords with one of the authentication domains;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
Further, when executed by the processor, the rights management program further implements the following steps of the system rights management method:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
starting a system and carrying out user identity verification, acquiring identity data submitted by a user, comparing the identity data with authentication domains, judging that the authentication is successful and returning the authentication domain information of the authentication success when the identity data accords with one of the authentication domains;
an authority list formed by the authorization mark set corresponding to the interface service is stored in the authentication domain, and when user authority distribution is carried out, the authority list is read from the authentication domain according to the role found by the user and the role inquiry authority;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
Further, when executed by the processor, the rights management program further implements the following steps of the system rights management method:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; if yes, allowing the user to execute the meta-operation corresponding to the interface service association;
and recording all information of the user after logging in through the session, and keeping the result of the user authority distribution in one session.
Based on the same inventive concept, in another aspect, the present invention further provides a computer-readable storage medium, wherein the computer-readable storage medium stores a rights management program, and the rights management program, when executed by the processor, implements the steps of the system rights management method as described above.
The system authority management method, device and computer readable storage medium of the invention describe meta-operation authorities by annotating authorization marks, that is, authority character strings, on the interface services from the perspective of system resources. When authorities are assigned to a user, all the work is done by configuring authorization marks; the system then judges whether the user is legal and whether the accessed interface is legal, achieving safe and configurable authority assignment. The problem of coarse role-based access control (RBAC) permission granularity is solved: authorization marks (permission character strings) are stamped on the interface services, one or more authorization marks are bound to each button, and permission assignment at the smallest granularity is achieved, giving safe and reliable permission assignment. System resource data such as directories, menus and buttons are configurable, the role-based access control (RBAC) module does not need to be maintained, and the module is completely encapsulated.
Drawings
FIG. 1 is a block diagram of a RBAC-based general rights management system;
FIG. 2 is a flow diagram of a rights enforcement process for a RBAC-based general rights management system;
FIG. 3 is a block diagram of a prior RBAC-based rights assignment relationship;
FIG. 4 is a flowchart of a first system rights management method according to an embodiment of the invention;
FIG. 5 is a flowchart of a second system rights management method according to an embodiment of the invention;
FIG. 6 is a flow chart of a third method for managing system permissions according to an embodiment of the present invention;
FIG. 7 is a flowchart illustrating a fourth method for managing system permissions according to an embodiment of the present invention;
FIG. 8 is a block diagram of the rights assignment relationship structure of the system rights management apparatus according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the following description, suffixes such as "module", "part", or "unit" used to denote elements are used only for facilitating the description of the present invention, and have no specific meaning by themselves. Thus, "module", "component" or "unit" may be used mixedly.
The authority management system is an indispensable part of an application system, and the authority management is to explicitly grant or limit the access capability and range through some way, so as to limit the access to key resources and prevent the intrusion of illegal users or the damage caused by the careless operation of legal users. With the development of computer technology and applications, especially the development of the internet, the demand of application systems for rights management is rapidly increasing. People have made great results in the research aspect of the authority management technology, and various authority management access control technologies appear in sequence, such as an autonomous authority management autonomous access control technology DAC and a mandatory access control technology MAC. With the increasing complexity of rights management, people generally feel that the rights management technologies of DAC and MAC cannot meet the security requirements of the application systems which are becoming more and more complex nowadays, and therefore, a role-based rights management technology RBAC is proposed.
The RBAC technology includes five basic data elements: users (USERS), roles (ROLES), objects (OBS), operations (OPS) and permissions (PRMS). Authority is granted to a role, the role is assigned to a user, and the user thereby holds the authority for the role's meta-operations. The meta-operation is the smallest unit of authority management. To check whether a user has the authority to execute a meta-operation when the user requests it (for example, requests access to the network resource at a Uniform Resource Locator (URL)), RBAC allocates role identifiers to the user, so that the user's role can be determined from the role identifiers, and then the authority of that role's meta-operations is determined.
As shown in fig. 1, an RBAC-based general rights management system is provided, which employs the rights system described below:
firstly, the authority system is divided into three layers of roles, function groups and basic authorities.
Secondly, according to the needs of enterprises, all possible operations are divided in detail, and all basic rights are determined.
Finally, the related authorities can be combined into function groups, and several function groups are combined into a role. One user can serve several roles.
Through the layering, the whole authority management system can flexibly and effectively control the user to access the system data and manage the user operation.
The goal of the rights management system is to achieve the rights management described above. First, based on an analysis of the system, all basic rights of the system are determined. On this basis, the authority system administrator is then given the functionality to flexibly organize and arrange function groups and roles and to assign the corresponding roles to users. The sub-systems of the authority management system are as follows: function group management, role management and user-role assignment, together with an interface for checking, according to the authority assignment, whether a specific user has a certain basic authority, password modification for all users, query functions, online user management, log management and so on.
The system realizes its functions by clearly identifying the authorities obtained through a role as functional authorities; where entity rights are present, the entity object is selected as well. A user who obtains a role can then perform the specific authority operations on the entity object; afterwards the authority is modified and the authority record refreshed until authority management is complete. The specific authority implementation flow is shown in fig. 2:
The login subsystem is a module every system should have, and the login interface is the precondition for entering the system. In the login interface the user is required to enter the correct user name and password; when the user name and the entered password do not match, a dialog box prompts "password error, please re-enter".
The user operation subsystem comprises a function for querying system information and a function for maintaining it. For querying, the main characteristic is that both whole-system queries and concrete queries are supported, so the user can query the system as needed: for example, which roles have which permissions, or which specific permissions a colleague has. In the query module the user selects the specific operation according to the content they want to know. For maintenance, the main use is modifying the user's password. Since the system operator assigns rights uniformly when the user starts using the system and initializes the user's information (password and rights), the rights are not changeable from the user's point of view, but the password is: the user can set the password according to their own preference and habit, and the new password replaces the original one in the user information.
The core of the authority management system is managing the authority of users, and the specific authority management is carried out by the system operator. Therefore, to simplify authority management, the management of the authority system is divided into three small modules: a module for managing users, a module for managing roles and a module for managing authority groups.
The rights management system is divided into coarse-grained and fine-grained authority control. Coarse-grained rights management is rights management over resource types, such as menus, URL links, the user-add page, user information, classification methods and buttons on a page; for example, the administrator may access all pages such as the user-add page and user information. Fine-grained rights management is rights management over resource instances, that is, concrete instances of a resource type, such as the modify link for the user with id 001, the user information of shift 1110, or an employee of the administration department.
Implementation based on URL interception is the more common approach. For a web system, URL interception is implemented with a filter, and URL-based interception can also be implemented with a Spring MVC interceptor.
In view of the above technical problems, embodiments of the method of the present invention are provided based on the above rights management system.
Example 1
To achieve the above object, as shown in fig. 4, the present invention provides a system right management method, which includes the following steps:
S101, associating a button in the system resources with its corresponding meta-operation through an interface service;
S102, establishing a correspondence between a user and a right through a role, where the right corresponds to a system resource, the interface service is described by authorization marks, the authorization marks correspond one-to-one with interface services, and the button is associated with the authorization marks;
S103, when user authority is assigned, assigning the authorization mark to the user and judging whether the user has the authority for the corresponding interface service by verifying the authorization mark; and if so, allowing the user to execute the meta-operation associated with the interface service.
In general, system resources may be divided into a directory, a menu, and a button, where the directory is used to manage the menu, the menu is connected to a page, and the page displays the button.
Wherein the meta-operation is the smallest unit of rights management, such as query, add, modify, delete, etc.
One button is associated with multiple authorization marks; the authorization marks are authority character strings, and the interface service is described through these strings.
In this method the Uniform Resource Locator (URL) is the smallest authority granule. A URL is associated with a corresponding interface service, and a button may access more than one interface. Authority marks (that is, authority character strings) are attached to an interface through annotations (metadata, code-level descriptions) when the interface is developed, the button is associated with the authority marks of its interfaces, and the button is placed at the level below a menu tree node. When authority is assigned, selecting a menu also selects its buttons. After logging in, the user is bound to the assigned directories, menus, button authority marks and interface authority marks; when the user accesses a URL, it is matched against the interface's authority marks, and an illegal URL is intercepted at the interface layer, achieving safe and reliable authority assignment.
As shown in fig. 8, authority is assigned to the buttons at the level below the menu tree. Buttons are associated with authorization marks, one button corresponds to multiple authorization marks, and the authorization marks correspond one-to-one with interfaces. A mark is a resource identifier that states which resource of which module is operated, and authority strings support wildcards: ":" separates namespace parts, "," separates resources, and "*" means any resource may be operated. For example, "system:user:query" denotes the query authority in the user management of the system, "system:user:query,system:user:create" denotes the query and create authorities in the user management of the system, and "system:user:*" denotes all authorities of the system's user management.
As shown in fig. 5, the second system right management method provided by the present invention includes the following steps:
S201, associating a button in the system resources with its corresponding meta-operation through an interface service;
S202, establishing a correspondence between a user and a right through a role, where the right corresponds to a system resource, the interface service is described by authorization marks, the authorization marks correspond one-to-one with interface services, and the button is associated with the authorization marks;
S203, starting the system and performing user identity verification: acquiring the identity data submitted by the user, comparing it with the authentication domains, and when the identity data matches one of the authentication domains, judging that authentication succeeded and returning the authentication domain information of the successful authentication;
S204, when user authority is assigned, assigning the authorization mark to the user and judging whether the user has the authority for the corresponding interface service by verifying the authorization mark; and if so, allowing the user to execute the meta-operation associated with the interface service.
The user submits identity data (generally an account, a password, a verification code and so on), and authentication is performed by the system's authenticator. The authenticator is implemented by an authentication strategy, of which there are generally three for the case of multiple authentication domains: first, as long as one authentication domain authenticates successfully, return the authentication information of that first domain; second, as long as one authentication domain authenticates successfully, return the authentication information of all the domains that succeeded, which differs from the first strategy; third, all authentication domains must authenticate successfully and the authentication information of all of them is returned, and if any one fails, the authentication fails. For the case of multiple accounts, such as the different authentication domains for an email account, a mobile phone number and an employee number, the second authentication strategy is preferably adopted.
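The three authentication strategies described above, as an added example written for this page (not the patent's own code); the domain names, account data and the unsalted sha256 credential storage are constructed assumptions for the sample:

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    """Identity data submitted at login (account plus password)."""
    account: str
    password: str


@dataclass(frozen=True)
class AuthInfo:
    """Authentication information returned by one authentication domain."""
    realm: str
    principal: str


def _digest(password):
    # Unsalted sha256 only for the constructed sample; a real domain uses a
    # salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


class Realm:
    """One authentication domain (the page allows a database, cache server or
    configuration file); it knows some accounts and their stored digests."""

    def __init__(self, name, credentials):
        self.name = name
        self._creds = credentials  # account -> digest of the password

    def authenticate(self, token):
        stored = self._creds.get(token.account)
        if stored is None:
            return None  # this domain does not know the account
        # constant-time comparison of stored and submitted digests
        if not hmac.compare_digest(stored, _digest(token.password)):
            return None
        return AuthInfo(self.name, token.account)


# Constructed sample domains: alice is known to both the email domain and a
# legacy ldap domain, bob only to the email domain; the phone-number and
# employee-number domains hold other accounts.
REALMS = [
    Realm("email", {"alice@example.com": _digest("s3cret"),
                    "bob@example.com": _digest("hunter2")}),
    Realm("ldap", {"alice@example.com": _digest("s3cret")}),
    Realm("phone", {"13800000000": _digest("s3cret")}),
    Realm("jobno", {"E1001": _digest("s3cret")}),
]


def first_successful(realms, token):
    """Strategy 1: stop at the first domain that succeeds, return only its info."""
    for realm in realms:
        info = realm.authenticate(token)
        if info is not None:
            return [info]
    return []


def at_least_one_successful(realms, token):
    """Strategy 2: try every domain and return the info of all that succeeded."""
    infos = []
    for realm in realms:
        info = realm.authenticate(token)
        if info is not None:
            infos.append(info)
    return infos


def all_successful(realms, token):
    """Strategy 3: every domain must succeed; a single failure fails the login."""
    infos = [realm.authenticate(token) for realm in realms]
    if any(info is None for info in infos):
        return []
    return infos


def login(token, strategy=at_least_one_successful, realms=REALMS):
    """Authenticator: an empty result from the strategy means authentication failed.
    The default is the second strategy, which the page prefers for multi-account users."""
    infos = strategy(realms, token)
    if not infos:
        raise PermissionError("authentication failed")
    return infos
```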
As shown in fig. 6, the third method for managing system rights provided by the present invention includes the following steps:
s301, associating a button in a system resource with a corresponding element operation through an interface service;
s302, establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
s303, starting a system and carrying out user identity verification, acquiring identity data submitted by a user, comparing the identity data with authentication domains, judging that the authentication is successful and returning the authentication domain information of the authentication success when the identity data accords with one of the authentication domains;
s304, an authority list formed by the set of authorization marks corresponding to the interface services is stored in the authentication domain; when user authority is distributed, the role is found according to the user, the rights are queried according to the role, and the authority list is read from the authentication domain;
s305, when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
Authorization, i.e. rights assignment, is performed by the authorizer, which controls whether the user has the right to perform an operation, i.e. which functions in the application the user can access. A role aggregates a set of permissions that control who can access which resources. That is, the role is found according to the user, the rights are found according to the role, and the rights list is read from the authentication domain. This way can also be called permission-based access control, and its general rule is "resource identifier:operation", i.e. a fine-grained description of a resource class. Whether the user has the authority to access an interface is judged by verifying the authority string. For example, modifying a user's information uses two interfaces: the first queries the user, the second submits the modification, and the authority strings of the two interfaces are "system:user:query" and "system:user:update". As long as the user is assigned these two authority strings, rights assignment at the smallest granularity is achieved.
The authentication domain may be a relational database, a cache server, or even a configuration file. In this scheme the authentication domain is placed in the MySQL relational database, and both user verification and authority assignment read their information from MySQL.
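The authorizer and the two-interface example above, as an added Python example that is not the patent's code: roles aggregate permission strings, interface services carry exactly one authorization mark each, and a button is bound to the interface services it calls, so the meta-operation behind the button is allowed only when the user holds the mark of every one of them. The URLs `/api/user/query` and `/api/user/update`, the role names and the user names are constructed sample data; the check is an exact string comparison, and an interface service without an authorization mark is denied by default.

```python
"""Permission-string authorization with roles, interface services and buttons.

Added example, not code from the patent. Users map to roles, roles map to
permission strings of the form "resource:operation", each interface service
(URL) carries one authorization mark, and each button is bound to one or more
interface services. All names and URLs are constructed sample data.
"""
from typing import Dict, FrozenSet, List, Set


class Authorizer:
    def __init__(self) -> None:
        self.role_permissions: Dict[str, Set[str]] = {}    # role -> right list
        self.user_roles: Dict[str, Set[str]] = {}          # user -> roles
        self.interface_mark: Dict[str, str] = {}           # URL -> authorization mark
        self.button_interfaces: Dict[str, List[str]] = {}  # button -> URLs it calls

    # ---- configuration ----------------------------------------------------
    def define_role(self, role: str, permissions: List[str]) -> None:
        self.role_permissions.setdefault(role, set()).update(permissions)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def annotate_interface(self, url: str, mark: str) -> None:
        # authorization marks and interface services correspond one to one;
        # reusing a mark would let one grant silently cover two interfaces
        if url in self.interface_mark or mark in self.interface_mark.values():
            raise ValueError(f"{url!r} / {mark!r} would break the one-to-one mapping")
        self.interface_mark[url] = mark

    def bind_button(self, button: str, urls: List[str]) -> None:
        unknown = [u for u in urls if u not in self.interface_mark]
        if unknown:
            raise ValueError(f"unannotated interface services: {unknown}")
        self.button_interfaces[button] = list(urls)

    # ---- rights assignment and verification -------------------------------
    def permissions_of(self, user: str) -> FrozenSet[str]:
        """Find roles by user, query rights by role, and return the right list."""
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return frozenset(perms)

    def is_permitted(self, user: str, mark: str) -> bool:
        """Verify one authority string against the user's assigned marks."""
        return mark in self.permissions_of(user)

    def can_access(self, user: str, url: str) -> bool:
        """An interface service without a mark is never accessible (deny by default)."""
        mark = self.interface_mark.get(url)
        return mark is not None and self.is_permitted(user, mark)

    def button_enabled(self, user: str, button: str) -> bool:
        """The meta-operation is allowed only if every interface behind the button is."""
        urls = self.button_interfaces.get(button, [])
        return bool(urls) and all(self.can_access(user, u) for u in urls)


def build_sample() -> Authorizer:
    """Constructed configuration mirroring the query/update example in the text."""
    az = Authorizer()
    az.define_role("auditor", ["system:user:query"])
    az.define_role("user_admin", ["system:user:query", "system:user:update"])
    az.assign_role("alice", "user_admin")
    az.assign_role("bob", "auditor")
    az.annotate_interface("/api/user/query", "system:user:query")
    az.annotate_interface("/api/user/update", "system:user:update")
    az.bind_button("modify_user", ["/api/user/query", "/api/user/update"])
    az.bind_button("view_user", ["/api/user/query"])
    return az


if __name__ == "__main__":
    az = build_sample()
    for user in ("alice", "bob"):
        print(user, "modify_user:", az.button_enabled(user, "modify_user"),
              "view_user:", az.button_enabled(user, "view_user"))
```

Note that `can_access` is checked per interface service, not only when the button is rendered: hiding a button is a usability measure, while the authority string on the interface service is the actual control, so the server must verify it on every request regardless of what the client displayed.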
As shown in fig. 7, a fourth method for managing system rights provided by the present invention includes the following steps:
s401, associating the buttons in the system resources with corresponding element operations through interface services;
s402, establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
s403, when user authority is distributed, distributing the authorization mark to the user, and judging whether the user has the corresponding interface service authority by verifying the authorization mark; if yes, allowing the user to execute the meta-operation corresponding to the interface service association;
s404, recording all information after the user logs in through the session, and keeping the result of the user authority distribution in one session.
Wherein, the authentication domain is any one of a relational database, a cache server and a configuration file.
A session is an uninterrupted sequence of requests and responses between a client and a server. For each request by a client, the server can recognize that the request is from the same client. A session is started when an unknown client sends a first request to a Web application. The session is ended when the client explicitly ends the session or the server does not accept any requests from the client within a predefined time limit. When the session is over, the server forgets the client and the client's request.
A web session can be simply understood as: a user opens a browser, accesses a certain web site, clicks a plurality of hyperlinks on the site, accesses a plurality of web resources of a server, and then closes the browser, wherein the whole process is called a session. The first request sent by a client to a Web application server may not be the first interaction of the client with the server. The first request refers to a request that requires a session to be created. We refer to the first request because it is the start (logically) of the count of multiple requests and the server starts remembering the client's request. For example, when a user logs in or adds an item to a shopping cart, a session must be initiated.
The session manager manages the session creation, maintenance, deletion, verification and other work of all users, and can conveniently acquire the relevant information of the users from the current session.
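The session manager described above, as an added Python example (not the patent's code): it keeps the result of the user's rights assignment for the lifetime of one session, treats a session whose idle time exceeds a predefined limit as ended (the server forgets the client), and deletes a session on explicit logout. The idle timeout value, the injectable clock and the sample user names are assumptions of this example.

```python
"""Session manager: create, validate, maintain and delete user sessions.

Added example, not code from the patent. The result of rights assignment
(the user's authorization marks) is computed once at login and kept in the
session; every later request is authorised from the session alone. The
timeout value and user data are constructed sample values.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass
class Session:
    session_id: str
    user: str
    permissions: FrozenSet[str]  # result of rights assignment, fixed for this session
    created_at: float
    last_seen: float
    attributes: Dict[str, str] = field(default_factory=dict)  # other post-login information


class FakeClock:
    """Controllable clock so the timeout can be exercised without sleeping."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class SessionManager:
    def __init__(self, idle_timeout: float, clock=time.monotonic) -> None:
        self.idle_timeout = idle_timeout  # predefined limit after which the client is forgotten
        self.clock = clock
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, permissions: Iterable[str]) -> str:
        """Start a session at login; the id is random so it proves only possession."""
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness, unrelated to the user
        now = self.clock()
        self._sessions[sid] = Session(sid, user, frozenset(permissions), now, now)
        return sid

    def validate(self, sid: str) -> Optional[Session]:
        """Return the live session for an id, or None if unknown or idle too long."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.idle_timeout:
            self.delete(sid)  # session over: the server forgets the client
            return None
        session.last_seen = now  # each recognised request keeps the session alive
        return session

    def delete(self, sid: str) -> None:
        """End a session explicitly (logout) or after expiry."""
        self._sessions.pop(sid, None)

    def is_permitted(self, sid: str, mark: str) -> bool:
        """Authorise a request from the rights kept in the current session."""
        session = self.validate(sid)
        return session is not None and mark in session.permissions

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    clock = FakeClock()
    manager = SessionManager(idle_timeout=1800, clock=clock)
    sid = manager.create("alice", ["system:user:query", "system:user:update"])
    print("update allowed:", manager.is_permitted(sid, "system:user:update"))
    clock.advance(3600)
    print("after idle timeout:", manager.validate(sid))
```

Because the permission set is frozen into the session at login, a change to the user's roles takes effect only at the next login; a deployment that needs immediate revocation must delete the affected sessions (or re-read the right list from the authentication domain) when rights are changed.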
Example 2
Based on the same inventive concept, in another aspect, the present invention provides a system right management apparatus, including: the system comprises a memory, a processor and a right management program which is stored on the memory and can run on the processor, wherein the right management program realizes the following steps of the system right management method when being executed by the processor:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
On the basis of a role-based access control technology, when the operation authority of system resources is distributed, a label, namely an authorization mark, is set on an interface service, the authorization label corresponds to an interface one by one, and then the interface is associated with a button, so that when the authority is distributed, whether a user has the corresponding operation authority can be judged only by configuring the authorization label of the button. If yes, allowing the user to execute the meta-operation corresponding to the interface service association, and otherwise refusing the user to execute the meta-operation corresponding to the interface service association. Meta-operations may be specific operational steps of delete, save, view, etc.
Wherein, when executed by the processor, the rights management program further implements the steps of the system rights management method as follows:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
starting a system and carrying out user identity verification, acquiring identity data submitted by a user, comparing the identity data with authentication domains, judging that the authentication is successful and returning the authentication domain information of the authentication success when the identity data accords with one of the authentication domains;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
For the identity authentication of a user, a relationship between the user and a role needs to be established; the role is a set of permissions, and the permissions represent system resources (such as menus, buttons, pages and the like). The identity data stored in advance in the authentication domain is compared with the identity data submitted by the user, so that the identity of the user is identified and the correspondence between the role and the user is established; the relation between the user and the rights can then be established through the role, and rights assignment can be carried out for the user.
Wherein, when executed by the processor, the rights management program further implements the steps of the system rights management method as follows:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
starting a system and carrying out user identity verification, acquiring identity data submitted by a user, comparing the identity data with authentication domains, judging that the authentication is successful and returning the authentication domain information of the authentication success when the identity data accords with one of the authentication domains;
an authority list formed by the set of authorization marks corresponding to the interface services is stored in the authentication domain, and when user authority distribution is carried out, the role is found according to the user, the rights are queried according to the role, and the authority list is read from the authentication domain;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
The authorization tokens of the interfaces, i.e. the authority strings on the interfaces, form the authority list stored in the authentication domain, which may be a relational database, a cache server, or even a configuration file. After the user has been related to the rights through the role, the authorization marks are assigned to the user by reading the authority list.
Wherein, when executed by the processor, the rights management program further implements the steps of the system rights management method as follows:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; if yes, allowing the user to execute the meta-operation corresponding to the interface service association;
and recording all information of the user after logging in through the session, and keeping the result of the user authority distribution in one session.
The session manager manages the session creation, maintenance, deletion, verification and other work of all users, and the relevant information of the user can be conveniently acquired from the current session.
Example 3
Based on the same inventive concept, in another aspect, the present invention further provides a computer-readable storage medium, wherein the computer-readable storage medium stores a rights management program, and when the rights management program is executed by the processor, the following steps of the system rights management method are implemented:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; if yes, allowing the user to execute the meta-operation corresponding to the interface service association;
wherein, when executed by the processor, the rights management program further implements the steps of the system rights management method as follows:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
starting a system and carrying out user identity verification, acquiring identity data submitted by a user, comparing the identity data with authentication domains, judging that the authentication is successful and returning the authentication domain information of the authentication success when the identity data accords with one of the authentication domains;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
Wherein, when executed by the processor, the rights management program further implements the steps of the system rights management method as follows:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
starting a system and carrying out user identity verification, acquiring identity data submitted by a user, comparing the identity data with authentication domains, judging that the authentication is successful and returning the authentication domain information of the authentication success when the identity data accords with one of the authentication domains;
an authority list formed by the set of authorization marks corresponding to the interface services is stored in the authentication domain, and when user authority distribution is carried out, the role is found according to the user, the rights are queried according to the role, and the authority list is read from the authentication domain;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; and if so, allowing the user to execute the meta-operation corresponding to the interface service association.
Wherein, when executed by the processor, the rights management program further implements the steps of the system rights management method as follows:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; if yes, allowing the user to execute the meta-operation corresponding to the interface service association;
and recording all information of the user after logging in through the session, and keeping the result of the user authority distribution in one session.
The system authority management method, device and computer readable storage medium of the invention describe the meta-operation authority from the perspective of system resources by annotating the authorization mark, namely the authority string, on the interface service. When assigning authority to a user, all the work is completed simply by configuring the authorization marks, after which whether the user is legitimate and whether the accessed interface is legitimate are judged, thereby achieving safe and configurable authority assignment. The problem that the permission granularity of role-based access control (RBAC) is too coarse is solved: authorization marks (permission strings) are attached to the interface services and one or more authorization marks are bound to each button, so that permission assignment at the smallest granularity is achieved and authority assignment is safe and reliable. System resource data such as catalogs, menus and buttons can be configured, the role-based access control (RBAC) module does not need to be maintained, and the module is completely encapsulated.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, the statement "comprises a" or "comprising" a defined element does not exclude the presence of other identical elements in the process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (7)

1. A method for system rights management, the method comprising the steps of:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks; one said button being associated with a plurality of said authorization indicia; the authorization token is an authority string through which the interface service is described;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; if yes, allowing the user to execute the meta-operation corresponding to the interface service association;
the smallest authority particle is a uniform resource locator URL, and the uniform resource locator URL is associated with the corresponding interface service;
before the user right assignment, the method further comprises the following steps: and starting the system, verifying the identity of the user, acquiring the identity data submitted by the user, comparing the identity data with the authentication domains, judging the authentication success and returning the authentication domain information with the authentication success when the identity data accords with one of the authentication domains.
2. The system right management method according to claim 1, wherein a right list formed by the sets of authorization tokens corresponding to the interface services is stored in the authentication domain, and when performing user right assignment, the role is found according to the user, the rights are queried according to the role, and the right list is read from the authentication domain.
3. The system right management method of claim 2, wherein the authentication domain is any one of a relational database, a cache server, and a configuration file.
4. The system rights management method of claim 1, the method further comprising: and recording all information of the user after logging in through the session, and keeping the result of the user authority distribution in one session.
5. A system rights management apparatus, the apparatus comprising: the system comprises a memory, a processor and a right management program which is stored on the memory and can run on the processor, wherein the right management program realizes the following steps of the system right management method when being executed by the processor:
associating the button in the system resource with the corresponding element operation through the interface service;
establishing a corresponding relation between a user and a right through a role, wherein the right corresponds to the system resource, the interface service is described by using authorization marks, the authorization marks correspond to the interface service one by one, and the button is associated with the authorization marks; one said button being associated with a plurality of said authorization indicia;
the smallest authority particle is a uniform resource locator URL, and the uniform resource locator URL is associated with the corresponding interface service;
when user authority is distributed, the authorization mark is distributed to the user, and whether the user has the corresponding interface service authority is judged by verifying the authorization mark; if yes, allowing the user to execute the meta-operation corresponding to the interface service association;
the right management program is executed by the processor to realize the following steps of the system right management method:
before user authority distribution, starting a system and carrying out user identity verification, acquiring identity data submitted by a user, comparing the identity data with authentication domains, judging that authentication is successful and returning authentication domain information which is successfully authenticated when the identity data accords with one of the authentication domains.
6. The system right distributing device of claim 5, wherein the right management program, when executed by the processor, further implements the following steps of the system right management method:
and recording all information of the user after logging in through the session, and keeping the result of the user authority distribution in one session.
7. A computer-readable storage medium, having a rights management program stored thereon, which when executed by a processor, performs the steps of the system rights management method of any of claims 1-4.
CN201710512825.5A 2017-06-27 2017-06-27 System authority management method and device and computer readable storage medium Active CN107342992B (en)

Publications (2)

Publication Number Publication Date
CN107342992A CN107342992A (en) 2017-11-10
CN107342992B true CN107342992B (en) 2020-12-08

Family

ID=60218903

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710512825.5A Active CN107342992B (en) 2017-06-27 2017-06-27 System authority management method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN107342992B (en)

Families Citing this family (37)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108289085B (en) * 2017-01-10 2021-05-07 珠海金山办公软件有限公司 Login method and device for document security management system
JP6939509B2 (en) * 2017-12-20 2021-09-22 トヨタ自動車株式会社 Service management system, service management program, and service management method
CN108196837A (en) * 2017-12-25 2018-06-22 国云科技股份有限公司 A kind of system authority control method
CN108255513B (en) * 2017-12-28 2021-03-16 平安科技(深圳)有限公司 Electronic device, springmvc-based data interface, automatic generation method of description of springmvc-based data interface, and storage medium
CN109992988A (en) * 2018-01-02 2019-07-09 ***通信有限公司研究院 A kind of data permission management method and device
CN108090374A (en) * 2018-01-09 2018-05-29 珠海迈越信息技术有限公司 A kind of multi User Privilege Management method and system
CN108319827B (en) * 2018-01-25 2020-06-02 烽火通信科技股份有限公司 API (application program interface) authority management system and method based on OSGI (open service gateway initiative) framework
CN108388604B (en) * 2018-02-06 2022-06-10 平安科技(深圳)有限公司 User authority data management apparatus, method and computer readable storage medium
CN108629484A (en) * 2018-03-30 2018-10-09 平安科技(深圳)有限公司 It attends a banquet qualification management method, apparatus and storage medium
CN108776756A (en) * 2018-06-04 2018-11-09 北京奇虎科技有限公司 Access authorization for resource management method and device
CN109088858B (en) * 2018-07-13 2021-09-21 南京邮电大学 Medical system and method based on authority management
CN109165486B (en) * 2018-08-27 2021-06-22 四川长虹电器股份有限公司 Configurable interface access authority control method
CN109446054B (en) * 2018-09-03 2023-08-25 中国平安人寿保险股份有限公司 Processing method and terminal equipment for override operation request based on big data
CN109145545A (en) * 2018-09-11 2019-01-04 郑州云海信息技术有限公司 A kind of processing method and processing device of user's operation
CN111125650A (en) * 2018-10-31 2020-05-08 北京国双科技有限公司 Page access right processing method and device, storage medium and processor
CN109766706A (en) * 2018-12-28 2019-05-17 中电科大数据研究院有限公司 A kind of more Rights Management System of data
CN111625842A (en) * 2019-02-28 2020-09-04 武汉朗立创科技有限公司 Permission control system based on RBAC
CN110569667B (en) * 2019-09-10 2022-03-15 北京字节跳动网络技术有限公司 Access control method and device, computer equipment and storage medium
CN110708298A (en) * 2019-09-23 2020-01-17 广州海颐信息安全技术有限公司 Method and device for centralized management of dynamic instance identity and access
CN112580000A (en) * 2019-09-30 2021-03-30 北京国双科技有限公司 User data processing method and device
CN110780876A (en) * 2019-10-29 2020-02-11 北京北纬通信科技股份有限公司 Web development front-end and back-end separation authority control method and system
CN111062028B (en) * 2019-12-13 2023-11-24 腾讯科技(深圳)有限公司 Authority management method and device, storage medium and electronic equipment
CN111191221B (en) * 2019-12-30 2023-05-12 腾讯科技(深圳)有限公司 Configuration method and device of authority resources and computer readable storage medium
CN111241503A (en) * 2020-01-16 2020-06-05 上海上实龙创智慧能源科技股份有限公司 Js frame-based page button authorization method
CN111526143B (en) * 2020-04-21 2022-04-19 北京思特奇信息技术股份有限公司 Method and device for realizing anti-unauthorized access of CRM system and storage medium
CN111695124A (en) * 2020-05-18 2020-09-22 北京三快在线科技有限公司 Authority control method and device, storage medium and electronic equipment
CN111835792A (en) * 2020-07-31 2020-10-27 海南中金德航科技股份有限公司 System authentication role relationship system
CN111783076A (en) * 2020-08-05 2020-10-16 绵阳市智慧城市产业发展有限责任公司 Multi-scenario normalization processing model for construction, right establishment, authorization and verification of authority resources
CN112055024B (en) * 2020-09-09 2023-08-22 深圳市欢太科技有限公司 Authority verification method and device, storage medium and electronic equipment
CN112346624B (en) * 2020-11-09 2022-04-01 福建天晴在线互动科技有限公司 Method and system for realizing menu authority of background management system
CN112347442B (en) * 2020-11-30 2023-03-21 四川长虹电器股份有限公司 User authority verification method and device
CN112989373A (en) * 2021-03-08 2021-06-18 北京慧友云商科技有限公司 Hierarchical authorization control management engine based on RBAC
CN113542214B (en) * 2021-05-31 2023-08-22 新华三信息安全技术有限公司 Access control method, device, equipment and machine-readable storage medium
CN113792270A (en) * 2021-09-29 2021-12-14 北京字跳网络技术有限公司 Authority resource configuration method and device, storage medium and electronic equipment
CN113849848B (en) * 2021-12-02 2022-03-15 上海金仕达软件科技有限公司 Data permission configuration method and system
CN114978601A (en) * 2022-04-25 2022-08-30 康键信息技术(深圳)有限公司 Authority management method, device, equipment and medium
CN115118480B (en) * 2022-06-22 2024-04-26 ***数智科技有限公司 Method and device for realizing split-weight split-domain function of Skyline system based on Openstack

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101441688A (en) * 2007-11-20 2009-05-27 阿里巴巴集团控股有限公司 User authority allocation method and user authority control method
CN101582767A (en) * 2009-06-24 2009-11-18 阿里巴巴集团控股有限公司 Authorization control method and authorization server
CN101902402A (en) * 2010-07-21 2010-12-01 中兴通讯股份有限公司 Method for managing user right and device thereof
CN102195956A (en) * 2010-03-19 2011-09-21 富士通株式会社 Cloud service system and user right management method thereof

Family Cites Families (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3715501B2 (en) * 2000-03-10 2005-11-09 アンリツ株式会社 Spanning tree bridge and route change method using the same
CN101515932B (en) * 2009-03-23 2013-06-05 中兴通讯股份有限公司 Method and system for accessing Web service safely
CN102129364B (en) * 2010-01-14 2013-09-25 中国电信股份有限公司 Method for embedding widget toolbar in application program and rapid widget accessing method
CN101917448A (en) * 2010-08-27 2010-12-15 山东中创软件工程股份有限公司 Control method for realizing RBAC access permission in application on basis of.NET
CN102955644A (en) * 2011-08-19 2013-03-06 幻音科技(深圳)有限公司 Method and system for controlling resource display
CN103530568B (en) * 2012-07-02 2016-01-20 阿里巴巴集团控股有限公司 Authority control method, Apparatus and system
CN103077028B (en) * 2012-12-28 2016-06-08 北京赛科世纪数码科技有限公司 A kind of display packing and system
CN103500297A (en) * 2013-10-11 2014-01-08 济钢集团有限公司 Fine grit authority management method in information system
US9553997B2 (en) * 2014-11-01 2017-01-24 Somos, Inc. Toll-free telecommunications management platform
CN104484482B (en) * 2014-12-31 2018-02-16 广州东海网络科技有限公司 The info web update method and system of the network platform
CN104836910A (en) * 2015-04-27 2015-08-12 陆俊 Mobile terminal application authority switching method and mobile terminal
CN106096425A (en) * 2016-06-06 2016-11-09 北京金山安全软件有限公司 System permission starting method, device and equipment

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101441688A (en) * 2007-11-20 2009-05-27 阿里巴巴集团控股有限公司 User authority allocation method and user authority control method
CN101582767A (en) * 2009-06-24 2009-11-18 阿里巴巴集团控股有限公司 Authorization control method and authorization server
CN102195956A (en) * 2010-03-19 2011-09-21 富士通株式会社 Cloud service system and user right management method thereof
CN101902402A (en) * 2010-07-21 2010-12-01 中兴通讯股份有限公司 Method for managing user right and device thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
《A permission management *** based on an improved RBAC model》; 文骁一; 《硅谷》 (Silicon Valley); 20120428; full text *
《Web applications based on role-based access control (RBAC)》; 吴限; 《中国硕士学位论文全文数据库 信息技术辑》 (China Master's Theses Full-text Database, Information Science and Technology series); 20020621; full text *

Also Published As

Publication number Publication date
CN107342992A (en) 2017-11-10

Similar Documents

Publication Publication Date Title
CN107342992B (en) System authority management method and device and computer readable storage medium
US10853805B2 (en) Data processing system utilising distributed ledger technology
CN107403106B (en) Database fine-grained access control method based on terminal user
US7827598B2 (en) Grouped access control list actions
KR100438080B1 (en) Network system, device management system, device management method, data processing method, storage medium, and internet service provision method
CN103078859B (en) Operation system right management method, equipment and system
JP2022000757A5 (en)
CN109670768A (en) Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain
US7237119B2 (en) Method, system and computer program for managing user authorization levels
US20090063448A1 (en) Aggregated Search Results for Local and Remote Services
US6678682B1 (en) Method, system, and software for enterprise access management control
US10148637B2 (en) Secure authentication to provide mobile access to shared network resources
WO2010138910A1 (en) Secure collaborative environment
JP2013008229A (en) Authentication system, authentication method and program
US8104076B1 (en) Application access control system
US20120290592A1 (en) Federated search apparatus, federated search system, and federated search method
KR101668550B1 (en) Apparatus and Method for Allocating Role and Permission based on Password
US8079065B2 (en) Indexing encrypted files by impersonating users
US20080163191A1 (en) System and method for file transfer management
US20040243851A1 (en) System and method for controlling user authorities to access one or more databases
US8819806B2 (en) Integrated data access
JP3382881B2 (en) Data access control device
Delessy et al. Patterns for access control in distributed systems
JP2010079444A (en) File management method and system by metadata
KR101025029B1 (en) Implementation method for integration database security system using electronic authentication

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201117

Address after: 518000 408, building 5, tongfuyu Industrial Park, Dalang street, Longhua New District, Shenzhen City, Guangdong Province

Applicant after: Shenzhen media home culture Communication Co., Ltd

Address before: 518000 Guangdong Province, Shenzhen high tech Zone of Nanshan District City, No. 9018 North Central Avenue's innovation building A, 6-8 layer, 10-11 layer, B layer, C District 6-10 District 6 floor

Applicant before: NUBIA TECHNOLOGY Co.,Ltd.

GR01 Patent grant