200842642 九、發明說明: 【發明所屬之技術領域】 本發明係關於-種整合性作業權限管理系統及其方法,特別 是指能夠提供使用者登入本系統時,可因其個人所在地點的不 冋、登入時間的不同,取得不同的商業邏輯作業的作業權限。 【先前技術】 現今使用大型資訊系統提供的服務,以輔助完成各項商業邏 _業,已是各大公司作業的標相式。_,各項惡意攻擊及 入侵資訊系統的事件不斷發生,使得資域統中的資訊安全,成 為一不可忽視的重要課題。 為了因應現今各式各樣的商業服務,電齡統必需同時進行 不同的商業邏輯作業,在現有7x24不中斷服務的商業模式要求 下,商業邏輯應用系統必須提供使用者能夠在不同的時間、不同 的空間,使用不同的作業權限,來提供其客戶所需的服務。 由於登入使用者眾多,各類使用者運用系統中的應用程式作 業需求不同,在不同的時間、不同的空間,連線至系統要求使用 其合法之商業邏輯作業,故需一套單一認證及授權管理系統,透 過一多層次使用者認證授權管理機制,授與合法使用者應有的商 業邏輯作業權限。以往單一簽入系統僅能在使用者登入時,記錄 使用者個人資訊,在使用者呼叫商業邏輯應用程式時,由應用程 式依該程式行為模式,自行定義可執行或不可執行的人員、時間、 地點等,不但增加程式開發人員的負荷,一旦有方法繞過檢查程 200842642 式元件,更容易產生資訊安全漏洞,造成不可挽救的缺憾。 由此可見,上述習用方式仍有諸多缺失,實非一良善之設計, 為防止對資訊系統的惡意破壞行為,亟需建立一套使用者爷噔及 授權管理系統,以防止非法使用著的破壞,同時又不會因=加 程式開發人員的工作負荷,而造成成本的提升。 本案發明人鑑於上述f用方柄衍生的各項她,乃_亟思加 以改良創新,並經多年苦心孤詣潛心研究後,終於成功研發完成 本件多層次認證授權管理系統及方法。 【發明目的】 本發明之主要目的係在於建立一套單一認證及授權管理系 統’透過-多層次義者認證授鮮理機制,授與合法使用者應 有的商業邏輯作義限,以配合各類不同使用者同時存在的㈣ 次魂證授權管理系統及方法。 本發明之次要目的係在於提供—種可同時針對同—使用者, 因其在不_時間、不_地點登人,而得到不_商業邏輯作 業使用權限的多層次認證授權管理系統及方法。 【發明内容】 為達成上述目的,本發明所提供之多層次認證授權管理*** =法,係透過分析使用者工作屬性、統—記錄作業權限格式的 術,將分散料同知識領_商業邏輯作#,依其雜分類成 數大類別,認證授權管理元件,將不同_的商業邏輯作業 200842642 限管理程式的複 進而降低作業權 權限管理㈣賴成鮮格式,私簡化作業權 雜性,同時減低作業權限管理人員的工作負荷, 限管理成本,提高作業權限管理效能。 再者,本發明提供一種單一認證及授權管理系統,可 多層次使用者認證授權管理機制,授與每一個個別的人法使 ‘者,在不同的外在環境下,得到不同的«邏輯作業權Γ,以配 (δ各類不同的使用者同時存在。每—個個別的合法使用者,因盆 在不同_、不同的地㈣人本祕,_ 輯 作業使用觀。同時提供統—格式卿,使每-個合法 擁有的商業邏輯作業權限,不至於因少數特殊人 皮 成其他使用者登入本系統時,產生資訊安全漏润。”要求& 【實施方式】 請參閱圖-,為本發明乡層找證授鮮㈣統及方法 統架構,其組成包括: ' 一使用者權限紀錄資料庫,用以儲存使用者權限記錄資 料,其可為一資料庫或槽案伺服器; i用者觀轉元件11G,其可_好理者修改個別使用 者的系統作業權限; 二使用者身份認證元件12G,針對使用者登人身份進行認證; 一使用者基本觀設定元件.針對使用者登人時的身份進 行權限設定; 200842642 -使用者登人時_限設定元件14〇,針對使財身份及登入 時間,進行權限設定; -使用者登人地點權隨定元件w,針對使用者身份及登入 地點,進行權限設定; -使用者_檢查元件,其檢查發出使用商業邏輯作業元 ,件請求的使用者,是否已經由權限設定元件設定所需的使用權限; • —商業邏輯作業元件·其樹康商業邏輯提供特定的商業服 (1務。 請參閱圖二,為本發明多層次認證授權管理系統及方法之統 -權限設定系統作業流程示意圖,其主要步驟包括:每一名登入 本系統之登人制者’必須先由⑽權限管理者經由制者權限 維護元件_),將該使用者權限資料設定至使用者權限 料 庫(200)。當使用者連線至本系統時,如未經由權限管理模組設定 〇其相關使用權限,皆會重新導向至使用者身份認證元件⑽),重 新進行雜認證作業。身份認證作業確認後,導向至使用者基本 權限設定元件(130),設定該名使用者基本權限。之後繼續私依 使用者登入時間權限設定元件⑽),由本元件依使用者在使用者 權限記錄資料庫(200)中登入時間權限設定,新增及删除該名使用 者在當時被設定不能執行或設定特別准予執行的商業邏輯應用程 式功能。然後繼續導向依使用者登入地點權限設定元件⑽),由 本元件依使用者在使用者權限記錄資料庫_)中登入地點權限設 200842642 定’新增及刪除該名使用者在當地被設定錢執行或奴特別准 予執行的商業邏難躲式魏。在觀設定完畢後,#使用者 選擇其所需要的商業邏輯刺程式⑽)時,必須先經過使用者權 限檢查7G件⑽),確認是否擁有執行該項商麵輯·程式執行 權限,如有,則准許該名使用者執行該魏輯顧程式執行 權限,否則要求賴者重新登人,以取得足夠的權限。 本發明可制於大㈣⑽統提供的服務,以輔助完成各項 商業邏輯作業’現以朗於行動電話帳務祕U入認證授 權管理系統為實施例說明如下: *仃動電活帳務系統負責處理客戶申裝行動電話時的客戶基4 貝枓、各項費率及行鑛惠資訊、通話明細及費用金額、行制 話代收款項、行動電雜單處理、行動電騎㈣計報表等,麥 tt:位客戶的「客戶基本資料」、「帳單費用金額」、「通話明細 舁「仃動電話營收統計」皆需經由大型主機強大的運算功能以冰 t確無誤。然而,因應客戶的增加、業務義的繁多,商業翻 =複舰场嶋,,恤摘輸務系統的 ^業34減驗式作業的朗者,人數及雜賴也同步大 而S 機上可能又有「客戶基本資料比對作業」、「業 用明細查詢作業」及「帳單出帳金額調整作業」同時進行, 管Πί的使用者所需權限都不同,使得商#邏輯應用程式權限 Β理成為一重要課題。 200842642 .限,各=程式自行檢查該使用者是否有執行作業的權 -日_二 式無法統―,增加應用程式開發人員的困擾, -推限%轉,應肺式勢必也要隨_整 提供系統管理者—套也热法 使用者的鹿用,式,可以直接查詢各 益法由切限献當制者因職務調動紅作調整時, 無法由糸_限管理者直接進行設定。 c —入^達至]減少系統權限管理者負荷,同時提升應用程式作業的 切,我們採用-套權限管理記錄格式的方法,以簡㈣ 限=流程,使程式開發人員能夠更加專注於「商業邏輯規書^ 糸統推限官理亦不會擔心「系統資訊安全漏洞」。、」 首先,在伽者登人本系統進行商#邏輯應 爾柳獅行雜鳴邏“= 泰作業人㈣作業觀,記錄在體· Ο _)中’(如圖三所示)。 _ =需定義時間作業權限設定表御 /生(如圖四所示),相關作業時間設定,可以搭 管制所需作業權限,例如: °貝源調配, 「輪流值班人員」可定義其輪班時間,依照值班時間定義豆 章業===避免利用非值班時間進行非個人業務相_ 業亚可擴充功m與排班資料建立相關連結。 10 200842642 「職務代理人員」可定義其代理作業時間,由權限管理員設 定權限起迄時間,同時亦可將被代理人作業權限暫時删除,並= 擴充功能與人事出勤資料建立相關連結。 接著定義地點作業權限設定表,對於地點作義限設定表, 必須要包括使用者帳號、權限、來源網路位址以及屬性(如圖五 所示),相關作業地點設定,可以搭配人力資源調配,管制㈣作 業權限,例如·· 1 「異地支援作業人員」可定義其異地支援地點,依照異地支 援地點定義其商觸輯作業觀,若該名操制並非在其規定的 上班地點登入本系統、又沒有異地支援作業權限設定,則本系統 將拒絕其登入的請求。 「權限管理人員」可定義其登入作業地點,平日皆由内部網 路(intranet)登入本系統,若該名作業人員所在地點為資訊安全 }管理較為薄弱地區(intemet),可設定其無法執行具有營業秘密的 商業邏輯應用程式。 定義出紀錄檔格式之後,對於所有登入本系統的使用者,都 需透過本系統使用者密碼檢查元件(120)進行身份認證,並依序由 使用者基本權限設定元件(130)、使用者登入時間權限設定元件 (140)、使用者登入地點權限設定元件(15〇),決定本系統授與其使 用的權限種類。 接下來就可以在商業邏輯應用程式(170)執行之前,架上一個 11 200842642 使用者權限檢查元件⑽)’透過此元件檢查該登人使用者是否已 擁有該應用程式執行權限。 【特點及功效】 本發明所提供之多層次認證授權管理系統及方法,與其他習 用技術相互比較時,更具備下列優點: 本V月建立套單一認證及授權管理系統,透過一多層次 使用者認證授權管理機制,授與每—個個別的合法使用 者’在不同的外在環境下,得到不同的商業邏輯作業權限, 以配合各類不同的使用者同時存在。每一個個別的合法使 用者,因其在不同的時間、不同的地點登入本系統,而得 到不同的商業邏輯作業使用權限。 2本毛明月b有效降低業務麵繁多的業者管理使用者身份及 作業權限的成本,並提升系統管理效能。同時透過本發明 所提i、的統-格式機制,可減少權限管理系統的異動作 業’使每-個合法使用者所擁有的商業邏輯作業權限,應 可恰如其份,而不至於因少數特殊人員作業要求,造成其 他使用者登入本系統時,產生資訊安全漏洞。 上列洋細,兄明乃針對本發明之一可行實施例進行具體說明, 惟該實施例並_以限制本發明之專利朗,凡未脫離本發明技 藝精神所為之較實施紐更,均應包含於本案之專職圍中。 综上所述,本案不僅純術思想上確屬綱,並具備習用之 12 200842642 傳統方法所*及之上述多項魏,已充分符合新酿及進步性之 法定發明專機件’爰依法提Μ請,懇請貴局核准本件發明專 利申請案,以勵發明,至感德便。 【圖式簡單說明】 圖一為本發明多層次認證授權管理系統及方法之系統架構 圖; 圖一该多層次認證授權管理系統及方法之統一權限設定系統 作業流程示意圖; 圖三為該多層次認證授權管理系統及方法應用於行動電話帳 務系統之基本作業權限設定圖; 圖四為該多層次認證授權管理系統及方法應用於行動電話帳 務系統之時間作業權限設定圖;以及 圖五為該多層次認證授權管理系統及方法應用於行動電話帳 務系統之地點作業權限設定圖。 【主要元件符號說明】 11〇使用者權限維護元件 120使用者密碼檢查元件 130使用者基本權限設定元件 140使用者登入時間權限設定元件 15〇使用者登入地點權限設定元件 160使用者權限檢查元件 13 200842642 170商業邏輯作業元件 200使用者權限紀錄資料庫200842642 IX. Description of the invention: [Technical field of the invention] The present invention relates to an integrated operation authority management system and method thereof, and particularly to providing a user with a personal location when logging into the system. And different login time, get the job permission of different business logic jobs. [Prior Art] Nowadays, the services provided by large-scale information systems to assist in the completion of various business logics have become the standard for the operations of major companies. _, all kinds of malicious attacks and incidents of intrusion into the information system continue to occur, making information security in the domain of the community a major issue that cannot be ignored. In order to respond to a variety of commercial services today, the electrical age system must perform different business logic operations at the same time. Under the existing business model of 7x24 uninterrupted service, the business logic application system must provide users with different time and different time. Space, using different job permissions to provide the services your customers need. Due to the large number of login users, various users have different application requirements in the system, and different legal and logical operations are required to connect to the system at different times and in different spaces. Therefore, a single authentication and authorization is required. The management system grants the business logic operation rights that legitimate users should have through a multi-level user authentication and authorization management mechanism. In the past, a single check-in system only recorded the user's personal information when the user logged in. When the user called the business logic application, the application defined the executable or unexecutable personnel, time, and Locations, etc., not only increase the load of the program developers, once there is a way to bypass the inspection process 200842642 type components, it is more likely to generate information security vulnerabilities, resulting in irreparable defects. It can be seen that there are still many shortcomings in the above-mentioned methods of use. It is not a good design. In order to prevent malicious acts of information system, it is imperative to establish a set of user secrets and authorization management systems to prevent the destruction of illegal use. At the same time, it will not increase the cost of the developer's workload. The inventor of the present invention succeeded in researching and developing this multi-level certification and authorization management system and method after considering the above-mentioned various aspects derived from the square handle, which was _ 亟 思 思 to improve and innovate, and after years of painstaking research. [Objectives of the Invention] The main object of the present invention is to establish a single authentication and authorization management system to pass the multi-level right-hand authentication authentication mechanism, and to grant the legitimate logic of legal users the meaning of the business logic. (4) The second soul certificate authorization management system and method existed simultaneously for different users. The secondary object of the present invention is to provide a multi-level authentication and authorization management system and method capable of simultaneously targeting the same user, because it does not _ time, not _ place to get people, but not _ commercial logic operation use authority . SUMMARY OF THE INVENTION In order to achieve the above object, the multi-level authentication and authorization management system=method provided by the present invention is to analyze the user's work attribute and the system-recording operation authority format, and to disperse the material with the knowledge collar_business logic. #, according to its miscellaneous classification into a large number of categories, certification and authorization management components, will be different _ business logic operation 200842642 limit management program and then reduce the operation rights management (four) Lai Cheng fresh format, private simplified operation rights, while reducing operations The workload of the authority management personnel, the management cost, and the efficiency of the operation authority management. Furthermore, the present invention provides a single authentication and authorization management system, which can provide a multi-level user authentication and authorization management mechanism, and grants each individual person law to obtain different «logical operations in different external environments. Right, to match (δ different types of users exist at the same time. Each individual legitimate user, because the basin is in different _, different places (four) people secret, _ series operation view. Also provide a unified format Qing, so that every legally owned business logic operation authority will not cause information security leakage when a small number of special users are logged into the system." Requirements & [Implementation] Please refer to Figure -, for The invention has the following principles: 'a user authority record database for storing user authority record data, which can be a database or a slot server; i The user turns the component 11G, which can modify the system operation authority of the individual user; the second user identity authentication component 12G authenticates the user's identity; Set the component. Set the permission for the identity when the user logs in. 200842642 - When the user logs in, the user is limited to set the component 14〇, and the authority is set for the identity and login time. The component w, for the user identity and the login location, the permission setting; the user_checking component, which checks whether the user who uses the business logic job element, the request, has set the required usage right by the permission setting component; • Business logic operation components • Its business logic provides specific business services (1). Please refer to Figure 2, which is a schematic diagram of the operation flow of the multi-level authentication and authorization management system and method of the present invention. Including: each login system to the system must first be set up by the (10) authority manager via the system authority maintenance component _), and the user permission data is set to the user permission repository (200). When connecting to the system, if it is not set by the rights management module, its related usage rights will be redirected to the user identity authentication element. (10)), re-do the miscellaneous certification operation. After the identity authentication operation is confirmed, it is directed to the user's basic authority setting component (130), and the user's basic authority is set. After that, the user-dependent login time permission setting component (10) is continued. The component is set according to the user's login time permission in the user permission record database (200), adding and deleting the business logic application function that the user is set to be unable to execute or set the special permission to execute at that time. User login location permission setting component (10)), according to the user in the user permission record database _) login location permission set 200842642 set 'add and delete the user is set in the local money execution or slave special grant The business logic that is executed is difficult to hide. After the setting is completed, #user selects the business logic (10) required by the user, and must first check the 7G piece (10) by user permission to confirm whether or not the owner has executed the quotient. Face program execution permission, if any, allows the user to execute the program execution permission, Lai required to re-board the people, in order to obtain sufficient permissions. The present invention can be implemented in the services provided by the large (four) (10) system to assist in the completion of various business logic operations. The current embodiment of the mobile phone accounting system is as follows: * The mobile account management system Responsible for handling the client's application mobile phone number when the client's application mobile phone call, various rates and mining benefits information, call details and fee amount, banknotes collection, mobile phone billing, mobile phone riding (four) report Etc., tt: The customer's "customer basic information", "bill fee amount", "call details", "sudden phone revenue statistics" need to be confirmed by the powerful computing function of the mainframe. However, in response to the increase in customers and the complexity of business, the business is turning over to the shipyard, and the number of people who are in the industry’s 34-reduction operation is also large, and the number of people and the miscellaneous are also large. In addition, there are "Customer Basic Data Matching Jobs", "Industry Detail Inquiry Jobs" and "Billing Billing Amount Adjustment Jobs" at the same time. The users of the Π ί are required to have different permissions, so that the quotient #Logic Application Β Management has become an important issue. 200842642 . Limits, each program will check whether the user has the right to perform the operation - the day _ two can not be unified - to increase the trouble of the application developers, - the limit is turned, the lungs must also follow the _ Providing system administrators - sets of deer used by thermal users, can directly query the various benefits and methods, and the adjustment of the system is not directly determined by the administrator. c —Into the ^To reduce the system authority manager load, and improve the application operation, we use the set of permissions to manage the record format, with a simple (four) limit = process, so that program developers can focus more on "commercial The logic plan ^ 推 system rule will not worry about "system information security loopholes". First, in the gambler boarding system, the business logic _ _ _ lion lion line noise “ " = Thai operator (four) operation view, recorded in the body Ο _) ' (shown in Figure 3). = need to define the time job permission setting table Royal / Health (as shown in Figure 4), the relevant work time setting, you can control the required work permissions, for example: ° Bay source deployment, "rotating staff" can define their shift time, Define the bean industry according to the duty time === Avoid using non-duty time for non-personal business phase _ Industry and Asia can expand the work and establish relevant links with the shift data. 10 200842642 “Job Agent” can define the agent operation time, the permission administrator can set the permission start and end time, and can also temporarily delete the agent's operation authority, and the extension function establishes a link with the personnel attendance data. Then define the location operation permission setting table. For the location definition setting table, it must include the user account, authority, source network address and attributes (as shown in Figure 5). The relevant job location setting can be matched with human resource allocation. (4) Operation authority, for example, 1 "External support operator" can define its remote support location, and define its business touch operation view according to the remote support location. If the operation is not at the specified work location, log in to the system. If there is no remote support for job permission settings, the system will reject the request for login. The “authority manager” can define the location of the login operation. The system is accessed by the internal network (intranet) on weekdays. If the location of the operator is information security} management is weak, it can be set to be executed. Business logic application for business secrets. After defining the format of the log file, all users who log in to the system need to authenticate the identity through the user password checking component (120), and sequentially set the component (130) and user login by the user's basic authority. The time authority setting component (140) and the user login location authority setting component (15〇) determine the type of authority that the system grants to use. Next, before the business logic application (170) is executed, an 11 200842642 user permission checking component (10) can be placed to check whether the denial user has the application execution permission through the component. [Features and Efficacy] The multi-level authentication and authorization management system and method provided by the present invention have the following advantages when compared with other conventional technologies: This V month establishes a single authentication and authorization management system through a multi-level user. The authentication and authorization management mechanism grants each individual legal user 'in different external environments to obtain different business logic operation rights to coexist with different types of users. Each individual legitimate user has access to different business logic operations because he or she logs into the system at different times and in different locations. 2 Mao Mingyue b effectively reduces the cost of managing the user identity and job permissions of a wide range of business operators and improves system management effectiveness. At the same time, through the system-implemented mechanism of the present invention, the transaction management system can be reduced to make the business logic operation rights owned by each legal user appropriate, and not because of a few special Personnel operation requirements, resulting in information security vulnerabilities when other users log in to the system. The above is a detailed description of one of the possible embodiments of the present invention, but the embodiment is intended to limit the patent of the present invention, and all of them should be implemented without departing from the spirit of the present invention. It is included in the full-time division of the case. In summary, this case is not only purely intellectual, but also has the habit of 12 200842642 traditional methods * and the above-mentioned multiple Wei, has fully complied with the new brewing and progressive legal invention special features '爰According to the law I urge you to approve the application for this invention patent to encourage the invention. BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a system architecture diagram of a multi-level authentication and authorization management system and method according to the present invention; FIG. 1 is a schematic diagram of a unified authority setting system operation flow of the multi-level authentication and authorization management system and method; The authentication authorization management system and method are applied to the basic operation authority setting diagram of the mobile phone accounting system; FIG. 4 is a time operation permission setting diagram of the multi-level authentication authorization management system and method applied to the mobile phone accounting system; The multi-level authentication and authorization management system and method are applied to a location job permission setting map of a mobile phone accounting system. [Main component symbol description] 11 user authority maintenance component 120 user password check component 130 user basic authority setting component 140 user login time authority setting component 15 user login location authority setting component 160 user authority checking component 13 200842642 170 business logic operation component 200 user authority record database
1414