
CN101739526B - Service system-oriented object-oriented-based authority management method - Google Patents


Info

Publication number
CN101739526B
Authority
CN
China
Prior art keywords
role
function
goal systems
correspondence table
stored
Prior art date
Legal status
Expired - Fee Related
Application number
CN2009102425537A
Other languages
Chinese (zh)
Other versions
CN101739526A (en)
Inventor
马传峰
Current Assignee
Beijing Jiaxun Feihong Electrical Co Ltd
Original Assignee
Beijing Jiaxun Feihong Electrical Co Ltd
Priority date
2009-12-16
Filing date
2009-12-16
Publication date
2012-04-18
Application filed by Beijing Jiaxun Feihong Electrical Co Ltd
Priority to CN2009102425537A
Publication of CN101739526A
Application granted
Publication of CN101739526B
Expired - Fee Related (current legal status)
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a service-system-oriented, object-oriented rights management method belonging to the technical field of computer security. The method identifies the functions of a business system in the form of services, abstracts and organizes the published business functions in an object-oriented manner, treats each business function as a rights management object, encapsulates the operations, attributes and data ranges contained in the function inside that object, and identifies each operation, attribute and data range as an atomic-level rights management unit. By analysing scenarios, different views are abstracted out and used as object-level authorization templates. At authorization time, a user's visibility of a function is controlled by judging whether the service is published (issued) to that user, and the atomic-level rights management units within each authorization template are then authorized individually. This gives application developers a more complete rights management mechanism, reduces the complexity and overhead of authorization management, supports the enterprise's security policy flexibly, and adapts well to change in the enterprise.

Description

Service-system-oriented, object-oriented rights management method
Technical field
The present invention relates to the field of computer security technology, and in particular to a service-system-oriented, object-oriented rights management method.
Background technology
At present, rights management is mainly carried out in one of two ways:
1. service-oriented rights management;
2. role-based rights management.
In the first way, the business functions are opened up in the form of software services, and other application programs use those services through published, discoverable interfaces; user rights are managed at the level of those services. In the second way, rights are managed through the user-role-function relation: the role is introduced as an intermediate relation between users and function items, the system assigns the operating rights of function items to each role and then assigns the corresponding users to each role, thereby managing operating rights. Although both methods give application developers a fairly complete rights management mechanism, both treat the rights of a function as a single, indivisible unit, so they are limited when the same function must be managed differently across many scenarios; this increases the complexity of authorization management and cannot flexibly support the enterprise's security policy.
Summary of the invention
The object of the invention is to address the problems of existing rights management described in the background above by proposing a service-system-oriented, object-oriented rights management method.
The method is characterized in that it comprises the following steps:
1) identify the functions of the target system and store them, classified by function, in the target system database;
2) identify the attributes contained in each function of the target system and store them in the target system database;
3) add a role table to the target system database and a role function module to the target system;
4) add correspondence tables to the target system database;
5) add an authorization module to the target system;
6) add a user rights management common module to the target system;
7) perform authorization operations for each role and, once authorization is complete, save the information in the above correspondence tables.
In an object-oriented manner, the method takes each function of the target system as a permission object, and the operation, attribute and data range information encapsulated inside the permission object as atomic-level rights management units, as shown in Fig. 1.
Authorization templates of different views are generated at the object level according to the scenario; when a role is authorized, the authorization templates corresponding to that role are each authorized separately.
The invention gives application developers a more complete rights management mechanism, reduces the complexity of authorization management and reduces administration overhead; it supports the enterprise's security policy flexibly and adapts well to change in the enterprise.
Description of drawings
Fig. 1: overall structure diagram;
Fig. 2: structure of the service table stored in the target system database;
Fig. 3: structure of the function (menu) table stored in the target system database;
Fig. 4: structure of the operation table stored in the target system database;
Fig. 5: structure of the attribute table stored in the target system database;
Fig. 6: structure of the view table stored in the target system database;
Fig. 7: structure of the data range table stored in the target system database;
Fig. 8: structure of the role table stored in the target system database;
Fig. 9: structure of the role function correspondence table stored in the target system database;
Fig. 10: structure of the role operation correspondence table stored in the target system database;
Fig. 11: structure of the role attribute correspondence table stored in the target system database;
Fig. 12: structure of the role user correspondence table stored in the target system database;
Fig. 13: structure of the role data range correspondence table stored in the target system database.
Embodiment
The preferred embodiment is described in detail below with reference to the accompanying drawings. It should be emphasized that the following description is exemplary only and is not intended to limit the scope of the invention or its applications.
Step 1: identify the services of the target system and the functions they contain, and at the same time create the basic data required by the model in the target system database:
the services of the target system are stored in the service table of the target system database, with the structure of Fig. 2;
the functions of the target system are stored in the function table of the target system database, with the structure of Fig. 3.
Step 2: identify the attributes contained in each function of the target system, i.e. the input controls and buttons contained in the function's interface, and at the same time create the basic data required by the model in the target system database:
the buttons contained in the interface of each function are stored in the operation table of the target system database, with the structure of Fig. 4;
the input controls contained in the interface of each function are stored in the attribute table of the target system database, with the structure of Fig. 5;
the scenarios contained in each function are stored in the view table of the target system database, with the structure of Fig. 6;
the data display range of each scenario is stored in the data range table of the target system database, with the structure of Fig. 7.
Step 3: add a role table to the target system database and a role function module to the target system. The role information of the target system is stored in the role table of the target system database, with the structure of Fig. 8. Through the authorization function of the module, operations and attributes are authorized for each role; through the add-user function, users are added to each role.
Step 4: add correspondence tables to the target system database:
determine the correspondence between roles and functions and store it in the role function correspondence table of the target system database, with the structure of Fig. 9;
determine the correspondence between roles and operations and store it in the role operation correspondence table of the target system database, with the structure of Fig. 10;
determine the correspondence between roles and attributes and store it in the role attribute correspondence table of the target system database, with the structure of Fig. 11;
determine the correspondence between roles and users and store it in the role user correspondence table of the target system database, with the structure of Fig. 12;
determine the correspondence between roles and data ranges and store it in the role data range correspondence table of the target system database, with the structure of Fig. 13.
Step 5: add an authorization module to the target system for the authorization management of each role. In the authorization management interface, the functions of the target system are displayed as a tree, which makes authorization convenient for the user. The authorization operations comprise:
1. authorizing the visibility of the buttons contained in the function interface; the authorization modes are: visible, invisible;
2. authorizing the input rights of the input controls contained in the function interface; the authorization comprises four modes: hidden, read-only, full operation, default;
3. authorizing the data range, i.e. the user's right to view a range of data; the authorization method is to add a data filter condition for the role.
Step 6: add a user rights management common module to the target system, and identify the modules of the target system on which access control is to be performed. Using AOP (aspect-oriented programming), define an aspect for the identified function modules, and add an access control method to the AOP model. This method performs the following processing:
1. obtain the user's function ID and scenario information from the user session;
2. obtain the corresponding view from the function ID and scenario information;
3. from the view, return the settings of the atomic-level access control units defined for that view, generate the access control script and return it to the function module;
4. the function module reorganizes each element of the function interface according to the rights script returned by the AOP, and then returns the new function interface to the operating user, thereby achieving rights management and control.
Step 7: log in to the target system, enter the rights management module and authorize the target system; when authorization is complete, click Save, and the data is stored in the respective correspondence tables.
After a user logs in to the target system, the target system displays the services the user may use, according to the role and function information in the correspondence tables. When the user selects a function, the corresponding view is called according to the user's current scenario; according to the view identifier, the relevant information is obtained from the role operation correspondence table, the role attribute correspondence table and the role data range correspondence table; it is then reorganized and presented to the user, thereby achieving rights management.
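The data model of Steps 1 to 4 and the view lookup of Steps 6 and 7, as an added Python example that is not the patent's or the assignee's own code. The column layouts of Figs. 2 to 13 are not reproduced on the page, so the table shapes, the sample services, roles, users and order records, the most-permissive-wins rule for a user holding several roles, and the closed-by-default handling of missing correspondence rows (an unlisted button is invisible, an unlisted control is hidden, a role without a data range row sees no records) are all assumptions of this example; the authorization modes and the session-to-view-to-script flow follow the text.

```python
"""Worked model of the rights management scheme in Steps 1-7 of the description.

Added example, not code from the patent or its assignee. Table columns, sample
data, the multi-role combination rule and the closed-by-default handling of
missing rows are this example's assumptions; the authorization modes
(visible/invisible; hidden, read-only, full operation, default; data filter
condition per role) and the Step 6 lookup flow follow the patent text.
"""
from collections.abc import Callable

Record = dict[str, object]

# Steps 1-2: basic data of the target system (constructed sample).
SERVICES = {"order_svc": "Order service"}
FUNCTIONS = {"order_query": {"service": "order_svc", "name": "Order query"}}
# Operation table (Fig. 4): buttons of a function's interface.
OPERATIONS = {"btn_export": "order_query", "btn_delete": "order_query"}
# Attribute table (Fig. 5): input controls; the "default" mode falls back to this.
ATTRIBUTES = {
    "customer": {"function": "order_query", "default": "read-only"},
    "amount": {"function": "order_query", "default": "read-only"},
    "notes": {"function": "order_query", "default": "full"},
}
# View table (Fig. 6): (function, scene) -> view, the object-level template.
VIEWS = {("order_query", "branch"): "v_branch", ("order_query", "hq"): "v_hq"}

# Steps 3-4: role table and correspondence tables (Figs. 8-13), constructed.
ROLE_USER = {"alice": {"clerk"}, "bob": {"auditor"}, "dave": {"clerk", "auditor"}}
ROLE_FUNCTION = {"clerk": {"order_query"}, "auditor": {"order_query"}}
ROLE_OPERATION = {  # (role, view, button) -> visible | invisible
    ("clerk", "v_branch", "btn_export"): "visible",
    ("clerk", "v_branch", "btn_delete"): "invisible",
    ("auditor", "v_hq", "btn_export"): "visible",
}
ROLE_ATTRIBUTE = {  # (role, view, control) -> hidden | read-only | full | default
    ("clerk", "v_branch", "customer"): "full",
    ("clerk", "v_branch", "amount"): "read-only",
    ("clerk", "v_branch", "notes"): "default",
    ("auditor", "v_hq", "customer"): "read-only",
    ("auditor", "v_hq", "amount"): "read-only",
    ("auditor", "v_hq", "notes"): "hidden",
}
# Data range table: the filter condition added for a role on a view (Step 5.3).
ROLE_DATA_RANGE: dict[tuple[str, str], Callable[[Record], bool]] = {
    ("clerk", "v_branch"): lambda rec: rec["branch"] == "north",
    ("auditor", "v_hq"): lambda rec: True,  # explicit grant of the whole range
}
# Rank used when a user's roles disagree on a control (most permissive wins).
RANK = {"hidden": 0, "read-only": 1, "full": 2}


def visible_functions(user: str) -> set[str]:
    """Step 7 login view: functions reachable through role-user and role-function."""
    return {f for r in ROLE_USER.get(user, set()) for f in ROLE_FUNCTION.get(r, set())}


def permission_script(user: str, function_id: str, scene: str) -> dict:
    """Step 6 access control method: resolve the session's function ID and scene
    to a view, then emit the atomic-level settings the interface must apply."""
    if function_id not in visible_functions(user):
        raise PermissionError(f"{user} is not authorized for {function_id}")
    view = VIEWS.get((function_id, scene))
    if view is None:
        raise LookupError(f"no view for {function_id!r} in scene {scene!r}")
    roles = ROLE_USER[user]
    script: dict = {"view": view, "buttons": {}, "controls": {}}
    for btn, fn in OPERATIONS.items():
        if fn == function_id:
            # A button is shown only if some role was explicitly granted "visible".
            granted = any(ROLE_OPERATION.get((r, view, btn)) == "visible" for r in roles)
            script["buttons"][btn] = "visible" if granted else "invisible"
    for ctl, meta in ATTRIBUTES.items():
        if meta["function"] == function_id:
            best = "hidden"  # closed by default: unlisted controls are hidden
            for r in roles:
                mode = ROLE_ATTRIBUTE.get((r, view, ctl), "hidden")
                if mode == "default":
                    mode = meta["default"]  # fall back to the control's own setting
                if RANK[mode] > RANK[best]:
                    best = mode
            script["controls"][ctl] = best
    return script


def apply_data_range(user: str, function_id: str, scene: str, records: list[Record]) -> list[Record]:
    """Data range authorization: keep a record if any of the user's roles holds a
    filter condition for this view that accepts it; no filter row means no data."""
    view = permission_script(user, function_id, scene)["view"]
    filters = [ROLE_DATA_RANGE[(r, view)] for r in ROLE_USER[user] if (r, view) in ROLE_DATA_RANGE]
    return [rec for rec in records if any(f(rec) for f in filters)]


# Constructed sample records of the order query function.
ORDERS: list[Record] = [
    {"id": 1, "branch": "north", "customer": "ACME", "amount": 100, "notes": "rush"},
    {"id": 2, "branch": "south", "customer": "Bolt", "amount": 250, "notes": ""},
]

if __name__ == "__main__":
    for user, scene in (("alice", "branch"), ("bob", "hq"), ("alice", "hq")):
        print(user, scene, permission_script(user, "order_query", scene))
        print("  records:", [r["id"] for r in apply_data_range(user, "order_query", scene, ORDERS)])
```

The same function yields a different script for each scenario: a clerk in the "branch" scenario gets the export button, editable customer field and a branch-restricted data range, while the same clerk in the "hq" scenario, for which no template rows exist, gets every button hidden and no records. Treating a missing row as a denial rather than a default grant is the choice a defender would want when the correspondence tables are incomplete.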
The above is merely a preferred embodiment of the invention, but the scope of protection of the invention is not limited thereto; any variation or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the invention shall be covered by the scope of protection of the invention. Therefore, the scope of protection of the invention shall be determined by the scope of protection of the claims.

Claims (6)

  1. A service-system-oriented, object-oriented rights management method, characterized in that it comprises the following steps:
    1) identifying the functions of the target system and storing them, classified by function, in the target system database;
    2) identifying the attributes contained in each function of the target system and storing them in the target system database;
    3) adding a role table to the target system database and a role function module to the target system;
    4) adding a role function correspondence table, a role operation correspondence table, a role attribute correspondence table, a role user correspondence table and a role data range correspondence table to the target system database;
    5) adding an authorization module to the target system;
    6) adding a user rights management common module to the target system;
    7) performing authorization operations for each role and, once authorization is complete, saving the information in the above role function correspondence table, role operation correspondence table, role attribute correspondence table, role user correspondence table and role data range correspondence table;
    wherein, in an object-oriented manner, the method takes each function of the target system as a permission object, and the operation, attribute and data range information encapsulated inside the permission object as atomic-level rights management units;
    and authorization templates of different views are generated at the object level according to the scenario; when a role is authorized, the authorization templates corresponding to that role are each authorized separately.
  2. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that said identifying the functions of the target system and storing them, classified by function, in the target system database comprises:
    1) identifying the services in the target system and storing them in the service table of the target system database;
    2) identifying the functions in the target system and storing them in the function table of the target system database.
  3. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that said identifying the attributes contained in each function of the target system and storing them in the target system database comprises:
    1) identifying the buttons contained in the interface of each function in the target system and storing them in the operation table of the target system database;
    2) identifying the input controls contained in the interface of each function in the target system and storing them in the attribute table of the target system database;
    3) identifying the scenarios of each function of the target system and storing them in the view table of the target system database;
    4) identifying the data display range of each scenario in the target system and storing it in the data range table of the target system database.
  4. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that said role function module allows roles in the target system to be added, deleted and modified, and provides an authorization function and an add-user function for each role.
  5. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that said adding correspondence tables to the target system database comprises:
    1) adding the role function correspondence table, which stores the correspondence between roles and functions;
    2) adding the role operation correspondence table, which stores the correspondence between roles and operations;
    3) adding the role attribute correspondence table, which stores the correspondence between roles and attributes;
    4) adding the role user correspondence table, which stores the correspondence between roles and users;
    5) adding the role data range correspondence table, which stores the correspondence between roles and data ranges.
  6. The service-system-oriented, object-oriented rights management method according to claim 1, characterized in that said user rights management common module is used to perform initialization control of the interface controls according to the user information.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2009102425537A CN101739526B (en) 2009-12-16 2009-12-16 Service system-oriented object-oriented-based authority management method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2009102425537A CN101739526B (en) 2009-12-16 2009-12-16 Service system-oriented object-oriented-based authority management method

Publications (2)

Publication Number Publication Date
CN101739526A CN101739526A (en) 2010-06-16
CN101739526B true CN101739526B (en) 2012-04-18

Family

ID=42463000

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2009102425537A Expired - Fee Related CN101739526B (en) 2009-12-16 2009-12-16 Service system-oriented object-oriented-based authority management method

Country Status (1)

Country Link
CN (1) CN101739526B (en)

Families Citing this family (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8954879B2 (en) * 2010-06-04 2015-02-10 Mitel Networks Corporation Method and apparatus for sharing user service classes
CN102201935B (en) * 2011-05-13 2013-11-06 大唐移动通信设备有限公司 Access control method and device based on VIEW
US10031646B2 (en) * 2011-09-07 2018-07-24 Mcafee, Llc Computer system security dashboard
TWI522949B (en) * 2014-06-17 2016-02-21 耐點科技股份有限公司 Method of activating other function of application and mobile communication device, server apply to the method
CN104217146B (en) * 2014-09-04 2017-02-15 浪潮通用软件有限公司 Access control method based on ABAC (Attribute Based Access Control) and RBAC (Role Based Access Control)
CN105046119A (en) * 2015-08-13 2015-11-11 杭州杉石科技有限公司 Permission design system based on APP (Application)
CN105005730A (en) * 2015-08-13 2015-10-28 杭州杉石科技有限公司 Authority design method based on APP (application)
CN105227551A (en) * 2015-09-24 2016-01-06 四川长虹电器股份有限公司 The uniform permission administration method of XBRL application platform
CN106682487A (en) * 2016-11-04 2017-05-17 浙江蘑菇加电子商务有限公司 User authority management method and system
CN110113369A (en) * 2019-06-27 2019-08-09 无锡华云数据技术服务有限公司 A kind of method for authenticating of based role permission control
CN111814174B (en) * 2020-09-04 2020-12-08 平安国际智慧城市科技股份有限公司 Data access control method and device and computer equipment

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1967560A (en) * 2006-11-09 2007-05-23 华为技术有限公司 Controlling method of business operations competence and generating method of relational database
CN101034990A (en) * 2007-02-14 2007-09-12 华为技术有限公司 Right management method and device
CN101499906A (en) * 2008-02-02 2009-08-05 厦门雅迅网络股份有限公司 Method for implementing subscriber authority management based on role function mapping table

Also Published As

Publication number Publication date
CN101739526A (en) 2010-06-16

Similar Documents

Publication Publication Date Title
CN101739526B (en) Service system-oriented object-oriented-based authority management method
CN104516777B (en) User interface management method and system
CN113297550A (en) Authority control method, device, equipment, storage medium and program product
CN104573478B (en) A kind of user authority management system of Web applications
US20180357440A1 (en) Personalized Meetings
CA2784334C (en) Multiplatform management system and method for mobile devices
US20080141334A1 (en) Method and Apparatus for Dissociating Binding Information from Objects to Enable Proper Rights Management
CN110443010A (en) One kind permission visual configuration control method, device, terminal and storage medium in information system
CN110457891A (en) A kind of authority configuration interface display method, device, terminal and storage medium
EP2405607A1 (en) Privilege management system and method based on object
CN110532764A (en) A kind of method, mobile terminal and the readable storage medium storing program for executing of permission processing
CN105378768A (en) Proximity and context aware mobile workspaces in enterprise systems
CN107832105B (en) Application program starting method, starting device and computer readable storage medium
CN107871062A (en) A kind of application permission control method, device and terminal
CN113342340A (en) Component rendering method and device
CN105556534B (en) For suggesting the electronic equipment and method of response guide when refusing
US8069479B2 (en) Position and velocity-based mobile device management
CN113268450A (en) File access method and device, electronic equipment and storage medium
CN102446258B (en) Attachment authority type expansion method and device and system adopting same
US10417410B2 (en) Access control to protected resource based on images at changing locations identifiable by their type
CN106648962A (en) Management method and device and intelligent terminal for multi-open application
CN112528248A (en) User authority management scheme facing multiple applications
KR100845309B1 (en) Method and device for controlling access rights of contents
CN116611085A (en) Authority management and control method and device, electronic equipment and storage medium
CN115174177A (en) Authority management method, device, electronic apparatus, storage medium and program product

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120418

Termination date: 20181216
