
CN102088351A - Authorization management system and implementation method thereof - Google Patents

Authorization management system and implementation method thereof

Info

Publication number
CN102088351A
Authority
CN
China
Prior art keywords
rights management
platform
management sub
attribute certificate
sub
Legal status
Granted
Application number
CN200910217966XA
Other languages
Chinese (zh)
Other versions
CN102088351B (en)
Inventor
李伟平
张宇韬
曹恩龙
刘耀辉
田宏团
Current Assignee
CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd
Original Assignee
CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd
Priority date
Application filed by CHANGCHUN JIDA ZHENGYUAN INFORMATION TECHNOLOGY Co Ltd
Priority to CN200910217966.XA
Publication of CN102088351A
Application granted
Publication of CN102088351B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a distributed authorization management system, which comprises an authority management main platform, at least one authority management sub-platform, at least one middleware device, at least one application device and at least one user device which are connected with one another through a network. In the invention, the distributed authorization management system and the implementation method of the system can be provided, a plurality of authority management sub-platforms are arranged, each authority management sub-platform is used for releasing authorization information between a user group which belongs to a governing region and an application role in the form of an attribute certificate, user authorization information is provided for a plurality of application systems in the governing region, and the authorization information is uniformly monitored and shared through the authority management main platform. Support can be provided for a large number of users who do not register in the system, and a plurality of authority management sub-platforms can be added according to a practical requirement, so that the system can be flexibly extended, and the requirement on different volumes of the system is met.

Description

Authorization management system and implementation method thereof
Technical field
The present invention relates to the field of information security technology, and in particular to an authorization management system and its implementation method.
Background technology
With the increasing level of IT adoption in government and enterprises, the number of application systems is growing steadily. When the number of users is very large, users are spread over a wide geographic area and application systems are numerous, authorization for the application systems becomes a very thorny problem. In a large government body, enterprise or institution the following situations occur regularly: an employee leaves, yet can still access some very important application systems; an employee's position changes, yet the old permissions remain in the application system; because of a temporary business need, an account was registered and application permissions were opened for someone from another location, but they were never withdrawn in time, causing key information to leak; and although all the applications run in the organization's own machine room, the decision-makers responsible for informatization cannot readily take stock of the authorization situation of each application system. How to share resources effectively in a unified way, and how to manage users' access rights promptly, quickly and effectively, has become a difficult problem facing the decision-makers of application system development and the business administrators.
For unified user authentication, authorization and secure access control, many solutions have already been proposed:
(1) Patent application CN 200710191525.8 (filing date: 2007.12.12, title: Unified identity management and authentication method based on digital certificates and multi-level domains) discloses a unified identity management and authentication method based on digital certificates and multi-level domains. First, user identity maintenance is performed: user identity information is synchronized periodically with the human resources system, and user data information is managed by manual maintenance. The user identity information is then synchronized to the domain: according to the user's organizational unit, it is synchronized via the standard LDAP protocol into the corresponding AD subdomain, and user authentication is realized. That invention enables single sign-on access to multiple business systems, but it cannot solve the problem of unified rights management for a user across multiple business systems.
(2) Patent applications CN 200610076491.3 (filing date: 2006.04.26, title: Security protection system for information systems or equipment and its working method), CN 200810040672.X (filing date: 2008.07.17, title: System user access management system and method based on digital certificate technology), CN 200810040674.9 (filing date: 2008.07.17, title: Access control method and device for information systems based on digital certificate technology), CN 200620100455.1 (filing date: 2006.01.18, title: A network security authentication and authorization system) and CN 200710147233.4 (filing date: 2007.08.30, title: Implementation method of a distributed business operation support system and distributed services) all disclose technical schemes that authenticate a logging-in user and, after authentication passes, obtain the user's corresponding access rights. However, these schemes lack secure management of the user rights information, cannot effectively prevent the possibility of human tampering, and support only a limited number of users; they cannot solve the unified authorization and secure access control problem for a large number of users (particularly numerous users who are not registered in the system).
Patent application CN 200810062264.4 of Zhejiang University (filing date: 2008.06.17, title: Web service control mechanism based on PKI and PMI) discloses a Web service control mechanism based on PKI and PMI. It comprises a PKI system, a PMI system and a Web service security system. A user applies to the PKI system for an identity certificate, then uses the identity certificate to apply to the PMI system for an attribute certificate; the attribute certificate associates the user's identity with one or more roles, and a predefined policy certificate of the PMI system binds roles to one or more Web services. When the user uses a Web service, the Web security system has the PKI system check the validity of the identity certificate and then has the PMI system check whether the user has the authority to call the Web service; only when all checks pass is the user allowed to access the Web service, thus realizing secure Web service invocation. In that invention the user applies for an attribute certificate with an identity certificate, specifies the role applied for, and obtains the corresponding attribute certificate after administrator review. Rights and roles are granted primarily on individual application by the user; rights and roles for user groups cannot be defined, the number of supported users is limited, and numerous users who are not registered in the system cannot be supported.
The shortcoming shared by all the above technical schemes is that they cannot authorize large user groups (particularly numerous user groups that are not registered in the system) and issue the authorization information in the reliable form of attribute certificates, so as to realize unified user authorization management and secure access control for multiple application systems.
In a patent filed by our company at the same time, Authorization management system and implementation method thereof, an authorization management system and its implementation method are invented in which user groups are authorized and the authorization information is issued in the form of attribute certificates, so that unified user authorization information and secure access control can be provided for several application systems. The present invention makes a further improvement on that basis: several rights management sub-platforms are set up; each rights management sub-platform issues the authorization information between the user groups and application roles in its own administrative region in the form of attribute certificates and provides user authorization information for the application systems in that region; and the authorization information is uniformly monitored and shared through the rights management main platform. The present invention can effectively reduce the load placed on the system by a large number of concurrent users, expands flexibly, and can meet the needs of different capacities.
Our company has also filed another patent at the same time, Directory-based authorization management system and implementation method thereof, which invents a directory-based authorization management system and its implementation method: an authorization management platform performs rights management and secure access control for application systems and users in a unified manner, issues the authorization information between user groups and application roles in the form of attribute certificates, and sets up a corresponding local PMI slave directory server in each of several regions where users are concentrated; the PMI slave directory server copies the attribute certificates belonging to the local application devices to the local site according to a policy, thereby quickly providing user authorization information for the local application systems in that region. In the present invention, by contrast, the authorization information between the user groups and application roles in each administrative region is managed separately by a rights management sub-platform, and the rights management main platform exercises unified control and data sharing over all rights management sub-platforms; multiple rights management sub-platforms can be set up at any time according to practical application needs, so expansion is more flexible and the needs of different capacities can be met.
Summary of the invention
The technical problem to be solved by the present invention is to provide a distributed authorization management system and its implementation method which adopt PKI and PMI technology, set up several rights management sub-platforms, have each rights management sub-platform issue the authorization information between the user groups and application roles in its administrative region in the form of attribute certificates and provide user authorization information for the application systems in that region, and uniformly monitor and share the authorization information through the rights management main platform.
The present invention provides a distributed authorization management system comprising a rights management main platform, at least one rights management sub-platform, at least one middleware device, at least one application device and at least one user device, wherein:
the rights management main platform is used to register all rights management sub-platforms, to provide them with a directory service of user digital certificates, to sign the authorization information sent by the rights management sub-platforms into attribute certificates, and to aggregate and store the published data of all rights management sub-platforms;
the rights management sub-platform is used to establish the authorization relationships between the user groups and application roles included in the system, to send the authorization information to the rights management main platform, to provide the middleware devices with a directory service of the attribute certificates signed by the rights management main platform, and to synchronize data with the rights management main platform;
the middleware device is used to receive the user login request forwarded by an application device, to connect to a suitable rights management sub-platform according to the operating state of the rights management sub-platforms and the rights management sub-platform list, to search it for the user's attribute certificate corresponding to the application device, and to return the role information obtained from the attribute certificate to the application device;
the rights management main platform, rights management sub-platforms, middleware devices, application devices and user devices are connected to one another through a network.
The present invention also provides an implementation method for a distributed authorization management system, in which the rights management main platform, rights management sub-platforms, middleware devices, application devices and user devices are connected to one another through a network, comprising the following steps:
Step 1: the rights management sub-platform sends a registration request to the rights management main platform;
Step 2: the rights management main platform verifies the identity of the rights management sub-platform;
Step 3: the rights management main platform judges whether the identity of the rights management sub-platform has passed verification:
1. if verification fails, the rights management main platform returns an authentication failure message to the rights management sub-platform and proceeds to step 4;
2. if authentication passes, then
(1) the rights management main platform records the authentication information of the rights management sub-platform;
(2) the rights management main platform sends a rights management sub-platform list to the rights management sub-platform;
(3) the rights management sub-platform forwards the rights management sub-platform list to the middleware devices connected to it;
(4) the middleware devices store the rights management sub-platform list information;
Step 4: the flow ends.
Compared with the prior art, the beneficial effects of the invention are as follows:
Users' identity and attribute information is extracted from digital certificates, which guarantees the authenticity of user identity information; user groups are authorized by rule group, working group and individual, which supports numerous users who are not registered in the system; authorization information is issued using attribute certificates, which effectively prevents the possibility of human tampering; the authorization information between the user groups and application roles in each administrative region is managed and maintained separately by a rights management sub-platform, so application devices can quickly obtain user authorization information from the rights management sub-platform; the rights management main platform exercises unified control and data sharing over all rights management sub-platforms, so multiple rights management sub-platforms can be set up at any time according to practical application needs, expansion is flexible and the system's needs at different capacities can be met; all rights management sub-platforms share the attribute certificate issuing device of the rights management main platform, which reduces investment cost; and when a rights management sub-platform malfunctions, the middleware device can connect to another rights management sub-platform, which continues to provide authorization information, thereby improving system availability and reducing maintenance cost.
Description of drawings
Fig. 1 is the system deployment diagram.
Fig. 2 is the structure diagram of the distributed authorization management system.
Fig. 3 is the structure diagram of the rights management main platform.
Fig. 4 is the structure diagram of a rights management sub-platform.
Fig. 5 is the registration flow chart of a rights management sub-platform.
Fig. 6 is the attribute certificate issuing flow chart.
Fig. 7 is the flow chart for modifying authorization information.
Fig. 8 is the flow chart for a user logging in to an application device.
Embodiment
As shown in Figure 1, the physical deployment diagram of the distributed authorization management system, the system consists of a rights management main platform 1, at least one rights management sub-platform 2, at least one middleware device 3, at least one application device 4 and at least one user device 5, where rights management main platform 1, rights management sub-platform 2, middleware device 3, application device 4 and user device 5 are connected through a network. The user sends a login request to application device 4 through user device 5 in order to access the application's resource information. User device 5 may be a user computer, a mobile phone, etc.
As shown in Figure 2, the distributed authorization management system includes rights management main platform 1, rights management sub-platform 2 and middleware device 3.
Rights management main platform 1 is used to register all rights management sub-platforms 2, provide them with a directory service of user digital certificates, sign the authorization information sent by rights management sub-platforms 2 into attribute certificates, and aggregate and store the published data of the PMI directory servers 23 of all rights management sub-platforms 2.
Rights management sub-platform 2 is used to establish the authorization relationships between the user groups and application roles included in the system, send the authorization information to attribute certificate issuing device 11 of rights management main platform 1, provide middleware device 3 with a directory service of the attribute certificates signed by attribute certificate issuing device 11, and synchronize data with rights management main platform 1.
Middleware device 3 is used to receive the user login request forwarded by application device 4, connect to a suitable rights management sub-platform 2 according to the operating state of the rights management sub-platforms 2 and the rights management sub-platform 2 list, search its PMI directory server 23 for the user's attribute certificate corresponding to application device 4, and return the role information obtained from the attribute certificate to application device 4. The user attribute certificate may be a rule group, working group or individual attribute certificate, and the role information correspondingly includes rule group, working group or individual role information.
As shown in Figure 3, rights management main platform 1 includes attribute certificate issuing device 11, CA directory server 12, master control device 13 and PMI directory server 14.
Attribute certificate issuing device 11 is used to establish the attribute authority (AA) source, receive the authorization information sent by rights management sub-platform 2, sign the information into attribute certificates and return them to rights management sub-platform 2. Attribute certificate issuing device 11 reads the message in the specified format sent by rights management sub-platform 2, parses it to obtain the authorization information between user groups and application roles, signs the authorization information into an attribute certificate conforming to the RFC3281V4 standard format, and returns the attribute certificate to rights management sub-platform 2. If an authorization needs to be revoked, an attribute certificate revocation list (ACRL) is issued.
CA directory server 12 is used to provide, following the LDAP standard, a directory service of user digital certificates for rights management sub-platforms 2. The digital certificate information includes user and organizational structure information.
Master control device 13 is used to receive the registration request sent by rights management sub-platform 2 and, after its identity authentication passes, to send the rights management sub-platform 2 list to rights management sub-platform 2.
PMI directory server 14 is used to aggregate and store the published data of the PMI directory servers 23 of all rights management sub-platforms 2, and to provide a directory service of attribute certificates to each rights management sub-platform 2.
As shown in Figure 4, rights management sub-platform 2 includes PMS manager 21, rights management device 22 and PMI directory server 23.
PMS manager 21 is used for interaction between the administrator and the system; it may adopt a web-browser-based management mode, and the administrator can perform the following operations:
1. add and modify the registration information of application devices 4;
2. view personal information and related organizational structure information, and add and modify user group information such as rule group expressions, working groups and their members;
3. establish, modify and cancel the authorization relationships between user groups or individual users and application roles, together with the corresponding attribute certificates.
Rights management device 22 is used to maintain the authorization elements included in the system (user groups and application roles), establish the authorization relationships between user groups and application roles, send the authorization information to attribute certificate issuing device 11 of rights management main platform 1, and publish the attribute certificates it signs on PMI directory server 23. It also receives the connection request messages sent by middleware device 3, downloads from PMI directory server 14 of rights management main platform 1 the attribute certificates related to the application device 4 named in the connection request message, and publishes those attribute certificates on its own PMI directory server 23. The user groups include three types:
1. Rule group: a group expression is established according to relevant rules on the attribute information the users have, and the rule group expression is used to create the rule group. Rule groups are suitable for scenarios where the user base is large, the distribution area is wide, and it is impossible to register all users in application device 4.
2. Working group: when, because of the business development needs of application device 4, several users need to have the same role but a rule group cannot (or cannot conveniently) be created with a rule group expression, a working group can simply be created and those users placed in it.
3. Individual: scattered individual users.
PMI directory server 23 is used to provide, following the LDAP standard, a directory service of attribute certificates for middleware device 3, and to upload data to PMI directory server 14 of rights management main platform 1. It provides middleware device 3 with a directory service of rule group attribute certificates, working group attribute certificates and individual attribute certificates, and deletes the corresponding attribute certificates according to the attribute certificate revocation lists sent by rights management device 22. The attribute certificates include the following kinds:
1. Rule group attribute certificate, defining the authorization relationship between a rule group and an application role; it includes the XML encoding of the rule group definition, the local application device 43, the application role, the validity period and other information.
2. Working group attribute certificate, defining the authorization relationship between a working group and an application role; it includes the working group name, the working group members, the local application device 43, the application role, the validity period and other information.
3. Individual attribute certificate, defining the authorization relationship between an individual user and an application role; it includes the individual user, the local application device 43, the application role, the validity period and other information.
When a rights management sub-platform 2 is newly added to the system, the rights management sub-platform 2 needs to register with rights management main platform 1. As shown in Figure 5, the registration flow of rights management sub-platform 2 is as follows:
Step 1: rights management device 22 of rights management sub-platform 2 sends a registration request to rights management main platform 1 (step S1001); the registration request includes the location and other information of rights management sub-platform 2;
Step 2: master control device 13 of rights management main platform 1 verifies the identity of rights management sub-platform 2 (step S1002);
Step 3: master control device 13 of rights management main platform 1 judges whether the identity of rights management sub-platform 2 has passed verification (step S1003); master control device 13 may authenticate rights management sub-platform 2 according to the digital certificate it provides:
1. if verification fails, master control device 13 returns an authentication failure message to rights management sub-platform 2 (step S1004) and proceeds to step 4 (step S1009);
2. if authentication passes, then
(1) master control device 13 records the authentication information of rights management sub-platform 2 (step S1005);
(2) master control device 13 sends a rights management sub-platform 2 list to rights management sub-platform 2 (step S1006); the rights management sub-platform 2 list includes the location information of all rights management sub-platforms 2, arranged in a certain priority order, so that when middleware device 3 detects that the rights management sub-platform 2 it is connected to is malfunctioning, it connects in priority order to the other rights management sub-platforms 2 in the list, ensuring that the system can continue to work normally;
(3) rights management sub-platform 2 forwards the rights management sub-platform 2 list to the middleware device 3 connected to it (step S1007);
(4) middleware device 3 stores the rights management sub-platform 2 list information (step S1008);
Step 4: the flow ends (step S1009).
After rights management sub-platform 2 completes registration, it sends the authorization information between the user groups in its area of jurisdiction and the application roles to rights management main platform 1, publishes the attribute certificates signed via rights management main platform 1 on PMI directory server 23, and keeps data synchronized with rights management main platform 1. As shown in Figure 6, the specific steps are as follows:
Step 1: rights management device 22 of rights management sub-platform 2 obtains digital certificates from CA directory server 12 of rights management main platform 1 and reads personnel and corresponding organization information (step S2001);
Step 2: rights management device 22 generates user groups (step S2002);
The generation process of a rule group is as follows: the administrator defines a rule group expression through PMS manager 21, and rights management device 22 reads the user attribute information in the digital certificates according to the rule group expression and creates the corresponding rule group. For example, the administrator defines the rule group expression:
((city=Beijing && organization=parent company)) && (department=research and development centre) && ((position=principal) || (position=deputy)),
Rights management device 22 reads attribute information such as the user's city, organization, department and position from the digital certificates and creates the corresponding rule group: the leaders of the research and development centre of the parent company in Beijing.
The generation process of a working group is as follows: the administrator views personal information and related organizational structure information through PMS manager 21 and selects certain personnel on the organization tree to define a working group; rights management device 22 reads the working group information defined by the administrator and creates the corresponding working group.
Step 3: rights management device 22 reads application devices 4 and their corresponding application role information (step S2003). As shown in Table 1, application roles can be divided according to the user's city, organization, department and position, and each application role corresponds to a unique role code.
Table 1: mapping table of application roles and role codes
[Table 1 image not reproduced]
Step 4: rights management device 22 establishes the authorization relationships between user groups and application roles (step S2004);
The administrator can define the authorization relationships between user groups and application roles through PMS manager 21, and rights management device 22 reads them and establishes the corresponding authorization relationships. Table 2 shows the mapping table between rule groups and application roles.
Table 2: mapping table of application roles, role codes and rule group expressions
[Table 2 image not reproduced]
Step 5: rights management device 22 sends the authorization information to attribute certificate issuing device 11 of rights management main platform 1 (step S2005);
Step 6: attribute certificate issuing device 11 signs the attribute certificate and returns it to rights management device 22 of rights management sub-platform 2 (step S2006);
Step 7: rights management device 22 publishes the attribute certificate on PMI directory server 23 (step S2007);
Step 8: PMI directory server 23 uploads data to PMI directory server 14 of rights management main platform 1 (step S2008).
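The rule group evaluation in step 2 and the rule-group-to-role mapping of steps 3 to 5, as an added example that is not the patent's own code: it compiles a rule group expression in the page's syntax into a predicate, evaluates it over user attributes read from digital certificates, and builds the authorization records a sub-platform would send for signing. Attribute names, sample subjects, role codes and the record layout are assumptions.

```python
"""Added example, not the patent's code: compile a rule group expression in
the page's own syntax into a predicate, evaluate it over user attributes read
from digital certificates, and build the authorization records (rule group ->
application role) a sub-platform would send to issuing device 11 for signing.
Attribute names, sample subjects and role codes are constructed."""
import re

# Constructed sample of the attributes rights management device 22 reads from
# the digital certificates on CA directory server 12, keyed by subject.
USER_CERT_ATTRS = {
    "CN=Zhang,OU=RD": {"city": "Beijing", "organization": "parent company",
                       "department": "research and development centre", "position": "principal"},
    "CN=Li,OU=RD": {"city": "Beijing", "organization": "parent company",
                    "department": "research and development centre", "position": "deputy"},
    "CN=Wang,OU=RD": {"city": "Beijing", "organization": "parent company",
                      "department": "research and development centre", "position": "engineer"},
    "CN=Zhao,OU=RD": {"city": "Shanghai", "organization": "branch",
                      "department": "research and development centre", "position": "principal"},
}

# The page's example rule group expression, with attribute names translated.
RULE_EXPR = ("((city=Beijing && organization=parent company)) && "
             "(department=research and development centre) && "
             "((position=principal) || (position=deputy))")

# Tokens: parentheses, the two operators, and name=value terms (values may
# contain spaces but not parentheses or operator characters).
_TOKEN = re.compile(r"\(|\)|&&|\|\||[A-Za-z_]+=[^()&|]+")


def compile_rule(expr):
    """Parse a rule group expression into a predicate over an attribute dict.
    Grammar, with && binding tighter than ||:
        or := and ('||' and)*   and := atom ('&&' atom)*   atom := '(' or ')' | name=value
    """
    tokens = [t.strip() for t in _TOKEN.findall(expr)]
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of expression")
        pos += 1
        return tokens[pos - 1]

    def parse_or():
        node = parse_and()
        while peek() == "||":
            take()
            node = (lambda l, r: lambda a: l(a) or r(a))(node, parse_and())
        return node

    def parse_and():
        node = parse_atom()
        while peek() == "&&":
            take()
            node = (lambda l, r: lambda a: l(a) and r(a))(node, parse_atom())
        return node

    def parse_atom():
        tok = take()
        if tok == "(":
            node = parse_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if "=" not in tok:
            raise ValueError("bad term %r" % tok)
        name, _, value = tok.partition("=")
        # A missing attribute never matches, so an incomplete certificate
        # cannot satisfy a rule by accident.
        return lambda a, n=name.strip(), v=value.strip(): a.get(n) == v

    pred = parse_or()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return pred


def build_rule_group(expr, cert_attrs):
    """Step S2002: the subjects whose certificate attributes satisfy the rule."""
    pred = compile_rule(expr)
    return sorted(s for s, attrs in cert_attrs.items() if pred(attrs))


def build_authorization_records(mappings, cert_attrs, validity_days=365):
    """Steps S2003-S2005: one record per rule group -> application role
    relationship (a row of Table 2), in the shape that issuing device 11
    signs into a rule group attribute certificate."""
    return [{"application": m["application"], "role_code": m["role_code"],
             "rule_expression": m["rule"], "validity_days": validity_days,
             "members": build_rule_group(m["rule"], cert_attrs)}
            for m in mappings]
```

Because the expression is compiled once and applied to every certificate, the same predicate can be re-run whenever CA directory server 12 delivers updated certificates, which is how a rule group tracks attribute changes without re-registering users.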
If the authorization information for user groups and application roles within the scope of rights management sub-platform 2 changes, for example because the administrator modifies the authorization relation between a user group and an application role, rights management sub-platform 2 revokes the old attribute certificate and produces a new one according to the changed content, while keeping its data synchronized with rights management master platform 1. As shown in Figure 7, the concrete steps are as follows:
Step 1: the administrator of rights management sub-platform 2 modifies the authorization information through the PMS management device (step S3001);
Step 2: the PMS management device forwards the request to modify the authorization information to rights management device 22 (step S3002);
Step 3: rights management device 22 reads the message and searches the database for the attribute certificates related to the modified information (step S3003);
Step 4: rights management device 22 adds those attribute certificates to the attribute certificate revocation list (ACRL) and sends the ACRL together with the newly produced authorization relation to attribute certificate issuing device 11 of rights management master platform 1 (step S3004);
Step 5: attribute certificate issuing device 11 issues the new attribute certificate and the ACRL and returns them to rights management device 22 of rights management sub-platform 2 (step S3005);
Step 6: rights management device 22 sends the new attribute certificate and the ACRL to PMI directory server 23 (step S3006);
Step 7: PMI directory server 23 deletes the attribute certificates listed in the ACRL and publishes the new attribute certificate (step S3007);
Step 8: PMI directory server 23 uploads the data to PMI directory server 14 of rights management master platform 1 (step S3008).
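The grant-and-revoke cycle described above (the rule groups of Tables 1 and 2, the issuance steps S2004 to S2008 and the revocation steps of Figure 7), as an added worked example that is not code from the patent: a rule-group expression selects users by city, organization, department and post; the master platform's issuing device signs a user-group-to-role binding as an attribute certificate; a change to the grant puts the old certificate on the ACRL, deletes it from both directories and publishes a replacement. All class and function names are assumptions, and an HMAC over the certificate body stands in for the attribute authority's signature so that the example runs offline.

```python
"""Added example, not the patent's own code: user-group -> application-role
authorization (Tables 1-2), attribute-certificate (AC) issuance by the master
platform's issuing device, and the ACRL-driven re-issuance of Fig. 7.
Assumptions: the class/function names, the rule-group expression format, and a
keyed hash (HMAC) standing in for the attribute authority's signature."""
import hashlib
import hmac
import itertools
import json
from dataclasses import dataclass

# Constructed secret standing in for the attribute authority's private key.
AA_KEY = b"constructed-demo-key"
_serials = itertools.count(1)


@dataclass(frozen=True)
class User:
    name: str
    city: str
    org: str
    dept: str
    post: str


class RuleGroup:
    """Rule-group expression of Table 2: a user belongs to the group when every
    listed attribute (city, org, dept, post) matches."""

    def __init__(self, **conditions):
        self.conditions = conditions

    def matches(self, user: User) -> bool:
        return all(getattr(user, k) == v for k, v in self.conditions.items())


def issue_ac(group_id: str, app_id: str, role_code: str) -> dict:
    """AC issuing device (master platform): bind a user group to an application
    role code (Table 1) and sign the binding. HMAC is the stand-in signature."""
    body = {"serial": next(_serials), "group": group_id, "app": app_id, "role": role_code}
    payload = json.dumps(body, sort_keys=True).encode()
    body["sig"] = hmac.new(AA_KEY, payload, hashlib.sha256).hexdigest()
    return body


def verify_ac(ac: dict) -> bool:
    """Relying-party check: recompute the stand-in signature over the body."""
    body = {k: v for k, v in ac.items() if k != "sig"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(AA_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(ac.get("sig", ""), expected)


class SubPlatform:
    """Rights-management sub-platform: owns the groups, asks the master platform
    for ACs, publishes them on its PMI directory and syncs to the master's."""

    def __init__(self, master_dir: dict):
        self.master_dir = master_dir   # master platform PMI directory (serial -> AC)
        self.pmi_dir = {}              # own PMI directory server (serial -> AC)
        self.groups = {}               # group id -> RuleGroup
        self.acrl = set()              # serials revoked so far

    def define_group(self, group_id: str, **conditions):
        self.groups[group_id] = RuleGroup(**conditions)

    def authorize(self, group_id: str, app_id: str, role_code: str) -> dict:
        """Steps S2004-S2008: create the grant, get it signed, publish, upload."""
        ac = issue_ac(group_id, app_id, role_code)
        self.pmi_dir[ac["serial"]] = ac
        self.master_dir[ac["serial"]] = ac
        return ac

    def modify(self, group_id: str, app_id: str, new_role: str):
        """Steps S3003-S3008: find the ACs the change touches, revoke them via
        the ACRL, issue the replacement and keep both directories in sync."""
        revoked = sorted(s for s, ac in self.pmi_dir.items()
                         if ac["group"] == group_id and ac["app"] == app_id)
        for serial in revoked:
            self.acrl.add(serial)
            del self.pmi_dir[serial]           # S3007: delete per ACRL
            self.master_dir.pop(serial, None)  # S3008: sync the deletion upward
        return revoked, self.authorize(group_id, app_id, new_role)

    def roles_for(self, user: User, app_id: str) -> list:
        """What a middleware reads from the directory: roles granted by valid,
        unrevoked ACs whose group expression matches the user."""
        return sorted(ac["role"] for serial, ac in self.pmi_dir.items()
                      if ac["app"] == app_id and serial not in self.acrl
                      and verify_ac(ac) and self.groups[ac["group"]].matches(user))
```

`roles_for` takes roles only from certificates that verify, are not on the ACRL and whose group expression matches the user; a certificate whose role field has been altered after issuance fails `verify_ac` even though it sits in the directory, which is why the signature rather than the directory entry is the authority a relying party trusts.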
As shown in Figure 8, the user logs in to application apparatus 4 with a digital certificate, application apparatus 4 obtains the user's corresponding application role through middleware device 3 and grants the user the corresponding access rights. The concrete steps are as follows:
Step 1: the user logs in to application apparatus 4 with a digital certificate (step S4001);
Step 2: application apparatus 4 forwards the user's login request to middleware device 3 (step S4002);
Step 3: middleware device 3 verifies the user's digital certificate information (step S4003);
Step 4: middleware device 3 judges whether the user's digital certificate passes verification (step S4004); if it does not, go to step 7 (step S4012) and the flow ends.
Step 5: middleware device 3 judges whether rights management sub-platform 2 is working normally (step S4005).
① If it is not working normally, middleware device 3 obtains the user's attribute certificate corresponding to application apparatus 4 from PMI directory server 23 of rights management sub-platform 2 and returns the corresponding application role information to application apparatus 4 (step S4006).
② If it is working normally:
(1) middleware device 3 uses the stored list of rights management sub-platforms 2 and sends a request connection message to the other rights management sub-platforms 2 in the list; the request connection message contains the information of all application apparatus 4 connected to the middleware (step S4007);
(2) rights management device 22 of each of the other rights management sub-platforms 2 reads the request connection message, downloads from PMI directory server 14 of rights management master platform 1 the attribute certificates relevant to the application apparatus 4 listed in the request connection message, and publishes them on its own PMI directory server 23 (step S4008);
(3) rights management device 22 of the other rights management sub-platforms 2 returns a connection-success message to middleware device 3 (step S4009);
(4) middleware device 3 obtains the user's attribute certificate corresponding to application apparatus 4 from PMI directory server 23 of the other rights management sub-platforms 2 and returns the corresponding application role information to application apparatus 4 (step S4010);
Step 6: application apparatus 4 grants the user the corresponding access rights according to the application role information (step S4011);
Step 7: the flow ends (step S4012).
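The login flow of Figure 8 as an added example over constructed directory records (not the patent's code). It assumes that each directory record carries the holder's DN directly rather than a user group, that the user-certificate check of step S4003 is a lookup against the CA directory's list of valid certificates, and that the local sub-platform is consulted while it is healthy and the other sub-platforms on the saved list only when it is not; a sub-platform that accepts a connection request pulls the relevant certificates from the master platform's directory, as in step S4008. All names, the health flag and the sample records are constructed.

```python
"""Added example, not the patent's code: middleware lookup of Fig. 8 with
constructed PMI directory records. Assumes: records keyed by holder DN, a
CA-directory lookup as the user-certificate check, and local-while-healthy /
peers-otherwise as the branch of step S4005."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class SubPlatformDirectory:
    """PMI directory server of one rights-management sub-platform (constructed)."""
    name: str
    healthy: bool
    acs: dict                                # serial -> attribute certificate record
    acrl: set = field(default_factory=set)   # serials revoked by the issuing device

    def connect(self, apps, master_acs):
        """Steps S4008/S4009: on a request connection message, download the ACs
        relevant to the requesting middleware's applications from the master
        platform's directory and report success."""
        if not self.healthy:
            return False
        for serial, ac in master_acs.items():
            if ac["app"] in apps:
                self.acs[serial] = ac
        return True

    def lookup(self, holder, app, today):
        """Roles in ACs for (holder, app) that are neither revoked nor expired."""
        return sorted(ac["role"] for serial, ac in self.acs.items()
                      if ac["holder"] == holder and ac["app"] == app
                      and serial not in self.acrl
                      and date.fromisoformat(ac["not_after"]) >= today)


# Constructed: the CA directory's view of valid user certificates (DN -> serial).
VALID_USER_CERTS = {"CN=zhang": "1001", "CN=li": "1002"}


def verify_user_certificate(user_dn, serial):
    """Step S4003: stand-in for the chain and validity check against the CA directory."""
    return VALID_USER_CERTS.get(user_dn) == serial


def middleware_login(user_dn, serial, app, local, peers, master_acs, today=date(2025, 1, 1)):
    """Steps S4003-S4010: returns (status, roles) for the application apparatus."""
    if not verify_user_certificate(user_dn, serial):
        return "rejected", []                                   # S4004 failed -> S4012
    if local.healthy:                                           # S4005 (assumed branch direction)
        return "granted", local.lookup(user_dn, app, today)     # S4006
    for peer in peers:                                          # S4007: ask each listed peer
        if peer.connect({app}, master_acs):                     # S4008/S4009
            return "granted", peer.lookup(user_dn, app, today)  # S4010
    return "unavailable", []                                    # no sub-platform reachable


def grant_permissions(roles):
    """Step S4011: the application maps role codes to access rights (constructed table)."""
    rights = {"R001": {"read"}, "R002": {"read", "write"}}
    return set().union(*(rights.get(r, set()) for r in roles))


# Constructed sample data: master directory, a local sub-platform that has
# revoked serial 2, one unreachable peer and one reachable peer.
MASTER_ACS = {
    1: {"app": "APP01", "holder": "CN=zhang", "role": "R001", "not_after": "2030-12-31"},
    2: {"app": "APP01", "holder": "CN=zhang", "role": "R002", "not_after": "2030-12-31"},
    3: {"app": "APP01", "holder": "CN=li", "role": "R002", "not_after": "2010-12-31"},  # expired
}
LOCAL = SubPlatformDirectory("sub-A", healthy=True, acs=dict(MASTER_ACS), acrl={2})
PEER_DOWN = SubPlatformDirectory("sub-B", healthy=False, acs={})
PEER_UP = SubPlatformDirectory("sub-C", healthy=True, acs={})
```

In the failover case the peer publishes whatever the master directory holds, so a revocation that has not yet been uploaded by step S3008 is invisible there: the same user who gets only R001 from the local directory gets R001 and R002 through a peer fed from an un-synced master. That gap is the operational reason the sub-platform's upload must follow every revocation, and why the middleware's own ACRL and validity checks are worth keeping even when the directory is trusted.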
Finally, it should be noted that the above embodiments only explain, and do not limit, the technical solution described in the invention. Therefore, although this specification has described the invention in detail with reference to the above embodiments, those of ordinary skill in the art should understand that the invention may still be modified or equivalently replaced, and that all technical solutions and improvements that do not depart from the spirit and scope of the invention should be covered by the scope of the claims.

Claims (7)

1. A distributed authorization management system, comprising a rights management master platform, at least one rights management sub-platform, at least one middleware device, at least one application apparatus and at least one user device, characterized in that:
the rights management master platform registers all rights management sub-platforms, provides them with a directory service for user digital certificates, issues the authorization information sent by the rights management sub-platforms as attribute certificates, and gathers and stores the published data of all rights management sub-platforms;
the rights management sub-platform establishes the authorization relations between the user groups contained in the system and the application roles, sends the authorization information to the rights management master platform, provides the middleware device with a directory service for the attribute certificates issued by the rights management master platform, and keeps its data synchronized with the rights management master platform;
the middleware device receives the user login request forwarded by the application apparatus, connects to a suitable rights management sub-platform according to the operating state of the rights management sub-platform and the rights management sub-platform list, searches that sub-platform for the user's attribute certificate corresponding to the application apparatus, and returns the role information obtained from the attribute certificate to the application apparatus;
the rights management master platform, rights management sub-platform, middleware device, application apparatus and user device are connected through a network.
2. The distributed authorization management system according to claim 1, characterized in that the rights management master platform comprises:
an attribute certificate issuing device for establishing the attribute authority (AA) source, receiving the authorization information sent by the rights management sub-platform, issuing it as an attribute certificate and returning the certificate to the rights management sub-platform;
a CA directory server for providing, in accordance with the LDAP standard, a directory service for user digital certificates to the rights management sub-platform;
a master control device for receiving the registration request sent by the rights management sub-platform and, after its authentication passes, sending the rights management sub-platform list to the rights management sub-platform;
a PMI directory server for gathering and storing the published data of all rights management sub-platforms and providing each rights management sub-platform with a directory service for attribute certificates.
3. The distributed authorization management system according to claim 1, characterized in that the rights management sub-platform comprises:
a PMS manager for interaction between the administrator and the system;
a rights management device for maintaining the authorization elements contained in the system (user groups and application roles), establishing the authorization relations between user groups and application roles, sending the authorization information to the attribute certificate issuing device of the rights management master platform, publishing the attribute certificates it issues on the PMI directory server, and also receiving the request connection messages sent by the middleware device, downloading from the PMI directory server of the rights management master platform the attribute certificates relevant to the application apparatus listed in the request connection message, and publishing those attribute certificates on its own PMI directory server;
a PMI directory server for providing, in accordance with the LDAP standard, a directory service for attribute certificates to the middleware device, and for uploading data to the PMI directory server of the rights management master platform.
4. An implementation method for a distributed authorization management system in which the rights management master platform, rights management sub-platform, middleware device, application apparatus and user device are connected through a network, characterized in that it comprises the following steps:
Step 1: the rights management sub-platform sends a registration request to the rights management master platform;
Step 2: the rights management master platform verifies the identity of the rights management sub-platform;
Step 3: the rights management master platform judges whether the identity of the rights management sub-platform passes verification:
① if it does not, the rights management master platform returns an authentication failure message to the rights management sub-platform and goes to step 4;
② if it does:
(1) the rights management master platform records the authentication information of the rights management sub-platform;
(2) the rights management master platform sends a rights management sub-platform list to the rights management sub-platform;
(3) the rights management sub-platform forwards the rights management sub-platform list to the middleware devices connected to it;
(4) the middleware device stores the rights management sub-platform list information;
Step 4: the flow ends.
5. The method according to claim 4, characterized in that it further comprises the following steps:
Step 1: the rights management sub-platform obtains digital certificates from the rights management master platform and reads the personnel and their corresponding organization information;
Step 2: the rights management sub-platform generates the user groups;
Step 3: the rights management sub-platform reads the application apparatus and its corresponding application role information;
Step 4: the rights management sub-platform establishes the authorization relation between user groups and application roles;
Step 5: the rights management sub-platform sends the authorization information to the rights management master platform;
Step 6: the rights management master platform issues the attribute certificate and returns it to the rights management sub-platform;
Step 7: the rights management sub-platform publishes the attribute certificate;
Step 8: the rights management sub-platform uploads the data to the rights management master platform.
6. The method according to claim 5, characterized in that it further comprises the following steps:
Step 1: the administrator modifies the authorization information through the rights management sub-platform;
Step 2: the rights management sub-platform searches for the attribute certificates related to the modified information;
Step 3: the rights management sub-platform adds those attribute certificates to the attribute certificate revocation list and sends the attribute certificate revocation list together with the newly produced authorization relation to the rights management master platform;
Step 4: the rights management master platform issues the new attribute certificate and the attribute certificate revocation list and returns them to the rights management sub-platform;
Step 5: the rights management sub-platform deletes the attribute certificates listed in the attribute certificate revocation list and publishes the new attribute certificate;
Step 6: the rights management sub-platform uploads the data to the rights management master platform.
7. The method according to claim 5, characterized in that it further comprises the following steps:
Step 1: the user logs in to the application apparatus with a digital certificate;
Step 2: the application apparatus forwards the user's login request to the middleware device;
Step 3: the middleware device verifies the user's digital certificate information;
Step 4: the middleware device judges whether the user's digital certificate passes verification; if it does not, go to step 7 and the flow ends;
Step 5: the middleware device judges whether the rights management sub-platform is working normally:
① if it is not working normally, the middleware device obtains the user's attribute certificate corresponding to the application apparatus from the PMI directory server of the rights management sub-platform and returns the corresponding application role information to the application apparatus;
② if it is working normally:
(1) the middleware device uses the stored rights management sub-platform list and sends a request connection message to the other rights management sub-platforms in the list;
(2) the other rights management sub-platforms read the request connection message, download from the rights management master platform the attribute certificates relevant to the application apparatus listed in the request connection message, and publish those attribute certificates;
(3) the other rights management sub-platforms return a connection-success message to the middleware device;
(4) the middleware device obtains the user's attribute certificate corresponding to the application apparatus from the other rights management sub-platforms and returns the corresponding application role information to the application apparatus;
Step 6: the application apparatus grants the user the corresponding access rights according to the application role information;
Step 7: the flow ends.
Application CN200910217966.XA, filed 2009-12-08 (priority date 2009-12-08): Authorization management system and implementation method thereof; granted as CN102088351B (en), status active. The same application is the sole priority application, application claiming priority and family application.

Publications (2)

Publication Number   Publication Date
CN102088351A         2011-06-08
CN102088351B         2014-10-08

Family ID: 44099974

Country Status (1): CN, CN102088351B (en)


Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080120302A1 (en) * 2006-11-17 2008-05-22 Thompson Timothy J Resource level role based access control for storage management


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
李兴唐: "Role-based rights management system", master's thesis *

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103166911A (en) * 2011-12-09 2013-06-19 阿里巴巴集团控股有限公司 Version management server authority management method and version management server authority management equipment
CN103490886A (en) * 2012-06-12 2014-01-01 阿里巴巴集团控股有限公司 Permission data validation method, device and system
CN103490886B (en) * 2012-06-12 2017-04-05 阿里巴巴集团控股有限公司 The verification method of permissions data, apparatus and system
CN102843261A (en) * 2012-09-18 2012-12-26 平顶山中选自控系统有限公司 Role-based distributed authority management method for manufacturing execution system (MES) for coal preparation plant
CN102843261B (en) * 2012-09-18 2015-11-18 平顶山中选自控系统有限公司 A kind of distributed right management method of coal preparation plant MES based role
CN103870727B (en) * 2012-12-17 2018-02-02 百度在线网络技术(北京)有限公司 A kind of method and system for being managed collectively authority
CN103870727A (en) * 2012-12-17 2014-06-18 百度在线网络技术(北京)有限公司 Unified authority management method and system
CN103067463B (en) * 2012-12-19 2016-05-11 新浪网技术(中国)有限公司 user root authority centralized management system and management method
CN103067463A (en) * 2012-12-19 2013-04-24 新浪网技术(中国)有限公司 Centralized management system and centralized management method for user root permission
CN103220172A (en) * 2013-04-08 2013-07-24 杭州华三通信技术有限公司 Device and method based on LDAP (lightweight directory access protocol) user authorization management
CN103281313A (en) * 2013-05-14 2013-09-04 成都交大光芒科技股份有限公司 Distribution-based authority management method for rail transportation integrated monitoring and controlling system
CN103281313B (en) * 2013-05-14 2016-03-02 成都交大光芒科技股份有限公司 Based on distributed right management method in track traffic synthetic monitoring system
CN104301149A (en) * 2014-10-27 2015-01-21 浪潮(北京)电子信息产业有限公司 A multi-data center rights management method and system
CN105656642A (en) * 2014-11-03 2016-06-08 北京确安科技股份有限公司 Method for realizing authority management of integrated circuit test management system with INI
CN105357197A (en) * 2015-11-03 2016-02-24 浪潮集团有限公司 Cloud computing platform identity authentication and authority management system and method
CN106681999A (en) * 2015-11-05 2017-05-17 阿里巴巴集团控股有限公司 Data table inquiry method and equipment
CN105787317A (en) * 2016-03-23 2016-07-20 中国电力科学研究院 Permission control method based on multi-layer hierarchy system
CN107276965A (en) * 2016-04-07 2017-10-20 阿里巴巴集团控股有限公司 The authority control method and device of service discovery component
CN106847116A (en) * 2016-12-28 2017-06-13 重庆金鑫科技产业发展有限公司 A kind of Intelligent electronic table tablet and a kind of conference system
CN107145777A (en) * 2017-05-09 2017-09-08 郑州云海信息技术有限公司 Authorization management method for virtualization management system client
CN107332840B (en) * 2017-06-28 2020-04-21 中国南方电网有限责任公司超高压输电公司检修试验中心 Rights intelligent management system and method thereof
CN107332840A (en) * 2017-06-28 2017-11-07 中国南方电网有限责任公司超高压输电公司检修试验中心 Authority intelligent management system and its method
CN107770190A (en) * 2017-11-02 2018-03-06 山东浪潮通软信息科技有限公司 A kind of right management method and device
CN107770190B (en) * 2017-11-02 2020-06-23 浪潮通用软件有限公司 Authority management method and device
CN108282480B (en) * 2018-01-29 2021-08-13 龙凯 A user-authorized multi-party monitoring and sharing method and system
CN108282480A (en) * 2018-01-29 2018-07-13 五维引力(上海)数据服务有限公司 A kind of user's mandate is multi-party to monitor sharing method and system
CN108616508A (en) * 2018-03-29 2018-10-02 北京信安世纪科技股份有限公司 Based on the role of application system in unification authentication platform reverse authorization method and system
CN109061352A (en) * 2018-08-31 2018-12-21 浙江宏森科技有限公司 Security protection event looks into the self-service clearing system and method for mechanism
CN113542288A (en) * 2019-10-11 2021-10-22 支付宝(杭州)信息技术有限公司 Service authorization method, device, equipment and system
CN113542288B (en) * 2019-10-11 2023-06-30 支付宝(杭州)信息技术有限公司 Service authorization method, device, equipment and system
CN111783042A (en) * 2020-06-30 2020-10-16 北京金山云网络技术有限公司 Database access control method, device, database host system and electronic device
WO2021139319A1 (en) * 2020-08-06 2021-07-15 平安科技(深圳)有限公司 Multi-platform permissions unified management method and apparatus, terminal, and storage medium
CN111914296A (en) * 2020-08-06 2020-11-10 平安科技(深圳)有限公司 Multi-platform authority unified management method, device, terminal and storage medium
CN114928539A (en) * 2022-05-13 2022-08-19 中国广电广州网络股份有限公司 Broadcasting and television coaxial network data management method
CN114928539B (en) * 2022-05-13 2023-08-15 中国广电广州网络股份有限公司 Broadcast television coaxial network data management method



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant