[0039] The core idea of the present invention is to provide a centralized user security management method and device, which uses a centralized user management domain to realize secure centralized user management, authorization, authentication and audit, and achieves the effect of single sign-on.
[0040] The present invention provides a centralized user security management device. An embodiment of the architecture is shown in Figure 1. The device includes: a centralized user management domain and multiple application domains;
[0041] The centralized user management domain is used for unified management of multiple application domains, and includes at least a centralized user management and authorization service entity and a centralized user authentication and audit service entity; the centralized user management and authorization service entity is used to realize unified management and authorization of users, and the authorization strategy can be defined by users according to their actual needs and stored in the LDAP (Lightweight Directory Access Protocol) database;
[0042] The centralized user authentication and audit service entity is used to provide centralized authentication, permission verification and logging services, and is responsible for judging whether a user's operation meets the rules and recording the operation information; multiple instances of this entity can be deployed on different servers to improve the performance of authentication and permission verification. The authentication strategy can be defined by the application domain itself and stored in the audit database;
[0043] The centralized user management domain provides a variety of service interfaces externally, such as a security agent interface, a user management and authorization interface, a login/authentication/logging interface, etc., so that each application domain can customize a more flexible and convenient authorization view through these interfaces; using the security agent interface, the centralized user management domain can obtain the security object information of the application domain;
[0044] The application domain is an independent business system. As shown in Figure 2, each application domain includes security objects and access behaviors; the security objects are objects in the application domain that require security authority control, such as devices, directories, etc. Each security object includes basic attributes such as security object type, subtype, object ID, etc.; the access behaviors are the definitions of the access behaviors that need to be controlled for each security object type, including add, delete, modify, read, etc., and each security object can correspond to multiple access behaviors;
[0045] The centralized user management domain manages users in the form of user groups. A user group is a collection of users; a user group can be bound to multiple roles and can contain multiple users; each user can be bound to multiple roles and can belong to multiple user groups; a role is a collection of security objects and corresponding access behaviors, and each application domain can contain multiple roles. Roles can be presented during the interaction between the application domain and the centralized user management domain, as shown in Figure 2 for application domain A; an application domain can also interact directly with the centralized user management domain in the form of security objects and access behaviors, as shown in Figure 2 for application domain B. Information such as the types and subtypes of security objects in the above application domains and the access behaviors corresponding to each type is predefined and stored centrally in the LDAP server or database.
[0046] The structure of another embodiment of the device of the present invention is shown in Fig. 3. The difference between this embodiment and the above-mentioned embodiment is that a domain security object service entity replaces the original security agent interface: each application domain actively synchronizes and updates the security object information of the domain that needs to be managed by sending it to the domain security object service entity, and the centralized user management and authorization service entity and the centralized user authentication and audit service entity obtain the security object information of each application domain from the domain security object service entity.
[0047] The present invention provides a centralized user security management method, which specifically includes the following steps:
[0048] Step 1: Assign permissions to users, and use centralized security management strategies to manage users;
[0049] The centralized user management and authorization service entity assigns permissions to users. The process is shown in Figure 4, which specifically includes the following operations:
[0050] Step 10: The centralized user management and authorization service entity receives the user role authorization request;
[0051] Step 11: The centralized user management and authorization service entity obtains the role list in the application domain from each application domain in turn. The role list contains multiple roles; if there is no role definition in the application domain, the security objects and corresponding access behaviors are obtained directly. After obtaining the role list of each application domain, a role, or a security object and access behavior, is selected for the user from it; multiple roles or security objects and access behaviors can be selected;
[0052] Step 12: Bind the selected role or security object and access behavior to the role of the user in the centralized user management domain;
[0053] Step 13: Save the user role determined above in the LDAP server or database, and the process of assigning permissions is completed;
[0054] Operations supported by the centralized user management and authorization service entity include: reading, creating, modifying and deleting users/user groups/roles; adding and deleting users/roles in user groups; assigning roles to users/user groups or cancelling such assignments; and assigning permissions to roles;
[0055] Step 2: Under the condition of being assigned permissions, realize the single sign-on operation of centralized user authentication and audit services:
[0056] The operation process is shown in Figure 5, which specifically includes the following steps:
[0057] Step 20: The authorized user logs in to an application domain, and the centralized user authentication and audit service entity verifies the user name and password;
[0058] Step 21: After the centralized user authentication and audit service entity verifies the user name and password, it sends a token to the user, that is, assigns the user a unique identifier for the current session, which may be a byte sequence;
[0059] Step 22: After the user obtains the token, the user carries the token to perform the corresponding operation in the logged-in application domain, and the performed operation is any one of the roles or security objects and access behaviors selected in the above authorization process;
[0060] Step 23: After the user has performed the above-mentioned application domain operations, the token can be carried as needed to perform operations in other application domains. Each application domain operation performed requires the centralized user authentication and audit service entity to perform an authentication (permission verification) operation.
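The following is an added example and not code from the patent: a small in-memory model of the permission assignment of Step 1 (paragraphs [0044] to [0054]: security objects, access behaviors, roles, user groups, and domain A's role-based versus domain B's direct object/behavior binding) and of the single sign-on flow of Step 2 (paragraphs [0055] to [0060]: password check, session token as a byte sequence, and a per-operation permission check with an audit record). The class names, the sample domains "A" and "B", the user "alice", her password and the object IDs are all constructed assumptions; the LDAP server and the audit database of the patent are replaced by Python dictionaries.

```python
"""Constructed illustration of the centralized user management domain of [0044]-[0060].
Not code from the patent: class names, sample domains "A"/"B", users and credentials are
assumptions, and the LDAP server / audit database are replaced by in-memory dicts."""
from __future__ import annotations
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityObject:
    """Security object of an application domain: type, subtype, object ID ([0044])."""
    domain: str
    obj_type: str
    subtype: str
    obj_id: str

# One permission = one security object plus one access behavior (add/delete/modify/read).
Permission = tuple[SecurityObject, str]

class AuthorizationService:
    """Centralized user management and authorization service entity (Step 1)."""
    def __init__(self):
        self.roles: dict[str, set[Permission]] = {}    # role -> objects + behaviors
        self.user_roles: dict[str, set[str]] = {}      # user -> roles bound directly
        self.group_roles: dict[str, set[str]] = {}     # user group -> roles
        self.group_members: dict[str, set[str]] = {}   # user group -> users
        self.direct: dict[str, set[Permission]] = {}   # user -> object/behavior bindings (domain B style)
    def create_role(self, name: str, perms: set[Permission]) -> None:
        self.roles[name] = set(perms)
    def bind_user_role(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)
    def bind_group_role(self, group: str, role: str) -> None:
        self.group_roles.setdefault(group, set()).add(role)
    def add_user_to_group(self, group: str, user: str) -> None:
        self.group_members.setdefault(group, set()).add(user)
    def bind_user_permission(self, user: str, perm: Permission) -> None:
        self.direct.setdefault(user, set()).add(perm)
    def effective_permissions(self, user: str) -> set[Permission]:
        """Union of the user's roles, the roles of the user's groups and direct bindings."""
        roles = set(self.user_roles.get(user, ()))
        for group, members in self.group_members.items():
            if user in members:
                roles |= self.group_roles.get(group, set())
        perms = set(self.direct.get(user, ()))
        for role in roles:
            perms |= self.roles.get(role, set())
        return perms

class AuthenticationAuditService:
    """Centralized user authentication and audit service entity (Step 2)."""
    def __init__(self, authz: AuthorizationService, credentials: dict[str, str]):
        self.authz = authz
        self.credentials = credentials          # user -> sha256 hex of password (constructed)
        self.sessions: dict[bytes, str] = {}    # token (byte sequence) -> user
        self.audit_log: list[tuple] = []        # (user, behavior, target, result)
    def login(self, user: str, password: str) -> bytes | None:
        """Steps 20-21: verify name/password, then issue a unique session token."""
        expected = self.credentials.get(user, "")
        given = hashlib.sha256(password.encode()).hexdigest()
        if not expected or not hmac.compare_digest(expected, given):
            self.audit_log.append((user, "login", None, "denied"))
            return None
        token = secrets.token_bytes(16)
        self.sessions[token] = user
        self.audit_log.append((user, "login", None, "ok"))
        return token
    def authorize(self, token: bytes, obj: SecurityObject, behavior: str) -> bool:
        """Steps 22-23: every operation carries the token and is checked and logged."""
        user = self.sessions.get(token)
        target = (obj.domain, obj.obj_id)
        if user is None:
            self.audit_log.append(("<unknown>", behavior, target, "denied: bad token"))
            return False
        allowed = (obj, behavior) in self.authz.effective_permissions(user)
        self.audit_log.append((user, behavior, target, "ok" if allowed else "denied"))
        return allowed

# Constructed scenario: domain A exposes a role, domain B exposes raw security objects.
ROUTER = SecurityObject("A", "device", "router", "dev-001")
CONFIG_DIR = SecurityObject("B", "directory", "config", "dir-007")

def build_demo() -> tuple[AuthorizationService, AuthenticationAuditService]:
    authz = AuthorizationService()
    authz.create_role("A:operator", {(ROUTER, "read"), (ROUTER, "modify")})
    authz.bind_group_role("ops", "A:operator")                  # group -> role
    authz.add_user_to_group("ops", "alice")                     # user -> group
    authz.bind_user_permission("alice", (CONFIG_DIR, "read"))   # domain B direct binding
    creds = {"alice": hashlib.sha256(b"s3cret").hexdigest()}
    return authz, AuthenticationAuditService(authz, creds)

def run_sso_flow() -> dict:
    """Log in once, then use the same token in domain A and domain B."""
    _, auth = build_demo()
    token = auth.login("alice", "s3cret")
    return {
        "login_ok": token is not None,
        "a_modify": auth.authorize(token, ROUTER, "modify"),      # via group -> role
        "b_read": auth.authorize(token, CONFIG_DIR, "read"),      # via direct binding
        "b_delete": auth.authorize(token, CONFIG_DIR, "delete"),  # never granted
        "forged_token": auth.authorize(b"forged", CONFIG_DIR, "read"),
        "wrong_password": auth.login("alice", "wrong") is None,
        "audit_entries": len(auth.audit_log),
    }
```

`run_sso_flow()` logs in once and then carries the same token into domain A (permission obtained through a user group and a role) and domain B (permission bound directly as a security object and access behavior); every operation, whether allowed or denied, produces an audit entry, which is the "recording operation information" duty of [0042]. The toy keeps sessions and the audit log only in memory and gives tokens no expiry or revocation; a deployment following the patent would persist the audit records in the audit database and the role definitions in the LDAP server.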
[0061] In summary, the present invention realizes secure centralized user management, authorization, authentication and audit, and achieves the effect of single sign-on. Because custom authentication and authorization extensions are supported, the security of multiple application systems can be integrated and managed flexibly.
[0062] The above are only the preferred specific embodiments of the present invention, but the protection scope of the present invention is not limited thereto. Any person skilled in the art can easily think of changes or replacements within the technical scope disclosed in the present invention, and all of these should be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention should be subject to the protection scope of the claims.