
Directory service-based authorization management system and implementation method thereof

A technology of authorization management and directory services, applied in transmission systems, user identity/authority verification, electrical components, etc. It addresses tampering and other issues, achieving the effects of improving system availability, ensuring authenticity, and avoiding human tampering.

Active Publication Date: 2014-04-16
CHANGCHUN JIDA ZHENGYUAN INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0005] (2) Patent applications CN 200610076491.3 (application date: 2006.04.26, name: information system or equipment security protection system and its working method), CN 200810040672.X (application date: 2008.07.17, name: digital certificate-based technology system user access management system and method), CN 200810040674.9 (application date: 2008.07.17, name: an access control method and device for an information system based on digital certificate technology), CN 200620100455.1 (application date: 2006.01.18, name: a network security authentication and authorization system) and CN 200710147233.4 (application date: 2007.08.30, name: distributed business operation support system and method for realizing distributed business) all disclose technical solutions in which login users are authenticated and obtain the corresponding access rights after passing authentication. However, these solutions lack security management of user rights information, cannot effectively prevent human tampering, and support only a limited number of users, so they cannot solve the problems of unified authorization and secure access control for a large number of users (especially a large number of users who are not registered in the system).

[0007] The disadvantage of the above technical solutions is that they cannot authorize a large number of user groups (especially a large number of user groups that are not registered in the system) and release the authorization information in the reliable form of attribute certificates, so as to realize unified user authorization management and secure access control for multiple application systems.



Examples


Embodiment Construction

[0042] Figure 1 is a physical deployment diagram of a directory-based authorization management system. The system consists of an authorization management platform 1, at least one local slave directory service device 2, at least one local application device 3, and at least one user device 4. The authorization management platform 1 and the local slave directory service device 2 are connected through the Internet, and the local slave directory service device 2, the local application device 3 and the user device 4 are connected through a local area network.

[0043] Authorization management platform 1 is used to manage and maintain the authorization elements and authorization relationships in the system, including user groups and application roles, to issue the authorization information as attribute certificates, and to provide directory services for the attribute certificates based on the LDAP protocol.

[0044] The local secondary directory service device ...


Abstract

The invention discloses a directory-based authorization management system, which comprises an authorization management platform, at least one local slave directory service device, at least one local application device and at least one user device, all connected with one another through a network. The authorization management platform performs authorization management uniformly for application systems and users, and the authorization information between a user group and an application role is released in the form of an attribute certificate. Corresponding privilege management infrastructure (PMI) local slave directory servers are arranged in a plurality of regions and replicate the attribute certificates of the local application devices to the local site according to a policy, so that user authorization information is quickly provided to the local application systems. This simplifies the application mode, further enhances system security, and effectively lowers the load that a large number of concurrent users places on the system; at the same time, system availability is enhanced and maintenance cost is lowered.

Description

Technical field

[0001] The present invention relates to the technical field of information security, in particular to an authorization management system based on directory services and an implementation method thereof.

Background technique

[0002] With the improvement of government and enterprise informatization, the number of application systems has gradually increased. When the number of users is very large, their geographical distribution is relatively wide, and the number of application systems is large, the authorization of application systems becomes a very difficult problem. In a large government or enterprise, the following situations often occur: an employee has left the job, but can still access some very important application systems normally; an employee's position has changed, but the application system still applies the old permissions; due to temporary business needs, an account was registered for someone from elsewhere in an application system and ope...


Application Information

Patent Type & Authority: Patents (China)
IPC(8): H04L9/32, H04L29/06
Inventor: 史凤涛苏日丁肇伟
Owner: CHANGCHUN JIDA ZHENGYUAN INFORMATION TECH CO LTD