Core system strategy management and control platform permission control method, system, device and medium
By employing a composite control method that maintains permissions through permission templates, available institutional functions, and institutional parameters, the complexity of permission management in the core banking system is resolved. This approach simplifies authorization operations and enables high-precision permission control, achieving dimensionality reduction optimization.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patent (China)
- Current Assignee / Owner
- IND BANK CO
- Filing Date
- 2022-11-22
- Publication Date
- 2026-06-19
AI Technical Summary
In the core banking system, existing access control methods struggle to manage the large number of roles and the differences between institutions effectively, resulting in a redundant and difficult-to-maintain access control system.
A composite control method is adopted, which uses permission templates, available functions of an organization, and maintenance of permissions based on organization parameters. Permission templates and function associations are configured through a visual page, and precise permission judgment is made in combination with user and organization information.
It decouples users and permissions, simplifies the authorization process, and enables comprehensive and high-precision permission control over the bank's core system, achieving a dimensionality reduction and optimization effect.
Figure CN116861381B_ABST (abstract drawing)
Description
Technical Field
[0001] This invention relates to the field of access control technology, specifically to an access control method for a bank core system policy management platform based on institutions and users, and more particularly to an access control method, system, device, and medium for a core system policy management platform.
Background Technology
[0002] In the management of multi-user computer systems, privileges refer to the specific rights a user has to use certain system resources. Failure to implement privilege controls can lead to security problems. Accessing resources through different platforms to obtain a service often involves different permission verification rules.
[0003] The core systems of medium and large-sized banks are enormous and complex, with their strategy management platforms covering hundreds or even thousands of business operations. The platform's user base spans all levels of the bank, encompassing various departments and business lines. As the depth and breadth of banking operations increase, access control has also diversified into more detailed categories. Given such a diverse user base, a reasonable and effective access control method is indispensable for the strategy management platform.
[0004] Relying solely on the RBAC model to implement authentication makes it difficult to meet the access control requirements of banking systems. If a separate role is created for each specific permission, the role list becomes huge and difficult to manage.
[0005] Existing technologies have the following drawbacks. Within the Java ecosystem, Shiro and Spring Security, both widely used for access control, base their authentication schemes on the RBAC (Role-Based Access Control) model. RBAC associates permissions with roles and grants users the corresponding permissions by assigning roles. In banking systems, however, permissions are distinguished by more than business role: even within the same business role, different institutions may hold different permissions. Assuming N institutions and M business roles, the final number of roles can reach N×M. This massive number of roles makes the entire access control system redundant and difficult to maintain.
Summary of the Invention
[0006] To address the shortcomings of existing technologies, this invention provides a core system policy management platform access control method, system, device, and medium.
[0007] According to the present invention, a core system policy management platform access control method, system, device, and medium are provided, the solution of which is as follows:
[0008] Firstly, a core system policy management platform access control method is provided, the method comprising:
[0009] Step S1: Subscribe to the user management and institution management system, start a scheduled task to synchronize user information and bank institution information, and update the latest data to the Informix database;
[0010] Step S2: The administrator configures the function permission template, the available functions of the organization, and the organization parameter maintenance permissions respectively;
[0011] Step S3: Platform users log in using their account, password, and verification code. The front-end page encrypts the user information and sends it to the back-end for verification.
[0012] The backend retrieves the ACS-encrypted password from the Informix database, decrypts it, and performs user authentication. After successful authentication, a session is created to store the authentication result, and the corresponding jsessionID is returned to the client.
[0013] Step S4: When the client requests access to or operates platform functions, the backend verifies the jsessionID and retrieves the user information based on the jsessionID.
[0014] Preferably, step S2 includes: the administrator selects a function name on the visualized function permission template page, thereby establishing an association between the permission template and the function; by associating the user with the permission template, the administrator assigns the user access permissions corresponding to the function of the function permission template.
[0015] Preferably, step S2 further includes: the administrator selects function names on the visualized organization available functions page to establish the association between the organization and the functions; the administrator also configures the operation permissions for each available function on the organization parameter maintenance permission page, and the operation permissions include query, add, modify, cancel, restore, data export, data import and batch modification.
[0016] Preferably, step S4, retrieving user information based on jsessionID, specifically includes:
[0017] Step S4.1: Depending on whether the user is a head office employee, two different authorization strategies are adopted;
[0018] Step S4.2: Query the permission templates associated with the user and the available functions associated with the organization to which the user belongs, and perform a logical AND operation between the two, with the result being true or false;
[0019] A result of true indicates that the current user can access the available function, while a result of false indicates that the current user cannot access the function.
[0020] Step S4.3: Query the organization parameter maintenance data based on the user's organization information, determine the user's current operation type for this function, and whether it is a subset of the operation permissions that the user's organization has for this function. If so, allow the operation; otherwise, reject the user's operation request.
[0021] Secondly, a core system policy management platform access control system is provided, the system comprising:
[0022] Module M1: Subscribes to the user management and institution management system, starts scheduled tasks to synchronize user information and bank institution information, and updates the latest data to the Informix database;
[0023] Module M2: Administrators can configure function permission templates, available functions for the organization, and permissions for maintaining organization parameters.
[0024] Module M3: Platform users log in using their account, password, and verification code. The front-end page encrypts the user information and sends it to the back-end for verification.
[0025] The backend retrieves the ACS-encrypted password from the Informix database, decrypts it, and performs user authentication. After successful authentication, a session is created to store the authentication result, and the corresponding jsessionID is returned to the client.
[0026] Module M4: When a client requests access to or operates platform functions, the backend verifies the jsessionID and retrieves user information based on the jsessionID.
[0027] Preferably, the module M2 includes: the administrator selects a function name on the visualized function permission template page, thereby establishing an association between the permission template and the function; by associating the user with the permission template, the administrator assigns the user access permissions corresponding to the function of the function permission template.
[0028] Preferably, module M2 further includes: the administrator can select function names on the visualized available functions page of the organization to establish the association between the organization and the functions; the administrator can also configure the operation permissions for each available function on the organization parameter maintenance permission page, and the operation permissions include query, add, modify, cancel, restore, data export, data import and batch modification.
[0029] Preferably, the module M4 retrieves user information based on jsessionID, specifically including:
[0030] Module M4.1: Two different authorization strategies are adopted depending on whether the user is a head office employee;
[0031] Module M4.2: Queries the permission templates associated with a user and the available functions associated with the user's organization, performs a logical AND operation on the two, and determines whether the result is true or false;
[0032] A result of true indicates that the current user can access the available function, while a result of false indicates that the current user cannot access the function.
[0033] Module M4.3: Based on the user's organization information, query the organization parameter maintenance data, determine the user's current operation type for this function, and whether it is a subset of the operation permissions that the user's organization has for this function. If so, allow the operation; otherwise, reject the user's operation request.
[0034] Compared with the prior art, the present invention has the following beneficial effects:
[0035] 1. This invention achieves decoupling of users and permission details and simplifies the authorization operation by using a composite control of three dimensions: permission templates, available functions of the organization, and permission maintenance of organization parameters.
[0036] 2. This invention also achieves comprehensive and high-precision access control over the bank's core system policy management platform, thereby achieving the goal of dimensionality reduction and optimization of access configuration categories.
[0037] Other beneficial effects of the present invention will be explained in detail through the introduction of specific technical features and technical solutions in specific embodiments. Those skilled in the art should be able to understand the beneficial technical effects brought about by these technical features and technical solutions through the introduction of these technical features and technical solutions.
Description of the Drawings
[0038] Other features, objects, and advantages of the present invention will become more apparent from the following detailed description of non-limiting embodiments with reference to the accompanying drawings:
[0039] Figure 1 is a schematic diagram of the overall process of the present invention.
Detailed Implementation
[0040] The present invention will now be described in detail with reference to specific embodiments. These embodiments will help those skilled in the art to further understand the present invention, but do not limit the invention in any way. It should be noted that those skilled in the art can make several changes and improvements without departing from the concept of the present invention. These all fall within the protection scope of the present invention.
[0041] This invention provides a core system policy management platform access control method for identity authentication and authorization on a bank's core system business policy management platform. By adopting a composite control approach across three dimensions—access templates, available institutional functions, and institutional parameter maintenance permissions—it achieves comprehensive and high-precision access control for the bank's core system policy management platform, reducing the number of access configuration categories from "N×M" to "N+M".
[0042] By designing visualized configuration pages for the function permission templates, the institution's available functions, and the associated institution parameter maintenance permissions, the goal of simplifying permission assignment by the administrator is achieved. As shown in Figure 1, the method specifically includes:
[0043] Step S1: Subscribe to the user management and institution management system, start a scheduled task to synchronize user information and bank institution information, and update the latest data to the Informix database.
[0044] Step S2: The administrator configures the function permission templates, available functions for the institution, and institution parameter maintenance permissions. On the visualized function permission template page, the administrator selects function names, thus establishing the association between the function permission template and the function. By associating users with the permission templates, the administrator assigns access permissions for the corresponding functions to users. Similarly, the administrator can also select function names on the visualized institution available functions page to establish the association between the institution and the function. In addition, the administrator can configure the operation permissions for each available function on the institution parameter maintenance permissions page, including query, add, modify, cancel, restore, data export, data import, and batch modification.
[0045] Step S3: Platform users log in using their account, password, and verification code. The front-end page encrypts the user information and sends it to the back-end for verification. The back-end retrieves the ACS-encrypted password from the Informix database, decrypts it, and performs user authentication. Upon successful authentication, a session is created to store the authentication result, and the corresponding jsessionID is returned to the client.
[0046] Step S4: When the client requests access to or operates platform functions, the backend verifies the jsessionID and retrieves user information based on the jsessionID, including user name, region, organization, etc.
[0047] First, depending on whether the user is a head office employee, two different authorization strategies are applied. For example, head office users are allowed to modify region codes. Then, the system queries the user's associated permission template and the available functions associated with the user's organization, performing a logical AND operation between the two. A true result indicates that the current user can access the function, while a false result indicates that the current user cannot access the function. Finally, based on the user's organization information, the system queries the organization parameter maintenance data to determine if the user's current operation type for that function is a subset of the organization's permissions for that function. If so, the operation is allowed; otherwise, the user's operation request is rejected.
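The two-layer decision of step S4 (permission template AND organisation available function, then the operation-subset check against the organisation parameter maintenance data), as an added Python illustration that is not code from the patent. All template names, function codes, organisation codes and the operation sets are constructed, and the head-office rule for region codes is an assumption based on the text's single example.

```python
"""Two-layer authorization decision of step S4, as a constructed illustration.

Every identifier and data value below is hypothetical; the operation names are
the eight operation types the text lists for the organisation parameter page.
"""
from dataclasses import dataclass

# Operation types the organisation parameter maintenance page can grant.
OPERATIONS = {"query", "add", "modify", "cancel", "restore",
              "export", "import", "batch_modify"}


@dataclass
class User:
    """User record as retrieved from the session (name, region, organisation)."""
    name: str
    org: str
    region: str
    templates: set          # function permission templates linked to the user
    head_office: bool = False


# Constructed configuration, standing in for the administrator's three pages.
TEMPLATE_FUNCTIONS = {      # function permission template -> functions it grants
    "teller": {"acct_query", "rate_query"},
    "param_admin": {"rate_query", "rate_maint", "region_maint"},
}
ORG_FUNCTIONS = {           # organisation -> functions available to it
    "HQ": {"acct_query", "rate_query", "rate_maint", "region_maint"},
    "BR01": {"acct_query", "rate_query", "rate_maint"},
}
ORG_PARAMS = {              # (organisation, function) -> permitted operation types
    ("HQ", "rate_maint"): set(OPERATIONS),
    ("HQ", "region_maint"): {"query", "modify"},
    ("BR01", "rate_maint"): {"query", "modify"},
    ("BR01", "acct_query"): {"query", "export"},
}


def user_functions(user: User) -> set:
    """Union of the functions granted by all templates linked to the user."""
    fns = set()
    for template in user.templates:
        fns |= TEMPLATE_FUNCTIONS.get(template, set())
    return fns


def can_access(user: User, function: str) -> bool:
    """Step S4.2: logical AND of template grant and organisation availability."""
    return (function in user_functions(user)
            and function in ORG_FUNCTIONS.get(user.org, set()))


def authorize(user: User, function: str, ops: set) -> tuple:
    """Full step S4 decision for one request; returns (allowed, reason)."""
    # Fail closed on operation types the parameter page cannot grant.
    if not ops <= OPERATIONS:
        return False, f"unknown operation type(s): {sorted(ops - OPERATIONS)}"
    # Step S4.1 (assumed rule from the text's example): only head office
    # users may modify region codes.
    if function == "region_maint" and "modify" in ops and not user.head_office:
        return False, "region code modification is restricted to head office"
    # Step S4.2: template AND organisation must both grant the function.
    if not can_access(user, function):
        return False, "function not granted by both template and organisation"
    # Step S4.3: requested operations must be a subset of the organisation's
    # operation permissions for this function; no entry means no operations.
    allowed = ORG_PARAMS.get((user.org, function), set())
    if not ops <= allowed:
        return False, f"operations not permitted for organisation: {sorted(ops - allowed)}"
    return True, "allowed"
```

Note that a missing organisation parameter entry denies every operation on an otherwise accessible function, so the three pages must all be populated before a branch user can work.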
[0048] This invention also provides a core system policy management platform access control system. This access control system can be implemented by executing the process steps of the core system policy management platform access control method. That is, those skilled in the art can understand the core system policy management platform access control method as a preferred embodiment of the core system policy management platform access control system. Specifically, it includes:
[0049] Module M1: Subscribes to the user management and institution management system, starts scheduled tasks to synchronize user information and bank institution information, and updates the latest data to the Informix database.
[0050] Module M2: Administrators configure function permission templates, available functions for an institution, and institution parameter maintenance permissions. On the visual function permission template page, administrators select function names to establish the association between permission templates and functions. By associating users with the permission templates, administrators assign access permissions for the corresponding functions to users. Similarly, administrators can also select function names on the visual institution available functions page to establish the association between institutions and functions. In addition, administrators can configure operation permissions for each available function on the institution parameter maintenance permission page, including query, add, modify, cancel, restore, data export, data import, and batch modification.
[0051] Module M3: Platform users log in using their account, password, and verification code. The front-end page encrypts the user information and sends it to the back-end for verification. The back-end retrieves the ACS-encrypted password from the Informix database, decrypts it, and performs user authentication. After successful authentication, a session is created to store the authentication result, and the corresponding jsessionID is returned to the client.
[0052] Module M4: When a client requests access to or operates platform functions, the backend verifies the jsessionID and retrieves user information based on the jsessionID, including the user's name, region, and organization.
[0053] First, depending on whether the user is a head office employee, two different authorization strategies are applied. For example, head office users are allowed to modify region codes. Then, the system queries the user's associated permission template and the available functions associated with the user's organization, performing a logical AND operation between the two. A true result indicates that the current user can access the function, while a false result indicates that the current user cannot access the function. Finally, based on the user's organization information, the system queries the organization parameter maintenance data to determine if the user's current operation type for that function is a subset of the organization's permissions for that function. If so, the operation is allowed; otherwise, the user's operation request is rejected.
[0054] This invention provides a core system policy management platform access control method, system, device, and medium. Through composite control of three dimensions—access templates, available functions of institutions, and institution parameter maintenance permissions—it not only decouples users and access details and simplifies the authorization process, but also achieves comprehensive and high-precision access control of the bank's core system policy management platform, thereby achieving the goal of dimensionality reduction and optimization of access configuration categories.
[0055] Those skilled in the art will understand that, besides implementing the system and its various devices, modules, and units provided by this invention in the form of purely computer-readable program code, the same functions can be achieved entirely through logical programming of the method steps, making the system and its various devices, modules, and units of this invention function in the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, and embedded microcontrollers. Therefore, the system and its various devices, modules, and units provided by this invention can be considered as a hardware component, and the devices, modules, and units included therein for implementing various functions can also be considered as structures within the hardware component; alternatively, the devices, modules, and units for implementing various functions can be considered as both software modules implementing the method and structures within the hardware component.
[0056] Specific embodiments of the present invention have been described above. It should be understood that the present invention is not limited to the specific embodiments described above, and those skilled in the art can make various changes or modifications within the scope of the claims, which do not affect the essence of the present invention. Unless otherwise specified, the embodiments and features described in this application can be arbitrarily combined with each other.
Claims
1. A method for access control on a core system policy management platform, characterized in that it comprises:
Step S1: Subscribe to the user management and institution management system, start a scheduled task to synchronize user information and bank institution information, and update the latest data to the Informix database;
Step S2: The administrator configures the function permission template, the available functions of the organization, and the organization parameter maintenance permissions respectively;
Step S3: Platform users log in using their account, password, and verification code. The front-end page encrypts the user information and sends it to the back-end for verification. The backend retrieves the ACS-encrypted password from the Informix database, decrypts it, and then performs user authentication. After successful authentication, a session is created to store the authentication result, and the corresponding jsessionID is returned to the client.
Step S4: When the client requests access to or operates platform functions, the backend verifies the jsessionID and retrieves the user information based on the jsessionID.
Step S4, which retrieves user information based on jsessionID, specifically includes:
Step S4.1: Depending on whether the user is a head office employee, two different authorization strategies are adopted;
Step S4.2: Query the function permission templates associated with the user and the available functions associated with the user's organization, and perform a logical AND operation between the two, with the result being true or false; a result of true indicates that the current user can access the available function, while a result of false indicates that the current user cannot access the function.
Step S4.3: Query the organization parameter maintenance data based on the user's organization information, determine the user's current operation type for this function, and whether it is a subset of the operation permissions that the user's organization has for this function. If so, allow the operation; otherwise, reject the user's operation request.
2. The core system policy management platform access control method according to claim 1, characterized in that step S2 includes: the administrator selects the function name on the visualized function permission template page, thereby establishing the association between the function permission template and the function; by associating the user with the permission template, the administrator assigns the user access permissions for the functions of that function permission template.
3. The core system policy management platform access control method according to claim 2, characterized in that step S2 further includes: the administrator selects function names on the visualized organization available functions page to establish the association between the organization and the functions; the administrator also configures the operation permissions for each available function on the organization parameter maintenance permission page, and the operation permissions include query, add, modify, cancel, restore, data export, data import and batch modification.
4. A core system policy management platform access control system, characterized in that it comprises:
Module M1: Subscribes to the user management and institution management system, starts scheduled tasks to synchronize user information and bank institution information, and updates the latest data to the Informix database;
Module M2: Administrators can configure function permission templates, available functions for the organization, and permissions for maintaining organization parameters.
Module M3: Platform users log in using their account, password, and verification code. The front-end page encrypts the user information and sends it to the back-end for verification. The backend retrieves the ACS-encrypted password from the Informix database, decrypts it, and then performs user authentication. After successful authentication, a session is created to store the authentication result, and the corresponding jsessionID is returned to the client.
Module M4: When a client requests access to or operates platform functions, the backend verifies the jsessionID and retrieves user information based on the jsessionID.
The module M4 retrieves user information based on jsessionID, specifically including:
Module M4.1: Two different authorization strategies are adopted depending on whether the user is a head office employee;
Module M4.2: Queries the permission templates associated with a user and the available functions associated with the user's organization, performs a logical AND operation on the two, and determines whether the result is true or false; a result of true indicates that the current user can access the available function, while a result of false indicates that the current user cannot access the function.
Module M4.3: Based on the user's organization information, query the organization parameter maintenance data, determine the user's current operation type for this function, and whether it is a subset of the operation permissions that the user's organization has for this function. If so, allow the operation; otherwise, reject the user's operation request.
5. The core system policy management platform access control system according to claim 4, characterized in that the module M2 includes: the administrator selects function names on the visualized function permission template page, thereby establishing the association between the permission template and the function; by associating the user with the permission template, the administrator assigns the user access permissions for the functions of that function permission template.
6. The core system policy management platform access control system according to claim 5, characterized in that the module M2 further includes: the administrator can select function names on the visualized available functions page of the organization to establish the association between the organization and the function; the administrator can also configure the operation permissions for each available function on the organization parameter maintenance permission page, and the operation permissions include query, add, modify, cancel, restore, data export, data import and batch modification.