A college staff identity data governance method and system based on a three-layer separation model
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- JINAN UNIVERSITY
- Filing Date
- 2026-04-15
- Publication Date
- 2026-06-30
AI Technical Summary
The independent construction of various business systems in universities has resulted in scattered and redundant identity data, which cannot be effectively linked, making access control complex and causing serious gaps in identity information. The existing unified identity authentication system has failed to fundamentally solve the problem of the separation of 'people, positions, and rights'.
A three-tier separation model is adopted, including a data cleaning engine, a lifecycle engine, and an identity authorization engine, to generate globally unique identity identifiers and automatically update permissions through standard job positions and business tags, thereby achieving full lifecycle management.
It has achieved unified association of identity data, improved the efficiency and accuracy of access control, avoided identity gaps and dormant accounts, provided automated management throughout the entire lifecycle, and established the accuracy and consistency of identity data for all personnel in the school.
Smart Images

Figure CN122309616A_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of data processing technology, and in particular relates to a method and system for governing the identity data of university personnel based on a three-layer separation model. Background Technology
[0002] With the continuous deepening of information technology construction in universities, universities have gradually built various business systems (such as personnel systems, academic affairs systems, student affairs systems, OA systems, etc.). For a long time, each system has often been built independently, forming an identity authentication system centered on its own business. It generally adopts the model of "managing people by card" or "managing people by number", that is, each system assigns a unique number (such as student ID, employee ID, card number) to the same user as an identity identifier.
[0003] This traditional model has led to numerous problems: First, the phenomenon of "one person, multiple accounts" is extremely common. For example, a faculty member may simultaneously possess multiple accounts such as an employee ID, an OA account, and a research account, resulting in fragmented data between these accounts and an inability to link them. Second, there are gaps in identity and chaotic lifecycles. When a user's identity changes, the old and new identities cannot be effectively linked, making access control complex and prone to errors. Third, the relationship between "person, position, and authority" is ambiguous, leading to lax management. Permissions are usually bound to fixed numbers, failing to clearly express the relationship between "person" and "position."
[0004] Existing technologies, such as Single Sign-On (SSO), only address the issue of a unified authentication entry point, without addressing the governance of the identity data itself. The underlying data of a single identity authentication system remains fragmented, redundant, and inconsistent, failing to fundamentally solve the problem of separating "people, roles, and rights." Therefore, there is an urgent need for a method and system that can address the issue at its source and achieve full lifecycle management of personnel identities. Summary of the Invention
[0005] To address the aforementioned technical problems, this invention proposes a method and system for governing university personnel identity data based on a three-layer separation model, thereby resolving the issues present in the existing technologies.
[0006] To achieve the above objectives, this invention provides a method for governing university personnel identity data based on a three-layer separation model, comprising: Obtain raw identity data from the upstream data source system; The original identity data is cleaned and merged according to the preset cleaning rules, and a globally unique identity identifier is generated for each natural person to associate with multiple business identity instances of that natural person, so as to obtain standardized identity data. The original job title is extracted from the standardized identity data, and the original job title is mapped to a standard job code and a set of business tags according to a preset standard job dictionary. The default permission group is obtained according to the standard job code and the set of business tags. Synchronize the standardized identity data to the unified identity authentication system; The unified identity authentication system receives authentication requests from downstream business systems. After successful verification, it determines the corresponding globally unique identity identifier based on the authentication request, obtains the default permission group associated with the identity identifier from the identity authorization engine, and returns an authentication response containing the globally unique identity identifier and the default permission group. The downstream business system performs user authentication based on the authentication response, thereby achieving identity data governance.
[0007] Optionally, the preset cleaning rules include strong association rules and weak association rules; The process of obtaining standardized identity data includes: Based on set theory, a matching degree function is defined to calculate the matching degree between two data records; When the ID number and name of two data records match exactly, it is determined to be a strong association rule, and the two data records are automatically merged and assigned the same globally unique identity identifier; When two data records match in terms of phone number and name but have missing or inconsistent ID numbers, it is determined to be a weak association rule, marked as potentially belonging to the same person, and a manual intervention merging process is triggered.
[0008] Optionally, a state machine can be maintained through a lifecycle engine to receive and manage the lifecycle states of natural persons; When a preset identity change event occurs, the state machine determines the target state to migrate to based on the current state and the identity change event, and automatically triggers interaction actions with downstream business systems.
[0009] Optionally, the original job title is extracted from the standardized identity data, and mapped to a set of standard job codes and business tags according to a preset standard job dictionary, including: Extract a triple containing the user identifier and the original job title from the standardized identity data; convert the original job title into a standard job title code according to the standard job title dictionary; and match the original job title with a set of corresponding business tags according to the business tag dictionary.
[0010] Optionally, a default permission group is obtained based on the standard job code and the business tag set, including: Based on the standard job code, obtain the corresponding basic permission template from the job basic permission table; based on the business tag set, obtain the corresponding extended permission set from the tag additional permission table; calculate the union of the basic permission template and the extended permission set, and use it as the default permission group.
[0011] Optionally, the unified identity authentication system determines a globally unique identity identifier based on the authentication request, including: The authentication request includes the user's original employee ID or student ID; after the unified identity authentication system verifies the request, it queries the synchronized standardized identity data based on the original employee ID or student ID to obtain a globally unique identity identifier associated with the original employee ID or student ID.
[0012] Optionally, the authentication response may also include aggregated identity information, which includes all business identity instances, role lists, and basic attributes of the natural person.
[0013] Optionally, the downstream business system performs user authentication based on the authentication response, including: The default permission group in the authentication response is represented in the form of a permission tag set; the downstream business system extracts the permission tag set from the authentication response; it determines whether the permission tag set intersects with the permission tag set required by the business application, and if so, it determines that the user has permission.
[0014] This invention also provides a university personnel identity data governance system based on a three-layer separation model, used to implement the above method, including: The upstream data source system is used to provide raw personnel identity data; An identity governance platform is deployed between the upstream data source system and the downstream business application system. The identity governance platform includes: The data cleaning engine is used to clean and merge the original identity data according to preset cleaning rules, generate a globally unique identity identifier for each natural person to associate multiple business identity instances of that natural person, and obtain standardized identity data. The lifecycle engine is used to maintain the lifecycle status of natural persons and trigger interaction actions with downstream business systems when identity change events occur. An identity authorization engine is used to extract the original job title from the standardized identity data, map the original job title to a standard job code and a set of business tags, and obtain a default permission group based on the standard job code and the set of business tags. A unified identity authentication system is used to receive standardized identity data carrying the globally unique identity identifier synchronized by the identity governance platform, and to receive authentication requests from downstream business systems. After successful verification, the system determines the corresponding globally unique identity identifier based on the authentication request, obtains the default permission group associated with the identity identifier from the identity authorization engine, and returns an authentication response containing the globally unique identity identifier and the default permission group. Downstream business application systems are used to receive the authentication response and perform user authentication based on the authentication response.
[0015] Optionally, the identity governance platform is deployed with four core tables, including: The Natural Person table uses a globally unique identifier as the primary key to store the inherent attributes of natural persons; the Standard Unit dictionary table is used to standardize the organizational structure across the entire school; the Standard Position dictionary table is used to store position codes and standard names; the User Appointment table, linked by the globally unique identifier as a foreign key, is used to establish a one-to-many relationship between natural persons and positions; the Identity Governance Platform also communicates with the existing system to clean the historical identity data of the existing system according to the cleansing rules and generate globally unique identifiers for historical personnel.
[0016] Compared with the prior art, the present invention has the following advantages and technical effects: By generating globally unique UUIDs for natural persons, the identity identifiers of all business systems are uniformly associated with a unique natural person entity, fundamentally solving the problem of scattered identity data. By adopting a three-tier separation model of "standard position - standard position - business tag", permissions are bound to positions rather than individuals. When a person's position changes, permissions can be automatically updated, improving the efficiency and accuracy of permission management. It can track the entire lifecycle status of personnel from entering the school to leaving the school, realize automated and process-oriented management of identity and permissions, and avoid identity gaps and zombie accounts; The strategy of "dual-track parallel operation, incremental priority, and cleanup of existing resources" allows for the gradual replacement and upgrade of the underlying architecture without interrupting existing business, thus reducing implementation risks. By establishing unified data standards and cleaning rules, and by setting authoritative data sources, the accuracy, consistency, and completeness of the identity data of all personnel across the university have been improved, laying a solid foundation for future data analysis and process reengineering. Attached Figure Description
[0017] The accompanying drawings, which form part of this application, are used to provide a further understanding of this application. The illustrative embodiments and descriptions of this application are used to explain this application and do not constitute an undue limitation of this application. In the drawings: Figure 1 This is a flowchart illustrating the university personnel identity data governance method based on a three-layer separation model, according to an embodiment of the present invention. Figure 2 This is a schematic diagram of the "natural person-standard position-business instance" three-layer separation model according to an embodiment of the present invention; Figure 3 This is a sequence diagram of the authentication process after modifying the unified identity authentication system according to an embodiment of the present invention; Figure 4 This is an architecture diagram of a university personnel identity data governance system based on a three-layer separation model, according to an embodiment of the present invention. Detailed Implementation
[0018] It should be noted that, unless otherwise specified, the embodiments and features described in this application can be combined with each other. This application will now be described in detail with reference to the accompanying drawings and embodiments.
[0019] It should be noted that the steps shown in the flowchart in the accompanying drawings can be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in a different order than that shown here.
[0020] Example 1 This embodiment provides a method for governing university personnel identity data based on a three-layer separation model, including the following steps: Step S1: Develop and publish a data governance standard system that includes data standards, application standards, and cleaning rules to provide a basis for data cleaning and modeling; Step S2: Build an identity governance platform, including a data cleaning engine, a lifecycle engine, and an identity authorization engine.
[0021] The identity governance platform is deployed between the upstream data source system and the downstream business application system. The identity governance platform deploys four core tables, including the natural person table (sys_user), the standard unit dictionary table (sys_dep), the standard job dictionary table (sys_post), and the user appointment table (sys_user_assignment). The `sys_user` table uses a globally unique UUID as its primary key and contains fields such as name, ID number, and lifecycle status. It stores the inherent attributes of a natural person. `sys_dept`: Uses `dept_id` as the primary key and includes fields such as unit name and parent unit code. It is used to standardize the organizational structure across the entire university and is shared by all business systems. `sys_post`: Uses `post_id` as the primary key and contains fields such as a unique job code, standard name, and job level. Downstream systems use this for authentication and permission calculation. The `sys_user_assignment` table uses `assignment_id` as the primary key and is linked via a UUID foreign key to record each business identity instance (employee ID, job title, and employing unit). This table establishes a one-to-many relationship between individuals and job titles through the UUID and `post_code` fields.
[0022] By using a three-tiered data model consisting of "natural person - standard position - business example", the decoupling of natural person and business identity is achieved.
[0023] Step S201: The data cleaning engine extracts data from the upstream data source system, cleans, deduplicates, and merges the data according to the cleaning rules, generating a globally unique identity identifier (UUID) for each individual. The cleaning rules include strong association rules and weak association rules, and a similarity algorithm is introduced for auxiliary judgment. A decision function is defined based on set theory to identify absolutely mergeable data pairs. Suppose there are two data pairs... and Each contains the following attributes: Name , ID number , ,Phone number , Define the matching degree function. for: ; in, Harmony The matching function returns either 1 or 0. The name similarity function is normalized to Jaro-Winkler distance. ; , , These are the weighting coefficients, and .like and If a strong association rule determines that the user is the same person, the system automatically merges the results and assigns the same UUID; if... and The weak association rule is marked as "suspected to be the same person", triggering a manual intervention and merging process.
[0024] Step S202: The lifecycle engine maintains a state machine, defined as a quintuple. .
[0025] State set: S = {pre (before entering school), active (on campus), left (left campus), rehired (rehired), alumni (alumni) ...}; The set of events that trigger state transitions: E = {enroll (reporting for duty), graduate (graduation), resign (resignation), rehire (re-employment) ...}; State transition function: This indicates the target state that a natural person should migrate to when a specific event occurs under a specific state. Each state transition automatically triggers one or more predefined actions, which typically involve interactions with the identity authorization engine, unified identity authentication system, or downstream business systems.
[0026] Initial state: .
[0027] Set of termination states: .
[0028] Step S203: The identity authorization engine, through a set mapping of standard job positions and business tags, introduces a set mapping and permission calculation model to achieve a three-layer separation of "person-position-authority". The specific workflow is as follows: (1) Receive the cleaned job data, each data point is represented as a triple. ,in Original job title; (2) Define a standardized mapping function to convert the original job titles into a set of standard job codes and business tags. for: ; in, This is the original job title. Standard job code, This is a set of business tags. This mapping is performed based on the standard job title dictionary table established in step S1. (3) Based on the standard job title and tag set, the permission synthesis function is used. Calculate the user's default permission group: in, Return to standard position The corresponding basic permission template, Return to tags The corresponding extended permission set. The final permission set is the union of the two. Based on this, the engine dynamically generates the default permissions for the individual in various business systems, realizing the automatic binding of permissions to job roles.
[0029] Step S3: Synchronize the cleaned, standardized identity data with UUIDs to the unified identity authentication system, and modify the unified identity authentication system process so that it returns extended attributes containing the UUID and all user identity information after successful authentication. The specific algorithm is as follows: Users log in using their original employee ID / student ID and password. After successful verification, the system queries the associated accounts based on the ID. Then execute the attribute aggregation function. Generate extended property set : ; in, This refers to the number of roles or identities of the natural person (e.g., teacher, graduate student). For the role The corresponding attribute set (including department, position, tags, validity period, etc.). The following principles are followed during aggregation: basic attributes (such as name, ID number) are merged, and conflicts are resolved based on the authoritative source; role lists are merged and deduplicated; permission tags are merged and retained. Upon successful authentication, the following will be displayed: and Return it to the downstream business system.
[0030] Step S4: The downstream business system connects to the upgraded unified identity authentication system and receives the information from step 3. and Parse out the extended attributes, to Primary key, The system caches the data locally, checks the user's permissions, and defines a permission check function. : ; in, The set of user permission tags obtained from the authentication response (i.e., the default permission group calculated by the identity authorization engine in step S203) is passed to the downstream through the extended attributes in step 3. For business application systems The required set of permission tags. When the set of permission tags overlaps with the business application system, the user is deemed to have permission.
[0031] The data standards established in step S1 include at least: a standard unit dictionary table, a standard job title dictionary table, a job level dictionary table, and a business tag dictionary table, which are used to unify the data definitions of each upstream data source system; the application standards established in step S1 require that all personnel must come from authoritative sources such as human resources and education departments, prohibit business systems from creating personnel privately, and establish a 1:N relationship between personnel and identity.
[0032] The invention will be further illustrated below with specific examples, such as... Figure 1 As shown, it includes: Step S1: Establish data standards, application standards, and cleaning rules; Data Standards: A set of Master Data Management Specifications will be developed and published to specify uniform codes and names for all data that can exist in enumeration form. Examples of data standards include, but are not limited to, those shown in Tables 1 to 6: Standard unit dictionary (sys_dep), standard job dictionary (sys_post), standard job dictionary (tags), job level dictionary (post level), basic job permissions (post base auth), and tag-based additional permissions (tagsextra).
[0033] Table 1 Table 2 Table 3 Table 4 Table 5 Table 6 Application Standards: At the same time, the Personnel Department, Academic Affairs Department, and Graduate School are established as authoritative data sources for personnel identification. Unauthorized creation of personnel by business systems is strictly prohibited, and only the identification numbers from authoritative sources can be used.
[0034] Cleaning rules: Define the logic for cleaning existing data, including strong association rules and weak association rules.
[0035] Strong association rule: For two or more records where the ID number and name match exactly, the engine determines that they belong to the same natural person and generates a UUID for them; Weak association rule: For records where the mobile phone number and name match but the ID number is missing or inconsistent, they are marked as "suspected to be the same person" and manually verified and merged. After merging, a unique UUID is generated.
[0036] Step S2: Construct an identity governance platform; The identity governance platform generates four core tables, including but not limited to the system's natural person table (sys_user), standard unit table (sys_dep), standard job dictionary table (sys_post), and user appointment table (sys_user_assignment). The table structure is designed according to a three-layer separation model of "natural person - standard job - business instance," as follows: Figure 2This three-layer separation model achieves the decoupling of natural persons and business operations.
[0037] Step S201: Data cleaning and UUID generation; Taking data from the personnel system and the research and teaching systems as examples, the implementation process of step S201 is explained in detail. The data cleaning engine extracts three data entries from the upstream: A. Human Resources System (Employee ID: 202301001, Name: Zhang) ID card number: 110101199001011232, Mobile phone number: 13600165071). B. Scientific Research System (Employee ID: 202301001, Name: Zhang) ID card number: 110101199001011232, Mobile phone number: 13712498078). C. Academic Affairs System (Student ID: 2019120331, Name: Zhang) ID card: blank; mobile phone: 13600165071.
[0038] The engine calls the matching function. ,in =0.6, =0.2, =0.2. A and B have the same ID number. =1; different phone numbers =0; all names are "Zhang" " =1. Calculate =0.6×1+0.2×1+0.2×0=0.8. The exact match of the ID number satisfies the condition (i.e., ...). =1 and =1 can be considered a strong association), and the engine directly triggers the automatic merging process. Finally, a globally unique identifier (UUID) is generated for the natural persons corresponding to the two data entries (e.g., np_4f8e2c3aAbCdEfGhIjKlMnOpQ). A and C both have the phone number 13600165071, but their ID card numbers are different. =0, =0.6×0+0.2×1+0.2×1=0.4, which does not meet the strong association rule, but satisfies the weak association rule. =1 and =1), therefore A and C are "suspected to be the same person", and manual confirmation is required for "Zhang". "If the person listed is a current faculty member pursuing a doctorate and is indeed the same individual, click 'Confirm Merge'. The system will assign the same UUID to both A and C. The UUID will be written to the sys_user table."
[0039] Step S202: Lifecycle state management; The state transition rules defined in this embodiment are as follows: The transformation matrix is as follows: ; When "Zhang" "Upon completion of the onboarding process, the HR system sends an enroll event to the lifecycle engine. The engine then performs a state transition." It will automatically trigger unified identity authentication, all-in-one card and other systems to activate "Zhang". The account was named "". When he retired, his status changed. The engine will automatically trigger an action that will revoke most of its operating permissions in various business systems.
[0040] Step S203, Identity Transformation and Authorization; After receiving the original appointment record, the identity authorization engine parses it into an internal triplet structure: ; The standard job title dictionary table `sys_post` is queried, mapping "Vice Dean" to `post_code=DEAN_VICE` and `post_level=L3`. A tag set `Tags{TAG_FINANCE, TAG_MANAGER}` is obtained based on the tag rules. Basic permissions (Baau) are obtained using `DEAN_VICE` (e.g., "reimbursement approval" in finance), and extended permissions (Extra) are obtained using the tag set. A standardized appointment record is generated and stored in the user appointment table `sys_user_assignment`.
[0041] Step S3: Unified Identity Authentication System Process Transformation; like Figure 3 As shown, the modified certification process is as follows: The identity governance platform will synchronize basic information, including the correspondence between employee ID / student ID and natural person UUID, to the unified identity authentication system; User Zhang When logging into a business system (such as OA), users are redirected to the unified identity authentication login page. open Enter his default employee ID 202301001 and password; After the unified identity authentication system verifies the password, it executes the "number to person" logic: based on the employee number 202301001, the corresponding UUID is found to be np_4f8e2c3aAbCdEfGhIjKlMnOpQ; Aggregate all identity information under this UUID, including all associated employee / student IDs, names, companies, all positions, and all business tags; The unified identity authentication system returns an enhanced authentication response P, as shown below: P={“sub”:“202301001”, / / Compatible with old systems, retain original employee ID; "user_name": "Zhang" ”, “unit_name”:“Finance Department”, "current_role":"STAFF", / / The currently logged-in identity, which can be determined based on the context or default rules; “all_roles”: [“STAFF”, “FINANCE_APPROVER”], / / All roles aggregated from the job records; “UUID”: “np_4f8e2c3aAbCdEfGhIjKlMnOpQ”, / / Newly added core natural person unique ID}.
[0042] Step S4: Business system access and migration; Taking a financial system as an example, when a user logs in, the unified identity authentication system returns a UUID and a permission tag set P (such as {financial approval, budget adjustment}). The financial system caches P locally using the UUID as the primary key. When accessing the application, the permission determination function is executed. ,like and If there is an intersection, access is allowed; otherwise, access is denied.
[0043] For newly built or heavily modified systems, the database design directly uses UUID as the user primary key, and a separate identity table is designed to store multiple user identities (such as teacher identity, student identity), forming a 1:N relationship to adapt to multi-identity scenarios.
[0044] Existing systems: UUIDs can be obtained through the modified authentication process, but the original employee IDs can still be used in the short term. The internal logic can be gradually migrated to UUID-based systems, ultimately achieving a complete replacement of the underlying architecture.
[0045] like Figure 4 This embodiment also provides a university personnel identity data governance system, which mainly includes: an upstream data source system (such as a personnel system, an academic affairs system, including existing systems), an identity governance platform, a unified identity authentication system, and a downstream business application system (such as an OA system, a scientific research system). Upstream data source systems include, but are not limited to, personnel systems, academic affairs systems, and graduate student systems. These are the sole producers of personnel data and are responsible for providing the original identity data to the identity governance platform. The personnel system provides employee IDs, names, departments, and job information; the academic affairs system and graduate student system provide student IDs, colleges, and major information. Existing systems: These refer to legacy business systems whose data may have quality issues. The identity governance platform will clean up their existing data and generate UUIDs for historical personnel. Identity Governance Platform: The core processing unit of the system, deployed between the upstream data source system and the downstream business application system, connecting with both the upstream data source system and existing systems. Internally, it includes: Data cleaning engine: Its input end is connected to at least one data source system, calls cleaning rules, processes the input raw data, and generates and maintains globally unique natural person UUIDs; Lifecycle Engine: Connects to the data cleaning engine to track and update the lifecycle status of each UUID; Identity authorization engine: It connects to the data cleaning engine and lifecycle engine respectively, and automatically derives and calculates default permissions based on job information and business tags; Unified Identity Authentication System: Communicates with the identity governance platform and receives synchronized standardized identity data containing UUIDs. It is responsible for receiving authentication requests from downstream business systems and, upon successful authentication, returning an enhanced authentication response containing the UUID and aggregated identity information. Downstream business systems: These systems connect to the unified identity authentication system and include academic affairs systems, OA systems, student affairs systems, etc. They communicate with the unified identity authentication system. These systems receive authentication responses from the unified identity authentication system, parse and obtain the UUID, and use this as the unique primary key for personnel information in their internal business logic.
[0046] In summary, by constructing a three-layer separation model and an identity governance platform, and by transforming the authentication process, this invention successfully elevates the management of university personnel identity from the dimension of "number" to the dimension of "person," providing a solid data foundation for building a secure, efficient, and intelligent digital campus.
[0047] The above are merely preferred embodiments of this application, but the scope of protection of this application is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this application should be included within the scope of protection of this application. Therefore, the scope of protection of this application should be determined by the scope of the claims.
Claims
1. A method for governing university personnel identity data based on a three-layer separation model, characterized in that, Includes the following steps: Obtain raw identity data from the upstream data source system; The original identity data is cleaned and merged according to preset cleaning rules, and a globally unique identity identifier is generated for each natural person to associate with multiple business identity instances of that natural person, thereby obtaining standardized identity data. The original job title is extracted from the standardized identity data, and the original job title is mapped to a standard job code and a set of business tags according to a preset standard job dictionary. The default permission group is obtained according to the standard job code and the set of business tags. Synchronize the standardized identity data to the unified identity authentication system; The unified identity authentication system receives authentication requests from downstream business systems. After successful verification, it determines the corresponding globally unique identity identifier based on the authentication request, obtains the default permission group associated with the identity identifier from the identity authorization engine, and returns an authentication response containing the globally unique identity identifier and the default permission group. The downstream business system performs user authentication based on the authentication response, thereby achieving identity data governance.
2. The method for governing university personnel identity data based on a three-layer separation model according to claim 1, characterized in that, The preset cleaning rules include strong association rules and weak association rules; The process of obtaining standardized identity data includes: Based on set theory, a matching degree function is defined to calculate the matching degree between two data records; When the ID number and name of two data records match exactly, it is determined to be a strong association rule, and the two data records are automatically merged and assigned the same globally unique identity identifier; When two data records match in terms of phone number and name but have missing or inconsistent ID numbers, it is determined to be a weak association rule, marked as potentially belonging to the same person, and a manual intervention merging process is triggered.
3. The method for governing university personnel identity data based on a three-layer separation model according to claim 1, characterized in that, Also includes: A state machine is maintained through a lifecycle engine to receive and manage the lifecycle states of natural persons; When a preset identity change event occurs, the state machine determines the target state to migrate to based on the current state and the identity change event, and automatically triggers interaction actions with downstream business systems.
4. The method for governing university personnel identity data based on a three-layer separation model according to claim 1, characterized in that, The original job title is extracted from the standardized identity data, and mapped to a set of standard job codes and business tags according to a preset standard job dictionary, including: Extract a triple containing the user identifier and the original job title from the standardized identity data; convert the original job title into a standard job title code according to the standard job title dictionary; and match the original job title with a set of corresponding business tags according to the business tag dictionary.
5. The method for governing university personnel identity data based on a three-layer separation model according to claim 4, characterized in that, The default permission group is obtained based on the standard job code and the business tag set, including: Based on the standard job code, obtain the corresponding basic permission template from the job basic permission table; based on the business tag set, obtain the corresponding extended permission set from the tag additional permission table; calculate the union of the basic permission template and the extended permission set, and use it as the default permission group.
6. The method for governing university personnel identity data based on a three-layer separation model according to claim 1, characterized in that, The unified identity authentication system determines a globally unique identity identifier based on the authentication request, including: The authentication request includes the user's original employee ID or student ID; after the unified identity authentication system verifies the request, it queries the synchronized standardized identity data based on the original employee ID or student ID to obtain a globally unique identity identifier associated with the original employee ID or student ID.
7. The method for governing university personnel identity data based on a three-layer separation model according to claim 1, characterized in that, The authentication response also includes aggregated identity information, which includes all business identity instances, role lists, and basic attributes of the natural person.
8. The method for governing university personnel identity data based on a three-layer separation model according to claim 1, characterized in that, Downstream business systems perform user authentication based on the authentication response, including: The default permission group in the authentication response is represented in the form of a permission tag set; the downstream business system extracts the permission tag set from the authentication response; it determines whether the permission tag set intersects with the permission tag set required by the business application, and if so, it determines that the user has permission.
9. A university personnel identity data governance system based on a three-layer separation model, used to implement the method described in any one of claims 1-8, characterized in that, include: The upstream data source system is used to provide raw personnel identity data; An identity governance platform is deployed between the upstream data source system and the downstream business application system. The identity governance platform includes: The data cleaning engine is used to clean and merge the original identity data according to preset cleaning rules, generate a globally unique identity identifier for each natural person to associate multiple business identity instances of that natural person, and obtain standardized identity data. The lifecycle engine is used to maintain the lifecycle status of natural persons and trigger interaction actions with downstream business systems when identity change events occur. An identity authorization engine is used to extract the original job title from the standardized identity data, map the original job title to a standard job code and a set of business tags, and obtain a default permission group based on the standard job code and the set of business tags. A unified identity authentication system is used to receive standardized identity data carrying the globally unique identity identifier synchronized by the identity governance platform, and to receive authentication requests from downstream business systems. After successful verification, the system determines the corresponding globally unique identity identifier based on the authentication request, obtains the default permission group associated with the identity identifier from the identity authorization engine, and returns an authentication response containing the globally unique identity identifier and the default permission group. Downstream business application systems are used to receive the authentication response and perform user authentication based on the authentication response.
10. The university personnel identity data governance system based on a three-layer separation model according to claim 9, characterized in that, The identity governance platform is deployed with four core tables, including: The Natural Person table uses a globally unique identifier as the primary key to store the inherent attributes of natural persons; the Standard Unit dictionary table is used to standardize the organizational structure across the entire school; the Standard Position dictionary table is used to store position codes and standard names; the User Appointment table, linked by the globally unique identifier as a foreign key, is used to establish a one-to-many relationship between natural persons and positions; the Identity Governance Platform also communicates with the existing system to clean the historical identity data of the existing system according to the cleansing rules and generate globally unique identifiers for historical personnel.