
CN102377589B - Right management control method and terminal - Google Patents


Info

Publication number
CN102377589B
Authority
CN
China
Prior art keywords
manager
authority
delegation
target node
delegated
Prior art date
Legal status
Active
Application number
CN201010257826.8A
Other languages
Chinese (zh)
Other versions
CN102377589A (en)
Inventor
常新苗
宋悦
刘海涛
张惠萍
Current Assignee
Huawei Device Co Ltd
Huawei Device Shenzhen Co Ltd
Original Assignee
Huawei Device Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Device Co Ltd
Priority to CN201010257826.8A (CN102377589B)
Priority to CN201410333745.XA (CN104079437B)
Publication of CN102377589A
Application granted
Publication of CN102377589B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The embodiment of the invention provides a right management control method and a terminal. The method comprises the following steps: configuring the attributes of a target node on a management tree according to information about trust relationships between a trusting manager and a trusted manager, wherein the information about the trust relationships comprises a trusting manager identifier, a trusted manager identifier, the information of the target node, trusted rights and a trust level; receiving an operating request for the target node from a first manager, and judging whether the first manager has operating rights or not according to the configured attributes of the target node; and performing a corresponding operation on the target node according to the operating request if the first manager has the operating rights, otherwise denying the first manager permission to perform the operation on the target node. The terminal provided by the embodiment of the invention comprises a management tree execution module and an equipment management agent module. By the method, the terminal can determine the trust relationships among a plurality of managers, and perform right management control on a node according to the trust relationships.

Description

Method and terminal for realizing authority management control
Technical Field
The embodiment of the invention relates to a communication technology, in particular to a method and a terminal for realizing authority management control.
Background
Open Mobile Alliance (OMA) Device Management (DM) is a technology in which a management instruction from a management party is delivered from the network side to a terminal over the air and run automatically by the terminal, so as to complete remote management tasks such as installing and upgrading the terminal's software and hardware, configuring parameters, and running diagnostics.
OMA DM mainly involves a terminal and a DM server. The terminal contains a DM agent and a DM management tree: the DM management tree is the interface through which the DM server manages the terminal, and the DM agent interprets and executes the management commands sent by the DM server. Each node in the DM management tree has its own access control list (hereinafter "ACL") attribute.
In OMA DM a terminal may have multiple managers. One manager may delegate its own management authority over a node in the terminal to another manager; the delegated party then holds the management authority delegated by the delegating party and may use it to manage that node in the terminal accordingly.
At present, when several managers of a terminal perform delegation authorization, authority management control mainly works as follows: for a node in the terminal, every manager able to manage the node, together with its authority, is recorded in the ACL attribute of that node. For example, manager 1 has the right to delete node A, and manager 1 delegates the right to delete node A to manager 2, so the ACL attribute of node A records that both manager 1 and manager 2 have the right to delete node A. When a manager subsequently requests a "Delete" operation on node A, the terminal determines from the ACL attribute of node A whether that manager holds the "Delete" authority for node A; if so, the terminal performs the "Delete" operation on node A, otherwise it refuses to execute it.
In the course of implementing the invention, the inventors found at least the following problem in the prior art: the prior-art method records in the terminal only which managers hold which authority over a node. Even when a node has several managers and a delegation relationship exists between them, the terminal can therefore determine only which managers correspond to the node and what authority each of them has; it cannot determine the delegation relationship among those managers, and cannot perform authority management control on the node according to that relationship, which reduces service quality.
Disclosure of Invention
The embodiment of the invention provides a method and a terminal for realizing authority management control, which can determine the delegation relationship among a plurality of managers and carry out authority management control on nodes according to that delegation relationship.
The method for realizing authority management control provided by the embodiment of the invention comprises the following steps:
configuring the attribute of a target node on a management tree according to the delegation relationship information between a delegating manager and a delegated manager, where the delegation relationship information includes a delegating manager identifier, a delegated manager identifier, information of the target node, a delegated authority and a delegation level;
receiving an operation request of a first manager for the target node, and judging whether the first manager has the operation authority according to the configured attribute of the target node; if so, executing the corresponding operation on the target node according to the operation request, otherwise refusing to let the first manager execute the operation on the target node.
The terminal provided by the embodiment of the invention comprises:
a management tree execution module, used for configuring the attribute of the target node on the management tree according to the delegation relationship information between the delegating manager and the delegated manager, where the delegation relationship information includes a delegating manager identifier, a delegated manager identifier, information of the target node, a delegated authority and a delegation level;
a device management agent module, used for receiving an operation request of a first manager for the target node and judging whether the first manager has the operation authority according to the configured attribute of the target node; if so, executing the corresponding operation on the target node according to the operation request, otherwise refusing to let the first manager execute the operation on the target node.
With the method and the terminal for realizing authority management control provided by the embodiment of the invention, the attribute of the target node on the management tree can be configured according to the delegation relationship information between the delegating manager and the delegated manager, where that information specifically comprises a delegating manager identifier, a delegated manager identifier, the information of the target node, a delegated authority and a delegation level. The terminal can thus know the delegation relationship for a given target node, namely which authority of one manager over that node is delegated to another manager and at which delegation level, and can carry out the corresponding authority control for that delegation relationship, thereby improving service quality.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a basic flowchart of a method for implementing rights management control according to an embodiment of the present invention;
Fig. 2 is a flowchart of implementing rights management control in embodiment 1 of the present invention;
Fig. 3 is a diagram illustrating configuration of a delegation relationship using an added Delegation sub-tree in embodiment 1 of the present invention;
Fig. 4 is a flowchart of implementing rights management control in embodiment 2 of the present invention;
Fig. 5 is a flowchart of implementing rights management control in embodiment 3 of the present invention;
Fig. 6 is a schematic structural diagram of a terminal according to an embodiment of the present invention;
Fig. 7 is another schematic structural diagram of a terminal in embodiment 4 of the present invention;
Fig. 8 is another schematic structural diagram of a terminal in embodiment 5 of the present invention;
Fig. 9 is another schematic structural diagram of a terminal in embodiment 6 of the present invention;
Fig. 10 is another schematic structural diagram of a terminal in embodiment 7 of the present invention;
Fig. 11 is another schematic structural diagram of a terminal in embodiment 8 of the present invention;
Fig. 12 is another schematic structural diagram of a terminal in embodiment 9 of the present invention;
Fig. 13 is another schematic structural diagram of a terminal in embodiment 10 of the present invention;
Fig. 14 is another schematic structural diagram of a terminal in embodiment 11 of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The embodiment of the invention provides a method for realizing authority management control. Referring to Fig. 1, the method comprises the following steps:
Step 101: configuring the attribute of the target node on the management tree according to the delegation relationship information between the delegating manager and the delegated manager, where the delegation relationship information comprises a delegating manager identifier, a delegated manager identifier, the information of the target node, a delegated authority and a delegation level.
Step 102: receiving an operation request of a first manager for the target node, and judging whether the first manager has the operation authority according to the configured attribute of the target node; if so, executing step 103, otherwise executing step 104.
Step 103: executing the corresponding operation on the target node according to the operation request, and ending the current flow.
Step 104: refusing to let the first manager perform the operation on the target node.
It can be seen that, in the method for implementing authority management control provided in the embodiment of the present invention, the attribute of the target node on the management tree can be configured according to the delegation relationship information between the delegating manager and the delegated manager, where the delegation relationship information specifically includes a delegating manager identifier, a delegated manager identifier, information of the target node, a delegated authority and a delegation level. The terminal can thus know the delegation relationship for a given target node, namely which authority a manager of that node delegates to another manager and at which delegation level, and can perform the corresponding authority control for that delegation relationship, thereby improving service quality.
In the implementation of the embodiment of the present invention, the specific attribute to which the delegation relationship information is configured may be determined according to actual needs. According to different configured attributes of the delegation relationship information, the following service scenarios may specifically exist in the embodiments of the present invention:
In the first service scenario, the account information of each manager is stored under the terminal management account (hereinafter "DMAcc") management object of the management tree. A Delegation sub-tree can therefore be added under the DMAcc management object for each manager involved in authority delegation, the delegation relationship information is configured using the added Delegation sub-tree, and the access control list (hereinafter "ACL") attribute of the target node is configured according to the delegation relationship information configured in the Delegation sub-tree.
In the second service scenario, the account information of each manager is stored under the DMAcc management object of the management tree and an extension node is reserved for each manager, so the extension node of each manager involved in authority delegation can be used to configure the delegation relationship information under the DMAcc management object, and the ACL attribute of the target node is configured according to the delegation relationship information configured in that extension node.
In the third service scenario, each managed target node has its own attribute on the management tree, so the delegation relationship information can be configured directly in the attribute of the target node.
The following describes the process of performing rights management control in detail with respect to three service scenarios, respectively, in a specific embodiment.
Example 1:
Embodiment 1 applies to the first service scenario: an added Delegation sub-tree is used to configure the delegation relationship, and the ACL attribute of the target node is configured accordingly, so as to implement subsequent authority management control for the delegation relationship. Referring to Fig. 2, in embodiment 1 of the present invention the process of implementing rights management control includes the following steps:
Step 201: under the DMAcc management object of the management tree, a Delegation sub-tree is added for the managers involved in the delegation of rights.
Step 202: configuring the delegation relationship information between the delegating manager and the delegated manager on the added Delegation sub-tree.
In the above steps, the Delegation sub-tree may be added for the delegating manager, for the delegated manager, or for both; correspondingly, the delegation relationship information may be configured on the Delegation sub-tree of the delegating manager, on that of the delegated manager, or on both.
The delegation relationship information between the delegating manager and the delegated manager may specifically include: a delegating manager identifier, a delegated manager identifier, information of the target node, a delegated authority and a delegation level.
Regarding the delegation relationship information, first, the information of the target node includes at least one of: a universal resource identifier (hereinafter, abbreviated as "URI") of the target node, a management object identifier (hereinafter, abbreviated as "MOI"), or an MOI and a specific node value.
Secondly, the delegated authority indicates which authority of the delegating manager over the target node is delegated to the delegated manager. The value of the delegated authority can follow the syntax of a standard ACL value. For example, if the delegating manager ServerA delegates the "Get" and "Delete" rights to the delegated manager ServerB, the value of the delegated rights is "Get=ServerB&Delete=ServerB".
The delegation level is set to realize authority management control based on a delegation relationship, and reflects the degree of ownership of the delegated authority by the delegating administrator and the delegated administrator. The delegation level can be set to: full delegation, meaning that after a delegating administrator delegates a right to a delegated administrator, the delegating administrator no longer owns the right. The delegation level can also be set to: and sharing delegation, which means that after a delegating manager delegates a right to a delegated manager, the delegating manager still has the right.
Finally, to further enhance authority management control based on the delegation relationship, the delegation relationship information between the delegating manager and the delegated manager may further include a delegation validation start time and/or a delegation validity duration. The delegation validation start time controls the point in time at which the delegation takes effect, so that the delegating manager can better control when the delegated authority may be used. The delegation validity duration lets the terminal automatically recover the authority delegated by the delegating manager, so that the delegated manager does not hold the delegated authority indefinitely.
The configuration of the delegation relationship information through the Delegation sub-tree is shown in Fig. 3. The extension node shown in Fig. 3 may additionally be reserved on the Delegation sub-tree, so that when the content of the delegation relationship information is extended, the extended content can be recorded through the extension node.
Step 203: when the timer reaches the delegation validation start time, finding the target node on the management tree.
If the information of the target node in the delegation relationship information is the URI of the target node, then the corresponding target node on the management tree is directly found according to the URI in the step.
If the information of the target node in the delegation relationship information is an MOI, then, since the MOI usually corresponds to one or more subtrees, the root node of the subtree corresponding to the MOI is found on the management tree in this step.
If the information of the target node in the delegation relationship information is the MOI and a specific node value, first finding sub-trees corresponding to the MOI on the management tree, and then finding root nodes of the sub-trees having the specific node value from the sub-trees.
Step 204: and modifying the ACL value of the found target node according to the identification of the entrusted manager, the entrusted authority and the entrusting level.
If the delegation level is full delegation, then modifying the ACL value of the target node found includes: and the corresponding authority of the manager is delegated in the ACL value of the found target node by using the delegated authority. For example, if the requesting manager ServerA has delegated "Get" and "Delete" rights for the node 1 to the requested manager ServerA, and the value of the delegated rights is "Get ═ ServerA & Delete ═ ServerA", then the found ACL value for the node 1 originally includes the rights "Get ═ ServerA & Delete ═ ServerA" of the requesting manager ServerA for the node, and if the delegation level is full, the "Get ═ ServerA & Delete ═ ServerA" in the ACL value for the node 1 is overwritten with the "Get ═ ServerA & Delete ═ ServerA" in the ACL value for the node 1. So that the delegate manager ServerA no longer continues to have the "Get" and "Delete" rights for this node 1. Further, in order to ensure that the delegated manager ServerA does not continue to have the authority, a tag for excluding the delegated manager ServerA may be further added corresponding to the "Get" and "Delete" authorities of the ACL value.
If the delegation level is a shared delegation, then modifying the ACL value of the target node found includes: delegated rights are added to the found ACL value of node 1. For example, the requesting manager ServerA delegates the sharing of the rights to the node 1 between "Get" and "Delete" to the requested manager ServerB, and the value of the delegated rights is "Get ═ ServerB & Delete ═ ServerB", then the found ACL value of the node 1 originally includes the rights to the node 1 by the requesting manager ServerA "Get ═ ServerA & Delete ═ ServerA", and when the delegation level is the sharing delegation, the ACL value is still left "Get ═ ServerA & Delete ═ ServerA", and "Get ═ ServerB & Delete ═ ServerB" is added to the ACL value. So that both the entrusting manager ServerA and the entrusted manager ServerB possess the "Get" and "Delete" rights for the node 1.
Step 205: the terminal receives an operation request of a manager (marked as 'manager 1') to a target node (marked as 'node 1').
Step 206: the terminal judges whether the manager 1 has the operation authority according to the current ACL value of the node 1, if so, the step 207 is executed, otherwise, the step 208 is executed.
Step 207: and executing corresponding operation on the node 1 according to the operation request, and ending the current flow.
Step 208: the administrator 1 is denied performing an operation on the node 1.
If the Delegation relationship information configured on the deletion sub-tree includes a duration of Delegation validity, after modifying the ACL value of the found target node in step 204, the process shown in fig. 2 may further include: and when the time reaches the end time of the valid duration of the delegation, restoring the ACL value of the found target node to the ACL value before modification.
In embodiment 1 of the present invention, the Delegation sub-tree added to the management tree can be used to configure the Delegation relationship information between the delegating manager and the delegated manager, and modify the ACL value of the target node, so that the terminal can know the Delegation relationship for one target node, that is, what authority the one manager of one target node delegates to the other manager, and can perform corresponding authority control for the Delegation relationship. For example, the full delegation and sharing delegation of the delegation manager to the delegated manager can be realized by setting the delegation level, so that the flexibility of authority management control is greatly increased, and the service performance is optimized.
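The ACL rewrite of steps 203 to 208, together with the restore at the end of the validity duration, as an added worked example in Python; it is not code from the patent or from any Huawei implementation. It assumes the standard OMA DM ACL syntax in which commands are separated by "&" and several servers holding one command by "+", and the node, delegation record and clock values are constructed for the example.

```python
"""Added example: ACL-based delegation as described for embodiments 1 and 2.

Assumptions (not from the patent): OMA DM ACL syntax "Cmd=ServerA+ServerB&Cmd2=*",
times are plain integers, and a node carries at most one active delegation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FULL = "full"      # delegating manager gives the right up
SHARED = "shared"  # delegating manager keeps the right as well


def parse_acl(acl: str) -> Dict[str, List[str]]:
    """'Get=ServerA&Delete=ServerA+ServerB' -> {'Get': ['ServerA'], 'Delete': ['ServerA', 'ServerB']}."""
    rights: Dict[str, List[str]] = {}
    for entry in acl.split("&"):
        if not entry:
            continue
        cmd, _, servers = entry.partition("=")
        rights[cmd] = [s for s in servers.split("+") if s]
    return rights


def format_acl(rights: Dict[str, List[str]]) -> str:
    """Inverse of parse_acl; command order is preserved so values stay stable."""
    return "&".join(f"{cmd}={'+'.join(servers)}" for cmd, servers in rights.items())


@dataclass
class Delegation:
    """Delegation relationship information as configured on the Delegation sub-tree."""
    delegator: str                  # delegating manager identifier
    delegate: str                   # delegated manager identifier
    target_uri: str                 # information of the target node (URI form)
    delegated_rights: str           # delegated authority, e.g. "Get=ServerB&Delete=ServerB"
    level: str                      # FULL or SHARED
    start: int                      # delegation validation start time
    duration: Optional[int] = None  # delegation validity duration; None = no expiry


@dataclass
class Node:
    uri: str
    acl: str
    acl_before_delegation: Optional[str] = None  # kept so the ACL can be restored later


def apply_delegation(node: Node, d: Delegation) -> None:
    """Step 204: rewrite the ACL value from delegate id, delegated rights and level."""
    if node.acl_before_delegation is None:
        node.acl_before_delegation = node.acl
    current = parse_acl(node.acl)
    for cmd, new_holders in parse_acl(d.delegated_rights).items():
        holders = current.get(cmd, [])
        if d.level == FULL:
            # Full delegation: the delegator's entry for this command is overwritten.
            holders = [s for s in holders if s != d.delegator]
        # Shared delegation simply adds the delegate next to the existing holders.
        for s in new_holders:
            if s not in holders:
                holders.append(s)
        current[cmd] = holders
    node.acl = format_acl(current)


def restore_acl(node: Node) -> None:
    """End of the validity duration: restore the ACL value before modification."""
    if node.acl_before_delegation is not None:
        node.acl = node.acl_before_delegation
        node.acl_before_delegation = None


def has_right(node: Node, manager: str, cmd: str) -> bool:
    """Step 206: decide an operation request from the node's current ACL value."""
    holders = parse_acl(node.acl).get(cmd, [])
    return "*" in holders or manager in holders


def tick(node: Node, d: Delegation, now: int) -> str:
    """Steps 203/204 plus expiry, driven by the terminal clock; returns the delegation state."""
    if now < d.start:
        return "pending"
    if d.duration is not None and now >= d.start + d.duration:
        restore_acl(node)
        return "expired"
    if node.acl_before_delegation is None:
        apply_delegation(node, d)
    return "active"
```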
Example 2:
the embodiment 2 is applicable to the second service scenario, where the delegated relationship information is configured by using an extended node reserved under the DMAcc management object, and the ACL value of the target node is modified according to the delegated relationship information, thereby implementing subsequent authority management control for the delegated relationship. Referring to fig. 4, in embodiment 2 of the present invention, a process of implementing rights management control includes the following steps:
Step 401: under the DMAcc management object of the management tree, configuring the delegation relationship information between the delegating manager and the delegated manager using the extension node of the manager involved in the authority delegation.
Specifically, the delegation relationship information may be configured in an extension node value corresponding to a delegating administrator and/or in an extension node value corresponding to a delegated administrator.
The contents and roles of the delegation relationship information in this step are the same as those of the delegation relationship information in the above-described step 202.
The contents described in steps 402 to 407 are the same as those described in steps 203 to 208.
In the extension node value under the DMAcc management object, if the configured delegation relationship information includes a duration for which delegation is valid, after modifying the ACL value of the found target node in the above step 402, the above flow illustrated in fig. 4 may further include: and when the time reaches the end time of the valid duration of the delegation, restoring the ACL value of the found target node to the ACL value before modification.
In embodiment 2 of the present invention, the delegation relationship information between the delegating manager and the delegated manager can be configured by the extension node reserved under the DMAcc management object, and the ACL value is modified according to the delegation relationship information, so that the terminal can know the delegation relationship for a target node, that is, what authority the one manager of the target node delegates to another manager, and can perform corresponding authority control for the delegation relationship. For example, the full delegation and sharing delegation of the delegation manager to the delegated manager can be realized by setting the delegation level, so that the flexibility of authority management control is greatly increased, and the service performance is optimized.
Example 3:
Embodiment 3 applies to the third service scenario and configures the delegation relationship information using a newly added attribute of the target node, thereby implementing subsequent authority management control for the delegation relationship. Referring to Fig. 5, in embodiment 3 of the present invention the process of implementing rights management control includes the following steps:
Step 501: after the delegating manager delegates the operation authority over the target node to the delegated manager, the delegating manager generates an authorization certificate storing the delegation relationship information between the delegating manager and the delegated manager.
In this step, the delegation relationship information in the authorization certificate may include: a delegating manager identifier, a delegated manager identifier, information of the target node, a delegated authority and a delegation level.
The delegation level may specifically be: a full delegate, a shared delegate, or a sub-delegate. When the delegation level is a sub delegation, the delegated manager identification comprises a first-level delegated manager identification and a second-level delegated manager identification, and after the delegation manager delegates the authority to the first-level delegated manager, the first-level delegated manager is allowed to continue delegating the authority to the second-level delegated manager.
And, further, the delegation relationship information in the authorization certificate may further include: a delegated validation start time and/or a delegated validation duration.
In this embodiment 3, the functions and the related descriptions of the delegated authority, the full delegation, the sharing delegation, the delegation validation start time, and the delegation validation duration are the same as those in the above-described step 202.
Step 502: and the entrusted manager sends the authorization certificate to the terminal.
Step 503: and the terminal configures the authorization certificate in the newly added attribute of the target node on the management tree.
For example, the delegating manager ServerA delegates the "Get" and "Delete" rights to the target node 1 to the delegated manager ServerB, then the authorization credential is configured in the newly added attribute of the target node 1 on the management tree.
Step 504: the terminal receives an operation request of a manager (marked as 'manager 1') to a target node (marked as 'node 1').
Step 505: the terminal judges whether the manager 1 has the operation authority or not according to the authorization certificate in the attribute of the node 1, if so, the step 506 is executed, otherwise, the step 507 is executed.
In this step, the delegation validation start time, the delegation manager identifier, the delegated authority, and the delegation level in the authorization certificate can all be used to determine whether the manager 1 has the operation authority. For example, one process of determining includes the steps of:
step 5051: and judging whether the current time is after the commission validation start time, if so, executing the step 5052, and otherwise, directly executing the step 507.
Step 5052: and judging whether the manager 1 has the operation authority or not according to the identifier of the entrusted manager, the entrusted authority and the entrustment level, if so, executing a step 506, and otherwise, executing a step 507.
If the delegation level is full delegation, then the specific judgment process in this step includes: judging whether the manager 1 is a delegated manager or not according to the delegated manager identifier, if so, judging whether the operation request is in the authority range or not according to the delegated authority, and if so, determining that the manager 1 has the operation authority;
if the delegation level is a sharing delegation, the specific judgment process in the step comprises: judging whether the manager 1 is any one of a delegating manager and a delegated manager according to the delegating manager identifier and the delegated manager identifier, if so, judging whether the operation request is in an authority range according to the delegated authority, and if so, determining that the manager 1 has the operation authority;
if the delegation level is a sub-delegation, the specific judgment process in this step includes: and judging whether the manager 1 is a second-level delegated manager according to the second-level delegated manager identifier, if so, judging whether the operation request is in the authority range according to the delegated authority, and if so, determining that the manager 1 has the operation authority.
Step 506: execute the corresponding operation on node 1 according to the operation request, and end the current flow.
Step 507: deny manager 1 the operation on node 1.
If the authorization certificate includes a delegation valid duration, then after the authorization certificate has been configured in the new attribute of the target node in the management tree in step 503, the process shown in fig. 5 further includes: when the timer reaches the end time of the delegation valid duration, the authorization certificate is deleted from the attributes of the target node.
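The check in steps 505 to 507, together with the certificate deletion on expiry described just above, written out as an added Python example (not code from the patent); the node path, manager names, operation set and dates are constructed assumptions:

```python
"""Added example (not the patent's own code): an authorization-certificate
check over a management-tree node, following steps 505-507 of embodiment 3.
Node path, manager names, operation set and dates are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import FrozenSet, Optional

FULL, SHARING, SUB = "full", "sharing", "sub"      # delegation levels

# Operation names follow the OMA DM ACL command set (assumption for the example).
OPERATIONS = frozenset({"Get", "Add", "Replace", "Delete", "Exec"})


@dataclass
class AuthorizationCert:
    """Delegation relationship information stored in the node's new attribute."""
    delegating_manager: str
    delegated_manager: str                      # first-level delegated manager
    delegated_authority: FrozenSet[str]         # subset of OPERATIONS
    delegation_level: str
    start_time: Optional[datetime] = None       # delegation validation start time
    valid_duration: Optional[timedelta] = None  # delegation valid duration
    second_level_delegated_manager: Optional[str] = None  # used for SUB only

    def end_time(self) -> Optional[datetime]:
        if self.start_time is None or self.valid_duration is None:
            return None
        return self.start_time + self.valid_duration


@dataclass
class Node:
    path: str
    attributes: dict = field(default_factory=dict)  # "AuthCert" -> AuthorizationCert


def permitted_managers(cert: AuthorizationCert) -> set:
    """Managers that the delegation level lets act on the node (step 5052)."""
    if cert.delegation_level == FULL:
        return {cert.delegated_manager}
    if cert.delegation_level == SHARING:
        return {cert.delegating_manager, cert.delegated_manager}
    if cert.delegation_level == SUB and cert.second_level_delegated_manager:
        return {cert.second_level_delegated_manager}
    return set()          # unknown level: deny everyone (fail closed)


def check_operation(node: Node, manager: str, operation: str, now: datetime) -> bool:
    """Step 505: True means execute (step 506), False means deny (step 507).

    A certificate whose valid duration has elapsed is deleted from the node,
    as the terminal does in embodiment 3, and the request is denied.
    """
    cert = node.attributes.get("AuthCert")
    if cert is None:
        return False
    end = cert.end_time()
    if end is not None and now >= end:
        del node.attributes["AuthCert"]   # delegation has lapsed: restore the node
        return False
    if cert.start_time is not None and now < cert.start_time:
        return False                      # step 5051: not yet in force
    if manager not in permitted_managers(cert):
        return False                      # identity check for the level
    return operation in cert.delegated_authority   # authority range check


# --- constructed sample data -------------------------------------------------

def sample_node(level: str) -> Node:
    """A node whose certificate delegates Get/Replace from serverA to serverB
    for 30 days from 2010-08-12 (constructed values)."""
    cert = AuthorizationCert(
        delegating_manager="serverA",
        delegated_manager="serverB",
        delegated_authority=frozenset({"Get", "Replace"}),
        delegation_level=level,
        start_time=datetime(2010, 8, 12),
        valid_duration=timedelta(days=30),
        second_level_delegated_manager="serverC" if level == SUB else None,
    )
    return Node("./DevDetail/Ext/Cfg", {"AuthCert": cert})


def check_at(node: Node, manager: str, operation: str, when: str) -> bool:
    """check_operation with the current time given as an ISO-8601 string."""
    return check_operation(node, manager, operation, datetime.fromisoformat(when))


if __name__ == "__main__":
    n = sample_node(FULL)
    for who, op, when in [("serverB", "Get", "2010-08-11T00:00:00"),
                          ("serverB", "Get", "2010-08-20T00:00:00"),
                          ("serverB", "Delete", "2010-08-20T00:00:00"),
                          ("serverA", "Get", "2010-08-20T00:00:00")]:
        print(who, op, when, "->", "execute" if check_at(n, who, op, when) else "deny")
```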
In embodiment 3 of the present invention, the delegation relationship information, in the form of an authorization certificate, can be configured in the newly added attribute of the target node on the management tree, so that the terminal knows the delegation relationship for one target node, that is, what authority a manager of that node has delegated to another manager, and can perform the corresponding authority control for that relationship. For example, full delegation, sub-delegation and sharing delegation from the delegating manager to the delegated manager can be realized by setting the delegation level, which greatly increases the flexibility of authority management control and optimizes service performance.
It should be noted that adding the delegation sub-tree in embodiment 1 only adds a branch to the management tree of the terminal, embodiment 2 only uses the extension node originally reserved under the DMAcc management object, and embodiment 3 only uses a newly added attribute of the target node, so the original structure of the terminal is only slightly modified and the implementation is easy.
Further, in embodiments 1 to 3 of the present invention, the time at which the delegation takes effect can be controlled by the configured delegation validation start time, so that the delegating manager has better control over the use of the delegated authority. In addition, through the configured delegation valid duration, the terminal in embodiments 1 and 2 can automatically restore the ACL value of the target node to the value it had before modification, and in embodiment 3 the terminal can automatically delete the authorization certificate from the attribute of the target node, so that subsequent authority operations on the target node revert to the authority in force before the delegation, and the delegating manager can safely recover the delegated authority.
In embodiments 1 to 3 of the present invention, the processing of each step in the above flowcharts may be executed by the terminal itself or by a control device connected to the terminal. The connection between the terminal and the control device may be wired or wireless, and the specific wired or wireless connection manner does not limit the present invention.
The embodiment of the invention also provides a terminal. Referring to fig. 6, the terminal includes:
a management tree execution module 601, configured to configure attributes of a target node on a management tree according to delegation relationship information between a delegating manager and a delegated manager, where the delegation relationship information includes a delegating manager identifier, a delegated manager identifier, information of the target node, a delegated authority and a delegation level;
a device management agent module 602, configured to receive an operation request of a first manager for the target node and determine whether the first manager has the operation authority according to the attribute configured for the target node; if so, execute the corresponding operation on the target node according to the operation request, otherwise refuse the first manager the operation on the target node.
It can be seen that, because the terminal provided in the embodiment of the present invention configures the attribute of the target node on the management tree according to the delegation relationship information between the delegating manager and the delegated manager, and that information specifically includes the delegating manager identifier, the delegated manager identifier, the information of the target node, the delegated authority and the delegation level, the terminal knows the delegation relationship for one target node, that is, what authority one manager of the node has delegated to another manager and at what delegation level, so the corresponding authority control can be performed for that relationship, improving the quality of service.
The terminal provided by the embodiment of the invention can be applied to the three service scenarios above; for the specific flows, refer to the method embodiments.
First, the specific structure and function of each module when the terminal is applied to service scenario one or service scenario two are described:
optionally, referring to fig. 7, in embodiment 4 of the present invention, the management tree execution module 601 includes a first management tree execution module 701, configured to add a delegation sub-tree corresponding to the delegating manager or the delegated manager under the terminal management account management object of the management tree, configure the delegation relationship information between the delegating manager and the delegated manager on that delegation sub-tree, and configure the access control list attribute of the target node on the management tree according to the delegation relationship information configured on the delegation sub-tree.
Optionally, referring to fig. 8, in embodiment 5 of the present invention, the management tree execution module 601 includes a second management tree execution module 801, configured to configure, under the terminal management account management object of the management tree, the delegation relationship information between the delegating manager and the delegated manager in the extension node value corresponding to the delegating manager or in the extension node value corresponding to the delegated manager, and to configure the access control list attribute of the target node on the management tree according to the delegation relationship information configured in that extension node value.
Optionally, referring to fig. 7 and 9, in embodiment 6 of the present invention, the first management tree execution module 701 may further include a modifying module 901; referring to fig. 8 and 10, in embodiment 7 of the present invention, the second management tree execution module 801 may further include a modifying module 1001. Either the modifying module 901 of fig. 9 or the modifying module 1001 of fig. 10 may be configured to find the target node on the management tree according to the information of the target node in the delegation relationship information, and to modify the access control list value of the found target node according to the delegating manager identifier, the delegated authority and the delegation level in the delegation relationship information;
accordingly,
referring to fig. 9, in embodiment 6 of the present invention, the device management agent module 602 further includes a determining module 902, and referring to fig. 10, in embodiment 7 of the present invention, the device management agent module 602 further includes a determining module 1002; either the determining module 902 or the determining module 1002 may determine whether the first manager has the operation authority according to the current access control list value of the target node.
Optionally, referring to fig. 9 and fig. 11, in embodiment 8 of the present invention, the modifying module 901 in the first management tree execution module 701 further includes an executing module 1101; referring to fig. 10 and 12, in embodiment 9 of the present invention, the modifying module 1001 in the second management tree execution module 801 further includes an executing module 1201. When the delegation relationship information further includes a delegation validation start time and/or a delegation valid duration, either the executing module 1101 or the executing module 1201 may be configured to perform the modification of the found target node's access control list value when the delegation validation start time in the delegation relationship information is reached, and, according to the delegation valid duration in the delegation relationship information, to restore the access control list value of the target node to its value before modification when the end time of the delegation valid duration is reached after that modification.
Next, the specific structure and function of each module when the terminal is applied to service scenario three are explained:
optionally, referring to fig. 13, in embodiment 10 of the present invention, the management tree execution module 601 further includes a third management tree execution module 1301, configured to configure an authorization certificate storing the delegation relationship information between the delegating manager and the delegated manager in a newly added attribute of the target node on the management tree;
accordingly,
the device management agent module 602 further includes a third device management agent module 1302, configured to determine whether the first manager has the operation authority according to the delegating manager identifier, the delegated authority and the delegation level in the authorization certificate of the target node.
Optionally, referring to fig. 14, in embodiment 11 of the present invention, the device management agent module 602 further includes a fourth device management agent module 1402, configured to determine whether the first manager has the operation authority according to the delegation validation start time in the authorization certificate of the target node.
Referring to fig. 14, regardless of whether the device management agent module 602 includes the fourth device management agent module 1402, the management tree execution module 601 may further include a fourth management tree execution module 1401, configured to delete the authorization certificate from the newly added attribute of the target node when, after the authorization certificate has been configured in the attribute of the corresponding target node on the management tree, the end time of the delegation valid duration in the authorization certificate is reached.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (4)

1. A method for implementing rights management control, comprising:
configuring an attribute of a target node on a management tree according to delegation relationship information between a delegating manager and a delegated manager; the delegation relationship information includes: a delegating manager identifier, a delegated manager identifier, information of the target node, a delegated authority and a delegation level;
receiving an operation request of a first manager for the target node, and judging whether the first manager has an operation authority or not according to the configured attribute of the target node; if the first manager has the operation authority, executing corresponding operation on the target node according to the operation request, and if the first manager does not have the operation authority, refusing the first manager to execute operation on the target node;
the configuring the attribute of the target node on the management tree according to the delegation relationship information between the delegating manager and the delegated manager comprises: configuring an authorization certificate storing the delegation relationship information between the delegating manager and the delegated manager in a newly added attribute of the target node on the management tree;
the judging whether the first manager has the operation authority according to the configured attribute of the target node comprises: determining whether the first manager has the operation authority according to the delegated manager identifier, the delegated authority and the delegation level in the authorization certificate;
the delegation level is full delegation; the judging whether the first manager has the operation authority includes: judging whether the first manager is the delegated manager or not according to the delegated manager identification, if so, judging whether the operation request is in an authority range or not according to the delegated authority, and if so, determining that the first manager has the operation authority;
or,
the delegation level is a sharing delegation; the judging whether the first manager has the operation authority comprises: judging whether the first manager is either the delegating manager or the delegated manager according to the delegating manager identifier and the delegated manager identifier; if the first manager is either of them, judging whether the operation request is in an authority range according to the delegated authority; and if the operation request is in the authority range, determining that the first manager has the operation authority;
or,
the delegation level is a sub-delegation, and the delegated manager identification comprises a first-level delegated manager identification and a second-level delegated manager identification; the judging whether the first manager has the operation authority includes: and judging whether the first manager is a second-level delegated manager or not according to the second-level delegated manager identification, if so, judging whether the operation request is in an authority range or not according to the delegated authority, and if so, determining that the first manager has the operation authority.
2. The method for implementing rights management control of claim 1, wherein the delegation relationship information further includes a delegation validation start time; the judging whether the first manager has the operation authority further comprises: determining whether the first manager has the operation authority according to whether the current time is after the delegation validation start time;
and/or,
the delegation relationship information further includes a delegation valid duration; the method further comprises, after the authorization certificate is configured in the newly added attribute of the target node on the management tree: when the timer reaches the end time of the delegation valid duration, deleting the authorization certificate from the newly added attribute of the target node.
3. A terminal, comprising:
a management tree execution module, configured to configure an attribute of a target node on a management tree according to delegation relationship information between a delegating manager and a delegated manager, wherein the delegation relationship information comprises: a delegating manager identifier, a delegated manager identifier, information of the target node, a delegated authority and a delegation level;
a device management agent module, configured to receive an operation request of a first manager for the target node and judge whether the first manager has an operation authority according to the configured attribute of the target node; if the first manager has the operation authority, execute the corresponding operation on the target node according to the operation request, and if the first manager does not have the operation authority, refuse the first manager the operation on the target node;
the management tree execution module further comprises a third management tree execution module, configured to configure an authorization certificate storing the delegation relationship information between the delegating manager and the delegated manager in a newly added attribute of the target node on the management tree;
accordingly,
the device management agent module further comprises a third device management agent module, and the third device management agent module is configured to determine whether the first manager has the operation right according to the delegation manager identifier, the delegated authority, and the delegation level in the authorization certificate of the target node; the delegation level is full delegation; the judging whether the first manager has the operation authority includes: judging whether the first manager is the delegated manager or not according to the delegated manager identification, if so, judging whether the operation request is in an authority range or not according to the delegated authority, and if so, determining that the first manager has the operation authority;
or,
the delegation level is a sharing delegation; the judging whether the first manager has the operation authority comprises: judging whether the first manager is either the delegating manager or the delegated manager according to the delegating manager identifier and the delegated manager identifier; if the first manager is either of them, judging whether the operation request is in an authority range according to the delegated authority; and if the operation request is in the authority range, determining that the first manager has the operation authority;
or,
the delegation level is a sub-delegation, and the delegated manager identification comprises a first-level delegated manager identification and a second-level delegated manager identification; the judging whether the first manager has the operation authority includes: and judging whether the first manager is a second-level delegated manager or not according to the second-level delegated manager identification, if so, judging whether the operation request is in an authority range or not according to the delegated authority, and if so, determining that the first manager has the operation authority.
4. The terminal of claim 3,
the device management agent module further comprises a fourth device management agent module, configured to judge whether the first manager has the operation authority according to the delegation validation start time in the authorization certificate of the target node;
and/or,
the management tree execution module further comprises a fourth management tree execution module, configured to delete the authorization certificate from the newly added attribute of the target node when, after the authorization certificate has been configured in the newly added attribute of the target node on the management tree, the timer reaches the end time of the delegation valid duration in the authorization certificate.
CN201010257826.8A 2010-08-12 2010-08-12 Right management control method and terminal Active CN102377589B (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010257826.8A CN102377589B (en) 2010-08-12 2010-08-12 Right management control method and terminal
CN201410333745.XA CN104079437B (en) 2010-08-12 2010-08-12 Realize the method and terminal of rights management control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010257826.8A CN102377589B (en) 2010-08-12 2010-08-12 Right management control method and terminal

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201410333745.XA Division CN104079437B (en) 2010-08-12 2010-08-12 Realize the method and terminal of rights management control

Publications (2)

Publication Number Publication Date
CN102377589A CN102377589A (en) 2012-03-14
CN102377589B true CN102377589B (en) 2014-12-24

Family

ID=45795611

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010257826.8A Active CN102377589B (en) 2010-08-12 2010-08-12 Right management control method and terminal

Country Status (1)

Country Link
CN (1) CN102377589B (en)



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee after: Huawei terminal (Shenzhen) Co.,Ltd.

Address before: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee before: HUAWEI DEVICE Co.,Ltd.

TR01 Transfer of patent right

Effective date of registration: 20181225

Address after: 523808 Southern Factory Building (Phase I) Project B2 Production Plant-5, New Town Avenue, Songshan Lake High-tech Industrial Development Zone, Dongguan City, Guangdong Province

Patentee after: HUAWEI DEVICE Co.,Ltd.

Address before: 518129 Building 2, B District, Bantian HUAWEI base, Longgang District, Shenzhen, Guangdong.

Patentee before: Huawei terminal (Shenzhen) Co.,Ltd.