Control method, device and medium for integrated platform based on single sign-on

Document No.: 86327  Published: 2021-10-08  Views: 27  Language: Chinese

Reading note: this technology, a control method, device and medium for an integrated platform based on single sign-on (一种一体化平台基于单点登录的控制方法、装置、介质), was designed and created by 孙龙, 孙忠, 张�诚, 付江, 车百灵, 黄本波, 夏浩智 and 张锐 on 2021-07-21. Abstract: the invention discloses a control method, device and medium for an integrated platform based on single sign-on, comprising three-person management and single sign-on, with the following steps: S1: the user files an application and records it with the confidentiality work organization; S2: on receiving the application, and according to the department's approval result and the approval of the confidentiality work organization, the system administrator generates an identifier for the user and creates the user account in the information construction system; S3: on receiving the application, the security and confidentiality administrator configures the corresponding permissions according to the review result of the confidentiality work organization and activates the account; S4: the security auditor regularly reviews the audit logs relating to the system administrator and the security and confidentiality administrator. This overcomes the problems of a three-person management mechanism that is not properly implemented, coarse permission control and an inability to prevent leaks of secrets: implementing a single sign-on system effectively integrates the business systems, improves the security and usability of the whole integrated platform, manages permissions uniformly and makes permissions specific down to the field level.

1. A control method for an integrated platform based on single sign-on, characterized in that it comprises three-person management and single sign-on, wherein the three-person management comprises a system administrator, a security and confidentiality administrator and a security auditor, and the control method comprises the following steps:

S1: the user files an application and records it with the confidentiality work organization;

S2: after receiving the application, the system administrator, according to the department's approval result and the approval of the confidentiality work organization, generates an identifier for the user and creates a user account in the information construction system; where the user's work or permissions change, the department where the user works gives notice of the change and reports it to the unit's confidentiality work organization for record;

S3: after receiving the application, the security and confidentiality administrator configures the corresponding permissions according to the review result of the confidentiality work organization and activates the account;

S4: the security auditor regularly reviews the audit logs relating to the system administrator and the security and confidentiality administrator;

S5: the user logs in to the account at the login entrance of the information construction system.

2. The control method for an integrated platform based on single sign-on according to claim 1, wherein the system administrator responds to processing operations for managing the security permissions of applications in the information construction system.

3. The control method for an integrated platform based on single sign-on according to claim 1, wherein the security and confidentiality administrator responds to processing operations for user access to security permissions of applications in the information construction system.

4. The control method for an integrated platform based on single sign-on according to claim 1, wherein the audit administrator (security auditor) responds to applications in the information construction system by performing security audit processing operations.

5. The control method for an integrated platform based on single sign-on according to claim 1, wherein the security auditor determines the compliance of the operations of the system administrator and the security and confidentiality administrator according to the additions and deletions of user accounts and the user permission changes recorded in the relevant procedure files.

6. The control method for an integrated platform based on single sign-on according to claim 1, wherein the application comprises a written application and an electronic application.

7. The control method for an integrated platform based on single sign-on according to claim 1, wherein in step S1 the record includes a description, given by the user's current department to the confidentiality work organization according to the actual situation, of the permissions of the new user.

8. The control method for an integrated platform based on single sign-on according to claim 1, wherein in step S3, after receiving notification of a change in the user's work or permissions, the security and confidentiality administrator cancels the user account or adjusts the permissions according to the result of the change.

9. A device based on single sign-on in an information construction system, characterized in that it comprises a device adopting the control method of claims 1-5, wherein after the device creates and authorizes users in their local regions through the three-person management mechanism, the users log in to their accounts at the single sign-on entrance, a database connection with row-level authority is returned according to the user code, and the business system connects using the returned database connection with row-level authority.

10. A storage medium based on single sign-on for an information construction system, having a computer program stored thereon, wherein the computer program, when executed by a processor, performs the method according to any one of claims 1 to 8.

Technical Field

The invention belongs to the technical field of informatization construction, and particularly relates to a control method and device of an integrated platform based on single sign-on and a storage medium.

Background

With the rapid development of information technology, and in particular the accelerating spread of electronic information technology, systems have evolved from independent single-machine applications into ever more complex, interconnected secure network applications, and this change has directly driven the spread of user identity authentication technology. Identity authentication is the first line of defense of a network security application system: it plays a very important role in the application system and is an essential link in the network system. Application systems keep emerging in the various regions, network resources keep growing, more and more places require identity authentication, the workload of administrators keeps increasing, and user management across the various systems becomes more and more complex. Administrators therefore urgently need a centralized, unified network user identity authentication and authorization system, so that effective user identity and access control management can be carried out in a distributed network environment.

The field mainly faces the following technical problems:

1. Inconvenient login: because each system performs its own authentication, the user must log in separately to each system, which is inconvenient, easily leads to leakage of login information and creates security risks.
2. Duplicated information: because multiple systems are related to one another, a large amount of information is inevitably duplicated.
3. Disordered permission settings: because each system sets user permissions independently, the permission settings cannot be unified.
4. Data inconsistency: because users are managed independently, data must be entered or updated in several systems at once, which causes data inconsistency between application systems.

Disclosure of Invention

The invention aims to provide a control method for an integrated platform based on single sign-on, whereby a user obtains authorization for all business systems and application software on the basis of a single identity authentication at first access, and can then seamlessly access all authorized resources, applications and services throughout the information construction system without authenticating again. Single sign-on technology is the best method for solving this problem and the problems present in the existing authentication mechanisms.

A control method for an integrated platform based on single sign-on comprises three-person management and single sign-on, wherein the three-person management comprises a system administrator, a security and confidentiality administrator and a security auditor, and the control method comprises the following steps:

S1: the user files an application and records it with the confidentiality work organization;

S2: after receiving the application, the system administrator, according to the department's approval result and the approval of the confidentiality work organization, generates an identifier for the user and creates a user account in the information construction system; where the user's work or permissions change, the department where the user works gives notice of the change and reports it to the unit's confidentiality work organization for record;

S3: after receiving the application, the security and confidentiality administrator configures the corresponding permissions according to the review result of the confidentiality work organization and activates the account;

S4: the security auditor regularly reviews the audit logs relating to the system administrator and the security and confidentiality administrator;

S5: the user logs in to the account at the login entrance of the information construction system.

Further preferably, the system administrator responds to processing operations for managing the security permissions of applications in the information construction system.

Further preferably, the security and confidentiality administrator responds to processing operations for user access to security permissions of applications in the information construction system.

Further preferably, the audit administrator (security auditor) responds to applications in the information construction system by performing security audit processing operations.

In a further preferred embodiment of the present invention, the security auditor determines the compliance of the operations of the system administrator and the security and confidentiality administrator according to the additions and deletions of user accounts and the user permission changes recorded in the relevant procedure files.

Further preferably, the application includes a written application and an electronic application.

Further preferably, in S1 the record includes a description, given by the user's current department to the confidentiality work organization according to the actual situation, of the permissions of the new user.

In a further preferred embodiment of the present invention, in S3, after receiving notification of a change in the user's work or permissions, the security and confidentiality administrator cancels the user account or adjusts the permissions according to the result of the change.
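The three-person workflow above (steps S1 to S5, the auditor's compliance check against the recorded applications, and the handling of a work or permission change) can be modelled as a small separation-of-duties state machine in which each step is bound to exactly one role. The following Python is an added illustration, not code from the patent or from any implementation of it; the class and function names, the `U0001` user-code format, the permission strings and the sample application are assumptions made for the example.

```python
from dataclasses import dataclass, field

# The three roles named in the document. Every action below is bound to exactly
# one role, so the person who creates an account cannot also authorize it.
SYSTEM_ADMIN = "system_administrator"
SECURITY_ADMIN = "security_and_confidentiality_administrator"
AUDITOR = "security_auditor"


@dataclass
class Application:
    """An application filed and recorded in step S1 (written or electronic)."""
    app_id: str
    user_name: str
    dept_approved: bool            # department approval result
    org_approved: bool             # confidentiality work organization approval
    requested_permissions: tuple   # permissions described by the department at filing


@dataclass
class Account:
    user_code: str
    user_name: str
    permissions: set = field(default_factory=set)
    active: bool = False


class Platform:
    """Assumed in-memory model of the platform's account management (not the patent's code)."""

    def __init__(self):
        self.applications = {}   # app_id -> Application
        self.accounts = {}       # user_code -> Account
        self.audit_log = []      # append-only (actor_role, action, user_code, cited app_id)
        self._seq = 0

    def _require(self, role, expected):
        if role != expected:
            raise PermissionError(f"{role} may not perform an action reserved for {expected}")

    # S1: the user applies; the application is recorded.
    def file_application(self, app):
        self.applications[app.app_id] = app

    # S2: the system administrator creates the account (identifier only) once both
    # the department and the confidentiality work organization have approved.
    def create_account(self, role, app_id):
        self._require(role, SYSTEM_ADMIN)
        app = self.applications[app_id]
        if not (app.dept_approved and app.org_approved):
            raise ValueError(f"application {app_id} lacks department or organization approval")
        self._seq += 1
        code = f"U{self._seq:04d}"
        self.accounts[code] = Account(code, app.user_name)   # inactive, no permissions yet
        self.audit_log.append((SYSTEM_ADMIN, "create_account", code, app_id))
        return code

    # S3: the security and confidentiality administrator grants permissions and activates.
    def authorize_and_activate(self, role, user_code, app_id):
        self._require(role, SECURITY_ADMIN)
        app = self.applications[app_id]
        acct = self.accounts[user_code]
        acct.permissions.update(app.requested_permissions)
        acct.active = True
        self.audit_log.append((SECURITY_ADMIN, "grant_and_activate", user_code, app_id))

    # Work or permission change: adjust the permissions, or cancel the account when
    # the user has left. The cited app_id is deliberately not validated here, so
    # that the auditor's check below has something to catch.
    def apply_change(self, role, user_code, app_id, new_permissions, still_employed=True):
        self._require(role, SECURITY_ADMIN)
        acct = self.accounts[user_code]
        if still_employed:
            acct.permissions = set(new_permissions)
            action = "adjust_permissions"
        else:
            acct.permissions.clear()
            acct.active = False
            action = "cancel_account"
        self.audit_log.append((SECURITY_ADMIN, action, user_code, app_id))

    # S4: the security auditor checks that every account or permission action
    # traces back to a recorded, fully approved application.
    def audit_compliance(self, role):
        self._require(role, AUDITOR)
        findings = []
        for actor, action, user_code, app_id in self.audit_log:
            app = self.applications.get(app_id)
            if app is None:
                findings.append(f"{action} on {user_code} has no recorded application")
            elif not (app.dept_approved and app.org_approved):
                findings.append(f"{action} on {user_code} cites unapproved application {app_id}")
        return findings

    # S5: login at the single entrance succeeds only for an activated account.
    def login(self, user_code):
        acct = self.accounts.get(user_code)
        return acct is not None and acct.active


def demo():
    """Run the S1-S5 flow once on a constructed application and return what was observed."""
    p = Platform()
    p.file_application(Application("A1", "alice", True, True, ("orders.read",)))
    code = p.create_account(SYSTEM_ADMIN, "A1")
    login_before = p.login(code)                       # created but not yet activated
    p.authorize_and_activate(SECURITY_ADMIN, code, "A1")
    login_after = p.login(code)
    try:                                               # the system administrator may not grant
        p.authorize_and_activate(SYSTEM_ADMIN, code, "A1")
        separation_enforced = False
    except PermissionError:
        separation_enforced = True
    p.apply_change(SECURITY_ADMIN, code, "A9", ("orders.write",))   # A9 was never filed
    return {"user_code": code, "login_before": login_before, "login_after": login_after,
            "separation_enforced": separation_enforced, "findings": p.audit_compliance(AUDITOR)}
```

The point of the model is that account creation, authorization and auditing are three distinct privileges held by three distinct people, and that the audit log records which application each action cites, so the auditor's review in S4 is a mechanical comparison against the recorded procedure files rather than a reading of free text.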

A device based on single sign-on in an information construction system comprises a device adopting any one of the above control methods. After the device creates and authorizes users in their local regions through the three-person management mechanism, the users log in to their accounts at the single sign-on entrance, a database connection with row-level authority is returned according to the user code, and the business system connects using the returned database connection with row-level authority.
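The single sign-on entrance returning a database connection with row-level authority according to the user code, together with the field-level permissions mentioned in the summary, can be demonstrated with SQLite. The following Python is an added illustration, not the device's own implementation; the `orders` table, the `POLICY` mapping from user code to department and readable fields, and the sample rows are constructed for the example. The row filter is applied by the wrapper the entrance hands out, while the field restriction and a read-only rule are enforced by SQLite's authorizer on the connection itself.

```python
import os
import sqlite3
import tempfile

# Constructed sample business data; not from the document.
ORDERS = [
    (1, "sales", "acme", 120.0, "discount approved"),
    (2, "sales", "globex", 75.5, "credit hold"),
    (3, "ops", "initech", 300.0, "expedite"),
]
ALL_FIELDS = ("id", "dept", "customer", "amount", "note")

# Assumed authorization table keyed by user code, as configured by the security
# and confidentiality administrator: the department that bounds the rows the
# user may see (row level) and the fields the user may read (field level).
POLICY = {
    "U0001": {"dept": "sales", "fields": ("id", "dept", "customer", "amount")},
    "U0002": {"dept": "ops", "fields": ("id", "dept", "amount")},
}


def create_database(path):
    """Create the business table and load the sample rows."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE orders(id INTEGER PRIMARY KEY, dept TEXT, "
                 "customer TEXT, amount REAL, note TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", ORDERS)
    conn.commit()
    conn.close()


def _make_authorizer(allowed_fields):
    """Field-level authority enforced by SQLite on this connection: a read of a
    field outside the user's set yields NULL, and anything other than a SELECT
    (writes, DDL, PRAGMA) is refused at statement preparation."""
    def authorize(action, arg1, arg2, db_name, source):
        if action == sqlite3.SQLITE_READ:
            # arg2 == "" means the table is only referenced, no column is read
            if arg1 == "orders" and arg2 and arg2 not in allowed_fields:
                return sqlite3.SQLITE_IGNORE
            return sqlite3.SQLITE_OK
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    return authorize


class ScopedConnection:
    """What the single sign-on entrance hands to the business system: a connection
    whose queries are bound to the user's department and field set."""

    def __init__(self, conn, user_code, dept, fields):
        self._conn = conn
        self.user_code = user_code
        self.dept = dept
        self.fields = set(fields)

    def select_orders(self):
        # Column identifiers come only from the fixed ALL_FIELDS allowlist, never
        # from caller input; the department value is bound as a parameter.
        cols = ", ".join(f for f in ALL_FIELDS if f in self.fields)
        sql = f"SELECT {cols} FROM orders WHERE dept = ? ORDER BY id"
        return self._conn.execute(sql, (self.dept,)).fetchall()

    def execute(self, sql, params=()):
        # Direct SQL still passes through the authorizer (field level, read-only)
        # but not through the row filter: see the note after the block.
        return self._conn.execute(sql, params)


def sso_login(user_code, db_path):
    """Single sign-on entrance: map the user code to its authority and return a
    scoped connection, refusing codes with no authorized account."""
    policy = POLICY.get(user_code)
    if policy is None:
        raise PermissionError(f"no authorized account for user code {user_code}")
    conn = sqlite3.connect(db_path)
    conn.set_authorizer(_make_authorizer(set(policy["fields"])))
    return ScopedConnection(conn, user_code, policy["dept"], policy["fields"])


def demo():
    """Log two users in at the entrance and return what each connection can see and do."""
    path = os.path.join(tempfile.mkdtemp(), "sso_demo.db")
    create_database(path)
    sales = sso_login("U0001", path)
    ops = sso_login("U0002", path)
    try:
        sales.execute("DELETE FROM orders")
        write_blocked = False
    except sqlite3.DatabaseError:            # SQLite reports "not authorized"
        write_blocked = True
    return {
        "sales_rows": sales.select_orders(),
        "ops_rows": ops.select_orders(),
        "direct_note_read": sales.execute("SELECT id, note FROM orders ORDER BY id").fetchall(),
        "write_blocked": write_blocked,
    }
```

Because the row filter is applied by the wrapper and not by the database, the raw connection must never be handed out; the `execute` method is kept only to show that direct SQL still cannot read a restricted field (it comes back as NULL) or write, but does bypass the department filter. A database engine with native row-level security would let both rules be enforced server-side against the user code.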

A storage medium based on single sign-on for an information construction system has a computer program stored thereon which, when executed by a processor, performs any one of the above methods.

In summary, due to the adoption of the technical scheme, the invention has the beneficial effects that:

in the information construction of the electronic information field, the invention overcomes the problems of an incompletely implemented three-person management mechanism, coarse permission control and an inability to prevent leaks of secrets; by implementing a single sign-on system it effectively integrates the business systems, improves the security and usability of the whole integrated platform, manages permissions uniformly and specifies them down to the field level, reduces the overall cost of informatization and improves the efficiency of information construction in the field.

Drawings

The invention will now be described, by way of example, with reference to the accompanying drawings, in which:

FIG. 1 is a schematic flow diagram of the process of the present invention.

Detailed Description

All of the features disclosed in this specification, or all of the steps in any method or process so disclosed, may be combined in any combination, except combinations where mutually exclusive features and/or steps are expressly stated.

In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It is to be understood that the specific embodiments described herein are for purposes of illustration only and are not to be construed as limiting the invention, i.e., the described embodiments are merely a subset of the embodiments of the invention and are not intended to be exhaustive, and all features disclosed in this specification, or all of the steps in any method or process disclosed, may be combined in any way, except for mutually exclusive features and/or steps.

Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present invention without making any creative effort, shall fall within the protection scope of the present invention.

It is noted that relational terms such as the terms "first," "second," and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

The present invention will be described in detail with reference to fig. 1.

Systems have evolved from independent stand-alone applications into increasingly complex, interconnected secure network applications, a change that has directly driven the spread of user identity authentication technology. Identity authentication is the first line of defense of a network security application system: it plays a very important role in the application system and is an essential link in the network system. Application systems keep emerging in the various regions, network resources keep growing, more and more places require identity authentication, the workload of administrators keeps increasing, and user management across the various systems becomes more and more complex; managers therefore urgently need a centralized, unified network user identity authentication and authorization system so that effective user identity and access control management can be carried out in a distributed network environment. In the information construction of the electronic information field in particular, user information falls within the scope of secrets, each business system organizes its own permissions, and management is disordered.

The field mainly faces the following technical problems:

1. Inconvenient login: because each system performs its own authentication, the user must log in separately to each system, which is inconvenient, easily leads to leakage of login information and creates security risks.
2. Duplicated information: because multiple systems are related to one another, a large amount of information is inevitably duplicated.
3. Disordered permission settings: because each system sets user permissions independently, the permission settings cannot be unified.
4. Data inconsistency: because users are managed independently, data must be entered or updated in several systems at once, which causes data inconsistency between application systems.

The first embodiment: a control method for an integrated platform based on single sign-on comprises three-person management and single sign-on, wherein the three-person management comprises a system administrator, a security and confidentiality administrator and a security auditor, and when a user needs to be added to the information construction system, the control method comprises the following steps:

S1: the user files an application and records it with the confidentiality work organization;

S2: after receiving the application, the system administrator generates an identifier for the user and creates a user account in the information construction system according to the department's approval result and the approval of the confidentiality work organization;

S3: after receiving the application, the security and confidentiality administrator configures the corresponding permissions according to the review result of the confidentiality work organization and activates the account;

S4: the security auditor regularly reviews the audit logs relating to the system administrator and the security and confidentiality administrator;

S5: the user logs in to the account at the login entrance of the information construction system.

The second embodiment: a control method for an integrated platform based on single sign-on comprises the following steps:

S1: the user files an application and records it with the confidentiality work organization;

S2: when the user's work or permissions change, the department where the user works notifies the security and confidentiality administrator and reports the change to the unit's confidentiality work organization for record;

S3: after receiving the application, the security and confidentiality administrator configures the corresponding permissions according to the review result of the confidentiality work organization and activates the account;

S4: the security auditor regularly reviews the audit logs relating to the system administrator and the security and confidentiality administrator;

S5: the user logs in to the account at the login entrance of the information construction system.

The third embodiment: the system administrator responds to processing operations for managing the security permissions of applications in the information construction system, the security and confidentiality administrator responds to processing operations for user access to security permissions of applications in the information construction system, and the audit administrator responds to applications in the information construction system by performing security audit processing operations.

The fourth embodiment: the security auditor determines the compliance of the operations of the system administrator and the security and confidentiality administrator according to the additions and deletions of user accounts and the user permission changes recorded in the relevant procedure files.

The fifth embodiment: further preferred over the above embodiments, the application includes, but is not limited to, a written application or an electronic application.

The sixth embodiment: a device based on single sign-on in an information construction system comprises a device adopting any one of the above control methods, wherein after the device creates and authorizes users in their local regions through the three-person management mechanism, the users log in to their accounts at the single sign-on entrance, a database connection with row-level authority is returned according to the user code, and the business system connects using the returned database connection with row-level authority.

The seventh embodiment: a storage medium based on single sign-on for an information construction system has a computer program stored thereon which, when executed by a processor, executes any one of the above control methods.

Although the invention has been described herein with reference to a number of illustrative embodiments thereof, it should be understood that numerous other modifications and embodiments can be devised by those skilled in the art that will fall within the spirit and scope of the principles of this disclosure. More specifically, various variations and modifications are possible in the component parts and/or arrangements of the subject combination arrangement within the scope of the disclosure and claims of this application. In addition to variations and modifications in the component parts and/or arrangements, other uses will also be apparent to those skilled in the art.
