CN101320415A - Control and management module and method for application program - Google Patents

Info

Publication number
CN101320415A
Authority
CN
China
Prior art keywords
client
data
control module
user
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN 200710108577
Other languages
Chinese (zh)
Other versions
CN101320415B (en)
Inventor
黄文昌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Fineart Technology Co Ltd
Original Assignee
Fineart Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Fineart Technology Co Ltd
Priority to CN 200710108577
Publication of CN101320415A
Application granted
Publication of CN101320415B
Legal status: Active

Landscapes

  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention discloses an application control module and a method thereof. Through an input end, the invention changes the permission data stored on the server concerning the operation of client applications and web pages and, according to that permission data, exchanges and updates permission data between the server and the client, thereby managing the operating permissions of applications on the client.

Description

Application control module and method thereof

Technical Field

The present invention relates to an application control module and a method thereof; specifically, to a module and method for restricting the operating permissions of client applications.

Background

With the development of information technology, enterprises increasingly rely on computers to carry out their business. The spread of information technology also brings risk, however: threats from external attacks such as viruses, backdoor programs and attacks on system vulnerabilities are increasing daily, so enterprise information protection has become an important issue.

Threats to information security come not only from external attacks but, more likely, from improper internal use. A considerable number of surveys have found that the source of threats to enterprise information security is in fact employees' malicious behavior and non-malicious operating errors. Improper use of application software and information access behavior inside the enterprise is therefore where information security threats are hidden, and how to solve internal information security problems is an important security issue that enterprises must face.

At present, internal enterprise information security management mostly uses a management module made up of a server and clients, in which a central server controls the operations performed on the clients. Most software on the market can therefore perform remote management and control, monitoring multiple client computers in real time and applying the corresponding restrictions according to each client's authorization level. However, this kind of control module can only address the enterprise's access to external information, for example by restricting the browsing of external web pages or the downloading of programs from specific URLs, and it can only block the running of a program or access to a web page outright; it cannot restrict only specific functions. For example, current monitoring modules cannot allow an external web page to be browsed while restricting operations such as saving specific page information or clipping the page. How to manage user operations efficiently when users work with internal enterprise information, for example when employees use an enterprise resource planning (ERP) system, and how to prevent malicious or improper operations from creating gaps in information security management, is therefore a problem urgently in need of a solution.

Summary of the Invention

The present invention discloses a control module and method that can restrict the operation of applications and web pages on a client and manage and update the related permission data, in order to solve the above problems.

The present invention discloses a module and method for controlling the operation of client programs and web pages. The invention comprises at least an input end (console), a server end (server) and a client end (client). The input end is responsible for receiving or transmitting permission-change instructions. The server's functions include changing the permission data stored on the server according to the instructions passed in from the input end, notifying the client of the permission-change event, and updating the permission data stored on the client. The client obtains the updated permission data according to the server's notification and restricts the operating permissions of client applications accordingly. With this module and method, the invention achieves the purpose of restricting the operation of client programs.

The invention also discloses a module and method for centrally controlling the operation of application software on a plurality of clients, so as to control those clients uniformly and in real time. In one embodiment of the invention, both the server and the client include a database. The database comprises a set of permission data tables and control pointers; through the correspondence between the records in the permission data tables and the control pointers, the permission data for application operations on a plurality of clients can be managed and updated uniformly on the server.

Brief Description of the Drawings

Figure 1 shows the application control module of the present invention.

Figure 2 shows a flow chart of the method of the present invention for controlling applications.

Reference numerals in the drawings:

  • Input end 10
  • Server 20
  • Data receiving and transmitting unit 21
  • Processing unit 22
  • Database unit 23
  • Client 30
  • Change permission 101
  • Notify of permission change 102
  • Receive permission change notification 201
  • Notify of permission change 202
  • Obtain new permission data from the database 203
  • Send back the new permission data 204
  • Receive permission change notification 301
  • Download new permission settings 302
  • Obtain new permission settings 303
  • New permission settings take effect 304

Detailed Description

The invention is described in detail below with reference to its preferred embodiments and the accompanying drawings. It should be understood that all preferred embodiments of the invention are examples only; beyond the preferred embodiments and drawings described in this specification, the invention can also be applied widely in other embodiments. The invention is not limited to any embodiment and is to be determined by the scope of the claims and their equivalents.

Figure 1 shows an embodiment of the invention. The control module comprises an input end 10, a server 20 and a client 30. The input end 10 receives and transmits instructions concerning the operating permissions of controlled applications. The server 20 stores that permission data, passes operating-permission data between the input end 10 and the client 30, and updates the operating-permission data stored on the client 30. The client 30, according to the permission-change event information sent by the server, updates the operating-permission data stored on the client and restricts the operating permissions of applications on the client accordingly. With this architecture, the control module can restrict the operation of client applications. The control module can be used in internal network environments such as homes and offices, but is not limited to these; it can be applied in any network environment where the operation of client applications needs to be controlled, such as libraries and Internet cafés.

The functions of the control module in the above embodiment are described in more detail as follows. The input end 10 receives and outputs the instructions entered by the user in order to notify the server 20 to change the permission data stored in the database. These instructions include permission-change instructions that add, modify or delete restrictions on, or openings of, specific functions of controlled applications, and that query the status of those items. More specifically, the items in a permission-change instruction that restrict the operating functions of a specific application include: prohibiting printing of specific information, disabling copying of specific information, disabling the keyboard, disabling Save As, and disabling dragging of specific information with the mouse. Another embodiment also restricts access to web page information, with items including: prohibiting printing, disabling copying of specific information, disabling the keyboard, disabling Save As, disabling dragging of data with the mouse, prohibiting sending the web page by mail, and prohibiting viewing of the page source.

In one embodiment of the invention, the input end is a user interface through which the user controls the operating permissions of a specific application by clicking options. Clicking a function key of the interface, for example the option to disable specific functions, opens a window pane divided into several fields containing the controlled software's name, type and function options. The user can click the modify option at the top of the screen and enter the name of the controlled program in the window, which opens the permission setting window for entering permission settings. The permission setting window contains a plurality of predefined fields; by checking the field corresponding to each function, the user enables or disables that function, completing the input at the input end.

Another embodiment of the invention restricts and controls operations on web pages. In this embodiment the operating interface is similar to the interface described above for controlling a specific application, but the control target entered by the user is a URL.

In an embodiment of the invention, the server 20 has the following functions: receiving the permission-change instructions entered at the input end, and storing, updating and transmitting the permission data of the controlled applications on the client.

The server 20 comprises a data receiving and transmitting unit 21, a processing unit 22 and a database unit 23. The data receiving and transmitting unit 21 receives permission-change information from the input end 10 and passes it to the processing unit 22. The processing unit 22 changes the permission data in the database unit 23 according to that information and, through the data receiving and transmitting unit 21, sends a permission-change notification informing the client 30 that the permission-change event has occurred. When the server 20 receives the permission data download request returned by the client 30, it sends the changed permission data to the client 30 to update the application permission data stored on the client 30. The server 20 also includes other components such as memory, an operating system, a hard disk and a display unit; these will be understood by a person of ordinary skill in the art and are not described further, to avoid obscuring the focus of the invention. The same applies to the input end and the client.

More specifically, in one embodiment of the invention, the data receiving and transmitting unit 21 uses the TCP protocol to notify the client 30 to download permission data, with different codes representing application permission data and URL permission data, while the event that notifies the client of a permission data update uses the UDP protocol. In another embodiment, the permission data transmitted by the data receiving and transmitting unit 21 includes pointer data corresponding to the controlled application or web page on the client, so that the client can determine which permission data is to be updated.

The database 23 that stores the permission data comprises a set of data tables and control pointers used to record and update the application permission data stored on the client. In one embodiment of the invention there are at least two data tables, information security action (security_action) and information security policy (security_policy), which carry out the function of restricting operations according to the permission data. security_action records the actions or modes of, including but not limited to, controlled applications, commands, URLs or web pages. security_policy records, including but not limited to, the permission data for specific applications, commands, URLs or web pages.

The security_action sub-database contains at least the following fields: id, a pointer field used to relate the table to other tables; category, which records the type of application, command, URL or web page; target_name, which records the executable file name of the controlled application or the controlled URL; and target_type, which records the type of the controlled target.

The security_policy table records the permission restriction data of the controlled application or URL. Its value column records pointer data that corresponds to the pointer data in the id field of the software action (software_action) table, so that the two tables are related. Its Disabled_action column records the permissions to be restricted for the application or URL; a specific value can be written to this field to indicate that the action is controlled and cannot be used.

The client module 30 has at least the following functions: receiving messages from the server, downloading permission data from the server, and applying the permission data. In one embodiment, the client includes a permission control unit, for example a separately installed permission control program, that implements these functions. In another embodiment, the client includes a database for storing the client's permission data. This database comprises a set of data tables and control pointers; the data tables record the data of the applications controlled on the client, and the data for each controlled target includes a control pointer that corresponds to the control pointer of the same controlled target on the server. After downloading new permission data from the server, the client can therefore find the permission data of the corresponding controlled application and update it.

In another embodiment of the invention, the control module can be a combination of several of the control modules described above, forming a multi-level control module. The multi-level control module can limit, according to different authorization levels, the permission data each server may change, so as to achieve tiered management. This embodiment comprises a central server, a plurality of peripheral servers and client computers. The central server's database stores the permission data of each peripheral server; each peripheral server stores its own permission data and also the permission data of the applications on the clients in a specific area. Under this multi-level architecture, one central server uniformly manages the status and updating of the permission data on each peripheral server, while the peripheral servers, according to different needs and authorization levels, open up different rights to change permission data in order to manage the clients' applications. This control architecture yields an information security management architecture with tiered, partitioned authorization for managing the operation of applications on client computers. Besides updating the permissions of a plurality of clients quickly, it avoids the errors that can occur when server permission data has to be updated manually, area by area.

Figure 2 shows an embodiment of the permission update flow. In step 101 the user enters a permission change at the input end to change the permission data on the server, and in step 102 a message is sent notifying the server of the permission-change event. In step 201 the server 20 receives the permission-change information, and in step 202 it sends a message notifying the client that the permission-change event exists. After receiving the permission-setting change message from the server in step 301, the client sends a message in step 302 requesting to download the new permission settings from the server. In step 203 the database retrieves the updated permission data according to the message sent in step 302, and in step 204 the updated permission data is sent to the client. After obtaining the new permission data from the server in step 303, the client updates its permission settings in step 304.
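The linked security_action and security_policy tables and the Figure 2 update sequence can be exercised together in a short sketch; this is an added example, not code from the patent. The bit-flag encoding of Disabled_action, the column types, the class and method names, the sample URL, and the use of in-process calls in place of the UDP notification and TCP download are all assumptions.

```python
import sqlite3
from enum import IntFlag

class Action(IntFlag):
    """Operations the description lists as restrictable; bit values are assumed."""
    PRINT = 1
    COPY = 2
    KEYBOARD = 4
    SAVE_AS = 8
    DRAG = 16
    MAIL_PAGE = 32
    VIEW_SOURCE = 64

SCHEMA = """
CREATE TABLE security_action (       -- names from the description, types assumed
    id          INTEGER PRIMARY KEY, -- control pointer shared by server and client
    category    TEXT NOT NULL,
    target_name TEXT NOT NULL,       -- executable file name or URL
    target_type TEXT NOT NULL
);
CREATE TABLE security_policy (
    value           INTEGER NOT NULL UNIQUE REFERENCES security_action(id),
    disabled_action INTEGER NOT NULL DEFAULT 0  -- assumed: OR of Action bits
);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

class Server:
    def __init__(self):
        self.db = new_db()
        self.clients = []

    def change_permission(self, category, target_name, target_type, disabled):
        """Steps 101-202: store the console's change, then notify every client."""
        row = self.db.execute(
            "SELECT id FROM security_action WHERE target_name=? AND target_type=?",
            (target_name, target_type)).fetchone()
        if row:
            target_id = row[0]
        else:
            target_id = self.db.execute(
                "INSERT INTO security_action(category, target_name, target_type) "
                "VALUES (?,?,?)", (category, target_name, target_type)).lastrowid
        self.db.execute("INSERT OR REPLACE INTO security_policy VALUES (?,?)",
                        (target_id, int(disabled)))
        self.db.commit()
        for client in self.clients:
            client.on_notify(target_id)  # stands in for the UDP notification
        return target_id

    def download(self, target_id):
        """Steps 203-204: look the record up by its pointer and return it."""
        return self.db.execute(
            "SELECT a.id, a.category, a.target_name, a.target_type, p.disabled_action "
            "FROM security_action a JOIN security_policy p ON p.value = a.id "
            "WHERE a.id=?", (target_id,)).fetchone()

class Client:
    def __init__(self, server):
        self.db = new_db()
        self.server = server
        server.clients.append(self)

    def on_notify(self, target_id):
        """Steps 301-304: fetch the changed record and overwrite the local copy."""
        record = self.server.download(target_id)  # stands in for the TCP download
        if record is None:
            return
        self.db.execute("INSERT OR REPLACE INTO security_action VALUES (?,?,?,?)", record[:4])
        self.db.execute("INSERT OR REPLACE INTO security_policy VALUES (?,?)",
                        (record[0], record[4]))
        self.db.commit()

    def is_allowed(self, target_name, action):
        """Per-operation check a permission control unit would make."""
        row = self.db.execute(
            "SELECT p.disabled_action FROM security_action a "
            "JOIN security_policy p ON p.value = a.id WHERE a.target_name=?",
            (target_name,)).fetchone()
        if row is None:
            return True  # assumed default: no record for the target, no restriction
        return not (Action(row[0]) & action)

ERP_URL = "http://erp.example.internal/"  # constructed sample target

def demo():
    server = Server()
    pc1, pc2 = Client(server), Client(server)
    server.change_permission("web", ERP_URL, "url", Action.COPY | Action.SAVE_AS)
    return (pc1.is_allowed(ERP_URL, Action.PRINT),
            pc1.is_allowed(ERP_URL, Action.COPY), pc2.is_allowed(ERP_URL, Action.SAVE_AS))

if __name__ == "__main__":
    print(demo())
```

Because the notification carries only the pointer, each client pulls the record itself and matches it to its local row by id, which is the correspondence between server and client control pointers that the description relies on.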

In another embodiment, the permission update flow of the invention can also be applied where there are multiple peripheral servers. The update flow is similar to that shown in Figure 2, but the peripheral servers can be managed by a central server. In this embodiment the permission-change instructions for a server are downloaded from the central server, although, depending on the permissions opened to each server or user, permission data can also be entered at each server's own input end. By setting up a central server and combining a plurality of update flows identical to that of Figure 2, layered and partitioned management of application operating permissions is achieved.

The invention has been described above by way of preferred embodiments, which are not intended to limit the scope of the patent rights claimed. The scope of patent protection is determined by the scope of the claims and their equivalents. Any change or refinement made by a person of ordinary skill in the art without departing from the spirit or scope of this patent is an equivalent change or design made within the spirit disclosed by the invention and falls within the scope of the claims.

Claims (10)

1. An application control module, comprising at least:
an input end, through which permission data can be entered;
a server end, comprising at least a database and an input/output unit, wherein the database can store the permission data and pointer data in order to carry out the information security action and information security policy modes, and the input/output unit can receive and transmit the permission data;
a client, comprising at least a permission control unit that can store, receive and transmit the permission data and accordingly restrict the operating permissions of the application software on the client.
2. The application control module according to claim 1, characterized in that the permission control unit can restrict the user from outputting data from application software on the client for certain purposes; wherein the output includes at least dragging data with a pointing device, and the purposes include at least copying, printing and storing.
3. The application control module according to claim 1, characterized in that the permission control unit can restrict the user from using an I/O device to input instructions to application software on the client.
4. The application control module according to claim 1, characterized in that the permission control unit can restrict the user from viewing the source code of web pages on the client.
5. The application control module according to claim 1, characterized in that the permission control unit can restrict the user from using communication software.
6. A method of restricting application operating permissions with a control module, comprising at least:
receiving permission-change information at the server end;
changing the permission data in the database of the server end, wherein the database can store the permission data and pointer data in order to carry out the information security action and information security policy modes;
the client downloading the permission data after receiving the permission-change notification sent by the server end;
updating the permission data of the client.
7. The method of restricting application operating permissions with a control module according to claim 6, characterized in that the user can be restricted from outputting data from the client for certain purposes; wherein the output includes at least dragging data with a pointing device, and the purposes include at least copying, printing and storing.
8. The method of restricting application operating permissions with a control module according to claim 6, characterized in that the user can be restricted from using an I/O device to input instructions.
9. The method of restricting application operating permissions with a control module according to claim 6, characterized in that the user can be restricted from viewing web page source code.
10. The method of restricting application operating permissions with a control module according to claim 6, characterized in that the user can be restricted from using communication software.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200710108577 CN101320415B (en) 2007-06-06 2007-06-06 Application program control system and its methods

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200710108577 CN101320415B (en) 2007-06-06 2007-06-06 Application program control system and its methods

Publications (2)

Publication Number Publication Date
CN101320415A true CN101320415A (en) 2008-12-10
CN101320415B CN101320415B (en) 2011-11-16

Family

ID=40180459

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200710108577 Active CN101320415B (en) 2007-06-06 2007-06-06 Application program control system and its methods

Country Status (1)

Country Link
CN (1) CN101320415B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101853359A (en) * 2010-05-25 2010-10-06 中华电信股份有限公司 A software authorization and protection method and system based on application software distribution
CN103473503A (en) * 2012-06-05 2013-12-25 广达电脑股份有限公司 Dynamic Software Authorization Platform and Method
CN103809956B (en) * 2012-11-06 2017-03-01 广达电脑股份有限公司 Automatic software auditing system and automatic software auditing method
CN106599722A (en) * 2016-12-14 2017-04-26 北京奇虎科技有限公司 Intelligent terminal and application program authority control method and device thereof, and server
WO2018108050A1 (en) * 2016-12-14 2018-06-21 北京奇虎科技有限公司 Intelligent terminal and application program right control method and apparatus therefor, and server
CN112631697A (en) * 2019-10-08 2021-04-09 富士施乐株式会社 Information processing apparatus, recording medium, and information processing method
CN119203082A (en) * 2024-09-05 2024-12-27 青矩技术股份有限公司 Rights management method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN101320415B (en) 2011-11-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant