Whether the "permission" configuration of an electronic seal system is reasonable directly affects the security of the seals and of the system's data. Are rights allocated according to management systems and functional authority? How is the "administrator power" prevented from becoming too centralized and escaping supervision? The Contract Lock electronic signature system implements a "separation of three members" and "separation of three powers" seal authorization system based on "mutual isolation, mutual management, and mutual supervision". By establishing an independent "security audit" role, it supervises and tracks every configuration and authorization operation within the system, protecting the enterprise's seals and documents.
1. System "three member separation": permissions are mutually isolated and mutually supervised to prevent concentration of power.
The national confidentiality standard BMB20-2007 "Classification Protection Management Specification for Information Systems Involving State Secrets" stipulates the classification protection management process, management requirements, and management content of classified information systems. It proposes that system administrators, security and confidentiality administrators, and security auditors respectively undertake the daily operation and maintenance (configuration), security and confidentiality management (authorization), and security audit (audit) work of classified information systems, completely abolish the "super administrator", and implement the "three member" permission settings that are independent and mutually restrictive.
(Requirements for Separation of Three Personnel in National Security Standards)
Here, "three personnel" refers to three positions or roles rather than three individuals; each role can be held by several people, and each system can allocate a reasonable number of staff to each role according to its actual situation. The Contract Lock electronic signature system fully implements the "three member separation" permission system, letting enterprises configure their own "system administrators, security personnel, and security auditors" in the system backend. At the same time, through a refined permission management system, the configuration, authorization, and audit permissions of the "three personnel" are further decomposed into a number of basic roles, such as "system administrator, seal administrator, business creator, template creator, file administrator, and auditor". Through a full-process operating system, the requirements for permission authorization, execution, and supervision are implemented end to end.
(Contract Lock Refined Permission Management System)
1) Help enterprises intelligently configure "three personnel" and achieve "audit independence"
In order to facilitate the execution of the three personnel plan, the Contract Lock Electronic Signature System has helped enterprises achieve intelligent configuration, allowing them to intelligently add and modify the list of "system administrators, security personnel, and security auditors" within the system, efficiently completing the "three personnel" configuration.
(Contract Lock Three Member Setting)
To achieve "audit independence", enterprises can add "security auditors" as a "mutually exclusive role" while configuring system administrators and security personnel. This prevents a system administrator or security officer from also serving as an auditor, and ensures that the electronic signature system has an independent "audit supervision" role that enforces supervision impartially and strictly.
(Mutual exclusion and supervision between system administrators and auditors)
2) Help enterprises refine and decompose permissions, and achieve on-demand "authorization to people"
To allow enterprises to manage and monitor system operations at a fine granularity, Contract Lock decomposes the "authorization" permission of the "security and confidentiality administrator" into multiple sub-permissions, such as "seal permissions, template permissions, and file viewing permissions", according to the enterprise's actual seal usage needs. By creating corresponding roles, the relevant permissions are assigned to employees as needed, meeting the requirements of efficient, secure, and transparent authorization.
(Create segmented roles as needed)
(Add personnel information to complete authorization)
3) Detailed logs accurately record operation details for timely "audit supervision" of personnel actions
Contract Lock provides audit logs for the full process of viewing, creating, changing, deleting, authorizing, and using "signed documents, electronic seals, and member information" in the system, helping enterprises monitor the system in real time and improve their risk screening capabilities.
(Operation Log)
2. Seal "separation of powers": "management, use, and operation" separation of powers to prevent the risk of manual seal use
To protect users' seals, Contract Lock electronic signature adopts a "management, use, and operation" separation-of-powers system for seals, and a full-process management environment helps users keep complete control over how their seals are used.
1) System administrators, general users, and technical personnel have "no access" to seals. The system has three roles: seal administrator, seal user, and system administrator, which restrict personnel in each role from playing any other role and avoid overlapping permissions.
·Seal administrators are only responsible for the daily management and maintenance of seals and cannot stamp files with them.
·The seal user is the person who actually operates the seal, but cannot modify any seal-related data.
·System administrators can only maintain management parameters in the system and provide technical support such as integration and operations, and cannot access any data related to seal management or usage.
(Front end users only use seals and do not touch seals)
(Mid end managers only configure seals and business processes)
(Back end operations and maintenance do not touch seals)
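The two role systems described above, the "three member" split (system administrator / security administrator / security auditor) with an independent auditor, and the seal split (seal administrator / seal user / system administrator), are both instances of static separation of duties: a person may hold at most one role from each mutually exclusive set, coarse "authorization" is decomposed into fine sub-permissions bound to roles, and every grant and access decision is written to an audit log. The following is an added illustration of that model, not Contract Lock's own code; the role names, permission strings, user names and document names are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Fine-grained permissions, decomposed from the coarse "authorization" power
# (names are this example's own, not the product's).
SEAL_MANAGE = "seal:manage"        # create / modify seal records
SEAL_STAMP = "seal:stamp"          # apply a seal to a document
TEMPLATE_MANAGE = "template:manage"
FILE_VIEW = "file:view"
SYS_CONFIG = "system:config"       # maintain system parameters only
ROLE_ASSIGN = "role:assign"        # grant roles to people
AUDIT_READ = "audit:read"

ROLE_PERMISSIONS = {
    "system_admin": {SYS_CONFIG},
    "security_admin": {ROLE_ASSIGN, TEMPLATE_MANAGE},
    "security_auditor": {AUDIT_READ},
    "seal_admin": {SEAL_MANAGE},
    "seal_user": {SEAL_STAMP, FILE_VIEW},
}

# Static separation of duties: one principal holds at most one role from each set.
# First set: the "three members"; second set: the management / use / operation seal split.
EXCLUSIVE_ROLE_SETS = (
    frozenset({"system_admin", "security_admin", "security_auditor"}),
    frozenset({"system_admin", "seal_admin", "seal_user"}),
)


class SoDViolation(Exception):
    """A grant would put two mutually exclusive roles on one person."""


@dataclass
class AccessControl:
    assignments: dict = field(default_factory=dict)   # user -> set of roles
    audit_log: list = field(default_factory=list)     # append-only decision record

    @classmethod
    def bootstrap(cls, first_security_admin):
        """Seed the single initial security admin; all later grants go through assign_role."""
        ac = cls()
        ac.assignments[first_security_admin] = {"security_admin"}
        ac._record("bootstrap", ROLE_ASSIGN, f"{first_security_admin}:security_admin", "granted")
        return ac

    def _record(self, actor, action, target, outcome):
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "target": target, "outcome": outcome,
        })

    def has_permission(self, user, permission):
        return any(permission in ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ()))

    def assign_role(self, actor, user, role):
        """Grant `role` to `user`: only a role-assigner may do it, and SoD is enforced."""
        target = f"{user}:{role}"
        if not self.has_permission(actor, ROLE_ASSIGN):
            self._record(actor, ROLE_ASSIGN, target, "denied")
            raise PermissionError(f"{actor} may not assign roles")
        held = self.assignments.get(user, set())
        for exclusive in EXCLUSIVE_ROLE_SETS:
            if role in exclusive and (held & exclusive) - {role}:
                self._record(actor, ROLE_ASSIGN, target, "denied:sod")
                raise SoDViolation(f"{user} holds {sorted(held & exclusive)}; cannot add {role}")
        self.assignments.setdefault(user, set()).add(role)
        self._record(actor, ROLE_ASSIGN, target, "granted")

    def authorize(self, user, permission, target):
        """Decide one operation and log the decision whether allowed or denied."""
        ok = self.has_permission(user, permission)
        self._record(user, permission, target, "allowed" if ok else "denied")
        return ok


def demo():
    """Constructed scenario; returns the outcomes and the log so they can be checked."""
    ac = AccessControl.bootstrap("alice")                 # alice = security admin
    ac.assign_role("alice", "bob", "seal_admin")
    ac.assign_role("alice", "carol", "seal_user")
    ac.assign_role("alice", "dave", "system_admin")
    ac.assign_role("alice", "erin", "security_auditor")

    results = {}
    try:                                                  # auditor may not also be an admin
        ac.assign_role("alice", "alice", "security_auditor")
    except SoDViolation:
        results["auditor_exclusive"] = True
    try:                                                  # operations staff never touch seals
        ac.assign_role("alice", "dave", "seal_user")
    except SoDViolation:
        results["sysadmin_no_seal"] = True
    try:                                                  # only the security admin grants roles
        ac.assign_role("bob", "bob", "seal_user")
    except PermissionError:
        results["seal_admin_cannot_self_grant"] = True

    results["seal_admin_stamps"] = ac.authorize("bob", SEAL_STAMP, "contract-001.pdf")
    results["seal_user_stamps"] = ac.authorize("carol", SEAL_STAMP, "contract-001.pdf")
    results["seal_user_edits_seal"] = ac.authorize("carol", SEAL_MANAGE, "seal-7")
    results["sysadmin_views_file"] = ac.authorize("dave", FILE_VIEW, "contract-001.pdf")
    results["denied_events"] = sum(1 for e in ac.audit_log if e["outcome"].startswith("denied"))
    return results, ac.audit_log


if __name__ == "__main__":
    for key, value in demo()[0].items():
        print(f"{key}: {value}")
```

The point of logging denials as well as grants is that the auditor role (which holds only `audit:read`) can see attempted over-reach, such as the seal administrator trying to grant himself the seal-user role, not just what succeeded. In a real deployment the log would be written to storage the other two roles cannot alter.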
Application value