CN106878325A - A kind of method and device for determining access privilege - Google Patents
Publication number: CN106878325A (application CN201710165821.4A)
Authority: CN (China)
Prior art keywords: resource, value, role, target, visited
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method and device for determining a user's access privilege. The method includes: in response to a request by a target user to access a target resource, determining the target role assigned in advance to the target user, where the target role is one user role in a role set, the target resource is one resource item to be visited in a resource collection, the resource item to be visited is configured with a resource permission value, and the current access privilege of every user role to that resource item is implied in the resource permission value; and analysing the resource permission value corresponding to the target resource to determine the current access privilege of the target role to the target resource. The invention can determine a user's access privilege to a system resource while reducing the storage space taken by rights-management data.
Description
Technical field
The present invention relates to the field of rights management, and in particular to a method and device for determining a user's access privilege.
Background technology
Rights management generally refers to the safety rules or security policy set according to the system: a user can access, and can only access, the resources for which that user is authorised. Rights management appears in almost every system, especially systems that require a user name and password to log in.
For a system resource on which access privileges are set, different users have different access privileges. For example, the list items of one list need not all carry the same access privilege: some list items may be accessible to all users, while others may be accessible to only one or several specific users. For such a multi-user, multi-privilege situation, the prior art generally has to store the access privilege of each user to each system resource item separately, so that a relatively large amount of rights-management data has to be stored in advance. This takes up a substantial amount of storage space, particularly when there are many users and many resource items.
The content of the invention
The main purpose of the embodiments of the present invention is to provide a method and device for determining a user's access privilege that can determine a user's access privilege to a system resource while reducing the storage space taken by rights-management data.
An embodiment of the present invention provides a method for determining a user's access privilege, including:
in response to a request by a target user to access a target resource, determining the target role assigned in advance to the target user, where the target role is one user role in a role set, the target resource is one resource item to be visited in a resource collection, the resource item to be visited is configured with a resource permission value, and the current access privilege of each user role to the resource item to be visited is implied in the resource permission value;
analysing the resource permission value corresponding to the target resource, and determining the current access privilege of the target role to the target resource.
Optionally, the current access privilege is either an allow access privilege or a deny access privilege, and the method further includes:
assigning different permission values to the allow access privilege and to the deny access privilege respectively;
assigning a different role attribute value to each user role in the role set, all according to the same pattern;
generating the resource permission value corresponding to the resource item to be visited from the permission value of each user role's current access privilege to that resource item and from the role attribute values.
Optionally, generating the resource permission value corresponding to the resource item to be visited from the permission value of each user role's current access privilege to that resource item and from the role attribute values includes:
calculating the resource permission value corresponding to the resource item to be visited, where the resource permission value is the sum of the role values of all user roles, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access privilege to the resource item to be visited, and the second number is the role attribute value of that user role.
Optionally, analysing the resource permission value corresponding to the target resource and determining the current access privilege of the target role to the target resource includes:
analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and of the role attribute values, and determining the current access privilege of the target role to the target resource.
Optionally, the permission value of the deny access privilege is 0 and the permission value of the allow access privilege is 1; the role attribute value of a user role is the n-th power of 2, where n is the unique role code of that user role;
and analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and of the role attribute values, and determining the current access privilege of the target role to the target resource, includes:
obtaining a first binary value corresponding to the role attribute value of the target role;
obtaining a second binary value corresponding to the resource permission value of the target resource;
performing a bitwise AND of the first binary value and the second binary value, position by position, to obtain a third binary value;
if not all bits of the third binary value are zero, determining that the target role has the allow access privilege to the target resource;
if all bits of the third binary value are zero, determining that the target role has the deny access privilege to the target resource.
An embodiment of the present invention further provides a device for determining a user's access privilege, including:
a target role determining unit, configured to determine, in response to a request by a target user to access a target resource, the target role assigned in advance to the target user, where the target role is one user role in a role set, the target resource is one resource item to be visited in a resource collection, the resource item to be visited is configured with a resource permission value, and the current access privilege of each user role to the resource item to be visited is implied in the resource permission value;
an access privilege determining unit, configured to analyse the resource permission value corresponding to the target resource and determine the current access privilege of the target role to the target resource.
Optionally, the current access privilege is either an allow access privilege or a deny access privilege, and the device further includes:
a permission value assignment unit, configured to assign different permission values to the allow access privilege and to the deny access privilege respectively;
a role attribute value assignment unit, configured to assign a different role attribute value to each user role in the role set, all according to the same pattern;
a resource permission value generation unit, configured to generate the resource permission value corresponding to the resource item to be visited from the permission value of each user role's current access privilege to that resource item and from the role attribute values.
Optionally, the resource permission value generation unit is specifically configured to calculate the resource permission value corresponding to the resource item to be visited, where the resource permission value is the sum of the role values of all user roles, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access privilege to the resource item to be visited, and the second number is the role attribute value of that user role.
Optionally, the access privilege determining unit is specifically configured to analyse the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and of the role attribute values, and to determine the current access privilege of the target role to the target resource.
Optionally, the permission value of the deny access privilege is 0 and the permission value of the allow access privilege is 1; the role attribute value of a user role is the n-th power of 2, where n is the unique role code of that user role; and the access privilege determining unit includes:
a binary value obtaining subunit, configured to obtain a first binary value corresponding to the role attribute value of the target role, and to obtain a second binary value corresponding to the resource permission value of the target resource;
a bitwise AND subunit, configured to perform a bitwise AND of the first binary value and the second binary value, position by position, to obtain a third binary value;
an access privilege determination subunit, configured to determine that the target role has the allow access privilege to the target resource if not all bits of the third binary value are zero, and to determine that the target role has the deny access privilege to the target resource if all bits of the third binary value are zero.
With the method and device for determining a user's access privilege provided by the embodiments of the present invention, when a target user triggers a request to access a target resource, the target role assigned in advance to the target user is determined, where the target role is one user role in the role set, the target resource is one resource item to be visited in the resource collection, each resource item to be visited in the resource collection is configured with one resource permission value, and the current access privilege of each user role to the corresponding resource item is implied in that resource permission value; then, by analysing the resource permission value corresponding to the target resource, the current access privilege of the target role to the target resource is determined. Thus only one resource permission value is set for each resource item to be visited, and because a resource permission value is a single number, the storage space it takes is small. Further, because each resource permission value implies the current access privilege of every user role to the corresponding resource item, the target user's access privilege to a resource item can be determined by analysing the resource permission value of the resource item the target user accesses.
Brief description of the drawings
In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show some embodiments of the present invention, and a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the method for determining a user's access privilege provided by an embodiment of the present invention;
Fig. 2 is a schematic flow chart of the method for generating a resource permission value provided by an embodiment of the present invention;
Fig. 3 is a schematic flow chart of the method for determining the current user's access privilege provided by an embodiment of the present invention;
Fig. 4 is a schematic composition diagram of the device for determining a user's access privilege provided by an embodiment of the present invention.
Specific embodiment
To make the purpose, technical solution and advantages of the embodiments of the present invention clearer, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The method and device for determining a user's access privilege provided by the embodiments of the present invention can set multiple user roles in advance, divide the system resource into multiple resource items to be visited, and set in advance the access privilege of each user role to each resource item to be visited. In order to save the storage space taken by access-privilege management data, one resource permission value can be used to imply the current access privilege of every user role to a given resource item, so that each resource item to be visited corresponds to exactly one resource permission value. When a user accesses one of the resource items, the user's access privilege to that resource item is determined by analysing the resource permission value corresponding to it.
The embodiments of the present invention are described in detail below.
Referring to Fig. 1, which is a schematic flow chart of a method for determining a user's access privilege provided by an embodiment of the present invention, the method includes steps S101-S102:
S101: In response to a request by a target user to access a target resource, determine the target role assigned in advance to the target user, where the target role is one user role in a role set, the target resource is one resource item to be visited in a resource collection, the resource item to be visited is configured with a resource permission value, and the current access privilege of each user role to the resource item to be visited is implied in the resource permission value.
For ease of description, this embodiment refers to the current user performing the resource access as the target user, and to each resource item to be visited that the target user requests as the target resource.
In this embodiment, multiple user roles can be set in advance, and these user roles form the role set. One user role can correspond to one or more users, that is, each user can hold one or more user-role identities. For example, for a group created in chat software such as QQ, the group administrator is a user role, and there can be one or more users with administrator identity. As another example, in an engineering project user roles can be divided according to employees' job specifications, such as "assembly" and "maintenance"; there can be one or more employees (i.e. users) with the "assembly" identity, and one or more employees (i.e. users) with the "maintenance" role.
In this embodiment, all of the system resource can also be divided into multiple resource items to be visited, and these resource items form the resource collection. For example, following the engineering project above, the system resource can be divided into resource items such as "assembly" data and "maintenance" data, and the "assembly" data and "maintenance" data can be divided further, each resulting sub-item serving as a resource item to be visited. In addition, this embodiment does not limit the storage or display form of the resource collection, which may be a table or another form; when the resource collection is a display list, one or more list items of the display list may serve as one resource item to be visited.
In this embodiment, each resource item to be visited in the resource collection may be accessed by users with different role attribute values. Referring to Table 1, the embodiment of the present invention is illustrated with a role set of 16 user roles and a resource collection of 15 resource items to be visited.
Table 1 (table body not reproduced on this page)
In an embodiment of the present invention, the resource permission value corresponding to each resource item to be visited in the resource collection can be generated as follows; referring to Fig. 2, the schematic flow chart of the method for generating a resource permission value, the method includes steps S201-S203:
S201: Assign different permission values to the allow access privilege and to the deny access privilege respectively.
In this embodiment, the current access privilege of each user role to a resource item to be visited can be either an allow access privilege or a deny access privilege. For example, the allow access privilege can be the privilege to browse, modify and so on the resource item to be visited, and correspondingly the deny access privilege can be the prohibition of browsing, modifying and so on the resource item to be visited.
Further, permission values can be set for both access privileges. Specifically, the permission value of the deny access privilege can be 0, and the permission value of the allow access privilege can be 1 (it could also be 0.1 or another non-zero value).
For ease of understanding, referring to Table 1, the left column lists the 15 resource items to be visited, coded 1, 2, ..., 14, 15 in order, and the top row lists the 16 user roles, coded 15, 14, ..., 1, 0 in order. When the permission value of the deny access privilege is 0 and the permission value of the allow access privilege is 1, all user roles have the allow access privilege to resource item 1; for resource item 2, seven user roles in total, namely user role 15 and user roles 5 to 0, have the allow access privilege, and the other user roles have the deny access privilege. The access-privilege relations between the other resource items and the user roles are not described one by one here; see Table 1.
S202: Assign a different role attribute value to each user role in the role set, all according to the same pattern.
In this embodiment, each user role in the role set has its corresponding role attribute value. Specifically, each user role can be given a unique code in advance, for example by numbering the user roles in ascending or descending order, and the role attribute value of each user role is then the n-th power of 2 (i.e. 2^n), where n is the unique role code of that user role.
Referring to Table 2, for the 16 user roles of Table 1 the role codes are 0, 1, ..., 14, 15 in order, so that the role attribute value of user role 0 is 2^0 = 1, that of user role 1 is 2^1 = 2, that of user role 2 is 2^2 = 4, and so on. The role attribute values of the other user roles are not described one by one here; see Table 2.
Table 2
| User role | Role attribute value |
|---|---|
| User role 0 | 1 |
| User role 1 | 2 |
| User role 2 | 4 |
| User role 3 | 8 |
| User role 4 | 16 |
| User role 5 | 32 |
| User role 6 | 64 |
| User role 7 | 128 |
| User role 8 | 256 |
| User role 9 | 512 |
| User role 10 | 1024 |
| User role 11 | 2048 |
| User role 12 | 4096 |
| User role 13 | 8192 |
| User role 14 | 16384 |
| User role 15 | 32768 |
S203: Generate the resource permission value corresponding to the resource item to be visited from the permission value of each user role's current access privilege to that resource item and from the role attribute values.
In an embodiment of the present invention, step S203 can specifically include calculating the resource permission value corresponding to the resource item to be visited, where the resource permission value is the sum of the role values of all user roles, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access privilege to the resource item to be visited, and the second number is the role attribute value of that user role.
For ease of understanding this embodiment, refer to the right column of Table 1: resource item 1, resource item 2, ..., resource item 15 each have one resource permission value, and the resource permission value of any resource item satisfies the following formula:
zyq_i = Σ_j (Q_ij × J_j)
where zyq_i is the resource permission value of the resource item with code i, i = 1, 2, ..., 15; Q_ij is the permission value of the current access privilege of the user role with code j to the resource item with code i, and takes the value 0 or 1; and J_j is the role attribute value of the user role with code j, whose value is 2^j.
For example, for resource item 2 in Table 1, the resource permission value is:
zyq_2 = 2^15 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 = 32831
It should be noted that the codes of the user roles in the role set may be 0, 1, ..., 15, or 0, 2, 4, ..., as long as the coding follows a fixed rule.
Further, an embodiment of the present invention can also include creating in advance a correspondence between the login information of the target user and the target role. In this embodiment, login information can be set for each user, and each user's corresponding user role can also be specified. The login information of a user generally includes the user's user name and password, and when the user holds one or more user roles, a correspondence can be established between the user's login information and those one or more user roles.
Based on this correspondence, "determining the target role assigned in advance to the target user" in step S101 can specifically include determining the target role held by the target user according to the correspondence between the target user's login information and the target role. For example, if the target user corresponds to user role 15 of Table 1, then when the target user logs in to the system with his or her login information it can be determined that the user has been assigned user role 15.
S102: Analyse the resource permission value corresponding to the target resource, and determine the current access privilege of the target role to the target resource.
Through the generation rule of the resource permission value described above, the resource permission value of each resource item to be visited implies the current access privilege of every user role to that resource item. Therefore, when a user (the target user) with a given user role (the target role) accesses a given resource item to be visited (the target resource), the current access privilege of that user to the resource item can be determined on the basis of the generation rule of the resource permission value.
Specifically, in an embodiment of the present invention, step S102 can include analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and of the role attribute values, and determining the current access privilege of the target role to the target resource.
More specifically, when the permission value of the deny access privilege is 0, the permission value of the allow access privilege is 1, and the role attribute value of each user role in the role set is the n-th power of 2 (n being the unique role code of that user role), then, referring to Fig. 3, the schematic flow chart of the method for determining the current user's access privilege, step S102 can specifically include steps S301-S306:
S301: Obtain a first binary value corresponding to the role attribute value of the target role.
Referring to Table 1, assume the target role assigned to the target user is user role 15. The role attribute value of user role 15 is 32768 (i.e. 2^15), and the corresponding binary value is 1000000000000000.
S302: Obtain a second binary value corresponding to the resource permission value of the target resource.
Referring to Table 1, assume the target resource is resource item 1. The resource permission value of resource item 1 is 65535, and the corresponding binary value is 1111111111111111.
S303: Perform a bitwise AND of the first binary value and the second binary value, position by position, to obtain a third binary value.
Bit 0 of 1000000000000000 is ANDed with bit 0 of 1111111111111111, bit 1 of 1000000000000000 is ANDed with bit 1 of 1111111111111111, ..., and bit 15 of 1000000000000000 is ANDed with bit 15 of 1111111111111111; the resulting binary value is 1000000000000000.
S304: Judge whether all bits of the third binary value are zero; if so, perform S306, otherwise perform S305.
S305: Determine that the target role has the allow access privilege to the target resource.
S306: Determine that the target role has the deny access privilege to the target resource.
Continuing the example above, the third binary value obtained by the AND operation is 1000000000000000, which is not zero, so the target user holding the identity of user role 15 has the allow access privilege to resource item 1.
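The following is an added example, not code from the patent, that implements steps S201-S203 (building a resource permission value) and S301-S306 (the bitwise check) for the 16-role set of Table 2, using the two Table 1 rows the description spells out (resource item 1 allows every role; resource item 2 allows user role 15 and user roles 5 to 0). The function names and the constructed RESOURCE_1 and RESOURCE_2 values are assumptions made for the example.

```python
# Added example (not the patent's code): resource permission values built as
# zyq_i = sum_j Q_ij * J_j with Q_ij in {0, 1} and J_j = 2**j, then checked with a
# bitwise AND as in S301-S306. Role codes are 0..15 as in Table 2.
from typing import Dict, Iterable, List

ALLOW, DENY = 1, 0      # permission values chosen in S201
ROLE_COUNT = 16         # size of the role set in Table 1 / Table 2


def role_attribute_value(role_code: int) -> int:
    """S202: the role with unique code n gets attribute value 2**n (a single bit)."""
    if not 0 <= role_code < ROLE_COUNT:
        raise ValueError(f"role code {role_code} is outside the role set")
    return 1 << role_code


def resource_permission_value(permissions: Dict[int, int]) -> int:
    """S203: sum over all roles j of Q_ij * J_j. Roles missing from the map are denied."""
    total = 0
    for role_code in range(ROLE_COUNT):
        q = permissions.get(role_code, DENY)
        if q not in (ALLOW, DENY):
            # The bitwise decoding below only holds for 0/1 permission values.
            raise ValueError("permission values must be 0 or 1")
        total += q * role_attribute_value(role_code)
    return total


def permission_value_from_allowed(allowed: Iterable[int]) -> int:
    """Convenience: build the Q_ij row from the set of roles that are allowed."""
    return resource_permission_value({r: ALLOW for r in allowed})


def has_access(role_code: int, resource_value: int) -> bool:
    """S301-S306: AND the role's attribute bits with the resource value; non-zero means allow."""
    return (role_attribute_value(role_code) & resource_value) != 0


def allowed_roles(resource_value: int) -> List[int]:
    """Decode a resource permission value back into the roles it allows."""
    return [r for r in range(ROLE_COUNT) if has_access(r, resource_value)]


# Constructed from the two Table 1 rows described in the text:
RESOURCE_1 = permission_value_from_allowed(range(ROLE_COUNT))       # all roles -> 65535
RESOURCE_2 = permission_value_from_allowed([15, 5, 4, 3, 2, 1, 0])   # -> 32831

if __name__ == "__main__":
    print(f"zyq_1 = {RESOURCE_1} = {RESOURCE_1:016b}")
    print(f"zyq_2 = {RESOURCE_2} = {RESOURCE_2:016b}")
    print("user role 15 on resource item 1:", has_access(15, RESOURCE_1))
    print("user role 6 on resource item 2:", has_access(6, RESOURCE_2))
    print("roles allowed on resource item 2:", allowed_roles(RESOURCE_2))
```

The check relies on every role attribute value being a single bit and every permission value being 0 or 1; with the alternative non-zero permission value mentioned under S201 the AND test would no longer decode the sum, which is why the code rejects anything other than 0 or 1. A user who holds several user roles can be checked in one step by ORing their attribute values before the AND, since the result is non-zero exactly when at least one of those roles is allowed.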
Further, in this embodiment the identifier of each resource item to be visited can be stored together with its corresponding resource permission value. Because a resource permission value takes little storage space, this correspondence can be stored in a local file, so that when the current user's access privilege has to be determined, the user's access privilege to the accessed resource can be determined by reading the local file. This not only saves the storage space taken by permission data but also, through local storage, saves network resources. Of course, the identifier of each resource item to be visited and its corresponding resource permission value can also be stored in a server database; this embodiment does not limit the specific storage method.
In addition, for the security of the stored data, the identifier of each resource item to be visited and its corresponding resource permission value can be stored in an encrypted file, for example an encrypted binary file, whose file name can be the identifier of the resource item followed by ".dat". When a user logs in, the rights-management software automatically recognises this binary file and reads the information in it, and then performs the steps shown in Fig. 1.
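The following is an added example, not code from the patent, of the local-file storage described above: it writes a resource item's identifier and permission value to "<identifier>.dat" and reads the value back. The patent calls for an encrypted binary file but names no cipher, so the encryption step is omitted here; instead the example appends an HMAC-SHA256 tag, since software that decides access from a local file should be able to detect that the file was modified or swapped before trusting the value it contains. The record layout, the key handling and the helper names are assumptions made for the example.

```python
# Added example (not the patent's code): store (resource id, permission value) in
# "<id>.dat" with an integrity tag, and refuse a file whose tag or embedded id is wrong.
import hashlib
import hmac
import os
import struct
import tempfile
from typing import Tuple

# Record: 16-bit resource identifier + 16-bit permission value (16 roles fit in 16 bits).
RECORD = struct.Struct(">HH")
TAG_LEN = hashlib.sha256().digest_size

# Constructed key for the example only; a deployment would not embed the key in code.
DEMO_KEY = b"example-key-not-for-production"


def permission_file_path(directory: str, resource_id: int) -> str:
    """File-name rule from the description: the resource item's identifier plus '.dat'."""
    return os.path.join(directory, f"{resource_id}.dat")


def write_permission_file(directory: str, resource_id: int, value: int, key: bytes) -> str:
    """Serialise the record and append an HMAC over it."""
    record = RECORD.pack(resource_id, value)
    tag = hmac.new(key, record, hashlib.sha256).digest()
    path = permission_file_path(directory, resource_id)
    with open(path, "wb") as fh:
        fh.write(record + tag)
    return path


def read_permission_value(directory: str, resource_id: int, key: bytes) -> int:
    """Read the value back, rejecting a wrong length, a bad tag, or another item's file."""
    with open(permission_file_path(directory, resource_id), "rb") as fh:
        data = fh.read()
    if len(data) != RECORD.size + TAG_LEN:
        raise ValueError("permission file has unexpected length")
    record, tag = data[:RECORD.size], data[RECORD.size:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("permission file failed integrity check")
    stored_id, value = RECORD.unpack(record)
    if stored_id != resource_id:
        raise ValueError("permission file belongs to a different resource item")
    return value


def roundtrip_and_tamper(resource_id: int, value: int) -> Tuple[int, bool]:
    """Write, read back, then flip one bit of the stored value; report if that is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_permission_file(tmp, resource_id, value, DEMO_KEY)
        read_back = read_permission_value(tmp, resource_id, DEMO_KEY)
        with open(path, "r+b") as fh:       # byte 3 is the low byte of the value
            fh.seek(3)
            b = fh.read(1)[0]
            fh.seek(3)
            fh.write(bytes([b ^ 0x01]))
        try:
            read_permission_value(tmp, resource_id, DEMO_KEY)
            detected = False
        except ValueError:
            detected = True
    return read_back, detected


if __name__ == "__main__":
    # Resource item 2 of Table 1 has permission value 32831.
    print(roundtrip_and_tamper(2, 32831))   # (32831, True)
```

Reading the identifier back out of the record and comparing it with the requested one also catches the case where one item's file has been copied over another's, which a tag alone would not detect.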
It should be noted that in this embodiment the user roles can be updated as required, the resource items to be visited can be re-divided as required, and the access-privilege relations between them updated accordingly; when a user then accesses the system resource, the steps shown in Fig. 1 are performed with the updated contents.
In summary, with the method for determining a user's access privilege provided by the embodiments of the present invention, one resource permission value is set for each resource item to be visited, and because a resource permission value is a single number, the storage space it takes is small. In addition, because each resource permission value implies the current access privilege of every user role to the corresponding resource item, the target user's access privilege to a resource item can be determined by analysing the resource permission value of the resource item the target user accesses.
To make the embodiment of the present invention easier to understand, an example follows.
The method for determining user access rights provided in the embodiment of the present invention is applied to the service-history management software of a complex piece of equipment.
Assume the equipment is divided into N components, each component has M parts, and the maintenance records of each part, from assembly onward, are all kept in an electronic record; the data associated with each of the N × M parts is treated as one resource item to be accessed. Assume further that the user roles are divided into 16 kinds. The software administrator can set the access right of each user role to the data of each part, that is, either permitted access or forbidden access; for example, to guard against information being modified by mistake, a given user role can be restricted to accessing only the information related to the work it actually performs.
Table 3
Referring to Table 3, analysing the resource permission value of each resource item to be accessed gives the following: the data of components No. 1, No. 2 and No. 15 can be accessed by all user roles; the data of component No. 3 can be accessed by user role No. 1; component No. 4 by user role No. 2; component No. 5 by user role No. 7; component No. 6 by user role No. 8; component No. 7 by user role No. 9; components No. 8 and No. 9 by user role No. 10; and components No. 10 to No. 14 by user role No. 11.
Referring to Fig. 4, which is a schematic diagram of the composition of a device for determining user access rights provided in an embodiment of the present invention, the device 400 includes:
a target role determining unit 401, configured to determine, in response to a request by a target user to access a target resource, the target role assigned in advance to the target user, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be accessed in a resource set, the resource item to be accessed is configured with one resource permission value, and the resource permission value implicitly encodes the current access right of each user role to the resource item to be accessed;
an access right determining unit 402, configured to analyse the resource permission value corresponding to the target resource and determine the current access right of the target role to the target resource.
In one embodiment of the present invention, the current access right is either a permitted access right or a forbidden access right, and the device 400 may further include:
an access-right value assignment unit, configured to assign different permission values to the permitted access right and the forbidden access right respectively;
a role attribute value assignment unit, configured to assign, to each user role in the role set, a different role attribute value following the same pattern;
a resource permission value generation unit, configured to generate the resource permission value corresponding to the resource item to be accessed referred to in the target role determining unit 401, from the permission value of each user role's current access right to that resource item and the role attribute values.
In one embodiment of the present invention, the resource permission value generation unit may specifically be configured to calculate the resource permission value corresponding to the resource item to be accessed, where the resource permission value is the sum of the role values corresponding to each user role, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access right to the resource item to be accessed, and the second number is the role attribute value corresponding to the user role.
In one embodiment of the present invention, the access right determining unit 402 may specifically be configured to analyse the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and so determine the current access right of the target role to the target resource.
In one embodiment of the present invention, the permission value corresponding to the forbidden access right is 0 and the permission value corresponding to the permitted access right is 1; the role attribute value corresponding to a user role is 2 to the power n, where n is the unique code corresponding to that user role.
The access right determining unit 402 may include:
a binary value obtaining subunit, configured to obtain a first binary value corresponding to the role attribute value of the target role, and a second binary value corresponding to the resource permission value of the target resource;
a bitwise AND subunit, configured to AND each bit of the first binary value with the corresponding bit of the second binary value to obtain a third binary value;
an access right determination subunit, configured to determine that the target role has the permitted access right to the target resource if the bits of the third binary value are not all zero, and that the target role has the forbidden access right to the target resource if all bits of the third binary value are zero. Because the role attribute value is a single power of two, at most one bit of the third binary value can be set, so "not all zero" reduces to testing that one bit.
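As an added illustration (this is not code from the patent), the following Python reproduces the generation unit's sum-of-role-values computation and the determining unit's bitwise-AND check for the access matrix described for Table 3 above, and adds the grant/revoke update and the two-byte packing that the storage-space argument relies on. Assumptions not fixed by the patent: role No. k is encoded with n = k - 1, so the 16 roles occupy bits 0..15 of a 16-bit value; all function names and the TABLE_3 data are constructed for this example.

```python
"""Added example, not code from the patent: bit-mask resource permission values
as described in CN106878325A, built for the access matrix of Table 3.

Assumption (not fixed by the patent): role No. k uses n = k - 1, so the 16 roles
occupy bits 0..15 of a 16-bit value. All function names and the TABLE_3 data
below are constructed for this illustration.
"""
import struct
from typing import Dict, Iterable, List

ROLE_COUNT = 16  # the worked example divides users into 16 roles


def role_attribute_value(role_no: int) -> int:
    """Role attribute value 2**n for role No. role_no (assumed n = role_no - 1)."""
    if not 1 <= role_no <= ROLE_COUNT:
        raise ValueError(f"role No. {role_no} is outside 1..{ROLE_COUNT}")
    return 1 << (role_no - 1)


def resource_permission_value(allowed: Iterable[int]) -> int:
    """Generation step: sum over all roles of (permission value) x (role attribute value).

    Forbidden roles contribute 0 x 2**n = 0 and permitted roles 1 x 2**n,
    so the sum is exactly the bit mask of the permitted roles.
    """
    value = 0
    for role_no in allowed:
        value += 1 * role_attribute_value(role_no)  # permitted: permission value 1
    return value


def is_access_permitted(role_no: int, permission_value: int) -> bool:
    """Determination step: AND the role's attribute value (a single bit) with the
    resource's permission value; non-zero means permitted, zero means forbidden.
    Fails closed on out-of-range role numbers (role_attribute_value raises)."""
    return (role_attribute_value(role_no) & permission_value) != 0


def allowed_roles(permission_value: int) -> List[int]:
    """Decode a permission value back into the list of permitted role numbers."""
    return [r for r in range(1, ROLE_COUNT + 1) if is_access_permitted(r, permission_value)]


def grant(permission_value: int, role_no: int) -> int:
    """Update step: permit one more role on a resource (set its bit)."""
    return permission_value | role_attribute_value(role_no)


def revoke(permission_value: int, role_no: int) -> int:
    """Update step: forbid a role on a resource (clear its bit)."""
    return permission_value & ~role_attribute_value(role_no)


def pack_permission_value(permission_value: int) -> bytes:
    """Storage: 16 roles fit in two bytes per resource item, which is the
    storage saving the patent argues for. Rejects values with bits beyond the
    defined roles so a corrupted record cannot permit an undefined role."""
    if not 0 <= permission_value < (1 << ROLE_COUNT):
        raise ValueError("permission value has bits outside the defined roles")
    return struct.pack(">H", permission_value)


def unpack_permission_value(data: bytes) -> int:
    """Inverse of pack_permission_value, e.g. for a value read back from a .dat file."""
    return struct.unpack(">H", data)[0]


# Constructed sample: the access matrix the description gives for Table 3
# (components 1, 2 and 15 open to all roles, the others to a single role).
ALL_ROLES = list(range(1, ROLE_COUNT + 1))
TABLE_3: Dict[int, List[int]] = {
    1: ALL_ROLES, 2: ALL_ROLES, 15: ALL_ROLES,
    3: [1], 4: [2], 5: [7], 6: [8], 7: [9], 8: [10], 9: [10],
    10: [11], 11: [11], 12: [11], 13: [11], 14: [11],
}


def build_table_3() -> Dict[int, int]:
    """Resource permission value for every component in the constructed Table 3."""
    return {component: resource_permission_value(roles) for component, roles in TABLE_3.items()}


if __name__ == "__main__":
    for component, value in sorted(build_table_3().items()):
        print(f"component {component:2d}: 0x{value:04X}  permitted roles {allowed_roles(value)}")
```

One design point worth noting: the AND test only works as an exact per-role decision because each role attribute value has a single bit set. If a caller ever ORs several roles' attribute values into one mask before the check, the "not all zero" test silently becomes "any of those roles is permitted", so the check should be given one role at a time.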
The device 400 includes a processor and a memory; the above target role determining unit 401, access right determining unit 402 and so on are stored in the memory as program units, and the processor executes the program units stored in the memory to realise the corresponding functions.
The processor contains a kernel, and the kernel fetches the corresponding program unit from the memory. One or more kernels may be provided; by adjusting the kernel parameters, the access right of a user to a system resource is determined while reducing the storage space taken by rights-management data.
The memory may include volatile memory in a computer-readable medium, in the form of random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
Compared with the prior art, the device for determining user access rights provided in the embodiment of the present invention assigns one resource permission value to each resource item to be accessed. Because the resource permission value is a single numerical value, the storage space it occupies is small; furthermore, because each resource permission value implicitly encodes the current access right of every user role to the corresponding resource item, the access right of the target user to a resource item can be determined by analysing the resource permission value of the resource item the target user requests.
The present invention also provides a computer program product which, when executed on a data processing device, is adapted to execute program code that initialises the following method steps:
in response to a request by a target user to access a target resource, determining the target role assigned in advance to the target user, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be accessed in a resource set, the resource item to be accessed is configured with one resource permission value, and the resource permission value implicitly encodes the current access right of each user role to the resource item to be accessed;
analysing the resource permission value corresponding to the target resource to determine the current access right of the target role to the target resource.
From the above description of the embodiments, those skilled in the art will clearly understand that all or part of the steps of the methods in the above embodiments may be implemented by software together with the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, may be embodied in the form of a software product; the computer software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, or a network device such as a media gateway) to perform the methods described in the embodiments of the present invention or in parts of those embodiments.
It should be noted that the embodiments in this specification are described in a progressive manner: each embodiment focuses on its differences from the other embodiments, and for the same or similar parts the embodiments may be referred to one another. Since the device disclosed in an embodiment corresponds to the method disclosed in the embodiment, its description is relatively brief, and for the relevant parts reference may be made to the description of the method.
It should also be noted that, herein, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relation or order between those entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A method for determining user access rights, characterised in that it comprises:
in response to a request by a target user to access a target resource, determining a target role assigned in advance to the target user, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be accessed in a resource set, the resource item to be accessed is configured with one resource permission value, and the resource permission value implicitly encodes the current access right of each user role to the resource item to be accessed;
analysing the resource permission value corresponding to the target resource to determine the current access right of the target role to the target resource.
2. The method according to claim 1, characterised in that the current access right is a permitted access right or a forbidden access right; the method further comprises:
assigning different permission values to the permitted access right and the forbidden access right respectively;
assigning, to each user role in the role set, a different role attribute value following the same pattern;
generating the resource permission value corresponding to the resource item to be accessed from the permission value of each user role's current access right to the resource item to be accessed and the role attribute values.
3. The method according to claim 2, characterised in that generating the resource permission value corresponding to the resource item to be accessed from the permission value of each user role's current access right to the resource item to be accessed and the role attribute values comprises:
calculating the resource permission value corresponding to the resource item to be accessed;
where the resource permission value is the sum of the role values corresponding to each user role, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access right to the resource item to be accessed, and the second number is the role attribute value corresponding to the user role.
4. The method according to claim 2 or 3, characterised in that analysing the resource permission value corresponding to the target resource to determine the current access right of the target role to the target resource comprises:
analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determining the current access right of the target role to the target resource.
5. The method according to claim 4, characterised in that the permission value corresponding to the forbidden access right is 0 and the permission value corresponding to the permitted access right is 1; the role attribute value corresponding to a user role is 2 to the power n, where n is the unique code corresponding to that user role;
analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determining the current access right of the target role to the target resource, comprises:
obtaining a first binary value corresponding to the role attribute value of the target role;
obtaining a second binary value corresponding to the resource permission value of the target resource;
performing a bitwise AND of each bit of the first binary value with the corresponding bit of the second binary value to obtain a third binary value;
if the bits of the third binary value are not all zero, determining that the target role has the permitted access right to the target resource;
if all bits of the third binary value are zero, determining that the target role has the forbidden access right to the target resource.
6. A device for determining user access rights, characterised in that it comprises:
a target role determining unit, configured to determine, in response to a request by a target user to access a target resource, a target role assigned in advance to the target user, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be accessed in a resource set, the resource item to be accessed is configured with one resource permission value, and the resource permission value implicitly encodes the current access right of each user role to the resource item to be accessed;
an access right determining unit, configured to analyse the resource permission value corresponding to the target resource and determine the current access right of the target role to the target resource.
7. The device according to claim 6, characterised in that the current access right is a permitted access right or a forbidden access right; the device further comprises:
an access-right value assignment unit, configured to assign different permission values to the permitted access right and the forbidden access right respectively;
a role attribute value assignment unit, configured to assign, to each user role in the role set, a different role attribute value following the same pattern;
a resource permission value generation unit, configured to generate the resource permission value corresponding to the resource item to be accessed from the permission value of each user role's current access right to the resource item to be accessed and the role attribute values.
8. The device according to claim 7, characterised in that the resource permission value generation unit is specifically configured to calculate the resource permission value corresponding to the resource item to be accessed;
where the resource permission value is the sum of the role values corresponding to each user role, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access right to the resource item to be accessed, and the second number is the role attribute value corresponding to the user role.
9. The device according to claim 7 or 8, characterised in that the access right determining unit is specifically configured to analyse the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determine the current access right of the target role to the target resource.
10. The device according to claim 9, characterised in that the permission value corresponding to the forbidden access right is 0 and the permission value corresponding to the permitted access right is 1; the role attribute value corresponding to a user role is 2 to the power n, where n is the unique code corresponding to that user role;
the access right determining unit comprises:
a binary value obtaining subunit, configured to obtain a first binary value corresponding to the role attribute value of the target role, and a second binary value corresponding to the resource permission value of the target resource;
a bitwise AND subunit, configured to AND each bit of the first binary value with the corresponding bit of the second binary value to obtain a third binary value;
an access right determination subunit, configured to determine that the target role has the permitted access right to the target resource if the bits of the third binary value are not all zero, and that the target role has the forbidden access right to the target resource if all bits of the third binary value are zero.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710165821.4A CN106878325B (en) | 2017-03-20 | 2017-03-20 | A kind of method and device of determining access privilege |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106878325A true CN106878325A (en) | 2017-06-20 |
CN106878325B CN106878325B (en) | 2019-08-06 |
Family
ID=59171588
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710165821.4A Active CN106878325B (en) | 2017-03-20 | 2017-03-20 | A kind of method and device of determining access privilege |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106878325B (en) |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108256314A (en) * | 2018-01-11 | 2018-07-06 | 深圳市沃特沃德股份有限公司 | Right management method and device |
CN108664811A (en) * | 2018-05-11 | 2018-10-16 | 北京汉能光伏投资有限公司 | A kind of right management method and device |
WO2019229546A1 (en) * | 2018-05-31 | 2019-12-05 | Vivek Kapoor | Multiparty binary access controls |
CN109733444A (en) * | 2018-09-19 | 2019-05-10 | 比亚迪股份有限公司 | Database Systems and train supervision management equipment |
CN109598117A (en) * | 2018-10-24 | 2019-04-09 | 平安科技(深圳)有限公司 | Right management method, device, electronic equipment and storage medium |
CN109347866A (en) * | 2018-11-26 | 2019-02-15 | 珠海格力电器股份有限公司 | Login method, device, system and computer readable storage medium |
CN109815735A (en) * | 2019-01-23 | 2019-05-28 | 浙江安点科技有限责任公司 | To the management-control method and system of different user access same asset file permission |
CN110290112A (en) * | 2019-05-30 | 2019-09-27 | 平安科技(深圳)有限公司 | Authority control method, device, computer equipment and storage medium |
CN110290112B (en) * | 2019-05-30 | 2022-08-12 | 平安科技(深圳)有限公司 | Authority control method and device, computer equipment and storage medium |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102231693A (en) * | 2010-04-22 | 2011-11-02 | 北京握奇数据系统有限公司 | Method and apparatus for managing access authority |
CN102595211A (en) * | 2012-02-28 | 2012-07-18 | 华为技术有限公司 | Method and system for presenting network television programs based on social network |
CN103179126A (en) * | 2013-03-26 | 2013-06-26 | 山东中创软件商用中间件股份有限公司 | Access control method and device |
CN103701801A (en) * | 2013-12-26 | 2014-04-02 | 四川九洲电器集团有限责任公司 | Resource access control method |
CN106295265A (en) * | 2015-05-22 | 2017-01-04 | 阿里巴巴集团控股有限公司 | A kind of method and device of user authority management |
Also Published As
Publication number | Publication date |
---|---|
CN106878325B (en) | 2019-08-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN106878325A (en) | A kind of method and device for determining access privilege | |
US7299171B2 (en) | Method and system for processing grammar-based legality expressions | |
US10872162B2 (en) | Role-based security policy for an object-oriented database system | |
US8533168B2 (en) | Automatic policy generation based on role entitlements and identity attributes | |
US8793489B2 (en) | Method and system for controlling data access to organizational data maintained in hierarchical | |
US20080271157A1 (en) | Evaluating removal of access permissions | |
CN112182619A (en) | Service processing method and system based on user permission, electronic device and medium | |
US20020083059A1 (en) | Workflow access control | |
US7120698B2 (en) | Access control for an e-commerce application | |
CN105095777A (en) | Multi-mode access control strategy making and executing method under cloud environment | |
CN106790060A (en) | The right management method and device of a kind of role-base access control | |
US11275850B1 (en) | Multi-faceted security framework for unstructured storage objects | |
CN103198141B (en) | Data record access control method and device under hierarchical relationship | |
US7814049B2 (en) | Computer device for managing documents in multi-user mode | |
CN104717206B (en) | A kind of Internet of Things resource access right control method and system | |
CN107194280A (en) | Method for establishing model and device | |
Goodwin et al. | Instance-level access control for business-to-business electronic commerce | |
Abdallah et al. | Formal z specifications of several flat role-based access control models | |
JP4723930B2 (en) | Compound access authorization method and apparatus | |
CN109670339A (en) | The access control method and device towards secret protection based on ontology | |
JPH05181734A (en) | Access right management control systems for data base and file system | |
CN114282591A (en) | Dynamic security level real-time division method, terminal equipment and storage medium | |
Moniruzzaman et al. | A study of privacy policy enforcement in access control models | |
Piattini et al. | Secure databases: state of the art | |
Kern et al. | Maintain High-Quality Access Control Policies: An Academic and Practice-Driven Approach |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||