CN106878325A - A kind of method and device for determining access privilege - Google Patents

Publication number: CN106878325A
Application number: CN201710165821.4A
Authority: CN (China)
Original language: Chinese (zh)
Other versions: CN106878325B (granted publication)
Inventor: 丛丛
Original and current assignee: Beijing Runke General Technology Co Ltd
Legal status: Granted, active

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

The invention discloses a method and device for determining a user's access privilege. The method includes: in response to a request by a target user to access a target resource, determining the target role assigned to the target user in advance, where the target role is one user role in a role set, the target resource is one resource item to be accessed in a resource set, each resource item to be accessed is configured with a resource permission value, and that resource permission value encodes the current access permission of every user role to the resource item; and analysing the resource permission value corresponding to the target resource to determine the current access permission of the target role to the target resource. The invention can determine a user's access permission to system resources while reducing the storage space needed for permission-management data.

Description

A method and device for determining user access privilege
Technical field
The present invention relates to the field of permission management, and in particular to a method and device for determining a user's access privilege.
Background
Permission management generally refers to enforcing the security rules or security policy configured for a system so that a user can access, and can only access, the resources he or she has been authorised for. Permission management appears in almost every system, and especially in systems that require users to log in with a password.
For a system resource configured with access permissions, different users have different permissions. For example, the access permissions of the individual list items in the same list are not necessarily identical: some list items may be accessible to all users, while others may only be accessed by one or several specific users. For this multi-user, multi-permission situation, the prior art generally has to store separately each user's access permission to each system resource item. This makes the amount of permission-management data that must be stored relatively large and occupies a large amount of storage space, particularly when there are many users and many resource items.
Summary of the invention
The main purpose of the embodiments of the present invention is to provide a method and device for determining user access privilege that can determine a user's access permission to system resources while reducing the storage space needed for permission-management data.
An embodiment of the present invention provides a method for determining user access privilege, including:
in response to a request by a target user to access a target resource, determining the target role assigned to the target user in advance, where the target role is one user role in a role set, the target resource is one resource item to be accessed in a resource set, the resource item to be accessed is configured with a resource permission value, and the resource permission value encodes the current access permission of each user role to that resource item;
analysing the resource permission value corresponding to the target resource, and determining the current access permission of the target role to the target resource.
Optionally, the current access permission is either an allow permission or a deny permission, and the method further includes:
assigning a different permission value to the allow permission and to the deny permission;
assigning, for each user role in the role set, a different role attribute value according to the same pattern;
generating the resource permission value corresponding to the resource item to be accessed from each user role's permission value for its current access permission to that item and the role attribute values.
Optionally, generating the resource permission value corresponding to the resource item to be accessed from each user role's permission value and the role attribute values includes:
calculating the resource permission value corresponding to the resource item to be accessed;
where the resource permission value is the sum of the role values corresponding to each user role, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access permission to the resource item, and the second number is the role attribute value corresponding to that user role.
Optionally, analysing the resource permission value corresponding to the target resource and determining the current access permission of the target role to the target resource includes:
analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determining the current access permission of the target role to the target resource.
Optionally, the permission value corresponding to the deny permission is 0, the permission value corresponding to the allow permission is 1, and the role attribute value corresponding to a user role is 2 to the power n, where n is the unique role code of that user role;
analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determining the current access permission of the target role to the target resource, includes:
obtaining a first binary value corresponding to the role attribute value of the target role;
obtaining a second binary value corresponding to the resource permission value of the target resource;
performing a bitwise AND of the first binary value and the second binary value at the same bit positions to obtain a third binary value;
if the bits of the third binary value are not all zero, determining that the target role has the allow permission to the target resource;
if all bits of the third binary value are zero, determining that the target role has the deny permission to the target resource.
An embodiment of the present invention also provides a device for determining user access privilege, including:
a target role determining unit, configured to, in response to a request by a target user to access a target resource, determine the target role assigned to the target user in advance, where the target role is one user role in a role set, the target resource is one resource item to be accessed in a resource set, the resource item to be accessed is configured with a resource permission value, and the resource permission value encodes the current access permission of each user role to that resource item;
an access permission determining unit, configured to analyse the resource permission value corresponding to the target resource and determine the current access permission of the target role to the target resource.
Optionally, the current access permission is either an allow permission or a deny permission, and the device further includes:
a permission value assignment unit, configured to assign a different permission value to the allow permission and to the deny permission;
a role attribute value assignment unit, configured to assign, for each user role in the role set, a different role attribute value according to the same pattern;
a resource permission value generation unit, configured to generate the resource permission value corresponding to the resource item to be accessed from each user role's permission value for its current access permission to that item and the role attribute values.
Optionally, the resource permission value generation unit is specifically configured to calculate the resource permission value corresponding to the resource item to be accessed;
where the resource permission value is the sum of the role values corresponding to each user role, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access permission to the resource item, and the second number is the role attribute value corresponding to that user role.
Optionally, the access permission determining unit is specifically configured to analyse the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determine the current access permission of the target role to the target resource.
Optionally, the permission value corresponding to the deny permission is 0, the permission value corresponding to the allow permission is 1, and the role attribute value corresponding to a user role is 2 to the power n, where n is the unique role code of that user role;
the access permission determining unit includes:
a binary value obtaining subunit, configured to obtain a first binary value corresponding to the role attribute value of the target role and a second binary value corresponding to the resource permission value of the target resource;
a bitwise AND subunit, configured to perform a bitwise AND of the first binary value and the second binary value at the same bit positions to obtain a third binary value;
an access permission determination subunit, configured to determine that the target role has the allow permission to the target resource if the bits of the third binary value are not all zero, and to determine that the target role has the deny permission to the target resource if all bits of the third binary value are zero.
In the method and device for determining user access privilege provided by embodiments of the present invention, when a target user triggers a request to access a target resource, the target role assigned to the target user in advance is determined, where the target role is one user role in a role set, the target resource is one resource item to be accessed in a resource set, each resource item in the resource set is configured with one resource permission value, and each resource permission value encodes the current access permission of every user role to the corresponding resource item; then, by analysing the resource permission value corresponding to the target resource, the current access permission of the target role to the target resource is determined. It can be seen that one resource permission value is set for each resource item to be accessed, and because a resource permission value is a single number, the storage space it occupies is small. Furthermore, because each resource permission value encodes every user role's current access permission to the corresponding resource item, the target user's access permission to a resource item can be determined by analysing the resource permission value of the resource item the target user accesses.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flow chart of the method for determining user access privilege provided by an embodiment of the present invention;
Fig. 2 is a schematic flow chart of the method for generating resource permission values provided by an embodiment of the present invention;
Fig. 3 is a schematic flow chart of the method for determining the current user's access privilege provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the composition of the device for determining user access privilege provided by an embodiment of the present invention.
Detailed description
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
In the method and device for determining user access privilege provided by embodiments of the present invention, multiple user roles may be set in advance, the system resources may be divided into multiple resource items to be accessed, and the access permission of each user role to each resource item may be set in advance. To save the storage space taken by access-permission management data, one resource permission value is used to encode the current access permission of every user role to a given resource item, so that each resource item corresponds to one resource permission value. When a user accesses one of these resource items, the user's access permission to that item can be determined by analysing the resource permission value corresponding to it.
The embodiments of the present invention are described in detail below.
Referring to Fig. 1, which is a schematic flow chart of a method for determining user access privilege provided by an embodiment of the present invention, the method includes S101-S102:
S101: in response to a request by a target user to access a target resource, determine the target role assigned to the target user in advance, where the target role is one user role in a role set, the target resource is one resource item to be accessed in a resource set, the resource item to be accessed is configured with a resource permission value, and the resource permission value encodes the current access permission of each user role to that resource item.
For ease of description, this embodiment refers to the current user performing the resource access as the target user, and to the resource item that the target user requests to access as the target resource.
In this embodiment, multiple user roles may be set in advance, and these user roles form the role set. One user role may correspond to one or more users, i.e. each user may hold the identity of one or more user roles. For example, for a group created in chat software such as QQ, the group administrator is a user role, and there may be one or more users with the administrator identity. As another example, in an engineering project the user roles may be divided according to the employees' job responsibilities, such as "assembly" and "maintenance"; there may be one or more employees (i.e. users) with the "assembly" identity and one or more employees (i.e. users) with the "maintenance" role.
In this embodiment, all of the system resources may also be divided into multiple resource items to be accessed, and these resource items form the resource set. For example, continuing the engineering project example, the system resources may be divided into resource items such as "assembly" data and "maintenance" data, and the "assembly" data and "maintenance" data may be subdivided further, with each sub-item treated as one resource item to be accessed. The present embodiment does not limit how the resource set is stored or displayed; it may be a list or some other form, and when the resource set is a display list, one or more list items in that list may serve as one resource item to be accessed.
In this embodiment, each resource item in the resource set may be accessed by users holding different role attribute values. Referring to Table 1, the embodiment is illustrated with a role set of 16 user roles and a resource set of 15 resource items to be accessed.
Table 1
In an embodiment of the invention, the resource permission value corresponding to each resource item to be accessed in the resource set may be generated as follows. Referring to the schematic flow chart of the method for generating resource permission values shown in Fig. 2, it includes steps S201-S203:
S201: assign a different permission value to the allow permission and to the deny permission.
In this embodiment, each user role's current access permission to a resource item to be accessed may be either an allow permission or a deny permission. For example, the allow permission may be the permission to browse, modify, etc. the resource item, and correspondingly the deny permission may be the prohibition of browsing, modifying, etc. that resource item.
Further, a permission value may be set for each of the two kinds of permission. Specifically, the permission value corresponding to the deny permission may be 0, and the permission value corresponding to the allow permission may be 1 (it may also be another non-zero value, such as 0.1).
For ease of understanding, referring to Table 1: the left side lists the 15 resource items to be accessed with codes 1, 2, ..., 14, 15, and the top lists the 16 user roles with codes 15, 14, ..., 1, 0. With the deny permission value being 0 and the allow permission value being 1, every user role has the allow permission to resource item 1; for resource item 2, seven user roles, namely user role 15 and user roles 5 to 0, have the allow permission and the remaining user roles have the deny permission. The access permission relations between the other resource items and the user roles are not described one by one here; see Table 1.
S202: for each user role in the role set, assign a different role attribute value according to the same pattern.
In this embodiment, each user role in the role set has a corresponding role attribute value. Specifically, each user role may be given a unique code in advance, for example by numbering the user roles in ascending or descending order, and the role attribute value of each user role is set to 2 to the power n (i.e. 2^n), where n is the unique role code of that user role.
Referring to Table 2, the 16 user roles of Table 1 are coded 0, 1, ..., 14, 15 in turn; the role attribute value of user role 0 is 2^0 = 1, that of user role 1 is 2^1 = 2, that of user role 2 is 2^2 = 4, and so on. The role attribute values of the other user roles are not described one by one here; see Table 2.
Table 2
User role      Role attribute value
User role 0    1
User role 1    2
User role 2    4
User role 3    8
User role 4    16
User role 5    32
User role 6    64
User role 7    128
User role 8    256
User role 9    512
User role 10   1024
User role 11   2048
User role 12   4096
User role 13   8192
User role 14   16384
User role 15   32768
S203: generate the resource permission value corresponding to the resource item to be accessed from each user role's permission value for its current access permission to that item and the role attribute values.
In an embodiment of the invention, step S203 may specifically include: calculating the resource permission value corresponding to the resource item to be accessed, where the resource permission value is the sum of the role values corresponding to each user role, a role value is the product of a first number and a second number, the first number is the permission value of the user role's current access permission to the resource item, and the second number is the role attribute value corresponding to that user role.
For ease of understanding, referring to the right side of Table 1, resource item 1, resource item 2, ..., resource item 15 each have one resource permission value, and the resource permission value of any resource item satisfies the following formula:
zyq_i = Q_i0 × J_0 + Q_i1 × J_1 + ... + Q_i15 × J_15
where zyq_i is the resource permission value of the resource item with code i, i = 1, 2, ..., 15; Q_ij is the permission value of the current access permission of the user role with code j to the resource item with code i, and takes the value 0 or 1; and J_j is the role attribute value of the user role with code j, whose value is 2^j.
For example, for resource item 2 in Table 1, the resource permission value is:
zyq_2 = 2^15 + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 = 32831
It should be noted that the code values of the user roles in the role set may be 0, 1, ..., 15, or 0, 2, 4, ..., as long as the coding follows a definite rule.
Further, in an embodiment of the invention, the method may also include: creating in advance a correspondence between the login information of the target user and the target role. In this embodiment, login information may be set for each user, and the user role corresponding to each user may be set as well; the login information of a user generally includes the user's user name and password, and when the user holds one or more user roles, a correspondence between that user's login information and those user roles may be established.
Based on this correspondence, "determining the target role assigned to the target user in advance" in step S101 may specifically include: determining the target role held by the target user according to the correspondence between the target user's login information and the target role. For example, if the target user corresponds to user role 15 in Table 1, then when the target user logs into the system with his or her login information, it can be determined that the user has been assigned user role 15.
S102: analyse the resource permission value corresponding to the target resource and determine the current access permission of the target role to the target resource.
Through the above generation rule for the resource permission value of each resource item to be accessed, the resource permission value of each resource item encodes the current access permission of every user role to that item. Therefore, when a user holding a certain user role (i.e. the target role), that is, the target user, accesses a certain resource item (i.e. the target resource), the user's current access permission to that resource item can be determined from the generation rule of the resource item's resource permission value.
Specifically, in an embodiment of the invention, step S102 may include: analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determining the current access permission of the target role to the target resource.
More specifically, when the permission value corresponding to the deny permission is 0, the permission value corresponding to the allow permission is 1, and the role attribute value of each user role in the role set is 2 to the power n (where n is the unique role code of that user role), referring to the schematic flow chart of the method for determining the current user's access privilege shown in Fig. 3, step S102 may specifically include S301-S306:
S301: obtain the first binary value corresponding to the role attribute value of the target role.
Referring to Table 1, assume the target role assigned to the target user is user role 15; the role attribute value of user role 15 is 32768 (i.e. 2^15), and the binary value corresponding to this value is 1000000000000000.
S302: obtain the second binary value corresponding to the resource permission value of the target resource.
Referring to Table 1, assume the target resource is resource item 1; the resource permission value of resource item 1 is 65535, and the binary value corresponding to this value is 1111111111111111.
S303: perform a bitwise AND of the first binary value and the second binary value at the same bit positions to obtain the third binary value.
Bit 0 of 1000000000000000 is ANDed with bit 0 of 1111111111111111, bit 1 of 1000000000000000 is ANDed with bit 1 of 1111111111111111, ..., and bit 15 of 1000000000000000 is ANDed with bit 15 of 1111111111111111; the resulting binary value is 1000000000000000.
S304: judge whether all bits of the third binary value are zero; if so, perform S306, otherwise perform S305.
S305: determine that the target role has the allow permission to the target resource.
S306: determine that the target role has the deny permission to the target resource.
Continuing the above example: the third binary value obtained by the AND operation is 1000000000000000, which is not zero, so the target user holding the identity of user role 15 has access permission to resource item 1.
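As an added example (not code from the patent or its assignee), the following Python implements the generation of resource permission values in steps S201-S203 and the bitwise check in steps S301-S306. The role set of 16 roles coded 0 to 15 and the permissions of resource items 1 and 2 are constructed from the description of Table 1 given above; the function names, the dictionary layout and the `allowed_roles` decoder are my own choices, not the patent's.

```python
"""Bitmask permission values: steps S201-S203 (generation) and S301-S306 (check)."""
from typing import Dict, List

ALLOW = 1   # S201: permission value assigned to "allow access"
DENY = 0    # S201: permission value assigned to "deny access"


def role_attribute_value(role_code: int) -> int:
    """S202: J_n = 2**n, where n is the unique code of the user role."""
    if role_code < 0:
        raise ValueError("role code must be a non-negative integer")
    return 1 << role_code


def resource_permission_value(permissions: Dict[int, int]) -> int:
    """S203: zyq_i = sum over roles j of Q_ij * J_j.

    `permissions` maps role code j -> Q_ij (1 = allow, 0 = deny). A role
    that is absent contributes a 0 term, i.e. it is treated as denied.
    """
    total = 0
    for role_code, q in permissions.items():
        if q not in (ALLOW, DENY):
            raise ValueError(f"permission value for role {role_code} must be 0 or 1")
        total += q * role_attribute_value(role_code)
    return total


def is_allowed(role_code: int, zyq: int) -> bool:
    """S301-S306: AND the role attribute value (first binary value) with the
    resource permission value (second binary value); a non-zero third value
    means allow (S305), an all-zero third value means deny (S306)."""
    third = role_attribute_value(role_code) & zyq
    return third != 0


def allowed_roles(zyq: int, role_count: int = 16) -> List[int]:
    """Decode which role codes a resource permission value grants (inverse of S203)."""
    return [j for j in range(role_count) if is_allowed(j, zyq)]


# Constructed sample data modelled on Table 1: resource item 1 allows every
# role; resource item 2 allows user role 15 and user roles 0 to 5 only.
ROLE_CODES = range(16)
TABLE1 = {
    1: {j: ALLOW for j in ROLE_CODES},
    2: {j: (ALLOW if j == 15 or j <= 5 else DENY) for j in ROLE_CODES},
}
ZYQ = {item: resource_permission_value(perms) for item, perms in TABLE1.items()}

if __name__ == "__main__":
    for item, value in ZYQ.items():
        print(f"resource item {item}: zyq = {value} = {value:016b}, allowed roles {allowed_roles(value)}")
    print("role 15 -> item 1:", is_allowed(15, ZYQ[1]))
    print("role 7  -> item 2:", is_allowed(7, ZYQ[2]))
```

The check reads exactly one bit of the resource permission value, so it is only sound while every role attribute value is a distinct power of two; the alternative codings the text allows (0, 2, 4, ...) still satisfy that, but a role value with several bits set would be granted access whenever any one of its bits is set in the resource value. The decision also depends entirely on the stored integer, which is why the integrity of the stored values matters as much as the arithmetic.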
Further, in this embodiment, the identifier of each resource item to be accessed may be stored in correspondence with its resource permission value. Because the storage space occupied by resource permission values is small, this correspondence may be stored in a local file, so that when the current user's access permission needs to be determined, it can be determined by reading the local file; this not only saves storage space for permission data but also saves network resources through local storage. Of course, the identifier of each resource item may instead be stored in correspondence with its resource permission value in a server database; the specific storage method is not limited in this embodiment.
In addition, for the security of the stored data, the identifier of each resource item to be accessed and the corresponding resource permission value may be stored in an encrypted file, for example an encrypted binary file, and the file may be named after the identifier of the resource item with the extension .dat. When a user logs in, the permission-management software can automatically recognise this binary file and read the information in it, and then perform the steps shown in Fig. 1.
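An added illustration (not the patent's code) of the storage point above: each resource identifier is stored next to its resource permission value as a fixed-width binary record, which is what makes the footprint small. The record layout (a 4-byte little-endian identifier followed by a 2-byte permission value, enough for 16 roles) and the sample values are my assumptions; the encryption of the file that the text mentions is outside this snippet.

```python
"""Compact identifier -> resource permission value storage (assumed record layout)."""
import struct
from typing import Dict

# Assumed format: uint32 resource identifier, uint16 permission value (16 roles).
RECORD = struct.Struct("<IH")


def pack_permissions(table: Dict[int, int]) -> bytes:
    """Serialise {resource_id: zyq} into fixed-width records, sorted by identifier."""
    out = bytearray()
    for resource_id, zyq in sorted(table.items()):
        if not 0 <= zyq <= 0xFFFF:
            raise ValueError(f"permission value {zyq} for resource {resource_id} does not fit 16 roles")
        out += RECORD.pack(resource_id, zyq)
    return bytes(out)


def unpack_permissions(blob: bytes) -> Dict[int, int]:
    """Read the records back; reject a file whose length is not a whole number of records."""
    if len(blob) % RECORD.size != 0:
        raise ValueError("permission file is truncated or corrupted")
    return {rid: zyq for rid, zyq in RECORD.iter_unpack(blob)}


def per_pair_size(resource_count: int, role_count: int) -> int:
    """Bytes needed if one byte were kept per (role, resource item) pair, for comparison."""
    return resource_count * role_count


# Constructed sample: the two resource permission values worked out in the text.
SAMPLE = {1: 65535, 2: 32831}

if __name__ == "__main__":
    blob = pack_permissions(SAMPLE)
    print(len(blob), "bytes:", blob.hex())
    print(unpack_permissions(blob))
    print("15 items x 16 roles as bytes:", per_pair_size(15, 16),
          "vs packed:", len(pack_permissions({i: 65535 for i in range(1, 16)})))
```

For the 15 resource items and 16 roles of Table 1 the packed file is 90 bytes, against 240 bytes for one byte per role/resource pair, and the length check on read catches a truncated file before any permission is derived from it.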
It should be noted that this embodiment allows the user roles to be updated and the resource items to be re-partitioned on demand, with the access permission relations between them updated accordingly; when a user accesses system resources, the steps shown in Fig. 1 are performed with the updated content.
In summary, in the method for determining user access privilege provided by an embodiment of the present invention, one resource permission value is set for each resource item to be accessed. Because the resource permission value is a single number, the storage space it occupies is small. Furthermore, because each resource permission value encodes the current access permission of every user role to the corresponding resource item, the target user's access permission to a resource item can be determined by analysing the resource permission value of the resource item the target user accesses.
More easily to understand the embodiment of the present invention, it is exemplified below:
By a kind of method for determining access privilege provided in an embodiment of the present invention, the shoe of a set of complex device is applied to Go through in management software.
Assuming that the equipment is divided into N number of component, each component has M bulk-breaking, and each bulk-breaking recorded maintenance note from assembling Record is all maintained in a electronic record, using the corresponding related data of each bulk-breaking in N × M bulk-breaking as resource to be visited ;Assume for user role to be divided into 16 kinds again, software manager can set visit of each user role to each bulk-breaking data Authority is asked, that is, is allowed access rights or is forbidden access rights, such as, based on the consideration that worry information is changed by mistake, certain can be made User role can only access the related information of its actual action.
Table 3
Referring to Table 3, analysing the resource permission value of each resource item to be visited shows:
the data content of components No. 1, No. 2 and No. 15 can be accessed by all user roles; the data content of component No. 3 can be accessed by user role No. 1; the data content of component No. 4 by user role No. 2; the data content of component No. 5 by user role No. 7; the data content of component No. 6 by user role No. 8; the data content of component No. 7 by user role No. 9; the data content of components No. 8 and No. 9 by user role No. 10; and the data content of components No. 10 to No. 14 by user role No. 11.
Referring to Fig. 4, which is a schematic diagram of the composition of a device for determining user access rights provided by an embodiment of the present invention, the device 400 includes:
a target role determining unit 401, configured to determine, in response to a request by a target user to access a target resource, the target role assigned in advance to the target user, wherein the target role is one user role in a role set, the target resource is one resource item to be visited in a resource set, the resource item to be visited is configured with a resource permission value, and the resource permission value encodes the current access right of each user role to the resource item to be visited;
an access right determining unit 402, configured to analyse the resource permission value corresponding to the target resource and determine the current access right of the target role to the target resource.
In an embodiment of the invention, the current access right is either an allow-access right or a forbid-access right, and the device 400 may further include:
an access right value assignment unit, configured to assign different authority values to the allow-access right and the forbid-access right respectively;
a role attribute value assignment unit, configured to assign, according to the same pattern, a different role attribute value to each user role in the role set;
a resource permission value generation unit, configured to generate the resource permission value corresponding to the resource item to be visited in the target role determining unit 401 from the authority value of each user role's current access right to the resource item to be visited and the role attribute values.
In an embodiment of the invention, the resource permission value generation unit may be specifically configured to calculate the resource permission value corresponding to the resource item to be visited;
wherein the resource permission value is the sum of the role values corresponding to the respective user roles, a role value is the product of a first number and a second number, the first number is the authority value of the user role's current access right to the resource item to be visited, and the second number is the role attribute value corresponding to the user role.
In an embodiment of the invention, the access right determining unit 402 may be specifically configured to analyse the resource permission value corresponding to the target resource according to the assignment mode of the authority values and the role attribute values, and to determine the current access right of the target role to the target resource.
In an embodiment of the invention, the authority value corresponding to the forbid-access right is 0 and the authority value corresponding to the allow-access right is 1; the role attribute value corresponding to a user role is 2 to the power n, where n is the unique character code corresponding to that user role;
the access right determining unit 402 may include:
a binary value obtaining subunit, configured to obtain the first binary value corresponding to the role attribute value of the target role, and to obtain the second binary value corresponding to the resource permission value of the target resource;
a bitwise AND subunit, configured to perform an AND operation on the corresponding bits of the first binary value and the second binary value to obtain a third binary value;
an access right determination subunit, configured to determine that the target role has the allow-access right to the target resource if the bits of the third binary value are not all zero, and to determine that the target role has the forbid-access right to the target resource if all bits of the third binary value are zero.
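The value scheme described above (resource permission value = sum over roles of authority value × 2^n, then a bitwise AND against the target role's attribute value) and the 16-role equipment example of Table 3, worked through as an added Python example. This is not the patent's code; the role codes 0..15 and the Table 3 permissions are reconstructed assumptions, chosen so that "user role 15" has attribute value 2^15, matching the third binary value 1000000000000000 worked above.

```python
# Added example: the resource-permission-value scheme of the patent, reimplemented.
# Assumption: user role codes are 0..NUM_ROLES-1, so user role 15 has attribute
# value 2**15 (binary 1000000000000000), as in the worked example above.

ALLOW = 1    # authority value for the allow-access right
FORBID = 0   # authority value for the forbid-access right
NUM_ROLES = 16


def role_attribute_value(role_code: int) -> int:
    """Role attribute value 2**n, n being the role's unique code (the first binary value)."""
    if not 0 <= role_code < NUM_ROLES:
        raise ValueError(f"role code {role_code} outside 0..{NUM_ROLES - 1}")
    return 1 << role_code


def resource_permission_value(rights: dict) -> int:
    """Sum over all roles of (authority value * role attribute value).

    `rights` maps role code -> ALLOW/FORBID. Roles not listed are treated as FORBID,
    so the value only has bits set for roles that were explicitly allowed.
    """
    value = 0
    for role_code in range(NUM_ROLES):
        authority = rights.get(role_code, FORBID)
        if authority not in (ALLOW, FORBID):
            raise ValueError(f"authority value must be {ALLOW} or {FORBID}")
        value += authority * role_attribute_value(role_code)
    return value


def current_access_right(role_code: int, permission_value: int) -> int:
    """AND the first and second binary values; a nonzero third value means ALLOW."""
    third_binary_value = role_attribute_value(role_code) & permission_value
    return ALLOW if third_binary_value != 0 else FORBID


def update_right(permission_value: int, role_code: int, authority: int) -> int:
    """Change one role's right in an existing value (the relation update the text allows)."""
    mask = role_attribute_value(role_code)
    if authority == ALLOW:
        return permission_value | mask
    return permission_value & ~mask


def allowed_roles(permission_value: int) -> list:
    """Analyse a value into the role codes it allows, as done when reading Table 3."""
    return [n for n in range(NUM_ROLES)
            if current_access_right(n, permission_value) == ALLOW]


# Constructed stand-in for Table 3, following the text: components 1, 2 and 15 are
# open to all user roles, every other component to a single role. Keys are component numbers.
ALL_ROLES = {n: ALLOW for n in range(NUM_ROLES)}
TABLE_3 = {
    1: resource_permission_value(ALL_ROLES),
    2: resource_permission_value(ALL_ROLES),
    3: resource_permission_value({1: ALLOW}),
    4: resource_permission_value({2: ALLOW}),
    5: resource_permission_value({7: ALLOW}),
    6: resource_permission_value({8: ALLOW}),
    7: resource_permission_value({9: ALLOW}),
    8: resource_permission_value({10: ALLOW}),
    9: resource_permission_value({10: ALLOW}),
    **{c: resource_permission_value({11: ALLOW}) for c in range(10, 15)},
    15: resource_permission_value(ALL_ROLES),
}


if __name__ == "__main__":
    for component, value in sorted(TABLE_3.items()):
        print(f"component {component:2d}: value {value:5d} = {value:016b} "
              f"allows roles {allowed_roles(value)}")
```

Because a role's attribute value is a single bit, the scheme supports at most one role per bit of the stored integer; `role_attribute_value` rejects codes outside that range rather than silently wrapping.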
The device 400 includes a processor and a memory. The target role determining unit 401, the access right determining unit 402 and so on are stored in the memory as program units, and the processor executes the program units stored in the memory to realise the corresponding functions.
The processor contains a kernel, which fetches the corresponding program unit from the memory. One or more kernels may be provided; by adjusting the kernel parameters, the access rights of a user to system resources are determined while the storage space of the rights management data is reduced.
The memory may include volatile memory in a computer-readable medium, such as random access memory (RAM), and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one memory chip.
Compared with the prior art, the device for determining user access rights provided by the embodiment of the present invention sets one resource permission value for each resource item to be visited. Because a resource permission value is a single number, it occupies little storage space. Furthermore, because each resource permission value encodes the current access right of every user role to the corresponding resource item to be visited, the access right of a target user to a resource item to be visited can be determined by analysing the resource permission value of that item.
The present invention also provides a computer program product which, when executed on a data processing device, is adapted to execute program code that initialises the following method steps:
in response to a request by a target user to access a target resource, determining the target role assigned in advance to the target user, wherein the target role is one user role in a role set, the target resource is one resource item to be visited in a resource set, the resource item to be visited is configured with a resource permission value, and the resource permission value encodes the current access right of each user role to the resource item to be visited;
analysing the resource permission value corresponding to the target resource, and determining the current access right of the target role to the target resource.
From the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps of the methods in the above embodiments can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device such as a media gateway) to perform the methods described in the embodiments, or in some parts of the embodiments, of the present invention.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief, and the relevant parts may be found in the description of the method.
It should also be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relation or order between these entities or operations. Moreover, the terms "comprising", "including" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for determining user access rights, characterised by comprising:
in response to a request by a target user to access a target resource, determining the target role assigned in advance to the target user, wherein the target role is one user role in a role set, the target resource is one resource item to be visited in a resource set, the resource item to be visited is configured with a resource permission value, and the resource permission value encodes the current access right of each user role to the resource item to be visited;
analysing the resource permission value corresponding to the target resource, and determining the current access right of the target role to the target resource.
2. The method according to claim 1, characterised in that the current access right is an allow-access right or a forbid-access right; the method further comprises:
assigning different authority values respectively to the allow-access right and the forbid-access right;
assigning, according to the same pattern, a different role attribute value to each user role in the role set;
generating the resource permission value corresponding to the resource item to be visited according to the authority value of each user role's current access right to the resource item to be visited and the role attribute values.
3. The method according to claim 2, characterised in that generating the resource permission value corresponding to the resource item to be visited according to the authority value of each user role's current access right to the resource item to be visited and the role attribute values comprises:
calculating the resource permission value corresponding to the resource item to be visited;
wherein the resource permission value is the sum of the role values corresponding to the respective user roles, a role value is the product of a first number and a second number, the first number is the authority value of the user role's current access right to the resource item to be visited, and the second number is the role attribute value corresponding to the user role.
4. The method according to claim 2 or 3, characterised in that analysing the resource permission value corresponding to the target resource and determining the current access right of the target role to the target resource comprises:
analysing the resource permission value corresponding to the target resource according to the assignment mode of the authority values and the role attribute values, and determining the current access right of the target role to the target resource.
5. The method according to claim 4, characterised in that the authority value corresponding to the forbid-access right is 0 and the authority value corresponding to the allow-access right is 1; the role attribute value corresponding to a user role is 2 to the power n, where n is the unique character code corresponding to that user role;
analysing the resource permission value corresponding to the target resource according to the assignment mode of the authority values and the role attribute values, and determining the current access right of the target role to the target resource, comprises:
obtaining the first binary value corresponding to the role attribute value of the target role;
obtaining the second binary value corresponding to the resource permission value of the target resource;
performing an AND operation on the corresponding bits of the first binary value and the second binary value to obtain a third binary value;
if the bits of the third binary value are not all zero, determining that the target role has the allow-access right to the target resource;
if all bits of the third binary value are zero, determining that the target role has the forbid-access right to the target resource.
6. A device for determining user access rights, characterised by comprising:
a target role determining unit, configured to determine, in response to a request by a target user to access a target resource, the target role assigned in advance to the target user, wherein the target role is one user role in a role set, the target resource is one resource item to be visited in a resource set, the resource item to be visited is configured with a resource permission value, and the resource permission value encodes the current access right of each user role to the resource item to be visited;
an access right determining unit, configured to analyse the resource permission value corresponding to the target resource and determine the current access right of the target role to the target resource.
7. The device according to claim 6, characterised in that the current access right is an allow-access right or a forbid-access right; the device further comprises:
an access right value assignment unit, configured to assign different authority values respectively to the allow-access right and the forbid-access right;
a role attribute value assignment unit, configured to assign, according to the same pattern, a different role attribute value to each user role in the role set;
a resource permission value generation unit, configured to generate the resource permission value corresponding to the resource item to be visited according to the authority value of each user role's current access right to the resource item to be visited and the role attribute values.
8. The device according to claim 7, characterised in that the resource permission value generation unit is specifically configured to calculate the resource permission value corresponding to the resource item to be visited;
wherein the resource permission value is the sum of the role values corresponding to the respective user roles, a role value is the product of a first number and a second number, the first number is the authority value of the user role's current access right to the resource item to be visited, and the second number is the role attribute value corresponding to the user role.
9. The device according to claim 7 or 8, characterised in that the access right determining unit is specifically configured to analyse the resource permission value corresponding to the target resource according to the assignment mode of the authority values and the role attribute values, and to determine the current access right of the target role to the target resource.
10. The device according to claim 9, characterised in that the authority value corresponding to the forbid-access right is 0 and the authority value corresponding to the allow-access right is 1; the role attribute value corresponding to a user role is 2 to the power n, where n is the unique character code corresponding to that user role;
the access right determining unit comprises:
a binary value obtaining subunit, configured to obtain the first binary value corresponding to the role attribute value of the target role, and to obtain the second binary value corresponding to the resource permission value of the target resource;
a bitwise AND subunit, configured to perform an AND operation on the corresponding bits of the first binary value and the second binary value to obtain a third binary value;
an access right determination subunit, configured to determine that the target role has the allow-access right to the target resource if the bits of the third binary value are not all zero, and to determine that the target role has the forbid-access right to the target resource if all bits of the third binary value are zero.
CN201710165821.4A 2017-03-20 2017-03-20 A kind of method and device of determining access privilege Active CN106878325B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710165821.4A CN106878325B (en) 2017-03-20 2017-03-20 A kind of method and device of determining access privilege


Publications (2)

Publication Number Publication Date
CN106878325A true CN106878325A (en) 2017-06-20
CN106878325B CN106878325B (en) 2019-08-06

Family

ID=59171588


Country Status (1)

Country Link
CN (1) CN106878325B (en)


Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102231693A (en) * 2010-04-22 2011-11-02 北京握奇数据系统有限公司 Method and apparatus for managing access authority
CN102595211A (en) * 2012-02-28 2012-07-18 华为技术有限公司 Method and system for presenting network television programs based on social network
CN103179126A (en) * 2013-03-26 2013-06-26 山东中创软件商用中间件股份有限公司 Access control method and device
CN103701801A (en) * 2013-12-26 2014-04-02 四川九洲电器集团有限责任公司 Resource access control method
CN106295265A (en) * 2015-05-22 2017-01-04 阿里巴巴集团控股有限公司 A kind of method and device of user authority management

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108256314A (en) * 2018-01-11 2018-07-06 深圳市沃特沃德股份有限公司 Right management method and device
CN108664811A (en) * 2018-05-11 2018-10-16 北京汉能光伏投资有限公司 A kind of right management method and device
WO2019229546A1 (en) * 2018-05-31 2019-12-05 Vivek Kapoor Multiparty binary access controls
CN109733444A (en) * 2018-09-19 2019-05-10 比亚迪股份有限公司 Database Systems and train supervision management equipment
CN109598117A (en) * 2018-10-24 2019-04-09 平安科技(深圳)有限公司 Right management method, device, electronic equipment and storage medium
CN109347866A (en) * 2018-11-26 2019-02-15 珠海格力电器股份有限公司 Login method, device, system and computer readable storage medium
CN109815735A (en) * 2019-01-23 2019-05-28 浙江安点科技有限责任公司 To the management-control method and system of different user access same asset file permission
CN110290112A (en) * 2019-05-30 2019-09-27 平安科技(深圳)有限公司 Authority control method, device, computer equipment and storage medium
CN110290112B (en) * 2019-05-30 2022-08-12 平安科技(深圳)有限公司 Authority control method and device, computer equipment and storage medium



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant