CN109462576B - Permission policy configuration method and device and computer readable storage medium - Google Patents

Permission policy configuration method and device and computer readable storage medium Download PDF

Info

Publication number
CN109462576B
CN109462576B CN201811201709.2A CN201811201709A CN109462576B CN 109462576 B CN109462576 B CN 109462576B CN 201811201709 A CN201811201709 A CN 201811201709A CN 109462576 B CN109462576 B CN 109462576B
Authority
CN
China
Prior art keywords
access
policy
information
preparation
permission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201811201709.2A
Other languages
Chinese (zh)
Other versions
CN109462576A (en
Inventor
袁哲
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Tencent Cloud Computing Beijing Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Tencent Cloud Computing Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd, Tencent Cloud Computing Beijing Co Ltd filed Critical Tencent Technology Shenzhen Co Ltd
Priority to CN201811201709.2A priority Critical patent/CN109462576B/en
Publication of CN109462576A publication Critical patent/CN109462576A/en
Application granted granted Critical
Publication of CN109462576B publication Critical patent/CN109462576B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The invention provides a permission policy configuration method, which comprises the steps of obtaining access permission configuration information, and generating at least one access permission preparation policy based on the access permission configuration information; acquiring access right flow information, and performing policy operation on an access right preparation policy in a preset sandbox environment according to the access right flow information to obtain a preparation policy operation result; screening the operation result of the preparation strategy by using a preset threshold value to obtain a corresponding access authority strategy; and carrying out configuration operation on the access authority strategy on the corresponding data access system. The invention also provides a permission policy configuration device, generates a corresponding access permission preparation policy based on the access permission configuration information and the access permission flow information, and screens all the access permission preparation policies in a preset sandbox environment, thereby greatly improving the configuration efficiency of the access permission preparation policy and improving the operation stability of the configured access permission preparation policy.

Description

Permission policy configuration method and device and computer readable storage medium
Technical Field
The present invention relates to the field of internet, and in particular, to a method and an apparatus for configuring an authority policy, and a computer-readable storage medium.
Background
With the development of science and technology, people have higher and higher requirements on data access, and in order to meet various data access requirements of people, the existing data service providers can provide various data access authorities to perform conditional restriction and flow control on data access. Such as controlling the access rights of different users to different data resources by configuring a data access rights policy.
In the existing data authority strategy configuration method, a data service provider directly authorizes a corresponding account or a client after establishing an access authority strategy; if the access right policy cannot meet the service requirement of the user (such as compatibility problem, unauthorized problem or unexpected change problem), the user can apply for changing the authorized access right policy, the changed access right policy is a new version of access right policy, or the user switches to the previous version of access right policy to perform policy rollback, so as to change the access right policy on the basis of the original access right policy.
Although the existing data authority policy configuration method provides a policy rollback mechanism, the problem is discovered by testing a new data authority policy through the operation data of the existing network; if a problem is found, the new data authority policy may have a great influence on the data access system, so the existing data authority policy configuration method is inefficient and has low stability.
Disclosure of Invention
The embodiment of the invention provides an authority strategy configuration method and an authority strategy configuration device with higher configuration efficiency and higher stability; the technical problems that the configuration efficiency and the configuration stability of the conventional permission policy configuration method and the configuration device are low are solved.
The embodiment of the invention provides an authority strategy configuration method, which comprises the following steps:
acquiring access authority configuration information, and generating at least one access authority preparation strategy based on the access authority configuration information;
obtaining access right flow information, and performing policy operation on the access right preparation policy in a preset sandbox environment according to the access right flow information to obtain a preparation policy operation result;
screening the operation result of the preparation strategy by using a preset threshold value to obtain a corresponding access authority strategy; and
and carrying out configuration operation on the access authority strategy on a corresponding data access system.
The embodiment of the present invention further provides a device for configuring an authority policy, which includes:
the preparation strategy generation module is used for acquiring access authority configuration information and generating at least one access authority preparation strategy based on the access authority configuration information;
the policy operation module is used for acquiring access authority flow information and performing policy operation on the access authority preparation policy in a preset sandbox environment according to the access authority flow information to obtain a preparation policy operation result;
the access authority strategy acquisition module is used for screening the operation result of the preparation strategy by using a preset threshold value so as to obtain a corresponding access authority strategy; and
and the configuration module is used for configuring the access authority policy on a corresponding data access system.
Embodiments of the present invention also provide a computer-readable storage medium having stored therein processor-executable instructions, which are loaded by one or more processors to perform the above-mentioned permission policy configuration method.
Compared with the prior art, the permission policy configuration method, the permission policy configuration device and the computer-readable storage medium generate the corresponding access permission preparation policies based on the access permission configuration information, and screen all the access permission preparation policies in the preset sandbox environment, so that the configuration efficiency of the access permission preparation policies is greatly improved, and the running stability of the configured access permission preparation policies is improved; the technical problems that the configuration efficiency and the configuration stability of the conventional permission policy configuration method and the configuration device are low are effectively solved.
Drawings
FIG. 1 is a flowchart of a first embodiment of a permission policy configuration method of the present invention;
FIG. 2 is a flowchart of a second embodiment of a permission policy configuration method of the present invention;
FIG. 3 is a schematic structural diagram of a rights policy configuration device according to a first embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a rights policy configuration device according to a second embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a policy operation module of a second embodiment of an authorization policy configuration apparatus according to the present invention;
FIG. 6 is a flowchart of an embodiment of a method and an apparatus for configuring a permission policy according to the present invention;
fig. 7 is a schematic view of a working environment structure of an electronic device in which the permission policy configuration apparatus of the present invention is located.
Detailed Description
Referring to the drawings, wherein like reference numbers refer to like elements, the principles of the present invention are illustrated as being implemented in a suitable computing environment. The following description is based on illustrated embodiments of the invention and should not be taken as limiting the invention with regard to other embodiments that are not detailed herein.
In the description that follows, embodiments of the invention are described with reference to steps and symbols of operations performed by one or more computers, unless otherwise indicated. It will thus be appreciated that those steps and operations, which are referred to herein several times as being computer-executed, include being manipulated by a computer processing unit in the form of electronic signals representing data in a structured form. This manipulation transforms the data or maintains it at locations in the computer's memory system, which may reconfigure or otherwise alter the computer's operation in a manner well known to those skilled in the art. The data maintains a data structure that is a physical location of the memory that has particular characteristics defined by the data format. However, while the principles of the invention have been described in language specific to above, it is not intended to be limited to the specific details shown, since one skilled in the art will recognize that various steps and operations described below may be implemented in hardware.
The permission policy configuration method and the permission policy configuration device can be arranged in any electronic equipment and are used for configuring the access permission policy of the database of the data service provider. The electronic devices include, but are not limited to, wearable devices, head-worn devices, medical health platforms, personal computers, server computers, hand-held or laptop devices, mobile devices (such as mobile phones, Personal Digital Assistants (PDAs), media players, and the like), multiprocessor systems, consumer electronics, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like. The electronic device is preferably an access authority policy configuration server so as to receive instructions of a user or a database administrator to efficiently set and change the access authority policy, and the set and changed access authority policy has high operation stability.
Referring to fig. 1, fig. 1 is a flowchart illustrating a permission policy configuration method according to a first embodiment of the present invention. The permission policy configuration method of this embodiment may be implemented by using the electronic device, and preferably implemented by using an access permission policy configuration server, where the permission policy configuration method of this embodiment includes:
step S101, obtaining access authority configuration information, and generating at least one access authority preparation strategy based on the access authority configuration information;
step S102, obtaining access right flow information, and performing policy operation on an access right preparation policy in a preset sandbox environment according to the access right flow information to obtain a preparation policy operation result;
step S103, screening the operation result of the preparation strategy by using a preset threshold value to obtain a corresponding access authority strategy;
and step S104, configuring the access authority policy on the corresponding data access system.
The following describes in detail a rights policy configuration process of the rights policy configuration method according to the first embodiment of the present invention.
In step S101, the rights policy configuring device (e.g., the access rights policy configuring server) acquires access rights configuration information from the outside. Here, the access right configuration information is basic information of the access right policy, that is, each part constituting the access right policy.
The access authority configuration information may include access data identification information, access data interface information, access data location information, access data attribution information, access data authorization information, and the like.
The access data identification information is a data request identification corresponding to the access authority policy, an operation service identification corresponding to the access authority policy, and the like. The data request identifier is a unique identifier of the access right policy, and the operation service identifier is used to indicate a data Storage type of the access right policy, such as cloud Storage (COS) or a cloud server (CVM).
The access data interface information is the interface type and interface identification corresponding to the access authority policy.
The access data location information is an area where data corresponding to the access authority policy is located, and may refer to a specific physical location, such as europe or china, or may refer to a certain virtual location, such as a second-number server.
And the access data attribution information is the owner identification of the data corresponding to the access authority policy or the identification of the corresponding data server.
The access data authorization information is an authorized user identification of the access authority policy.
Thus, the authority policy configuration device can generate an access authority preparation policy through the setting of the access authority configuration information. Through the access authority preparation strategy, a user with an authorized user identification can access the identification data of a specific position through a corresponding interface, and meanwhile, the authorized user can obtain owner information of the identification data and the data operation type which can be executed by the authorized user.
The access data interface information, the access data identification information, the access data position information, the access data attribution information and the access data authorization information are different access authority configuration information. Therefore, the permission policy configuration device can generate a plurality of access permission preparation policies according to the acquired access permission configuration information, and if a user needs to acquire data access conditions of a plurality of access data interfaces, a corresponding number of access permission preparation policies can be generated through different access data interfaces.
The access right preparation policy is only an access right policy generated according to user prediction, and the access right policy does not necessarily meet the data access requirement desired by the user, so that all the access right preparation policies need to be verified in the subsequent steps to find an access right policy which meets the requirement and runs stably.
In step S102, the permission policy configuration apparatus obtains access permission traffic information from the outside, where the access permission traffic information may include traffic information of an access data type and traffic information of an access data time.
The flow information of the access data type can be a service type of the access data flow, a data access operation type corresponding to the access data flow, a resource type corresponding to the access data flow, and the like.
The traffic information of the access data time may be information of a time period in which the access data traffic occurs.
In this way, the permission policy configuration device can perform policy operation on the access permission preparation policy obtained in step S101 according to the access permission traffic information, that is, determine the policy operation time and the policy operation object of the access permission preparation policy. In order to avoid the influence of the access right preparation strategy on the existing data access system, the authority strategy configuration device can perform strategy operation on the access right preparation strategy in a preset sandbox environment, so that a preparation strategy operation result is obtained.
The operation result of the preparation policy herein is an operation result of the access right preparation policy in a preset sandbox environment, such as a trend range of data access request amount during operation of the preparation policy, an error code distribution range of data access, a request service distribution range of data access, and the like.
In step S103, the authority policy configuration device obtains a preset threshold, where the preset threshold may be at least one of a request amount trend range, an error code distribution range, and a request service distribution range preset by a user. The preset threshold value is the range of the expected strategy operation result after the user adjusts the access authority strategy.
Subsequently, the permission policy configuration device screens the operation result of the preparation policy obtained in step S102 by using the preset threshold, so as to obtain the operation result of the preparation policy meeting the requirement of the preset threshold; and setting the access authority preparation strategy corresponding to the corresponding preparation strategy operation result as an access authority strategy.
In step S104, the authorization policy configuration device performs configuration operation on the access authorization policy acquired in step S103 on the corresponding data access system. If a plurality of access right policies are acquired in step S103, the access right policy closest to the preset threshold is automatically selected or a user selects one access right policy from the access right policies for configuration operation.
Thus, the data access permission policy configuration process of the permission policy configuration method of the embodiment is completed.
The permission policy configuration method of the embodiment generates the corresponding access permission preparation policy based on the access permission configuration information and the access permission traffic information, and screens all the access permission preparation policies in the preset sandbox environment, so that the configuration efficiency of the access permission preparation policy is greatly improved, and the operation stability of the configured access permission preparation policy is improved.
Referring to fig. 2, fig. 2 is a flowchart illustrating a permission policy configuration method according to a second embodiment of the present invention. The permission policy configuration method of this embodiment may be implemented by using the electronic device, and preferably implemented by using an access permission policy configuration server, where the permission policy configuration method of this embodiment includes:
step S201, obtaining access authority configuration information, and generating at least one access authority preparation strategy based on the access authority configuration information;
step S202, obtaining access right flow information, and performing policy operation on an access right preparation policy in a preset sandbox environment according to the access right flow information to obtain a preparation policy operation result;
step S203, determining a preset threshold value based on the operation result of the existing access authority strategy and a preset floating range;
step S204, screening the operation result of the preparation strategy by using a preset threshold value to obtain a corresponding access authority strategy;
step S205, performing configuration operation on the access right policy on the corresponding data access system.
The following describes in detail a rights policy configuration process of the rights policy configuration method according to the second embodiment of the present invention.
In step S201, the rights policy configuration device (e.g., the access rights policy configuration server) acquires access rights configuration information from the outside. Here, the access right configuration information is basic information of the access right policy, that is, each part constituting the access right policy.
The access authority configuration information may include access data identification information, access data interface information, access data location information, access data attribution information, access data authorization information, and the like.
The right policy configuration means may then generate a plurality of access right preparation policies by the setting of the above-mentioned access right configuration information. Different access right preparation strategies correspond to different access data interface information, different access data position information, different access data attribution information and/or different access data authorization information.
The access data interface information, the access data identification information, the access data position information, the access data attribution information and the access data authorization information are different access authority configuration information. Therefore, the permission policy configuration device can generate a plurality of access permission preparation policies according to the acquired access permission configuration information, and if a user needs to acquire data access conditions of a plurality of access data interfaces, a corresponding number of access permission preparation policies can be generated through different access data interfaces.
In step S202, the permission policy configuration apparatus obtains access permission traffic information from the outside, where the access permission traffic information may include traffic information of an access data type and traffic information of an access data time.
In this way, the permission policy configuration device can perform policy operation on the access permission preparation policy obtained in step S201 according to the access permission traffic information, that is, determine the policy operation time and the policy operation object of the access permission preparation policy. In order to avoid the influence of the access right preparation strategy on the existing data access system, the authority strategy configuration device can perform strategy operation on the access right preparation strategy in a preset sandbox environment, so that a preparation strategy operation result is obtained.
Specifically, the permission policy configuration device may directly use access information corresponding to traffic of a preset access data type to perform policy operation on the access permission preparation policy in a preset sandbox environment. Namely, the test operation of the access right preparation strategy is carried out according to the flow of the type of the test access data desired by the user.
The access permission policy configuration device can also directly use access information corresponding to the flow of the preset access data time to perform policy operation on the access permission preparation policy in the preset sandbox environment. Namely, the test operation of the access right preparation strategy is carried out according to the flow of the time when the user wants to test the access data. Furthermore, the access right preparation policy may be tested by using the traffic of a certain historical access data time, or the access right preparation policy may be tested by directly using the real-time traffic.
The permission policy configuration device can also perform policy operation on the access permission preparation policy in a preset sandbox environment by simultaneously using access information corresponding to the flow of the preset access data type and access information corresponding to the flow of the preset access data time. Specifically, the permission policy configuration device may convert traffic of each access data type of the preset access data time into traffic of the preset access data type based on a preset conversion formula, so as to simulate traffic pressure of all access data types using the traffic of the same access data type. And then the access policy configuration device performs policy operation on the access permission preparation policy in a preset sandbox environment by using the converted access information corresponding to the flow of the preset access data type, namely, performs test operation on the access permission preparation policy according to the flow of the access data type which the user wants to test.
In this step, the permission policy configuration device may further perform policy operation on at least two access permission preparation policies simultaneously in the same preset sandbox environment according to the access permission traffic information. The two access right preparation strategies which are operated simultaneously should have approximately the same preparation strategy operation results, so that the configuration efficiency of the access right preparation strategies can be further improved by performing strategy operation simultaneously through a plurality of access right preparation strategies, and meanwhile, the diversity of the access right preparation strategies is further improved by the combined operation of at least two access right preparation strategies, so that a user can find and operate the more stable access right strategies.
In step S203, the authority policy configuration device determines a preset threshold value based on the operation result of the existing access authority policy and a preset floating range. In order to avoid the influence of the environment on the operation result of the policy, the authority policy configuration device of this embodiment determines the modified access authority policy based on the operation result of the existing access authority policy, that is, adds a preset floating range to the operation result of the existing access authority policy to determine a preset threshold for determining the operation result of the modified access authority policy.
The preset threshold may be at least one of a request amount trend range, an error code distribution range, and a request traffic distribution range.
In step S204, the authority policy configuration device filters the operation result of the preparation policy obtained in step S202 by using the preset threshold obtained in step S203, so as to obtain the operation result of the preparation policy meeting the requirement of the preset threshold; and setting the access authority preparation strategy corresponding to the corresponding preparation strategy operation result as an access authority strategy.
In step S205, the authority policy configuring device performs a configuring operation on the access authority policy acquired in step S204 on the corresponding data access system. If a plurality of access right policies are acquired in step S204, the access right policy closest to the preset threshold is automatically selected or a user selects one access right policy from the access right policies for configuration operation.
Thus, the data access permission policy configuration process of the permission policy configuration method of the embodiment is completed.
On the basis of the first embodiment, the permission policy configuration method of this embodiment can generate a plurality of access permission preparation policies at the same time, and can test the plurality of access permission preparation policies at the same time by using a plurality of methods, thereby further improving the configuration efficiency of the access permission preparation policies and further improving the operation stability of the configured access permission preparation policies.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a permission policy configuration apparatus according to a first embodiment of the present invention. The authorization policy configuration device of this embodiment can be implemented by using the first embodiment of the authorization policy configuration method, and the authorization policy configuration device 30 of this embodiment includes a preparation policy generation module 31, a policy operation module 32, an access authorization policy acquisition module 33, and a configuration module 34.
The preparation policy generating module 31 is configured to obtain access right configuration information, and generate at least one access right preparation policy based on the access right configuration information; the policy operation module 32 is configured to obtain access right flow information, and perform policy operation on the access right preparation policy in a preset sandbox environment according to the access right flow information to obtain a preparation policy operation result; the access authority policy obtaining module 33 uses a preset threshold to screen the operation result of the preparation policy to obtain a corresponding access authority policy; the configuration module 34 is configured to perform a configuration operation on the access right policy on the corresponding data access system.
When the authorization policy configuration device 30 of the present embodiment is used, the preparation policy generation module 31 (such as an access authorization policy configuration server) first obtains access authorization configuration information from the outside. Here, the access right configuration information is basic information of the access right policy, that is, each part constituting the access right policy.
The access authority configuration information may include access data identification information, access data interface information, access data location information, access data attribution information, access data authorization information, and the like.
The access data identification information is a data request identification corresponding to the access authority policy, an operation service identification corresponding to the access authority policy, and the like. The data request identifier is a unique identifier of the access right policy, and the operation service identifier is used to indicate a data Storage type of the access right policy, such as cloud Storage (COS) or a cloud server (CVM).
The access data interface information is the interface type and interface identification corresponding to the access authority policy.
The access data location information is an area where data corresponding to the access authority policy is located, and may refer to a specific physical location, such as europe or china, or may refer to a certain virtual location, such as a second-number server.
And the access data attribution information is the owner identification of the data corresponding to the access authority policy or the identification of the corresponding data server.
The access data authorization information is an authorized user identification of the access authority policy.
The preparation policy generation module 31 can generate an access right preparation policy by setting the access right configuration information. Through the access authority preparation strategy, a user with an authorized user identification can access the identification data of a specific position through a corresponding interface, and meanwhile, the authorized user can obtain owner information of the identification data and the data operation type which can be executed by the authorized user.
The access data interface information, the access data identification information, the access data position information, the access data attribution information and the access data authorization information are different access authority configuration information. Therefore, the preparation policy generating module 31 may generate a plurality of access right preparation policies according to the obtained access right configuration information, and if a user needs to obtain data access conditions of a plurality of access data interfaces, a corresponding number of access right preparation policies may be generated through different access data interfaces.
The access right preparation policy is only an access right policy generated according to user prediction, and the access right policy does not necessarily meet the data access requirement desired by the user, so that all the access right preparation policies need to be verified in the subsequent steps to find an access right policy which meets the requirement and runs stably.
The policy operation module 32 then obtains the access right traffic information from the outside, which may include traffic information of the type of the access data and traffic information of the time of the access data.
The flow information of the access data type can be a service type of the access data flow, a data access operation type corresponding to the access data flow, a resource type corresponding to the access data flow, and the like.
The traffic information of the access data time may be information of a time period in which the access data traffic occurs.
In this way, the policy operation module 32 may perform policy operation on the obtained access permission preparation policy according to the access permission traffic information, that is, determine the policy operation time and the policy operation object of the access permission preparation policy. In order to avoid the influence of the access right preparation strategy on the existing data access system, the authority strategy configuration device can perform strategy operation on the access right preparation strategy in a preset sandbox environment, so that a preparation strategy operation result is obtained.
The operation result of the preparation policy herein is an operation result of the access right preparation policy in a preset sandbox environment, such as a trend range of data access request amount during operation of the preparation policy, an error code distribution range of data access, a request service distribution range of data access, and the like.
The access right policy obtaining module 33 then obtains a preset threshold, where the preset threshold may be at least one of a request amount trend range, an error code distribution range, and a request service distribution range preset by the user. The preset threshold value is the range of the expected strategy operation result after the user adjusts the access authority strategy.
Then, the access right policy obtaining module 33 uses the preset threshold to screen the preparation policy operation result obtained by the policy operation module, so as to obtain a preparation policy operation result meeting the requirement of the preset threshold; and setting the access authority preparation strategy corresponding to the corresponding preparation strategy operation result as an access authority strategy.
Finally, the configuration module 34 performs configuration operation on the access right policy acquired by the access right policy acquisition module 33 on the corresponding data access system. If the access right policy obtaining module 33 obtains multiple access right policies, the access right policy closest to the preset threshold is automatically selected or a user selects one access right policy from the access right policies for configuration operation.
This completes the data access permission policy configuration process of the permission policy configuration device 30 of the present embodiment.
The permission policy configuration device of this embodiment generates a corresponding access permission preparation policy based on the access permission configuration information and the access permission traffic information, and screens all the access permission preparation policies in a preset sandbox environment, thereby greatly improving the configuration efficiency of the access permission preparation policy and improving the operation stability of the configured access permission preparation policy.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a permission policy configuration device according to a second embodiment of the present invention. The authorization policy configuration device of this embodiment can be implemented using the second embodiment of the authorization policy configuration method, and the authorization policy configuration device 40 of this embodiment includes a preparation policy generation module 41, a policy operation module 42, an access authorization policy acquisition module 44, a configuration module 45, and a threshold setting module 43.
The preparation policy generating module 41 is configured to obtain the access right configuration information, and generate at least one access right preparation policy based on the access right configuration information; the policy operation module 42 is configured to obtain the access right flow information, and perform policy operation on the access right preparation policy in a preset sandbox environment according to the access right flow information to obtain a preparation policy operation result; the access authority policy obtaining module 44 uses a preset threshold to screen the operation result of the preparation policy to obtain a corresponding access authority policy; the configuration module 45 is configured to perform configuration operation on the access right policy on the corresponding data access system; the threshold setting module 43 is configured to determine a preset threshold based on the operation result of the existing access permission policy and a preset floating range.
Referring to fig. 5, fig. 5 is a schematic structural diagram of a policy operation module of a permission policy configuration device according to a second embodiment of the present invention. The policy operation module 42 includes a first policy operation unit 51, a second policy operation unit 52, and a conversion unit 53.
The first policy operation unit 51 is configured to perform policy operation on an access permission preparation policy in a preset sandbox environment by using access information corresponding to a flow of a preset access data type; the second policy operation unit 52 is configured to perform policy operation on the access right preparation policy in a preset sandbox environment by using access information corresponding to traffic of a preset access data time; the conversion unit 53 is configured to convert the traffic of each access data type of the preset access data time into the traffic of the preset access data type based on a preset conversion formula.
When the authorization policy configuration device 40 of the present embodiment is used, the preparation policy generation module 41 (such as an access authorization policy configuration server) first obtains access authorization configuration information from the outside. Here, the access right configuration information is basic information of the access right policy, that is, each part constituting the access right policy.
The access authority configuration information may include access data identification information, access data interface information, access data location information, access data attribution information, access data authorization information, and the like.
The preparation policy generation module 41 may then generate a plurality of access right preparation policies by the setting of the above-described access right configuration information. Different access right preparation strategies correspond to different access data interface information, different access data position information, different access data attribution information and/or different access data authorization information.
The access data interface information, the access data identification information, the access data position information, the access data attribution information and the access data authorization information are different access authority configuration information. Therefore, the preparation policy generation module can generate a plurality of access right preparation policies according to the acquired access right configuration information, and if a user needs to acquire data access conditions of a plurality of access data interfaces, a corresponding number of access right preparation policies can be generated through different access data interfaces.
The policy execution module 42 then obtains the access right traffic information from the outside, which may include traffic information of the type of the access data and traffic information of the time of the access data.
In this way, the policy operation module 42 may perform policy operation on the obtained access permission preparation policy according to the access permission traffic information, that is, determine a policy operation time and a policy operation object of the access permission preparation policy. In order to avoid the influence of the access right preparation policy on the existing data access system, here, the policy operation module 42 may perform policy operation on the access right preparation policy in a preset sandbox environment, so as to obtain a preparation policy operation result.
Specifically, here, the first policy running unit 51 of the policy running module 42 may directly use the access information corresponding to the traffic of the preset access data type to perform policy running on the access right preparation policy in the preset sandbox environment. Namely, the test operation of the access right preparation strategy is carried out according to the flow of the type of the test access data desired by the user.
Here, the second policy running unit 52 of the policy running module 42 may also directly use the access information corresponding to the traffic of the preset access data time to perform policy running on the access right preparation policy in the preset sandbox environment. Namely, the test operation of the access right preparation strategy is carried out according to the flow of the time when the user wants to test the access data. Furthermore, the access right preparation policy may be tested by using the traffic of a certain historical access data time, or the access right preparation policy may be tested by directly using the real-time traffic.
The policy operation module 42 may also perform policy operation on the access right preparation policy in the preset sandbox environment by using the access information corresponding to the traffic of the preset access data type and the access information corresponding to the traffic of the preset access data time at the same time. Specifically, the conversion unit 53 of the policy operation module 42 may convert the traffic of each access data type of the preset access data time into the traffic of the preset access data type based on a preset conversion formula, so as to simulate the traffic pressure of all the access data types by using the traffic of the same access data type. Subsequently, the second policy running unit 52 of the policy running module 42 performs policy running on the access right preparation policy in the preset sandbox environment by using the access information corresponding to the converted traffic of the preset access data type, that is, performs a test operation on the access right preparation policy according to the traffic of the access data type that the user wants to test.
The policy operation module 42 may further perform policy operation on at least two access right preparation policies simultaneously in the same preset sandbox environment according to the access right flow information. The two access right preparation strategies which are operated simultaneously should have approximately the same preparation strategy operation results, so that the configuration efficiency of the access right preparation strategies can be further improved by performing strategy operation simultaneously through a plurality of access right preparation strategies, and meanwhile, the diversity of the access right preparation strategies is further improved by the combined operation of at least two access right preparation strategies, so that a user can find and operate the more stable access right strategies.
The threshold setting module 43 then determines a preset threshold based on the operation result of the existing access authority policy and the preset floating range. In order to avoid the influence of the environment on the operation result of the policy, the threshold setting module 43 of the present embodiment determines the modified access permission policy based on the operation result of the existing access permission policy, that is, adds a preset floating range to the operation result of the existing access permission policy to determine the preset threshold for determining the operation result of the modified access permission policy.
The preset threshold may be at least one of a request amount trend range, an error code distribution range, and a request traffic distribution range.
Subsequently, the access right policy obtaining module 44 uses the preset threshold value obtained by the threshold value setting module 43 to screen the preparation policy operation result obtained by the policy operation module, so as to obtain a preparation policy operation result meeting the requirement of the preset threshold value; and setting the access authority preparation strategy corresponding to the corresponding preparation strategy operation result as an access authority strategy.
Finally, the configuration module 45 performs configuration operation on the access right policy acquired by the access right policy acquisition module 44 on the corresponding data access system. If the access right policy obtaining module 44 obtains multiple access right policies, the access right policy closest to the preset threshold is automatically selected or a user selects one access right policy from the access right policies for configuration operation.
This completes the data access permission policy configuration process of the permission policy configuration device 40 of the present embodiment.
On the basis of the first embodiment, the permission policy configuration apparatus of this embodiment can generate a plurality of access permission preparation policies at the same time, and can test the plurality of access permission preparation policies at the same time by using a plurality of methods, thereby further improving the configuration efficiency of the access permission preparation policies and further improving the operation stability of the configured access permission preparation policies.
The following describes a specific operation principle of the authorization policy configuration method and the authorization policy configuration apparatus according to a specific embodiment of the present invention. Referring to fig. 6, fig. 6 is a flowchart of an authorization policy configuration method and an authorization policy configuration device according to an embodiment of the present invention.
The permission policy configuration method and the permission policy configuration device of the present invention are provided on the access permission policy configuration server 60, so as to receive instructions of a user or a database administrator to efficiently set and change the access permission policy.
Referring to fig. 6, the access right policy configuration server 60 includes a data management system 61, a version management system 62, a sandbox configuration system 63, a policy diagnosis system 64, and a policy issuing system 65.
Wherein the data management system 61 is used for receiving an authentication request of an existing data access system, namely access right configuration information, from the outside; and simultaneously, performing data storage operation on the access authority strategy finally determined by the strategy diagnosis system. The version management system 62 is configured to generate a corresponding access permission preparation policy according to the access permission configuration information, that is, create, change, and delete an existing access permission policy to generate a plurality of access permission preparation policies for policy operation in a sandbox environment. Sandbox configuration system 63 is used to provide one or more sets of sandbox environments for access rights preparation policies for policy operations. The policy diagnosis system 64 is configured to perform diagnosis and analysis on the policy operation result in the sandbox environment according to a preset threshold, and determine an access authority policy meeting the requirement of the preset threshold. The policy issuing system 65 performs a configuration operation on the corresponding data access system for the access authority policy determined by the policy diagnosis system.
The data management system 61 should include the received access right configuration information, which may include access data identification information, access data interface information, access data location information, access data attribution information, access data authorization information, and the like. The access authority configuration information comprises the access authority configuration information which is operated by the corresponding data access system or the access authority configuration information which is operated by the user
The specific access right configuration information may include a data request identifier (eventID), an operation service identifier (actionService), an operation interface identifier (actioninterafacename), a resource owner identifier (resourceOwnerID), a service identifier (resourcerervice) to which the resource belongs, a region identifier (resourcerefield) to which the resource belongs, an owner identifier (resourceObject), an authorized user identifier (userID), an authentication return code (returnCode), and authentication return information (returnDetail).
Meanwhile, the data management system 61 stores the operation result of the access right preparation policy in the sandbox environment, which may include a trend range of total request amount of data access, a trend range of request amount of different service types, an error code distribution range, a request service distribution range, and the like. Therefore, the user can compare the operation result with the corresponding preset threshold value to determine the access authority strategy meeting the requirement of the preset threshold value.
The version management system 62 is used to generate various access right preparation policies according to the access right configuration information. At least part of access right configuration information corresponding to each access right preparation strategy is different, the version management system completes the creation of the access right preparation strategy and generates a corresponding version number, creation time and a related mark, and a user can describe the specific meaning of the version through the mark.
The sandbox configuration system may 63 verify all access rights preparation policies using different traffic policies. The sandbox configuration system can perform policy operation on a certain access right preparation policy and also perform policy operation on a combination of a plurality of access right preparation policies so as to meet more complex verification requirements of users.
If a client currently creates two strategies, StrategyA and StrategB, wherein the StrategyA has two strategy versions, StrategyA _ ver1.0, StrategyA _ ver2.0, and StrategyB has three strategy versions, namely, StrategB _ ver1.0, StrategyB _ ver2.0 and StrategyB _ ver3.0, a strategy version combination consisting of StrategyA _ ver2.0 and StrategyB _ ver3.0 can be selected in a strategy verification process for strategy operation.
Meanwhile, the sandbox configuration system 63 may also verify the access right preparation policy by using different traffic policy verifications, where the traffic policy includes that traffic may be imported according to a service type, an operation type, a resource type, or a user set. For example, a client may select an access request related to the cloud server and executing a certain sub-account to perform a policy operation. Meanwhile, the client can select to import the real-time flow of the current data access system and also select the strategy operation performed by the flow of the data access system in a certain period of history.
The policy diagnosis system 64 is configured to perform diagnosis and analysis on the policy operation result of the sandbox configuration system according to the preset threshold, and output an access right policy meeting the requirement of the preset threshold. The diagnostic analysis here includes analyzing inconsistent request ratios, such as dimensions of business type ratio, operation type ratio, resource type ratio, user ratio and the like in inconsistent requests.
The policy issuing system 65 performs configuration issuing operation on the access right policy determined by the policy diagnosis system on the corresponding data access system, and performs statistical analysis on the issued operation index.
When the permission policy configuration apparatus of the present embodiment is used, first, the data management system 61 receives the access permission configuration information of the existing data access system from the outside; then the version management system generates a plurality of access right preparation strategies according to the received access right configuration information; then the sandbox configuration system 63 provides a sandbox environment to operate the access right preparation strategy based on the flow strategy, and obtains a corresponding strategy operation result; subsequently, the policy diagnosis system 64 performs diagnostic analysis on the policy operation result of the sandbox configuration system based on the preset threshold, outputs an access authority policy meeting the requirement of the preset threshold, and stores the access authority policy in the data management system 61. Finally, the policy issuing system 65 performs configuration issuing operation on the access right policy stored in the data management system 61, and performs statistical analysis on the issued operation index.
Thus, the authorization policy configuration method and the data access authorization policy configuration process of the authorization policy configuration device of the present embodiment are completed.
The permission policy configuration method and the permission policy configuration device generate the corresponding access permission preparation policy based on the access permission configuration information, and screen all the access permission preparation policies in the preset sandbox environment, so that the configuration efficiency of the access permission preparation policy is greatly improved, and the operation stability of the configured access permission preparation policy is improved; the technical problems that the configuration efficiency and the configuration stability of the conventional permission policy configuration method and the configuration device are low are effectively solved.
As used herein, the terms "component," "module," "system," "interface," "process," and the like are generally intended to refer to a computer-related entity: hardware, a combination of hardware and software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a controller and the controller can be a component. One or more components can reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers.
FIG. 7 and the following discussion provide a brief, general description of an operating environment of an electronic device in which the rights policy configuration mechanism of the present invention is implemented. The operating environment of FIG. 7 is only one example of a suitable operating environment and is not intended to suggest any limitation as to the scope of use or functionality of the operating environment. Example electronic devices 712 include, but are not limited to, wearable devices, head-mounted devices, medical health platforms, personal computers, server computers, hand-held or laptop devices, mobile devices (such as mobile phones, Personal Digital Assistants (PDAs), media players, and the like), multiprocessor systems, consumer electronics, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
Although not required, embodiments are described in the general context of "computer readable instructions" being executed by one or more electronic devices. Computer readable instructions may be distributed via computer readable media (discussed below). Computer readable instructions may be implemented as program modules, such as functions, objects, Application Programming Interfaces (APIs), data structures, etc. that perform particular tasks or implement particular abstract data types. Typically, the functionality of the computer readable instructions may be combined or distributed as desired in various environments.
Fig. 7 illustrates an example of an electronic device 712 that includes one or more embodiments of the rights policy configuration mechanism of the present invention. In one configuration, the electronic device 712 includes at least one processing unit 716 and memory 718. Depending on the exact configuration and type of electronic device, memory 718 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two. This configuration is illustrated in fig. 7 by dashed line 714.
In other embodiments, electronic device 712 may include additional features and/or functionality. For example, device 712 may also include additional storage (e.g., removable and/or non-removable) including, but not limited to, magnetic storage, optical storage, and the like. Such additional storage is illustrated in fig. 7 by storage 720. In one embodiment, computer readable instructions to implement one or more embodiments provided herein may be in storage 720. Storage 720 may also store other computer readable instructions to implement an operating system, an application program, and the like. Computer readable instructions may be loaded in memory 718 for execution by processing unit 716, for example.
The term "computer readable media" as used herein includes computer storage media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions or other data. Memory 718 and storage 720 are examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by electronic device 712. Any such computer storage media may be part of electronic device 712.
Electronic device 712 may also include communication connection(s) 726 that allow electronic device 712 to communicate with other devices. Communication connection(s) 726 may include, but is not limited to, a modem, a Network Interface Card (NIC), an integrated network interface, a radio frequency transmitter/receiver, an infrared port, a USB connection, or other interfaces for connecting electronic device 712 to other electronic devices. Communication connection 726 may include a wired connection or a wireless connection. Communication connection 726 may transmit and/or receive communication media.
The term "computer readable media" may include communication media. Communication media typically embodies computer readable instructions or other data in a "modulated data signal" such as a carrier wave or other transport mechanism and includes any information delivery media. The term "modulated data signal" may include signals that: one or more of the signal characteristics may be set or changed in such a manner as to encode information in the signal.
The electronic device 712 may include input device(s) 724 such as a keyboard, a mouse, a pen, a voice input device, a touch input device, an infrared camera, a video input device, and/or any other input device. Output device(s) 722 such as one or more displays, speakers, printers, and/or any other output device may also be included in device 712. The input device 724 and the output device 722 may be connected to the electronic device 712 via a wired connection, a wireless connection, or any combination thereof. In one embodiment, an input device or an output device from another electronic device may be used as input device 724 or output device 722 for electronic device 712.
The components of electronic device 712 may be connected by various interconnects, such as a bus. Such interconnects may include Peripheral Component Interconnect (PCI), such as PCI express, Universal Serial Bus (USB), firewire (IEEE1394), optical bus structures, and the like. In another embodiment, components of electronic device 712 may be interconnected by a network. For example, memory 718 may be comprised of multiple physical memory units located in different physical locations interconnected by a network.
Those skilled in the art will realize that storage devices utilized to store computer readable instructions may be distributed across a network. For example, an electronic device 730 accessible via network 728 may store computer readable instructions to implement one or more embodiments provided by the present invention. Electronic device 712 may access electronic device 730 and download a part or all of the computer readable instructions for execution. Alternatively, electronic device 712 may download pieces of the computer readable instructions, as needed, or some instructions may be executed at electronic device 712 and some at electronic device 730.
Various operations of embodiments are provided herein. In one embodiment, the one or more operations may constitute computer readable instructions stored on one or more computer readable media, which when executed by an electronic device, will cause the computing device to perform the operations. The order in which some or all of the operations are described should not be construed as to imply that these operations are necessarily order dependent. Those skilled in the art will appreciate alternative orderings having the benefit of this description. Moreover, it should be understood that not all operations are necessarily present in each embodiment provided herein.
Also, although the disclosure has been shown and described with respect to one or more implementations, equivalent alterations and modifications will occur to others skilled in the art based upon a reading and understanding of this specification and the annexed drawings. The present disclosure includes all such modifications and alterations, and is limited only by the scope of the appended claims. In particular regard to the various functions performed by the above described components (e.g., elements, resources, etc.), the terms used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (e.g., that is functionally equivalent), even though not structurally equivalent to the disclosed structure which performs the function in the herein illustrated exemplary implementations of the disclosure. In addition, while a particular feature of the disclosure may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for a given or particular application. Furthermore, to the extent that the terms "includes," has, "" contains, "or variants thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term" comprising.
Each functional unit in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium. The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc. Each apparatus or system described above may perform the method in the corresponding method embodiment.
In summary, although the present invention has been disclosed in the foregoing embodiments, the serial numbers before the embodiments are used for convenience of description only, and the sequence of the embodiments of the present invention is not limited. Furthermore, the above embodiments are not intended to limit the present invention, and those skilled in the art can make various changes and modifications without departing from the spirit and scope of the present invention, therefore, the scope of the present invention shall be limited by the appended claims.

Claims (15)

1. A permission policy configuration method is characterized by comprising the following steps:
acquiring access authority configuration information, and generating at least one access authority preparation strategy based on the access authority configuration information;
obtaining access right flow information, and performing policy operation on the access right preparation policy in a preset sandbox environment according to the access right flow information to obtain a preparation policy operation result;
screening the operation result of the preparation strategy by using a preset threshold value to obtain a corresponding access authority strategy; and
and carrying out configuration operation on the access authority strategy on a corresponding data access system.
2. The permission policy configuration method according to claim 1, wherein the access permission configuration information includes access data interface information, access data identification information, access data location information, access data attribution information, and access data authorization information;
the step of generating at least one access right preparation policy based on the access right configuration information comprises:
generating a plurality of access right preparation strategies based on the access right configuration information; the access data interface information, the access data position information, the access data attribution information and/or the access data authorization information corresponding to different access right preparation strategies are different.
3. The permission policy configuration method according to claim 1, wherein the access permission traffic information includes traffic information of a preset access data type or traffic information of a preset access data time;
the step of performing policy operation on the access right preparation policy in a preset sandbox environment according to the access right flow information comprises:
performing policy operation on the access permission preparation policy in a preset sandbox environment by using access information corresponding to flow of a preset access data type; or
And performing policy operation on the access authority preparation policy in a preset sandbox environment by using access information corresponding to the flow of preset access data time.
4. The permission policy configuration method according to claim 3, wherein the step of performing policy operation on the access permission preparation policy in a preset sandbox environment using access information corresponding to traffic of a preset access data time comprises:
and performing policy operation on the access permission preparation policy in a preset sandbox environment by using access information corresponding to real-time flow.
5. The permission policy configuration method according to claim 3, wherein the step of performing policy operation on the access permission preparation policy in a preset sandbox environment according to the access permission traffic information comprises:
based on a preset conversion formula, converting the flow of each access data type of the preset access data time into the flow of the preset access data type;
and performing policy operation on the access permission preparation policy in a preset sandbox environment by using access information corresponding to the flow of a preset access data type.
6. The permission policy configuration method according to claim 2, wherein the step of performing policy operation on the access permission preparation policy in a preset sandbox environment according to the access permission traffic information comprises:
and simultaneously carrying out policy operation on at least two access right preparation policies in the same preset sandbox environment according to the access right flow information.
7. The permission policy configuration method according to claim 1, wherein the preset threshold includes at least one of a request amount trend range, an error code distribution range, and a request traffic distribution range;
the step of screening the operation result of the preparation strategy by using a preset threshold value to obtain a corresponding access authority strategy comprises the following steps:
and determining the preset threshold value based on the operation result of the existing access authority strategy and a preset floating range.
8. An authorization policy configuration apparatus, comprising:
the preparation strategy generation module is used for acquiring access authority configuration information and generating at least one access authority preparation strategy based on the access authority configuration information;
the policy operation module is used for acquiring access authority flow information and performing policy operation on the access authority preparation policy in a preset sandbox environment according to the access authority flow information to obtain a preparation policy operation result;
the access authority strategy acquisition module is used for screening the operation result of the preparation strategy by using a preset threshold value so as to obtain a corresponding access authority strategy; and
and the configuration module is used for configuring the access authority policy on a corresponding data access system.
9. The permission policy configuration device according to claim 8, wherein the access permission configuration information includes access data interface information, access data identification information, access data location information, access data attribution information, and access data authorization information;
the preparation policy generation module is specifically configured to generate a plurality of access right preparation policies based on the access right configuration information; the access data interface information, the access data position information, the access data attribution information and/or the access data authorization information corresponding to different access right preparation strategies are different.
10. The permission policy configuration device according to claim 8, wherein the access permission traffic information includes traffic information of a preset access data type or traffic information of a preset access data time;
the policy operation module includes:
the first policy operation unit is used for performing policy operation on the access permission preparation policy in a preset sandbox environment by using access information corresponding to flow of a preset access data type; and
and the second policy operation unit is used for performing policy operation on the access permission preparation policy in a preset sandbox environment by using access information corresponding to the flow of preset access data time.
11. The permission policy configuration device according to claim 10, wherein the second policy running unit is further configured to perform policy running on the access permission preparation policy in a preset sandbox environment by using access information corresponding to real-time traffic.
12. The permission policy configuration device according to claim 10, wherein the policy execution module includes:
the conversion unit is used for converting the flow of each access data type of the preset access data time into the flow of the preset access data type based on a preset conversion formula; and
and the second policy operation unit is used for performing policy operation on the access permission preparation policy in a preset sandbox environment by using access information corresponding to the flow of preset access data time.
13. The permission policy configuration device according to claim 9, wherein the policy operation module is configured to perform policy operation on at least two access permission preparation policies simultaneously in a same preset sandbox environment according to the access permission traffic information.
14. The apparatus for configuring authority policy according to claim 8, wherein the preset threshold includes at least one of a request amount trend range, an error code distribution range and a request traffic distribution range;
the permission policy configuration device further includes:
and the threshold setting module is used for determining the preset threshold based on the operation result of the existing access authority strategy and a preset floating range.
15. A computer-readable storage medium having stored therein processor-executable instructions, the instructions being loaded by one or more processors to perform the rights policy configuration method of any of claims 1-7.
CN201811201709.2A 2018-10-16 2018-10-16 Permission policy configuration method and device and computer readable storage medium Active CN109462576B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811201709.2A CN109462576B (en) 2018-10-16 2018-10-16 Permission policy configuration method and device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811201709.2A CN109462576B (en) 2018-10-16 2018-10-16 Permission policy configuration method and device and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN109462576A CN109462576A (en) 2019-03-12
CN109462576B true CN109462576B (en) 2020-04-21

Family

ID=65607707

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811201709.2A Active CN109462576B (en) 2018-10-16 2018-10-16 Permission policy configuration method and device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN109462576B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111814174B (en) * 2020-09-04 2020-12-08 平安国际智慧城市科技股份有限公司 Data access control method and device and computer equipment

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104715209A (en) * 2015-04-03 2015-06-17 山东华软金盾软件有限公司 Outgoing document encryption protection method
CN107895116A (en) * 2017-11-29 2018-04-10 山东渔翁信息技术股份有限公司 APP data guard methods, equipment, mobile terminal and computer-readable recording medium

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4935899B2 (en) * 2007-03-08 2012-05-23 富士通株式会社 Access authority setting program, method and apparatus
CN102289628A (en) * 2011-07-21 2011-12-21 浙江大学城市学院 Sandbox-technology-based shell script security operating method and system
CN102427610A (en) * 2011-12-29 2012-04-25 陈佳阳 Wireless router with built-in user management function, system and networking method thereof
US9973505B2 (en) * 2015-01-14 2018-05-15 Samsung Electronics Co., Ltd. Method for controlling contents and electronic device thereof
CN107480554B (en) * 2017-07-28 2020-08-14 中科创达软件科技(深圳)有限公司 Authority management method, authority management device and intelligent terminal
CN108021400B (en) * 2017-11-29 2022-03-29 腾讯科技(深圳)有限公司 Data processing method and device, computer storage medium and equipment
CN108427886B (en) * 2018-01-25 2020-06-02 上海掌门科技有限公司 Method, system, device and readable medium for setting access authority of application program

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104715209A (en) * 2015-04-03 2015-06-17 山东华软金盾软件有限公司 Outgoing document encryption protection method
CN107895116A (en) * 2017-11-29 2018-04-10 山东渔翁信息技术股份有限公司 APP data guard methods, equipment, mobile terminal and computer-readable recording medium

Also Published As

Publication number Publication date
CN109462576A (en) 2019-03-12

Similar Documents

Publication Publication Date Title
US11036696B2 (en) Resource allocation for database provisioning
US11669503B2 (en) Building and managing data-processing attributes for modeled data sources
CN106778303B (en) Authorization policy optimization method and authorization policy optimization device
US11632397B2 (en) Temporary interface to provide intelligent application access
US20170140171A1 (en) System for Managing Personal Data
US10547616B2 (en) Systems and methods for supporting information security and sub-system operational protocol conformance
CN111226197A (en) Cognitive learning workflow execution
CN105765527A (en) Method and apparatus for custom software development kit (SDK) generation
US10623410B2 (en) Multi-level, distributed access control between services and applications
US10656939B2 (en) Modeling lifetime of hybrid software application using application manifest
US11316693B2 (en) Trusted platform module-based prepaid access token for commercial IoT online services
US11526431B2 (en) Systems and methods for automated provisioning of a virtual mainframe test environment
KR102327083B1 (en) System and method for sharing software component
CN105740057A (en) Information processing method and device
CN110138767B (en) Transaction request processing method, device, equipment and storage medium
US10884713B2 (en) Transformations of a user-interface modality of an application
CN109462576B (en) Permission policy configuration method and device and computer readable storage medium
US9354849B2 (en) Modification of compiled applications and application management using retrievable policies
US20190166029A1 (en) Tracking usage of computing resources
CN115039073A (en) Autonomic TERRAFORM across cloud infrastructure
CN110717315B (en) System data batch modification method and device, storage medium and electronic equipment
CN111435348A (en) Method for creating runtime executable program for data analysis function
US20190340542A1 (en) Computational Efficiency in Symbolic Sequence Analytics Using Random Sequence Embeddings
CN112307449B (en) Authority hierarchical management method, device, electronic equipment and readable storage medium
CN115170268B (en) Financial product generation method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant