CN109726579A - Resource access authority group technology and equipment - Google Patents


Info

Publication number
CN109726579A
Authority
CN
China
Prior art keywords
resource
user
user grouping
parent
access authority
Prior art date
Legal status
Granted
Application number
CN201711031968.0A
Other languages
Chinese (zh)
Other versions
CN109726579B (en)
Inventor
胡兵
强琦
Current Assignee
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The purpose of this application is to provide a resource access authority grouping method and device. By establishing a three-way correspondence between resources, user groups and access authorities, a later change to the users in a user group automatically changes the resources and access authorities that apply to those users, without the resources and permissions of each user having to be maintained one by one. This simplifies operation and guarantees that resources and access authorities stay synchronized in real time with changes to the user group. In addition, the embodiment uses a resource index value to reduce the number of database queries, so that the user groups under a child resource to be queried and its parent resources, and hence their access authorities, are found more quickly.

Description

Resource access authority group technology and equipment
Technical field
This application relates to the field of computers, and in particular to a resource access authority grouping method and device.
Background technique
The following scenario occurs in many small applications: several people are added to a group, and a specific permission rule is then set for that group. For example, an attendance group can be created by putting certain departments or certain users together, and an attendance rule set for that group; the users in the attendance group then have the attendance permission defined by that rule. For a file directory, certain departments (containing users), certain groups (containing users) or certain users can be given view permission or edit permission. For a log template, only certain people or certain departments have permission to view and use it.
In the prior art, when users change, the business side generally has to maintain each user change and the corresponding permission change one by one, which is cumbersome.
Summary of the invention
The purpose of this application is to provide a resource access authority grouping method and device that solve the problem that, when users change, the user changes and the corresponding permission changes must be maintained one by one, which is cumbersome, and that queries are slow.
According to one aspect of this application, a resource access authority grouping method is provided. The method comprises:
establishing a correspondence between a resource and a user group, the user group comprising at least one user;
establishing a correspondence between the user group and the access authority for the resource corresponding to it;
obtaining the number of levels of the parent resource and child resources in the resource, wherein the resource comprises at least two levels: a parent resource and the child resources under the parent resource;
according to the number of levels of the parent resource and child resources, establishing a correspondence between the parent resource and/or child resources and a resource index value, wherein parent resources and/or child resources whose number of levels falls in the same threshold interval correspond to the same resource index value.
Further, in the above method, after establishing the correspondence between the user group and the access authority for the resource corresponding to it, the method further comprises:
obtaining a request to add and/or remove a user in the user group;
according to the add and/or remove request, adding and/or deleting the corresponding user in the corresponding user group.
Further, in the above method, when the resource corresponding to the user group is a parent resource, establishing the correspondence between the user group and the access authority for the resource corresponding to it comprises:
establishing a correspondence between the user group and the access authority for the parent resource corresponding to it;
establishing a correspondence between the user group and the access authority for the child resources under the parent resource corresponding to it.
Further, in the above method, after resources whose number of levels falls in the same threshold interval have been assigned the same resource index, the method further comprises:
obtaining a request to query the access authority of the user groups corresponding to a child resource;
determining the parent resources of the child resource to be queried according to the request;
according to the resource index values corresponding to the child resource to be queried and its parent resources, obtaining the user groups under the child resource to be queried and its parent resources.
Further, in the above method, after obtaining the access authority for the resources corresponding to the user groups under the child resource to be queried and its parent resources, the method further comprises:
displaying, in a tree structure, the user groups under the child resource to be queried and its parent resources together with the access authority for the resources corresponding to those user groups.
Further, in the above method, when establishing the correspondence between a resource and a user group, one user group establishes a correspondence with only one resource.
Further, in the above method, when establishing the correspondence between the user group and the access authority for the resource corresponding to it, one user group establishes a correspondence with only one access authority of one resource.
Further, in the above method, when establishing the correspondence between the user group and the access authority for the resource corresponding to it, when the same resource corresponds to at least two user groups, each of those user groups has a different access authority for that same resource.
Further, in the above method, the user group comprises at least one user subgroup, and the user subgroup comprises at least one user.
According to another aspect of this application, a resource access authority grouping device is also provided. The device comprises:
a resource and user group unit, for establishing a correspondence between a resource and a user group, the user group comprising at least one user;
a user group and access authority unit, for establishing a correspondence between the user group and the access authority for the resource corresponding to it;
an index value unit, for obtaining the number of levels of the parent resource and child resources in the resource, wherein the resource comprises at least two levels: a parent resource and the child resources under the parent resource; and, according to the number of levels of the parent resource and child resources, establishing a correspondence between the parent resource and/or child resources and a resource index value, wherein parent resources and/or child resources whose number of levels falls in the same threshold interval correspond to the same resource index value.
According to another aspect of this application, a computing-based device is also provided, comprising:
a processor; and
a memory arranged to store computer-executable instructions which, when executed, cause the processor to:
establish a correspondence between a resource and a user group, the user group comprising at least one user;
establish a correspondence between the user group and the access authority for the resource corresponding to it;
obtain the number of levels of the parent resource and child resources in the resource, wherein the resource comprises at least two levels: a parent resource and the child resources under the parent resource;
according to the number of levels of the parent resource and child resources, establish a correspondence between the parent resource and/or child resources and a resource index value, wherein parent resources and/or child resources whose number of levels falls in the same threshold interval correspond to the same resource index value.
According to another aspect of this application, a computer-readable storage medium is also provided, on which computer-executable instructions are stored, wherein the computer-executable instructions, when executed by a processor, cause the processor to:
establish a correspondence between a resource and a user group, the user group comprising at least one user;
establish a correspondence between the user group and the access authority for the resource corresponding to it;
obtain the number of levels of the parent resource and child resources in the resource, wherein the resource comprises at least two levels: a parent resource and the child resources under the parent resource;
according to the number of levels of the parent resource and child resources, establish a correspondence between the parent resource and/or child resources and a resource index value, wherein parent resources and/or child resources whose number of levels falls in the same threshold interval correspond to the same resource index value.
Compared with the prior art, this application establishes a three-way correspondence between resources, user groups and access authorities, so that when the users in a user group later change, the resources and access authorities corresponding to those users change automatically according to that correspondence, without the resources and permissions of each user having to be maintained one by one. This simplifies operation and guarantees that resources and access authorities stay synchronized in real time with changes to the user group.
In addition, the embodiment uses a resource index value to reduce the number of database queries, so that the user groups under the child resource to be queried and its parent resources, and hence their access authorities, are found more quickly.
Detailed description of the invention
Other features, objects and advantages of this application will become more apparent from the following detailed description of non-limiting embodiments, read in the light of the attached drawings:
Fig. 1 shows a flow chart of the resource access authority grouping method according to one embodiment of this application;
Fig. 2 shows a schematic diagram of the three-way correspondence between resources, user groups and access authorities in one embodiment of this application;
Fig. 3 shows a schematic diagram of the input interface for querying whether a user UID has access authority for a resource path, in one embodiment of this application;
Fig. 4 shows a schematic diagram of a query result displayed as a tree structure in one embodiment of this application;
Fig. 5 shows a schematic diagram of a query result displayed as a tree structure in another embodiment of this application;
Fig. 6 shows a schematic diagram of user subgroups according to one embodiment of this application.
The same or similar reference signs represent the same or similar components in the drawings.
Specific embodiment
This application is described in further detail below with reference to the accompanying drawings.
In a typical configuration of this application, a terminal, a device of the service network and a trusted party each comprise one or more processors (CPU), input/output interfaces, network interfaces and memory.
The memory may take the form of non-persistent memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other kinds of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
As shown in Figs. 1 and 2, this application provides a resource access authority grouping method, which comprises:
Step S1: establishing a correspondence between a resource and a user group, the user group comprising at least one user;
For example, a user group Group may be created; the user group may be a set of users, a department or a group, where the department or group contains at least one user. This Group is then set to correspond to some resource Resource, which may be an attendance check-in, a file, a log template and so on;
Specifically, a resource may be denoted by a resourceURI, such as resource 1 (Resource_1) and resource 2 (Resource_2) in Fig. 2. The format of a resourceURI is tenant_id:domain:domain_id:*:biz_resource_path, where:
tenant_id: the identifier of the business side; a unique tenantId may be generated and assigned to each access party;
domain: the first-level domain to which the resource belongs, such as ORG/SPACE/.....;
domain_id: the identifier of the first-level domain to which the resource belongs; for example, if the first-level domain of the resource is ORG, the corresponding domain_id may be the orgId;
biz_resource_path: the absolute path of the resource;
In addition, when the business side sets certain users, departments or groups to have specific access authority for some resource, those users, departments and groups may be added to one user group Group, and a globally unique groupId generated for it at the same time, such as user group A (GroupA), user group B (GroupB), user group C (GroupC) and user group D (GroupD) in Fig. 2;
Step S2: establishing a correspondence between the user group and the access authority for the resource corresponding to it;
After step S1, step S2 may set the access authority (Policy) that this Group has for the Resource corresponding to it. The access authority may comprise a definite authority content or a permission usage rule. As shown in Fig. 2, user group A has access authority 1 (policy_1) for resource 1 and user group B has access authority 3 (policy_3) for resource 1, while user group C has access authority 3 (policy_3) for resource 2 and user group D has access authority 4 (policy_4) for resource 2;
The correspondence between Resource, Group and Policy established in this embodiment may specifically be as shown in Fig. 2;
For example, an access authority may comprise a permission operation point ActionId and a semi-structured configuration Policy composed of permission operation points. A permission operation point ActionId may be, for example, read, write or execute.
Policy can be shaped like:
The above Policy indicates that the permission operation points read, write and execute are all allowed (Allow). Here, ActionIdContains represents the condition configuration, and Result represents the result, Allow/Deny, that applies when the condition is met;
Step S3: obtaining the number of levels of the parent resource and child resources in the resource, wherein the resource comprises at least two levels: a parent resource and the child resources under the parent resource;
Here the resource comprises at least two levels, a parent resource and the child resources under it. For example, a resource may comprise two levels, the parent resource /A/ and the child resource /A/B/ under it; or it may comprise three levels, the parent resource /A/ and the child resources /A/B/ and /A/B/C/ under it;
A parent resource is an upper-level resource and a child resource is a lower-level resource; the two are relative concepts. A given parent resource is a parent with respect to the resources below it and at the same time a child with respect to the level above it; likewise, a given child resource is a parent with respect to the resources below it and a child with respect to the level above it;
Step S4: according to the number of levels of the parent resource and child resources, establishing a correspondence between the parent resource and/or child resources and a resource index value, wherein parent resources and/or child resources whose number of levels falls in the same threshold interval correspond to the same resource index value;
In this embodiment, a rule for the correspondence between the parent resource and/or child resources and the resource index value may be established according to the number of levels of the parent resource and child resources. resource_path denotes the absolute path of a resource and query_index denotes the index value of that absolute path; query_index may specifically be used as the sharding key that selects the database and table. For example, the correspondence rule may be defined as follows:
First threshold interval [0,3): if 0 ≤ number of levels of the absolute path of the parent or child resource < 3, the index value of the resource's absolute path is the first-level path of that absolute path;
Second threshold interval [3,6): if 3 ≤ number of levels of the absolute path of the parent or child resource < 6, the index value of the resource's absolute path is the first- to third-level path of that absolute path;
Third threshold interval [6,9): if 6 ≤ number of levels of the absolute path of the parent or child resource < 9, the index value of the resource's absolute path is the first- to sixth-level path of that absolute path;
For example, according to the above correspondence rule, the correspondence between the user groups under the parent resource and/or child resources (resource_path) and the resource index value (query_index) is as shown in the following table:
Table one
According to the correspondence rule in Table one above, for example:
<1> resourcePath='/A/B/C/', pathdepth is 3, the first- to third-level path is taken, query_index='/A/B/C';
<2> resourcePath='/A/B/C/D/E/F/G/H/', pathdepth is 8, the first- to sixth-level path is taken, query_index='/A/B/C/D/E/F';
<3> resourcePath='/A/B/C/D/*', pathdepth is 4, the first- to third-level path is taken, query_index='/A/B/C';
<4> resourcePath='/A/*', pathdepth is 1, the first-level path is taken, query_index='/A'.
The rule for the correspondence between the parent resource and/or child resources and the resource index value may be adjusted according to the maximum number of levels of one's own resources: the larger the maximum number of levels of the resources, the larger each threshold interval should be set.
Here, by establishing the three-way correspondence between resources, user groups and access authorities, this embodiment ensures that when the users in a user group later change, the resources and access authorities corresponding to those users change automatically according to that correspondence, without the resources and permissions of each user having to be maintained one by one. This simplifies operation and guarantees that resources and access authorities stay synchronized in real time with changes to the user group.
In addition, this embodiment uses the resource index value to reduce the number of database queries, so that the user groups under the child resource to be queried and its parent resources, and hence their access authorities, are found more quickly.
In one embodiment of the resource access authority grouping method of this application, after establishing the correspondence between the user group and the access authority for the resource corresponding to it, the method further comprises:
obtaining a request to add and/or remove a user in the user group;
according to the add and/or remove request, adding and/or deleting the corresponding user in the corresponding user group.
Here, using the three-way correspondence between resources, user groups and access authorities established in the above embodiment, when users in a user group are later added and/or deleted, the resources and access authorities corresponding to those users change automatically according to that correspondence, without the resources and permissions of each user having to be maintained one by one, which simplifies operation.
For example, when the staff of a department changes, or the members of a group change, the user list under the Group can be changed in real time;
For another example, in an access control system a department may be set to be allowed through the door of a meeting room; when a user leaves the department, deleting that user from the department is enough to revoke that person's permission to enter the meeting room in real time.
In one embodiment of the resource access authority grouping method of this application, when the resource corresponding to the user group is a parent resource, establishing the correspondence between the user group and the access authority for the resource corresponding to it comprises:
establishing a correspondence between the user group and the access authority for the parent resource corresponding to it;
establishing a correspondence between the user group and the access authority for the child resources under the parent resource corresponding to it.
By establishing, at the same time as the correspondence between the user group and the access authority for its parent resource, the correspondence between the user group and the access authority for the child resources under that parent resource, this embodiment lets a parent resource carry the access authority of all child resources below it; that is, the access authority of the parent resource is inherited by all child resources below it.
For example, in a file management system a department may be given permission to view directory A (the parent resource); when a subdirectory (child resource) is added under directory A, the users in the department can access all files in the subdirectory. Likewise, when a user is added to the department, that user can immediately view directory A and the files in its subdirectories.
For another example, if a group is given access authority for the parent resource /A/B/ (resourcePath='/A/B/*'), the users in that Group automatically have access authority for every child resource under the parent resource, such as /A/B/C and /A/B/C1/D1.
Specifically, if biz_resource_path='/A', the user may access the parent resource /A itself under the domain and may also access all child resources under /A, such as /A/B/ and /A/B/C/;
if biz_resource_path='/A/B/', the user may access the parent resource /A/B itself under the domain and may also access all child resources under /A/B, such as /A/B/C/ and /A/B/C/D/;
if biz_resource_path='/', the user may access the parent resource / itself under the domain and may also access all child resources under /, such as /A/ and /A/B/.
Here '/' is a reserved keyword: biz_resource_path is split into levels by '/', so the resource identifier at each level must not contain '/', to avoid confusion with the reserved keyword.
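An added Python example, not code from the patent: it parses the resourceURI format from Step S1 and applies the parent-to-child inheritance described above. The identifier character set and the simplification of every grant to an Allow policy are assumptions.

```python
"""Parsing resourceURI strings and checking inherited access on child resources."""
import re
from dataclasses import dataclass

# Assumption: level identifiers are limited to this character set. The description
# only states that '/' is reserved and must not appear inside an identifier.
IDENT = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass(frozen=True)
class ResourceURI:
    tenant_id: str
    domain: str
    domain_id: str
    biz_resource_path: str


def path_segments(path):
    """Level identifiers of an absolute path; a trailing '*' wildcard is dropped."""
    segs = [s for s in path.split("/") if s]
    if segs and segs[-1] == "*":
        segs.pop()
    return segs


def validate_path(path):
    """Reject paths that are not absolute or that contain a bad level identifier."""
    if not path.startswith("/"):
        raise ValueError(f"biz_resource_path must be absolute: {path!r}")
    for seg in path_segments(path):
        if not IDENT.match(seg):
            raise ValueError(f"invalid level identifier {seg!r} in {path!r}")


def parse_resource_uri(uri):
    """Format from the description: tenant_id:domain:domain_id:*:biz_resource_path."""
    parts = uri.split(":", 4)
    if len(parts) != 5 or parts[3] != "*":
        raise ValueError(f"malformed resourceURI: {uri!r}")
    tenant_id, domain, domain_id, _, path = parts
    if not (tenant_id and domain and domain_id):
        raise ValueError(f"empty component in resourceURI: {uri!r}")
    validate_path(path)
    return ResourceURI(tenant_id, domain, domain_id, path)


def is_valid_resource_uri(uri):
    try:
        parse_resource_uri(uri)
        return True
    except ValueError:
        return False


def covers(grant_path, target_path):
    """True when a grant on grant_path also applies to target_path (inheritance).

    The comparison is per level, so '/A/B' covers '/A/B/C1/D1' but not '/A/BB';
    a plain string-prefix test would wrongly treat '/A/BB' as a child of '/A/B'.
    """
    g = path_segments(grant_path)
    t = path_segments(target_path)
    return t[:len(g)] == g


def is_allowed(grants, user_groups, target_uri):
    """grants: iterable of (groupId, resourceURI) pairs, each meaning the group holds
    an Allow policy on that resource (the Policy body is simplified away here).
    Allowed when one of the user's groups holds a grant in the same tenant, domain
    and domain_id whose path covers the target path."""
    target = parse_resource_uri(target_uri)
    scope = (target.tenant_id, target.domain, target.domain_id)
    for group_id, uri in grants:
        if group_id not in user_groups:
            continue
        granted = parse_resource_uri(uri)
        if (granted.tenant_id, granted.domain, granted.domain_id) != scope:
            continue
        if covers(granted.biz_resource_path, target.biz_resource_path):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample grants, not taken from the description.
    GRANTS = [("GroupA", "t1:ORG:org42:*:/A/B/*"), ("GroupB", "t1:ORG:org42:*:/X/")]
    for uri in ("t1:ORG:org42:*:/A/B/C/", "t1:ORG:org42:*:/A/BB/"):
        print(uri, "->", is_allowed(GRANTS, {"GroupA"}, uri))
```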
Because the access authority of a parent resource is inherited by all child resources below it, querying all users who have access authority for a given resource requires obtaining not only all users with access authority for that resource but also all users with access authority for any of its parent resources, since all users with access authority for a parent resource of the resource certainly also have access authority for the resource. The following embodiments explain how to query all users who have permission for a given resource:
In one embodiment of the resource access authority grouping method of this application, in order to query all users who have access authority for a given resource, after establishing the correspondence between the user group and the access authority for the child resources under the parent resource corresponding to it, the method further comprises:
obtaining a request to query the access authority of the user groups corresponding to a child resource;
determining, level by level and based on the request, the parent resources at each level of the child resource to be queried;
obtaining, level by level, the user groups under the child resource to be queried and its determined parent resources;
merging and de-duplicating the user groups obtained.
For example, to query which users have access authority for the directory /A/B/C/D/E, i.e. to query all group lists with access authority under bizResourcePath='/A/B/C/D/E', assuming the sharding key is Domain:DomainId, the following steps are carried out:
query the group list with access authority for /A/B/C/D/E;
query the group list with access authority for /A/B/C/D;
query the group list with access authority for /A/B/C;
query the group list with access authority for /A/B;
query the group list with access authority for /A;
query the group list with access authority for /*;
After all groups have been found, they are merged (Merge) and de-duplicated once in memory.
In one embodiment of the resource access authority grouping method of this application, in order to query all users who have access authority for a given resource, after establishing the correspondence between the user group and the access authority for the child resources under the parent resource corresponding to it, the method further comprises:
obtaining a request to query the access authority of the user groups corresponding to a child resource;
based on the request, filtering out the parent resources at each level of the child resource to be queried from all resources under the domain in which the child resource is located;
obtaining the user groups under the child resource to be queried and the parent resources filtered out.
For example, to query which users have access authority for the directory (child resource) /A/B/C/D/E, suppose all resources under the domain Domain:DomainId in which the directory (child resource) /A/B/C/D/E is located are as follows:
1. /A/B
2. /A/BB
3. /A1/B1
4. /A2/B2
Matching the directory (child resource) /A/B/C/D/E against all resources under the domain Domain:DomainId in which it is located, the parent resource of the directory (child resource) /A/B/C/D/E is found to be /A/B.
In this implementation, the child resource and all resources under Domain:DomainId can be compared and filtered in memory, and the user groups under the child resource to be queried and the parent resources filtered out can then be obtained.
In one embodiment of the resource access authority grouping method of this application, after resources whose number of levels falls in the same threshold interval have been assigned the same resource index, the method further comprises:
obtaining a request to query the access authority of the user groups corresponding to a child resource;
determining the parent resources of the child resource to be queried according to the request;
according to the resource index values corresponding to the child resource to be queried and its parent resources, obtaining the user groups under the child resource to be queried and its parent resources.
For example, when all Groups under /A/B/C/D/E need to be queried, according to the correspondence in Table one of the above embodiment between the user groups under the parent resource and/or child resources (resource_path) and the resource index value (query_index), only the data with query_index='/A' && query_index='/A/B/C' need to be queried, and the data found are then further filtered in memory. In this embodiment the number of database (DB) operations is found to be reduced from the original 5 to 2; if one MySQL query takes 7ms, the response time of the query is reduced by 21ms (60%).
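As an added Python example (not code from the patent), the following implements the query_index threshold rule of Step S4, the level-by-level query of the previous embodiment and the index-based query of this embodiment against a constructed in-memory grant table, counting the simulated database round trips of each strategy. Two points the description leaves open are assumed: the root '/' gets the index value '/', and paths deeper than eight levels are rejected.

```python
"""Resource index values and the two strategies for finding the groups that can
access a resource through the resource itself or any of its parent resources."""

# Threshold intervals from the description: depth in [0,3) keeps the first level,
# [3,6) the first three, [6,9) the first six. Assumption: deeper paths are
# rejected, since the description defines no further interval.
INDEX_RULE = [(3, 1), (6, 3), (9, 6)]


def path_segments(path):
    """Level identifiers of an absolute path; a trailing '*' wildcard is dropped."""
    segs = [s for s in path.split("/") if s]
    if segs and segs[-1] == "*":
        segs.pop()
    return segs


def join_path(segs):
    return "/" + "/".join(segs)


def query_index(path):
    """query_index (the sharding key) of a resource_path under the threshold rule."""
    segs = path_segments(path)
    for limit, keep in INDEX_RULE:
        if len(segs) < limit:
            return join_path(segs[:keep])
    raise ValueError(f"path depth {len(segs)} has no threshold interval: {path!r}")


def ancestors(path):
    """The resource itself, then each parent resource up to the root '/'."""
    segs = path_segments(path)
    return [join_path(segs[:i]) for i in range(len(segs), -1, -1)]


class GrantTable:
    """In-memory stand-in for a (resource_path, query_index, groupId) table.
    Every select counts as one database round trip."""

    def __init__(self, rows):
        self.rows = [(join_path(path_segments(p)), query_index(p), g) for p, g in rows]
        self.db_queries = 0

    def select_by_path(self, path):
        self.db_queries += 1
        return [(p, g) for p, _, g in self.rows if p == path]

    def select_by_index(self, index):
        self.db_queries += 1
        return [(p, g) for p, idx, g in self.rows if idx == index]


def groups_with_access_naive(table, path):
    """One query per level (the child, then each parent), then merge and de-duplicate."""
    table.db_queries = 0
    found = set()
    for anc in ancestors(path):
        found.update(g for _, g in table.select_by_path(anc))
    return sorted(found), table.db_queries


def groups_with_access_indexed(table, path):
    """One query per distinct query_index along the chain, then filter in memory."""
    table.db_queries = 0
    chain = ancestors(path)
    wanted = set(chain)
    found = set()
    for idx in dict.fromkeys(query_index(a) for a in chain):
        for p, g in table.select_by_index(idx):
            if p in wanted:  # rows sharing the index but off the parent chain are dropped
                found.add(g)
    return sorted(found), table.db_queries


# Constructed sample grants, not taken from the description. '/A/BB' shares the
# index '/A' with '/A' but is not a parent of '/A/B/C/D/E'; the root grant repeats
# GroupA so that de-duplication is exercised.
SAMPLE_ROWS = [
    ("/A/B/C/D/E", "GroupA"),
    ("/A/B/C/D/E", "GroupB"),
    ("/A/B/C/", "GroupC"),
    ("/A/BB/", "GroupD"),
    ("/A/*", "GroupE"),
    ("/A/B/C/D/E/F/", "GroupF"),
    ("/", "GroupA"),
    ("/X/", "GroupG"),
]

if __name__ == "__main__":
    table = GrantTable(SAMPLE_ROWS)
    print("per-level:", groups_with_access_naive(table, "/A/B/C/D/E"))
    print("indexed:  ", groups_with_access_indexed(table, "/A/B/C/D/E"))
```

Both strategies return the same four groups; the per-level strategy costs six round trips here (one per level including the root) and the indexed strategy three, one per distinct query_index value on the chain.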
In one embodiment of the resource access authority grouping method of this application, after obtaining the access authority for the resources corresponding to the user groups under the child resource to be queried and its parent resources, the method further comprises:
displaying, in a tree structure, the user groups under the child resource to be queried and its parent resources together with the access authority for the resources corresponding to those user groups.
Here, when implementing a rights management system, an operations back end is needed that can be used to check problems, or to determine whether a user has permission for some resource and the reason the user has that access authority. For example, in a web page as shown in Fig. 3, a resource path resourceURI and a user UID can be entered to query whether the user UID has access authority for that resource path. If only true/false is returned, indicating directly whether the user id has permission for the resource path or not, the result is not intuitive enough and shows no intermediate process, which does not help diagnosis and troubleshooting.
This embodiment may comprise the following steps:
Step 1: as shown in Fig. 3, enter the resourceURI and the user UID;
Step 2: click the query button;
Step 3: the output is a tree structure as shown in Fig. 4 or Fig. 5, whose nodes can be expanded and collapsed. In Fig. 4 or 5, the business meaning of the tree structure is: the user belongs to the session with session id=53506390, this session belongs to the group with group=27001, and at initialization only this group can access the resource, so the user can access the resource. The result lists in detail why the user can access the resource.
This embodiment not only determines whether a user group can access a resource, but can also list, by means of the tree structure, why the resource is accessible. Specifically, all user groups under a resource can be listed through a dynamically generated expandable tree structure, making the abstract permission decision concrete, so that a developer or customer can see at a glance whether a resource is accessible, which makes it easier for developers and customers to check and diagnose problems. This embodiment can be used in permission systems such as ACL/RBAC/GBAC.
In one embodiment of the resource access authority grouping method of the present application, in establishing the correspondence between resources and user groupings,
one user grouping establishes a correspondence with only one resource, which guarantees that a Group can belong to only one Resource and avoids confusion about the corresponding resource when users are updated.
In one embodiment of the resource access authority grouping method of the present application, in establishing the correspondence between the user grouping and the access authority of the resource corresponding to it,
one user grouping establishes a correspondence with the access authority of only one resource, which guarantees that a Group can be assigned only one Policy and avoids confusion about the corresponding Policy when users are updated.
In one embodiment of the resource access authority grouping method of the present application, in establishing the correspondence between the user grouping and the access authority of the resource corresponding to it,
when the same resource corresponds to at least two user groupings, the access authority of that same resource corresponding to each of the at least two user groupings is different. This guarantees that a Resource can have multiple Groups, but that different Groups under one Resource necessarily correspond to different Policies; that is, users who hold the same Policy under a Resource can be merged into the same Group, which avoids confusion of Policies when the users of different Groups under the same Resource are updated.
In one embodiment of the resource access authority grouping method of the present application, the user grouping includes at least one user sub-group, and the user sub-group includes at least one user.
Here, as shown in figure 6, a user sub-group Member is the constituent unit under a user grouping Group: one user grouping Group includes one or more user sub-groups Member, and each user sub-group Member includes at least one user Uid. A user sub-group Member may include a sub-group type memberType and a sub-group identifier memberId.
For example, if a user sub-group Member under a Group is a department (deptId=123), then memberType='dept' and memberId='123'; for another example, if a user sub-group Member under a Group is a conversation group (cid=456), then memberType='conv' and memberId='456'. One Group is composed of one or more memberId+memberType pairs.
Here, by arranging user sub-groups under a user grouping, this embodiment achieves finer-grained changes of the users in each user set under each user grouping. For example, if there are two user sub-groups A1 and A2 under a user grouping, and user a is in user sub-group A1 but not in user sub-group A2, then only the deletion of user a from user sub-group A1 needs to be done, and no user change needs to be made in user sub-group A2.
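The diagnostic tree of the walk-through above (figures 4 and 5), the three Group/Resource/Policy constraints, and the Member sub-groups of this embodiment fit in one small model. The following Python is an added example, not code from the patent: it enforces the constraints when a Group is bound, resolves a uid through its Member sub-groups to the Groups under a resource and its parent resources (the parent-to-child inheritance of the embodiment above), and returns the explanation chain as indented lines instead of a bare true/false. The memberType 'session' for the session id of the walk-through, the policy names, the resource paths and the uids are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    """A user sub-group: memberType + memberId, e.g. dept/123 or conv/456."""
    member_type: str
    member_id: str

def ancestors_and_self(path):
    """'/A/B/C' -> ['/A', '/A/B', '/A/B/C'] (parent resources plus the child)."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:n]) for n in range(1, len(parts) + 1)]

class PermissionModel:
    def __init__(self):
        self.group_resource = {}   # group_id -> the one Resource it belongs to
        self.group_policy = {}     # group_id -> the one Policy assigned to it
        self.group_members = {}    # group_id -> set of Member
        self.member_users = {}     # Member -> set of uid

    def bind_group(self, group_id, resource, policy):
        # Constraint 1: a Group belongs to exactly one Resource.
        if group_id in self.group_resource:
            raise ValueError(f"group {group_id} already belongs to {self.group_resource[group_id]}")
        # Constraint 3: two Groups under the same Resource may not share a Policy;
        # users holding the same Policy belong in the same Group.
        for other, res in self.group_resource.items():
            if res == resource and self.group_policy[other] == policy:
                raise ValueError(f"{resource} already has group {other} with policy {policy!r}")
        # Constraint 2 (one Policy per Group) holds by construction of group_policy.
        self.group_resource[group_id] = resource
        self.group_policy[group_id] = policy
        self.group_members[group_id] = set()

    def add_member(self, group_id, member, uids):
        self.group_members[group_id].add(member)
        self.member_users.setdefault(member, set()).update(uids)

    def remove_user(self, member, uid):
        # Removing a user from one sub-group leaves the user's other sub-groups untouched.
        self.member_users.get(member, set()).discard(uid)

    def explain(self, uid, resource):
        """Return (policies, tree_lines) for uid on resource, walking the resource
        and its parent resources, so the caller sees why access is granted or refused."""
        tree = [f"uid={uid} on {resource}"]
        policies = []
        for res in ancestors_and_self(resource):
            for group, owned in self.group_resource.items():
                if owned != res:
                    continue
                members = sorted(self.group_members[group], key=lambda m: (m.member_type, m.member_id))
                for member in members:
                    if uid in self.member_users.get(member, ()):
                        policies.append(self.group_policy[group])
                        tree.append(f"  {member.member_type}={member.member_id} contains uid {uid}")
                        tree.append(f"    group={group} belongs to resource {res}")
                        tree.append(f"      policy={self.group_policy[group]}")
        if not policies:
            tree.append("  no group under this resource or its parent resources contains the user")
        return policies, tree

def build_sample():
    """Constructed data; the group and session ids echo the figure 4/5 walk-through."""
    m = PermissionModel()
    m.bind_group("27001", "/A/B", "read")
    m.bind_group("27002", "/A/B", "write")       # same Resource, different Policy: allowed
    m.add_member("27001", Member("session", "53506390"), {"u-1"})
    m.add_member("27001", Member("dept", "123"), {"u-3"})
    m.add_member("27002", Member("conv", "456"), {"u-3"})
    return m

if __name__ == "__main__":
    print("\n".join(build_sample().explain("u-1", "/A/B/C")[1]))
```

Binding a third Group to /A/B with the policy 'read' is rejected, as is rebinding group 27001 to another resource; a query for u-1 on /A/B/C is answered through the parent /A/B, which is the case the tree display is meant to make visible.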
According to another aspect of the present application, a resource access authority grouping device is also provided, the device including:
a resource and user grouping means for establishing the correspondence between resources and user groupings, the user grouping including at least one user;
a user grouping and access authority means for establishing the correspondence between the user grouping and the access authority of the resource corresponding to it;
an index value means for, after the correspondence between the user grouping and the access authority of the resource corresponding to it is established, obtaining the number of levels of the parent resources and child resources in the resources, wherein the resources include at least two levels of parent resources and the child resources under the parent resources; and for establishing, according to the number of levels of the parent resources and child resources, the correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels lies in the same threshold interval correspond to the same resource index value.
In one embodiment of the resource access authority grouping device of the present application, the device further includes a change means for, after the correspondence between the user grouping and the access authority of the resource corresponding to it is established, obtaining a request to add and/or delete users in the user grouping, and for adding and/or deleting the corresponding users in the corresponding user grouping according to that request.
In one embodiment of the resource access authority grouping device of the present application, the user grouping and access authority means is used for, when the resource corresponding to the user grouping is a parent resource, establishing the correspondence between the user grouping and the access authority of the parent resource corresponding to it, and establishing the correspondence between the user grouping and the access authority of the child resources under that parent resource.
In one embodiment of the resource access authority grouping device of the present application, the device further includes a query means for, after resources whose number of levels lies in the same threshold interval have been assigned the same resource index value, obtaining a request to query the access authority of the user groupings corresponding to some child resource; determining the parent resources of the child resource to be queried according to the request; and obtaining, according to the resource index values corresponding to the child resource to be queried and its parent resources, the user groupings under the child resource to be queried and its parent resources.
In one embodiment of the resource access authority grouping device of the present application, the query means is further used for displaying, in a tree structure, the user groupings under the child resource to be queried and its parent resources and the access authority of the resources corresponding to those user groupings.
In one embodiment of the resource access authority grouping device of the present application, the resource and user grouping means is used for establishing a correspondence between one user grouping and only one resource.
In one embodiment of the resource access authority grouping device of the present application, the user grouping and access authority means is used for establishing a correspondence between one user grouping and the access authority of only one resource.
In one embodiment of the resource access authority grouping device of the present application, the user grouping and access authority means is used for making, when the same resource corresponds to at least two user groupings, the access authority of that same resource corresponding to each of the at least two user groupings different.
In one embodiment of the resource access authority grouping device of the present application, the user grouping includes at least one user sub-group, and the user sub-group includes at least one user.
According to another aspect of the present application, a computing-based device is also provided, including:
a processor; and
a memory arranged to store computer-executable instructions which, when executed, cause the processor to:
establish the correspondence between resources and user groupings, the user grouping including at least one user;
establish the correspondence between the user grouping and the access authority of the resource corresponding to it;
after the correspondence between the user grouping and the access authority of the resource corresponding to it is established, obtain the number of levels of the parent resources and child resources in the resources, wherein the resources include at least two levels of parent resources and the child resources under the parent resources; and
establish, according to the number of levels of the parent resources and child resources, the correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels lies in the same threshold interval correspond to the same resource index value.
According to another aspect of the present application, a computer-readable storage medium is also provided, on which computer-executable instructions are stored, wherein the computer-executable instructions, when executed by a processor, cause the processor to:
establish the correspondence between resources and user groupings, the user grouping including at least one user;
establish the correspondence between the user grouping and the access authority of the resource corresponding to it;
after the correspondence between the user grouping and the access authority of the resource corresponding to it is established, obtain the number of levels of the parent resources and child resources in the resources, wherein the resources include at least two levels of parent resources and the child resources under the parent resources; and
establish, according to the number of levels of the parent resources and child resources, the correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels lies in the same threshold interval correspond to the same resource index value.
For the details of the above device and of each embodiment of the computer-readable storage medium, reference may be made to the corresponding parts of the method embodiments; they are not repeated here.
Obviously, those skilled in the art can make various modifications and variations to the present application without departing from its spirit and scope. If these modifications and variations of the present application fall within the scope of the claims of the present application and their equivalent technologies, the present application is also intended to include them.
It should be noted that the present application can be implemented in software and/or in a combination of software and hardware, for example using an application-specific integrated circuit (ASIC), a general-purpose computer or any other similar hardware device. In one embodiment, the software program of the present application can be executed by a processor to implement the steps or functions described above. Likewise, the software program of the present application (including the related data structures) can be stored in a computer-readable recording medium, for example RAM memory, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the present application can be implemented in hardware, for example as a circuit that cooperates with a processor to execute each step or function.
In addition, part of the present application can be applied as a computer program product, for example computer program instructions which, when executed by a computer, can invoke or provide the methods and/or technical solutions of the present application through the operation of that computer. The program instructions that invoke the methods of the present application may be stored in a fixed or removable recording medium, and/or be transmitted through a broadcast or a data stream in another signal-bearing medium, and/or be stored in the working memory of a computer device that operates according to those program instructions. Here, one embodiment of the present application includes a device comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to operate the methods and/or technical solutions according to the multiple embodiments of the present application described above.
It is obvious to those skilled in the art that the present application is not limited to the details of the exemplary embodiments described above, and that the present application can be realised in other specific forms without departing from its spirit or essential characteristics. Therefore, from whatever point of view, the embodiments are to be regarded as illustrative and not restrictive, and the scope of the present application is limited by the appended claims rather than by the above description; it is intended that all variations falling within the meaning and scope of the equivalent elements of the claims are included in the present application. Any reference signs in the claims should not be construed as limiting the claims involved. In addition, it is clear that the word "comprising" does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a device claim can also be implemented by one unit or device through software or hardware. Words such as "first" and "second" are used to denote names and do not indicate any particular order.

Claims (12)

1. A resource access authority grouping method, wherein the method comprises:
establishing the correspondence between resources and user groupings, the user grouping including at least one user;
establishing the correspondence between the user grouping and the access authority of the resource corresponding to it;
obtaining the number of levels of the parent resources and child resources in the resources, wherein the resources include at least two levels of parent resources and the child resources under the parent resources; and
establishing, according to the number of levels of the parent resources and child resources, the correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels lies in the same threshold interval correspond to the same resource index value.
2. The method according to claim 1, wherein, after the correspondence between the user grouping and the access authority of the resource corresponding to it is established, the method further comprises:
obtaining a request to add and/or delete users in the user grouping; and
adding and/or deleting the corresponding users in the corresponding user grouping according to the request.
3. The method according to claim 1, wherein, when the resource corresponding to the user grouping is a parent resource, establishing the correspondence between the user grouping and the access authority of the resource corresponding to it comprises:
establishing the correspondence between the user grouping and the access authority of the parent resource corresponding to it; and
establishing the correspondence between the user grouping and the access authority of the child resources under that parent resource.
4. The method according to claim 1, wherein, after resources whose number of levels lies in the same threshold interval have been assigned the same resource index value, the method further comprises:
obtaining a request to query the access authority of the user groupings corresponding to some child resource;
determining the parent resources of the child resource to be queried according to the request; and
obtaining, according to the resource index values corresponding to the child resource to be queried and its parent resources, the user groupings under the child resource to be queried and its parent resources.
5. The method according to claim 4, wherein, after the access authority of the resources corresponding to the user groupings under the child resource to be queried and its parent resources is obtained, the method further comprises:
displaying, in a tree structure, the user groupings under the child resource to be queried and its parent resources and the access authority of the resources corresponding to those user groupings.
6. The method according to claim 1, wherein, in establishing the correspondence between resources and user groupings,
one user grouping establishes a correspondence with only one resource.
7. The method according to claim 6, wherein, in establishing the correspondence between the user grouping and the access authority of the resource corresponding to it,
one user grouping establishes a correspondence with the access authority of only one resource.
8. The method according to claim 7, wherein, in establishing the correspondence between the user grouping and the access authority of the resource corresponding to it,
when the same resource corresponds to at least two user groupings, the access authority of that same resource corresponding to each of the at least two user groupings is different.
9. The method according to claim 1, wherein the user grouping includes at least one user sub-group, and the user sub-group includes at least one user.
10. A resource access authority grouping device, wherein the device comprises:
a resource and user grouping means for establishing the correspondence between resources and user groupings, the user grouping including at least one user;
a user grouping and access authority means for establishing the correspondence between the user grouping and the access authority of the resource corresponding to it;
an index value means for obtaining the number of levels of the parent resources and child resources in the resources, wherein the resources include at least two levels of parent resources and the child resources under the parent resources; and
for establishing, according to the number of levels of the parent resources and child resources, the correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels lies in the same threshold interval correspond to the same resource index value.
11. A computing-based device, comprising:
a processor; and
a memory arranged to store computer-executable instructions which, when executed, cause the processor to:
establish the correspondence between resources and user groupings, the user grouping including at least one user;
establish the correspondence between the user grouping and the access authority of the resource corresponding to it;
obtain the number of levels of the parent resources and child resources in the resources, wherein the resources include at least two levels of parent resources and the child resources under the parent resources; and
establish, according to the number of levels of the parent resources and child resources, the correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels lies in the same threshold interval correspond to the same resource index value.
12. A computer-readable storage medium on which computer-executable instructions are stored, wherein the computer-executable instructions, when executed by a processor, cause the processor to:
establish the correspondence between resources and user groupings, the user grouping including at least one user;
establish the correspondence between the user grouping and the access authority of the resource corresponding to it;
obtain the number of levels of the parent resources and child resources in the resources, wherein the resources include at least two levels of parent resources and the child resources under the parent resources; and
establish, according to the number of levels of the parent resources and child resources, the correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels lies in the same threshold interval correspond to the same resource index value.
CN201711031968.0A 2017-10-27 2017-10-27 Resource access authority grouping method and equipment Active CN109726579B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711031968.0A CN109726579B (en) 2017-10-27 2017-10-27 Resource access authority grouping method and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711031968.0A CN109726579B (en) 2017-10-27 2017-10-27 Resource access authority grouping method and equipment

Publications (2)

Publication Number Publication Date
CN109726579A true CN109726579A (en) 2019-05-07
CN109726579B CN109726579B (en) 2023-04-28

Family

ID=66291200

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711031968.0A Active CN109726579B (en) 2017-10-27 2017-10-27 Resource access authority grouping method and equipment

Country Status (1)

Country Link
CN (1) CN109726579B (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110753059A (en) * 2019-10-25 2020-02-04 苏州浪潮智能科技有限公司 Authority management method, equipment and storage medium
CN112069541A (en) * 2020-09-08 2020-12-11 北京百度网讯科技有限公司 Authority management and query method and device
CN112465476A (en) * 2020-12-17 2021-03-09 中国农业银行股份有限公司 Access control method, device, equipment and medium
WO2021098275A1 (en) * 2019-11-22 2021-05-27 支付宝(杭州)信息技术有限公司 Smart graph computing-based privacy resource permission control method and apparatus, and device
CN112988286A (en) * 2021-03-12 2021-06-18 武汉蔚来能源有限公司 Resource maintenance method and device and computer storage medium
WO2021137757A1 (en) * 2019-12-31 2021-07-08 Envision Digital International Pte. Ltd. Authority management method and apparatus, and electronic device, and storage medium thereof
CN113127887A (en) * 2019-12-30 2021-07-16 中移信息技术有限公司 Data permission isolation judgment method, device, equipment and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2003030032A2 (en) * 2001-09-28 2003-04-10 Oracle International Corporation An index structure to access hierarchical data in a relational database system
US20050228791A1 (en) * 2004-04-09 2005-10-13 Ashish Thusoo Efficient queribility and manageability of an XML index with path subsetting
CN1848022A (en) * 2005-04-13 2006-10-18 华为技术有限公司 Authority control method based on access control list
US20080306927A1 (en) * 2007-06-10 2008-12-11 Apple Computer, Inc. Index Partitioning and Scope Checking
US20090125494A1 (en) * 2007-11-08 2009-05-14 Oracle International Corporation Global query normalization to improve xml index based rewrites for path subsetted index
US20100235907A1 (en) * 2009-03-11 2010-09-16 Brian Payton Bowman Authorization Caching In A Multithreaded Object Server
CN102129539A (en) * 2011-03-11 2011-07-20 清华大学 Data resource authority management method based on access control list
CN102207981A (en) * 2011-07-13 2011-10-05 华为软件技术有限公司 Method and system for managing file
CN102231693A (en) * 2010-04-22 2011-11-02 北京握奇数据系统有限公司 Method and apparatus for managing access authority
US8631028B1 (en) * 2009-10-29 2014-01-14 Primo M. Pettovello XPath query processing improvements
CN103617295A (en) * 2013-12-16 2014-03-05 北京锐安科技有限公司 Method and device for processing geographic information vector data


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
钮焱等: "一种信息仓库检索系统的设计和实现", 《中国集体经济》 *


Also Published As

Publication number Publication date
CN109726579B (en) 2023-04-28

Similar Documents

Publication Publication Date Title
CN109726579A (en) Resource access authority group technology and equipment
US11140166B2 (en) Multi-tenant authorization
US11748506B2 (en) Access controlled graph query spanning
US10819652B2 (en) Access management tags
US10977380B2 (en) Hybrid role and attribute based access control system
Al-Kahtani et al. A model for attribute-based user-role assignment
US8429191B2 (en) Domain based isolation of objects
RU2408070C2 (en) Detectability and listing mechanism in hierarchically protected data storage system
US9355261B2 (en) Secure data management
US9602513B2 (en) Access control of edges in graph index applications
WO2019226806A1 (en) Organization based access control system
US20160036860A1 (en) Policy based data processing
US8245291B2 (en) Techniques for enforcing access rights during directory access
Mazurek et al. Toward strong, usable access control for shared distributed data
WO2015108536A1 (en) Mapping tenant groups to identity management classes
JP2014086083A (en) Utilizing social graph for network access and admission control
CN111464487A (en) Access control method, device and system
Al-Zobbi et al. Implementing a framework for big data anonymity and analytics access control
US10205631B1 (en) Distributing an access control service to local nodes
US20110225202A1 (en) Multi-dimensional access control list
US8095970B2 (en) Dynamically associating attribute values with objects
US20190007457A1 (en) Access Policies Based on HDFS Extended Attributes
JP2007072581A (en) Policy group generation device and control method
Syalim et al. Grouping provenance information to improve efficiency of access control
US10708253B2 (en) Identity information including a schemaless portion

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant