CN109726579A - Resource access authority group technology and equipment - Google Patents
- Publication number: CN109726579A (CN201711031968.0A)
- Authority: CN (China)
- Prior art keywords: resource, user, user grouping, parent, access authority
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion)
- Landscapes: Storage Device Security (AREA)
Abstract
The application provides a resource access permission grouping method and device. By establishing a correspondence among three elements (resources, user groups and access permissions), the resources and access permissions associated with a user change automatically whenever the membership of a user group later changes, so the resources and permissions of each user no longer have to be maintained one by one. This simplifies operation and keeps resources and access permissions synchronized in real time with changes to user groups. In addition, by using resource index values, this embodiment reduces the number of database queries, so the user groups under a child resource being queried and under its parent resources can be found more quickly, and the access permissions of those user groups can then be looked up.
Description
Technical field
This application relates to the field of computing, and in particular to a resource access permission grouping method and device.
Background
Many micro-applications share the following scenario: several people are added to a group, and a specific permission rule is then set for that group. For attendance, for example, certain departments and certain users can be put together to form an attendance group, and an attendance rule is set for that group; the users in the attendance group then have attendance permissions according to that rule. For a file directory, view permission or edit permission can be set for certain departments (containing users), certain groups (containing users) and certain users. For a log template, only the people and departments that have been configured have permission to view and use it.
In the prior art, when users change, the business side usually has to maintain the change to each user and to that user's corresponding permissions one by one, which is cumbersome.
Summary of the invention
The purpose of the application is to provide a resource access permission grouping method and device that solve the problems that, when users change, the changes to users and to their corresponding permissions have to be maintained one by one, that operation is cumbersome, and that queries are slow.
According to one aspect of the application, a resource access permission grouping method is provided, comprising:
Establishing a correspondence between a resource and a user group, the user group including at least one user;
Establishing a correspondence between the user group and the access permission for its corresponding resource;
Obtaining the number of levels of the parent resources and child resources in the resource, wherein the resource includes at least two levels, namely a parent resource and the child resources under that parent resource;
Establishing, according to the number of levels of the parent resources and child resources, a correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
Further, in the above method, after the correspondence between the user group and the access permission for its corresponding resource is established, the method further comprises:
Obtaining a request to add and/or delete a user in the user group;
Adding and/or deleting the corresponding user in the corresponding user group according to the add and/or delete request.
Further, in the above method, when the resource corresponding to the user group is a parent resource, establishing the correspondence between the user group and the access permission for its corresponding resource comprises:
Establishing a correspondence between the user group and the access permission for its corresponding parent resource;
Establishing a correspondence between the user group and the access permission for the child resources under its corresponding parent resource.
Further, in the above method, after resources whose number of levels falls within the same threshold interval are assigned to the same resource index, the method further comprises:
Obtaining a request to query the access permissions of the user groups corresponding to a child resource;
Determining the parent resources of the child resource to be queried according to the request;
Obtaining, according to the resource index values corresponding to the child resource to be queried and its parent resources, the user groups under the child resource to be queried and under its parent resources.
Further, in the above method, after the access permissions for the resources corresponding to the user groups under the child resource to be queried and its parent resources are obtained, the method further comprises:
Displaying, in a tree structure, the user groups under the child resource to be queried and its parent resources, together with the access permissions for the resources corresponding to those user groups.
Further, in the above method, when the correspondence between a resource and a user group is established, one user group establishes a correspondence with only one resource.
Further, in the above method, when the correspondence between the user group and the access permission for its corresponding resource is established, one user group establishes a correspondence with the access permission of only one resource.
Further, in the above method, when the correspondence between the user group and the access permission for its corresponding resource is established and the same resource corresponds to at least two user groups, each of the at least two user groups has a different access permission for that same resource.
Further, in the above method, the user group includes at least one user subgroup, and the user subgroup includes at least one user.
According to another aspect of the application, a resource access permission grouping device is also provided, comprising:
A resource and user group module, for establishing a correspondence between a resource and a user group, the user group including at least one user;
A user group and access permission module, for establishing a correspondence between the user group and the access permission for its corresponding resource;
An index value module, for obtaining the number of levels of the parent resources and child resources in the resource, wherein the resource includes at least two levels, namely a parent resource and the child resources under that parent resource; and for establishing, according to the number of levels of the parent resources and child resources, a correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
According to another aspect of the application, a computing-based device is also provided, comprising:
A processor; and
A memory arranged to store computer-executable instructions which, when executed, cause the processor to:
Establish a correspondence between a resource and a user group, the user group including at least one user;
Establish a correspondence between the user group and the access permission for its corresponding resource;
Obtain the number of levels of the parent resources and child resources in the resource, wherein the resource includes at least two levels, namely a parent resource and the child resources under that parent resource;
Establish, according to the number of levels of the parent resources and child resources, a correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
According to another aspect of the application, a computer-readable storage medium is also provided, on which computer-executable instructions are stored, wherein the computer-executable instructions, when executed by a processor, cause the processor to:
Establish a correspondence between a resource and a user group, the user group including at least one user;
Establish a correspondence between the user group and the access permission for its corresponding resource;
Obtain the number of levels of the parent resources and child resources in the resource, wherein the resource includes at least two levels, namely a parent resource and the child resources under that parent resource;
Establish, according to the number of levels of the parent resources and child resources, a correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
Compared with the prior art, the application establishes a correspondence among resources, user groups and access permissions. When the users in a user group later change, the resources and access permissions associated with those users change automatically according to this three-way correspondence, so the resources and permissions of each user no longer have to be maintained one by one. This simplifies operation and keeps resources and access permissions synchronized in real time with changes to user groups.
In addition, by using resource index values, this embodiment reduces the number of database queries, so the user groups under the child resource to be queried and under its parent resources can be found more quickly, and the access permissions of those user groups can then be looked up.
Brief description of the drawings
Other features, objects and advantages of the application will become more apparent from the following detailed description of non-restrictive embodiments, read with reference to the accompanying drawings:
Fig. 1 shows a flow chart of the resource access permission grouping method according to one embodiment of the application;
Fig. 2 shows a schematic diagram of the correspondence among resources, user groups and access permissions in one embodiment of the application;
Fig. 3 shows a schematic diagram of the input interface for querying whether a user UID has access permission to a resource path in one embodiment of the application;
Fig. 4 shows a schematic diagram of a query result displayed in a tree structure in one embodiment of the application;
Fig. 5 shows a schematic diagram of a query result displayed in a tree structure in another embodiment of the application;
Fig. 6 shows a schematic diagram of user subgroups according to one embodiment of the application.
The same or similar reference numerals in the drawings denote the same or similar components.
Detailed description
The application is described in further detail below with reference to the accompanying drawings.
In a typical configuration of this application, the terminal, the devices of the service network and the trusted party each include one or more processors (CPU), input/output interfaces, network interfaces and memory.
Memory may include volatile memory in computer-readable media, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, which can store information by any method or technology. The information can be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape and disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
As shown in Figs. 1 and 2, the application provides a resource access permission grouping method, comprising:
Step S1: establish a correspondence between a resource and a user group, the user group including at least one user.
For example, a user group (Group) can be created. The user group can be a set of users, departments or groups, where each department or group contains at least one user. This Group is set to correspond to some resource (Resource); the resource may be, for example, attendance check-in, a file or a log template.
Specifically, a resource can be represented by a resourceURI, such as resource 1 (Resource_1) and resource 2 (Resource_2) in Fig. 2. The format of a resourceURI is tenant_id:domain:domain_id:*:biz_resource_path, where:
tenant_id: the identifier of the business side; a unique tenantId can be generated and assigned to each accessing party;
domain: the first-level domain to which the resource belongs, such as ORG/SPACE/.....;
domain_id: the identifier of the first-level domain to which the resource belongs; for example, if the first-level domain to which the resource belongs is ORG, the corresponding domain_id can be orgId;
biz_resource_path: the absolute path of the resource.
In addition, when the business side gives certain users, departments or groups specific access permissions to a resource, those users, departments and groups can be added to a user group (Group), and a globally unique groupId is generated for it, such as user group A (GroupA), user group B (GroupB), user group C (GroupC) and user group D (GroupD) in Fig. 2.
Step S2: establish a correspondence between the user group and the access permission for its corresponding resource.
Following step S1, step S2 sets the access permission (Policy) that this Group has for its corresponding Resource. The access permission may include the defined permission content or the rules for applying the permission. As shown in Fig. 2, user group A has access permission 1 (policy_1) for resource 1, user group B has access permission 3 (policy_3) for resource 1, user group C has access permission 3 (policy_3) for resource 2, and user group D has access permission 4 (policy_4) for resource 2.
The correspondence among Resource, Group and Policy established in this embodiment can be as shown in Fig. 2.
For example, an access permission may include permission operation points (ActionId) and a semi-structured configuration (Policy) composed of those operation points. Permission operation points are, for example, read, write or execute. A Policy can take a form such as:
The above Policy indicates that the permission operation points read, write and execute are allowed (Allow). Here, ActionIdContains represents the specified condition, and Result represents the outcome (Allow/Deny) when the specified condition is met.
Step S3: obtain the number of levels of the parent resources and child resources in the resource, wherein the resource includes at least two levels, namely a parent resource and the child resources under that parent resource.
For example, one resource includes two levels, the parent resource /A/ and the child resource /A/B/ under it; as another example, one resource includes three levels, the parent resource /A/ and the child resources /A/B/ and /A/B/C/ under it.
A parent resource is a resource at an upper level and a child resource is a resource at a lower level. Parent and child are relative concepts: a given parent resource is a parent with respect to the resources below it and, at the same time, a child with respect to the level above it. Correspondingly, a given child resource is a parent with respect to the resources below it and a child with respect to the level above it.
Step S4: establish, according to the number of levels of the parent resources and child resources, a correspondence between the parent resources and/or child resources and resource index values, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
In this embodiment, a rule for the correspondence between parent and/or child resources and resource index values can be established according to the number of levels of the parent resources and child resources. resource_path denotes the absolute path of a resource and query_index denotes the index value of that absolute path; specifically, query_index can be used as the database and table sharding key. For example, the rule can be defined as follows:
First threshold interval [0,3): if 0 ≤ the number of levels of the absolute path of the parent or child resource < 3, the index value of the resource's absolute path takes the first-level path of that absolute path;
Second threshold interval [3,6): if 3 ≤ the number of levels of the absolute path of the parent or child resource < 6, the index value of the resource's absolute path takes the first to third levels of that absolute path;
Third threshold interval [6,9): if 6 ≤ the number of levels of the absolute path of the parent or child resource < 9, the index value of the resource's absolute path takes the first to sixth levels of that absolute path.
For example, according to the above rule, the correspondence between the user groups under the parent and/or child resources (resource_path) and the resource index values (query_index) is as shown in the following table:
Table 1
According to the rule of correspondence in Table 1 above, for example:
<1> resourcePath='/A/B/C/', pathdepth is 3, the first to third levels are taken, query_index='/A/B/C';
<2> resourcePath='/A/B/C/D/E/F/G/H/', pathdepth is 8, the first to sixth levels are taken, query_index='/A/B/C/D/E/F';
<3> resourcePath='/A/B/C/D/*', pathdepth is 4, the first to third levels are taken, query_index='/A/B/C';
<4> resourcePath='/A/*', pathdepth is 1, the first-level path is taken, query_index='/A'.
The rule for the correspondence between parent and/or child resources and resource index values can be adjusted according to the maximum number of levels of one's own resources: the larger the maximum number of levels, the larger each threshold interval is set.
Here, this embodiment establishes a correspondence among resources, user groups and access permissions. When the users in a user group later change, the resources and access permissions associated with those users change automatically according to this three-way correspondence, so the resources and permissions of each user no longer have to be maintained one by one. This simplifies operation and keeps resources and access permissions synchronized in real time with changes to user groups.
In addition, by using resource index values, this embodiment reduces the number of database queries, so the user groups under the child resource to be queried and under its parent resources can be found more quickly, and the access permissions of those user groups can then be looked up.
In one embodiment of the resource access permission grouping method of the application, after the correspondence between the user group and the access permission for its corresponding resource is established, the method further comprises:
Obtaining a request to add and/or delete a user in the user group;
Adding and/or deleting the corresponding user in the corresponding user group according to the add and/or delete request.
Here, with the correspondence among resources, user groups and access permissions established in the above embodiment, when users are later added to and/or deleted from a user group, the resources and access permissions associated with those users change automatically according to the three-way correspondence, so the resources and permissions of each user no longer have to be maintained one by one, which simplifies operation.
For example, when department staff change, the user list under the Group can be changed in real time; when group members change, the user list under the Group can likewise be changed in real time.
As another example, in an access control system, a department can be set to be allowed through the door access control of a meeting room. When a user leaves this department, as soon as the user is deleted from the department, that person's permission to enter the meeting room is revoked in real time.
In one embodiment of the resource access permission grouping method of the application, when the resource corresponding to the user group is a parent resource, establishing the correspondence between the user group and the access permission for its corresponding resource comprises:
Establishing a correspondence between the user group and the access permission for its corresponding parent resource;
Establishing a correspondence between the user group and the access permission for the child resources under its corresponding parent resource.
In this embodiment, while the correspondence between the user group and the access permission for its parent resource is established, the correspondence between the user group and the access permission for the child resources under that parent resource is established as well. Permission on a parent resource therefore carries with it the access permission for all child resources belonging to it; that is, access permission is inherited from the parent resource by all of its child resources.
For example, in a file management system, a department can be given permission to view directory A (the parent resource). When a subdirectory (child resource) is added under directory A, the users in the department can access all files in the subdirectory. Likewise, when a user is added to the department, that user can immediately view the files in directory A and its subdirectories.
As another example, if a Group is given access permission for the parent resource /A/B/ (resourcePath='/A/B/*'), the users under this Group automatically have access permission to each child resource under the parent resource, such as /A/B/C and /A/B/C1/D1.
Specifically, if biz_resource_path='/A', the user can access the parent resource /A itself under the domain, and can also access all child resources under /A, such as /A/B/ and /A/B/C/;
If biz_resource_path='/A/B/', the user can access the parent resource /A/B itself under the domain, and can also access all child resources under /A/B, such as /A/B/C/ and /A/B/C/D/;
If biz_resource_path='/', the user can access the parent resource / itself under the domain, and can also access all child resources under /, such as /A/ and /A/B/.
Here, '/' is a reserved keyword, and biz_resource_path is split into levels by '/', so the resource identifier at each level must not contain '/', to avoid confusion with the reserved keyword.
Because access permission is inherited from a parent resource by all of the child resources belonging to it, querying all users who have access permission to a given resource requires obtaining not only all users with access permission to the resource itself, but also all users with access permission to any of its parent resources, since those users necessarily have access permission to the resource as well. The following embodiments explain how to query all users who have permission to a given resource:
In one embodiment of the resource access permission grouping method of the application, in order to query all users who have access permission to a given resource, after the correspondence between the user group and the access permission for the child resources under its corresponding parent resource is established, the method further comprises:
Obtaining a request to query the access permissions of the user groups corresponding to a child resource;
Determining, level by level based on the request, the parent resources at every level of the child resource to be queried;
Obtaining, level by level, the user groups under the determined child resource to be queried and its parent resources;
Merging and de-duplicating the obtained user groups.
For example, to query which users have access permission to directory /A/B/C/D/E, that is, to query the access permissions of all groups listed under bizResourcePath='/A/B/C/D/E', assume that the sharding key is Domain:DomainId.
The following steps are carried out:
Query the list of groups that have access permission to /A/B/C/D/E;
Query the list of groups that have access permission to /A/B/C/D;
Query the list of groups that have access permission to /A/B/C;
Query the list of groups that have access permission to /A/B;
Query the list of groups that have access permission to /A;
Query the list of groups that have access permission to /*;
After all groups have been found, they can be merged (Merge) and de-duplicated once in memory.
In one embodiment of the resource access permission grouping method of the application, in order to query all users who have access permission to a given resource, after the correspondence between the user group and the access permission for the child resources under its corresponding parent resource is established, the method further comprises:
Obtaining a request to query the access permissions of the user groups corresponding to a child resource;
Filtering out, based on the request, the parent resources at every level of the child resource to be queried from all resources under the domain in which that child resource is located;
Obtaining the user groups under the filtered-out child resource to be queried and its parent resources.
For example, to query which users have access permission to directory (child resource) /A/B/C/D/E, all resources under Domain:DomainId, the domain in which directory (child resource) /A/B/C/D/E is located, are as follows:
1. /A/B
2. /A/BB
3. /A1/B1
4. /A2/B2
Among all resources under Domain:DomainId, the domain in which directory (child resource) /A/B/C/D/E is located, the parent resource matched for directory (child resource) /A/B/C/D/E is therefore /A/B.
In this implementation, the child resource can be compared against all resources under Domain:DomainId and filtered in memory, after which the user groups under the filtered-out child resource to be queried and its parent resources can be obtained.
In one embodiment of the resource access permission grouping method of the application, after resources whose number of levels falls within the same threshold interval are assigned to the same resource index, the method further comprises:
Obtaining a request to query the access permissions of the user groups corresponding to a child resource;
Determining the parent resources of the child resource to be queried according to the request;
Obtaining, according to the resource index values corresponding to the child resource to be queried and its parent resources, the user groups under the child resource to be queried and under its parent resources.
For example, when all Groups under /A/B/C/D/E need to be queried, according to the correspondence in Table 1 of the above embodiment between the user groups under the parent and/or child resources (resource_path) and the resource index values (query_index), only the data for query_index='/A'&&query_index='/A/B/C' needs to be queried, and the data found is then filtered further in memory. In this embodiment the number of database (DB) operations can thus be reduced from the original 5 to 2; if one MySQL query takes 7 ms, the response time of the query is reduced by 21 ms (60%).
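The index rule of step S4 and the two-query lookup described above, as an added Python example that is not part of the patent text. The grant rows, group names and the GrantTable class are constructed for illustration, and the root path is left out of the parent list so that the level-by-level variant issues the 5 queries counted above.

```python
from collections import defaultdict

# Threshold intervals from step S4: (low, high, number of leading levels kept).
INTERVALS = [(0, 3, 1), (3, 6, 3), (6, 9, 6)]

# Constructed sample grants: (resource_path, groupId, policy name).
GRANTS = [
    ("/A/*", "GroupE", "policy_1"),
    ("/A/B/*", "GroupA", "policy_1"),
    ("/A/BB/*", "GroupD", "policy_4"),       # same index '/A' as /A/B, not a parent
    ("/A/B/C/D/*", "GroupB", "policy_3"),
    ("/A/B/C/X/*", "GroupC", "policy_3"),    # same index '/A/B/C', not a parent
]


def levels(resource_path):
    """'/A/B/C/' -> ['A', 'B', 'C']; a trailing '*' wildcard is not a level."""
    return [s for s in resource_path.split("/") if s and s != "*"]


def normalize(resource_path):
    return "/" + "/".join(levels(resource_path))


def query_index(resource_path):
    """Index value of a path, chosen by the interval its level count falls in."""
    parts = levels(resource_path)
    for low, high, keep in INTERVALS:
        if low <= len(parts) < high:
            return "/" + "/".join(parts[:keep])
    raise ValueError("more levels than the configured intervals: " + resource_path)


def self_and_parents(resource_path):
    """The resource and its parents, deepest first, down to the first level."""
    parts = levels(resource_path)
    return ["/" + "/".join(parts[:n]) for n in range(len(parts), 0, -1)]


class GrantTable:
    """In-memory stand-in for the grant table; counts simulated DB queries."""

    def __init__(self, grants):
        self.by_path = defaultdict(list)
        self.by_index = defaultdict(list)
        self.queries = 0
        for path, group, policy in grants:
            row = (normalize(path), group, policy)
            self.by_path[row[0]].append(row)
            self.by_index[query_index(path)].append(row)

    def select_by_path(self, path):
        self.queries += 1
        return list(self.by_path.get(path, []))

    def select_by_index(self, index):
        self.queries += 1
        return list(self.by_index.get(index, []))


def groups_level_by_level(table, resource_path):
    """One query per level, then merge and de-duplicate in memory."""
    found = {}
    for path in self_and_parents(resource_path):
        for _, group, policy in table.select_by_path(path):
            found[group] = policy
    return dict(sorted(found.items()))


def groups_by_index(table, resource_path):
    """One query per distinct index value, then exact-path filtering in memory."""
    wanted = self_and_parents(resource_path)
    indexes = list(dict.fromkeys(query_index(p) for p in wanted))
    found = {}
    for index in indexes:
        for path, group, policy in table.select_by_index(index):
            # Compare whole paths: a string-prefix test would let /A/BB pass as /A/B.
            if path in wanted:
                found[group] = policy
    return dict(sorted(found.items()))


if __name__ == "__main__":
    slow, fast = GrantTable(GRANTS), GrantTable(GRANTS)
    print(groups_level_by_level(slow, "/A/B/C/D/E"), slow.queries)
    print(groups_by_index(fast, "/A/B/C/D/E"), fast.queries)
```

The in-memory filter is the security-relevant step: rows that share an index value with a parent, such as /A/BB and /A/B/C/X here, must be dropped by comparing complete paths, or their groups would be reported as having access.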
In one embodiment of resource access authority group technology of the application, the child resource to be checked and his father's money are obtained
After the access authority of resource corresponding to user grouping under source, further includes:
The user grouping and the user grouping under the child resource and its parent resource to be checked are shown with tree structure
The access authority of corresponding resource.
Here, needing an O&M backstage that can be used to check problem or examine when realizing a Rights Management System
The reason of whether a disconnected user possesses the permission of some resource and possesses this resource access authority.Such as in a Web page
Face, as shown in figure 3, can be by inputting resource path resourceURI and user UID, to inquire whether the user UID has this
The access authority of resource path, if returning to true/false, directly to indicate that the user id possesses permission to the resource path
With no permission.But it is not intuitive enough in this way, without pilot process.It is unfavorable for diagnosis and problem investigation.
The present embodiment may include steps of:
Step 1: as shown in figure 3, input resourceURI and user UID;
Step 2: clicking inquiry button
Step 3: output the result is that a tree structure as shown in fig. 4 or 5.And tree structures node is deployable and closes
And in Fig. 4 or 5, the business that tree structure represents is meant that: user belongs to this session of session id=53506390, while this
Session belongs to the group of group=27001, and this resource is that initialization only has this group accessible, so user can visit
Ask this resource, this result has listed this why accessible resource of user in detail.
The present embodiment can not only determine whether a user grouping can access a resource, but can also list, through the tree structure, why the resource is accessible. Specifically, a dynamically generated, collapsible tree structure can list all the user groupings under a resource, which makes the abstract permission decision clear, lets developers or customers see at a glance whether the resource is accessible, and makes it convenient for developers and customers to check and diagnose problems. The present embodiment can be used in permission systems such as ACL/RBAC/GBAC.
In one embodiment of the resource access authority grouping method of the application, in establishing the corresponding relationship between resource and user grouping,
One user grouping establishes a corresponding relationship with only one resource. This guarantees that a Group can belong to only one resource, and avoids confusion of the corresponding resource when users are updated.
In one embodiment of the resource access authority grouping method of the application, in establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it,
One user grouping establishes a corresponding relationship with the access authority of only one resource. This guarantees that a Group can be assigned only one Policy, and avoids confusion of the corresponding Policy when users are updated.
In one embodiment of the resource access authority grouping method of the application, in establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it,
When the same resource corresponds to at least two user groupings, the access authorities of the same resource corresponding to each of the at least two user groupings are different. This guarantees that one Resource can have multiple Groups, but that different Groups under one Resource necessarily correspond to different Policies; that is, users who possess the same Policy under one Resource can be consolidated into the same Group, which avoids Policy confusion when the users of different Groups under the same Resource are updated.
In one embodiment of the resource access authority grouping method of the application, the user grouping includes at least one user subgroup, and the user subgroup includes at least one user.
Here, as shown in Fig. 6, a user subgroup Member is a component unit under a user grouping Group. One user grouping Group includes one or more user subgroups Member, and each user subgroup Member includes at least one user Uid. A user subgroup Member may include a subgroup type memberType and a subgroup identifier memberId. For example, if a user subgroup Member under a Group is a department (deptId=123), then memberType='dept', memberId='123'; as another example, if a user subgroup Member under a Group is a group (cid=456), then memberType='conv', memberId='456'. One Group is composed of one or more memberId+memberType combinations.
Here, by setting user subgroups under a user grouping, the present embodiment enables more fine-grained changes to the users in each user set under each user grouping. For example, if there are two user subgroups A1 and A2 under a user grouping, and user a is in user subgroup A1 but not in user subgroup A2, then user a only needs to be deleted from user subgroup A1, and no user change needs to be made in user subgroup A2.
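The following Python example is added here and is not part of the patent. It models the Resource/Group/Policy/Member relationships, the uniqueness constraints and the explanatory tree query described above; the class and function names, the slash-separated resourceURI layout, the policy names and the UIDs are assumptions, while group 27001 and session 53506390 are the values quoted in the text.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Member:
    """User subgroup: memberType + memberId, e.g. ('dept', '123')."""
    member_type: str
    member_id: str


@dataclass
class Group:
    group_id: str
    resource_uri: str                 # one Group belongs to exactly one resource
    policy: str                       # one Group is assigned exactly one Policy
    members: list = field(default_factory=list)


class PermissionStore:
    def __init__(self):
        self.groups = {}              # group_id -> Group
        self.users = {}               # Member -> set of UIDs

    def add_group(self, group_id, resource_uri, policy):
        if group_id in self.groups:
            raise ValueError(f"group {group_id} is already bound to a resource")
        if any(g.resource_uri == resource_uri and g.policy == policy
               for g in self.groups.values()):
            raise ValueError("groups under one resource must have different policies")
        self.groups[group_id] = Group(group_id, resource_uri, policy)

    def add_member(self, group_id, member):
        self.groups[group_id].members.append(member)
        self.users.setdefault(member, set())

    def add_user(self, member, uid):
        self.users.setdefault(member, set()).add(uid)

    def remove_user(self, member, uid):
        self.users.get(member, set()).discard(uid)

    def explain(self, resource_uri, uid):
        """Return the decision tree for (resource_uri, uid); deny by default."""
        parts = resource_uri.strip("/").split("/")
        # Assumption: a parent resource is a path prefix of its child resource.
        # The queried resource comes first, then each parent up to the root.
        chain = ["/" + "/".join(parts[:i]) for i in range(len(parts), 0, -1)]
        tree = {"resource": resource_uri, "uid": uid, "allowed": False, "levels": []}
        for uri in chain:
            level = {"resource": uri, "groups": []}
            for g in self.groups.values():
                if g.resource_uri != uri:
                    continue
                hits = [m for m in g.members if uid in self.users.get(m, ())]
                level["groups"].append({"group": g.group_id, "policy": g.policy,
                                        "matched_members": hits, "grants": bool(hits)})
                tree["allowed"] = tree["allowed"] or bool(hits)
            tree["levels"].append(level)
        return tree


def render(tree):
    """Flatten the tree into indented lines for an operations console."""
    verdict = "ALLOW" if tree["allowed"] else "DENY"
    lines = [f"{verdict} uid={tree['uid']} resource={tree['resource']}"]
    for level in tree["levels"]:
        lines.append(f"  resource {level['resource']}")
        for g in level["groups"]:
            mark = "+" if g["grants"] else "-"
            lines.append(f"    [{mark}] group={g['group']} policy={g['policy']}")
            for m in g["matched_members"]:
                lines.append(f"        via {m.member_type}={m.member_id}")
    return lines


def build_sample():
    """Constructed sample data; only the group and session ids come from the text."""
    store = PermissionStore()
    store.add_group("27001", "/space/docs", "read")          # parent resource
    store.add_group("27002", "/space/docs/report", "write")  # child resource
    conv = Member("conv", "53506390")
    dept = Member("dept", "123")
    store.add_member("27001", conv)
    store.add_member("27002", dept)
    store.add_user(conv, "u1001")
    store.add_user(dept, "u2002")
    return store, conv, dept


if __name__ == "__main__":
    sample_store, _, _ = build_sample()
    print("\n".join(render(sample_store.explain("/space/docs/report", "u1001"))))
```

Removing a user from one Member changes the decision for every resource reached through that Member's Group, without touching any other subgroup or any per-user permission record.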
According to another aspect of the application, a resource access authority grouping equipment is also provided, the equipment including:
A resource and user grouping device, for establishing the corresponding relationship between resource and user grouping, the user grouping including at least one user;
A user grouping and access authority device, for establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it;
An index value device, for obtaining, after the corresponding relationship between the user grouping and the access authority of the resource corresponding to it is established, the number of levels of the parent resource and child resource in the resource, wherein the resource includes at least two levels of parent resource and the child resources under the parent resource; and for establishing, according to the number of levels of the parent resource and child resource, the corresponding relationship between the parent resource and/or child resource and a resource index value, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
In one embodiment of the resource access authority grouping equipment of the application, the equipment further includes a change device, for obtaining, after the corresponding relationship between the user grouping and the access authority of the resource corresponding to it is established, a request to add and/or delete a user in the user grouping; and for adding and/or deleting the corresponding user in the corresponding user grouping according to the add and/or delete request.
In one embodiment of the resource access authority grouping equipment of the application, the user grouping and access authority device is used for, when the resource corresponding to the user grouping is a parent resource, establishing the corresponding relationship between the user grouping and the access authority of the parent resource corresponding to it; and establishing the corresponding relationship between the user grouping and the access authority of the child resources under the parent resource corresponding to it.
In one embodiment of the resource access authority grouping equipment of the application, the equipment further includes a query device, for obtaining, after resources whose number of levels falls within the same threshold interval are assigned to the same resource index, a request to query the access authority of the user grouping corresponding to some child resource; determining the parent resource of the child resource to be queried according to the request; and obtaining, according to the resource index value corresponding to the child resource to be queried and its parent resource, the user groupings under the child resource to be queried and its parent resource.
In one embodiment of the resource access authority grouping equipment of the application, the query device is also used for showing, in a tree structure, the user groupings under the child resource to be queried and its parent resource, together with the access authority of the resource corresponding to each user grouping.
In one embodiment of the resource access authority grouping equipment of the application, the resource and user grouping device is used for establishing a corresponding relationship between one user grouping and only one resource.
In one embodiment of the resource access authority grouping equipment of the application, the user grouping and access authority device is used for establishing a corresponding relationship between one user grouping and the access authority of only one resource.
In one embodiment of the resource access authority grouping equipment of the application, the user grouping and access authority device is used for, when the same resource corresponds to at least two user groupings, making the access authorities of the same resource respectively corresponding to each of the at least two user groupings different.
In one embodiment of the resource access authority grouping equipment of the application, the user grouping includes at least one user subgroup, and the user subgroup includes at least one user.
According to another aspect of the application, a computing-based equipment is also provided, including:
A processor; and
A memory arranged to store computer executable instructions which, when executed, cause the processor to:
Establish the corresponding relationship between resource and user grouping, the user grouping including at least one user;
Establish the corresponding relationship between the user grouping and the access authority of the resource corresponding to it;
After establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it, obtain the number of levels of the parent resource and child resource in the resource, wherein the resource includes at least two levels of parent resource and the child resources under the parent resource;
According to the number of levels of the parent resource and child resource, establish the corresponding relationship between the parent resource and/or child resource and a resource index value, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
According to another aspect of the application, a computer readable storage medium is also provided, on which computer executable instructions are stored, wherein the computer executable instructions, when executed by a processor, cause the processor to:
Establish the corresponding relationship between resource and user grouping, the user grouping including at least one user;
Establish the corresponding relationship between the user grouping and the access authority of the resource corresponding to it;
After establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it, obtain the number of levels of the parent resource and child resource in the resource, wherein the resource includes at least two levels of parent resource and the child resources under the parent resource;
According to the number of levels of the parent resource and child resource, establish the corresponding relationship between the parent resource and/or child resource and a resource index value, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
For the details of each embodiment of the above equipment and computer readable storage medium, refer to the corresponding parts of the method embodiments; they are not repeated here.
Obviously, those skilled in the art can make various modifications and variations to the application without departing from the spirit and scope of the application. Thus, if these modifications and variations of the application fall within the scope of the claims of the application and their equivalent technologies, the application is also intended to include these modifications and variations.
It should be noted that the application can be implemented in software and/or a combination of software and hardware, for example, using an application-specific integrated circuit (ASIC), a general purpose computer or any other similar hardware device. In one embodiment, the software program of the application can be executed by a processor to implement the steps or functions described above. Similarly, the software program of the application (including relevant data structures) can be stored in a computer readable recording medium, for example, a RAM memory, a magnetic or optical drive, a floppy disk or similar devices. In addition, some steps or functions of the application may be implemented in hardware, for example, as a circuit that cooperates with the processor to execute each step or function.
In addition, a part of the application can be applied as a computer program product, such as computer program instructions which, when executed by a computer, can invoke or provide the method and/or technical solution according to the application through the operation of the computer. The program instructions that invoke the method of the application may be stored in a fixed or removable recording medium, and/or transmitted through a data stream in broadcast or other signal-bearing media, and/or stored in the working memory of a computer device that runs according to the program instructions. Here, one embodiment of the application includes a device that includes a memory for storing computer program instructions and a processor for executing the program instructions, wherein, when the computer program instructions are executed by the processor, the device is triggered to run the methods and/or technical solutions based on the aforementioned embodiments of the application.
It is obvious to a person skilled in the art that the application is not limited to the details of the above exemplary embodiments, and that the application can be realized in other specific forms without departing from the spirit or essential characteristics of the application. Therefore, from whichever point of view, the embodiments are to be considered illustrative and not restrictive, and the scope of the application is limited by the appended claims rather than by the above description; all changes that fall within the meaning and scope of the equivalent elements of the claims are therefore intended to be included in the application. Any reference sign in the claims should not be construed as limiting the claim concerned. In addition, the word "comprising" obviously does not exclude other units or steps, and the singular does not exclude the plural. Multiple units or devices stated in a device claim can also be implemented by one unit or device through software or hardware. Words such as first and second are used to indicate names and do not indicate any particular order.
Claims (12)
1. A resource access authority grouping method, wherein the method comprises:
Establishing the corresponding relationship between resource and user grouping, the user grouping including at least one user;
Establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it;
Obtaining the number of levels of the parent resource and child resource in the resource, wherein the resource includes at least two levels of parent resource and the child resources under the parent resource;
According to the number of levels of the parent resource and child resource, establishing the corresponding relationship between the parent resource and/or child resource and a resource index value, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
2. The method according to claim 1, wherein, after establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it, the method further comprises:
Obtaining a request to add and/or delete a user in the user grouping;
According to the add and/or delete request, adding and/or deleting the corresponding user in the corresponding user grouping.
3. The method according to claim 1, wherein, when the resource corresponding to the user grouping is a parent resource, establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it comprises:
Establishing the corresponding relationship between the user grouping and the access authority of the parent resource corresponding to it;
Establishing the corresponding relationship between the user grouping and the access authority of the child resources under the parent resource corresponding to it.
4. The method according to claim 1, wherein, after resources whose number of levels falls within the same threshold interval are assigned to the same resource index, the method further comprises:
Obtaining a request to query the access authority of the user grouping corresponding to some child resource;
Determining the parent resource of the child resource to be queried according to the request;
According to the resource index value corresponding to the child resource to be queried and its parent resource, obtaining the user groupings under the child resource to be queried and its parent resource.
5. The method according to claim 4, wherein, after obtaining the access authority of the resource corresponding to the user grouping under the child resource to be queried and its parent resource, the method further comprises:
Showing, in a tree structure, the user groupings under the child resource to be queried and its parent resource, and the access authority of the resource corresponding to each user grouping.
6. The method according to claim 1, wherein, in establishing the corresponding relationship between resource and user grouping,
One user grouping establishes a corresponding relationship with only one resource.
7. The method according to claim 6, wherein, in establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it,
One user grouping establishes a corresponding relationship with the access authority of only one resource.
8. The method according to claim 7, wherein, in establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it,
When the same resource corresponds to at least two user groupings, the access authorities of the same resource corresponding to each of the at least two user groupings are different.
9. The method according to claim 1, wherein the user grouping includes at least one user subgroup, and the user subgroup includes at least one user.
10. A resource access authority grouping equipment, wherein the equipment comprises:
A resource and user grouping device, for establishing the corresponding relationship between resource and user grouping, the user grouping including at least one user;
A user grouping and access authority device, for establishing the corresponding relationship between the user grouping and the access authority of the resource corresponding to it;
An index value device, for obtaining the number of levels of the parent resource and child resource in the resource, wherein the resource includes at least two levels of parent resource and the child resources under the parent resource;
And for establishing, according to the number of levels of the parent resource and child resource, the corresponding relationship between the parent resource and/or child resource and a resource index value, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
11. A computing-based equipment, comprising:
A processor; and
A memory arranged to store computer executable instructions which, when executed, cause the processor to:
Establish the corresponding relationship between resource and user grouping, the user grouping including at least one user;
Establish the corresponding relationship between the user grouping and the access authority of the resource corresponding to it;
Obtain the number of levels of the parent resource and child resource in the resource, wherein the resource includes at least two levels of parent resource and the child resources under the parent resource;
According to the number of levels of the parent resource and child resource, establish the corresponding relationship between the parent resource and/or child resource and a resource index value, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
12. A computer readable storage medium on which computer executable instructions are stored, wherein the computer executable instructions, when executed by a processor, cause the processor to:
Establish the corresponding relationship between resource and user grouping, the user grouping including at least one user;
Establish the corresponding relationship between the user grouping and the access authority of the resource corresponding to it;
Obtain the number of levels of the parent resource and child resource in the resource, wherein the resource includes at least two levels of parent resource and the child resources under the parent resource;
According to the number of levels of the parent resource and child resource, establish the corresponding relationship between the parent resource and/or child resource and a resource index value, wherein parent resources and/or child resources whose number of levels falls within the same threshold interval correspond to the same resource index value.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711031968.0A CN109726579B (en) | 2017-10-27 | 2017-10-27 | Resource access authority grouping method and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109726579A (en) | 2019-05-07 |
CN109726579B (en) | 2023-04-28 |
Family
ID=66291200
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201711031968.0A Active CN109726579B (en) | 2017-10-27 | 2017-10-27 | Resource access authority grouping method and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109726579B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |