CN110365715A - Method and device for determining multi-tenant operation permissions - Google Patents
- Publication number: CN110365715A
- Application number: CN201910790435.3A
- Authority: CN (China)
- Prior art keywords: user, role, mapping relations, menu, operating right
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- H04L63/105—Multiple levels of security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
The present invention provides a method and device for determining multi-tenant operation permissions. The method comprises: obtaining the user identifier of a user; obtaining the first operations corresponding to the user according to the user identifier, the mapping between user identifiers and roles, and the mapping between roles and the first operations corresponding to those roles; obtaining the second operations corresponding to the user according to the user identifier and the mapping between user identifiers and second operations; and determining the union of the user's first operations and the user's second operations as the operation permissions of the user. Through role assignment, the method and device complete batch, rapid authorization for the users under the same role and improve the efficiency with which system administrators assign permissions.
Description
Technical field
The present invention relates to the field of data management, and more particularly to a method and device for determining multi-tenant operation permissions.
Background art
The permission management model in common use today is role-based: permissions are assigned and managed through roles. Its advantage is that user permissions can be assigned and managed in batches. However, a user's permissions are tied too closely to the role, so permission assignment cannot be personalized.
The alternative, purely user-based permission control, means that one complete authorization process settles the permission assignment of only one employee, which leads to an excessive assignment workload and highly redundant data.
Some enterprises, in order to achieve flexible permission management, have had to build customized permission management systems, which increases development difficulty and consumes a large amount of manpower and material resources.
In summary, users urgently need a permission management model that is both simple and flexible.
Summary of the invention
Problem of the prior art: a user's permissions are tied too closely to the role, so permission assignment cannot be personalized.
In view of these defects in the prior art, in a first aspect the present invention provides a method for determining multi-tenant operation permissions, the method comprising:
Obtaining the user identifier of a user;
Obtaining the first operations corresponding to the user according to the user identifier of the user, the mapping between user identifiers and user roles, and the mapping between user roles and the first operations corresponding to those roles;
Obtaining the second operations corresponding to the user according to the user identifier of the user and the mapping between the user identifier and second operations;
Determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user.
Further, the mapping between the role and the first operations corresponding to the role includes:
The mapping between the role and a first menu, and the mapping between the first menu and the first operations.
Further, the mapping between the role and the first menu includes:
The mapping between the role and a menu directory, and the mapping between the menu directory and the first menu.
Further, the second operations corresponding to the user include: a permission modification instruction that adds to or removes from the first operations corresponding to the user;
Determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user comprises:
Adding to or removing from the first operations corresponding to the user according to the permission modification instruction, to obtain the operation permissions of the user.
Further, the mapping between the user identifier and the second operations includes:
The mapping between the user identifier and a second menu, and the mapping between the second menu and the second operations.
Further, the mapping between the user identifier and the second menu includes:
The mapping between the user identifier and a second menu directory, and the mapping between the second menu directory and the second menu.
In a second aspect, the present invention provides a device for determining multi-tenant operation permissions, the device comprising:
An obtaining module, configured to obtain the user identifier of a user;
A first operation module, configured to obtain the first operations corresponding to the user according to the user identifier of the user, the mapping between user identifiers and user roles, and the mapping between user roles and the first operations corresponding to those roles;
A second operation module, configured to obtain the second operations corresponding to the user according to the user identifier of the user and the mapping between the user identifier and second operations;
A merging module, configured to determine the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user.
Further, the mapping between the role and the first operations corresponding to the role includes:
The mapping between the role and a first menu, and the mapping between the menu and the first operations.
Further, the mapping between the role and the menu includes:
The mapping between the role and a menu directory, and the mapping between the menu directory and the menu.
Further, the second operations corresponding to the user include: a permission modification instruction that adds to or removes from the first operations corresponding to the user;
Determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user comprises:
Adding to or removing from the first operations corresponding to the user according to the permission modification instruction, to obtain the operation permissions of the user.
The beneficial effects of the present invention are as follows:
Through role assignment, the method and device complete batch, rapid authorization for the users under the same role and improve the efficiency with which system administrators assign permissions.
Through the user permission assignment module, personalized permission assignment is completed for special users, breaking free of the limits of role-dependent permission assignment, so that different users of the same role see different content.
By granting region information to users in the form of user privileges, administrators of different regions who hold the same role see different information, which achieves precise permission control.
Description of the drawings
Fig. 1 is a flow diagram of a method for determining multi-tenant operation permissions according to the present invention;
Fig. 2 is a structural diagram of a device for determining multi-tenant operation permissions according to the present invention.
Specific embodiment
In the following description, for purposes of explanation and not limitation, specific details such as particular device structures, interfaces and techniques are set forth in order to provide a thorough understanding of the present invention. However, it will be clear to those skilled in the art that the present invention may also be practiced in other embodiments that lack these specific details. In other instances, detailed descriptions of well-known devices, circuits and methods are omitted so that unnecessary detail does not obscure the description of the present invention.
As shown in Fig. 1, the present invention provides a method for determining multi-tenant operation permissions, the method comprising:
S1: obtaining the user identifier of a user;
S2: obtaining the first operations corresponding to the user according to the user identifier of the user, the mapping between user identifiers and user roles, and the mapping between user roles and the first operations corresponding to those roles;
S3: obtaining the second operations corresponding to the user according to the user identifier of the user and the mapping between the user identifier and second operations;
S4: determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user.
Multi-tenant operation permission management concerns how to share the same system or program components in a multi-user environment while still ensuring that data is isolated between users. That is, multiple tenants can share one program, but their data resources are isolated from one another.
In the present invention, "multi-tenant" simply refers to several users.
The role-based permission assignment method is designed to meet two functional requirements. The first is user-role assignment for a single role with multiple users or for multiple roles with multiple users: a role object is selected first, then the user objects associated with that role object are selected, which establishes the association between the role and the users and completes fast, batch permission assignment. The second is assigning permission content to a newly added role type: the original menu directory, menu and menu operation permission information is assigned to the newly created role object, which associates the role object with the original permission information; once the role has been created, it can be associated with users.
The user-based permission assignment method supplements the role-based batch permission management. This method takes the user as the basis for assignment. After the special user has been obtained, the user's role information is modified first, which completes the permission assignment of a single user associated with multiple roles. The user is then linked to the original menu directory, menu and menu operation permission information; by associating the user directly with permission information, the user's exclusive privileges are established. Moreover, permissions that the user obtains through roles can also be restricted in the authorization table, either by changing their state or by inserting the permission and then assigning it a special state. This refines the granularity of permission division from the role level down to smaller units of permission data and realizes personalized, user-based permission configuration.
The menu can be understood as a file under a user's operation permission system, and the menu directory can be understood as the folder corresponding to the menu files under that system.
The present invention provides a method for flexibly implementing multi-tenant management. The method establishes the association between user and role by linking the user identifier with the role identifier;
It establishes the association between directory and role through the menu directory identifier and the role identifier.
Then, through the menu directories associated with the role, the menus under the directories that the role owns are assigned, and the role's menu directories are linked with menu operation identifiers. This completes the associations between role and directory, role and menu, and role and operation, and so establishes the indirect associations between role and directory, role and menu, and role and operation.
On the other hand, the method of the present invention also links the user identifier directly with directories, directly with menus and directly with operations, which completes the direct association of the user with directories, menus and operations.
Finally, the method of the present invention takes the union of the menu directory, menu and operation permissions that the user obtains directly and those that the user obtains indirectly.
The present invention realizes batch management of permissions after user-role assignment, and also realizes personalized permission assignment for individual users through explicit user permission management. Privileges also enhance the extensibility of permissions, giving highly flexible, highly extensible multi-tenant management.
In some illustrative embodiments, the mapping between the role and the first operations corresponding to the role includes:
The mapping between the role and a first menu, and the mapping between the first menu and the first operations.
In some illustrative embodiments, the mapping between the role and the first menu includes:
The mapping between the role and a menu directory, and the mapping between the menu directory and the first menu.
In some illustrative embodiments, the second operations corresponding to the user include: a permission modification instruction that adds to or removes from the first operations corresponding to the user;
Determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user comprises:
Adding to or removing from the first operations corresponding to the user according to the permission modification instruction, to obtain the operation permissions of the user.
In some illustrative embodiments, the mapping between the user identifier and the second operations includes:
The mapping between the user identifier and a second menu, and the mapping between the second menu and the second operations.
In some illustrative embodiments, the mapping between the user identifier and the second menu includes:
The mapping between the user identifier and a second menu directory, and the mapping between the second menu directory and the second menu.
The beneficial effects of the method are as follows:
Through role assignment, the method and device complete batch, rapid authorization for the users under the same role and improve the efficiency with which system administrators assign permissions.
Through the user permission assignment module, personalized permission assignment is completed for special users, breaking free of the limits of role-dependent permission assignment, so that different users of the same role see different content.
By granting region information to users in the form of user privileges, administrators of different regions who hold the same role see different information, which achieves precise permission control.
The first operation is the operation type of general permissions, and the second operation is the operation type of special permissions.
The first menu is the file type of general permissions, and the second menu is the file type of special permissions.
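Steps S1 to S4 together with the add/remove modification instruction, as an added Python example (not code from the patent). The table names, the per-tenant `TenantPolicy` object, the `(menu, operation)` permission tuple, the sample data and the rule that removals are applied last are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Permission = Tuple[str, str]  # (menu, operation); representation assumed here


@dataclass
class TenantPolicy:
    """Mapping tables for ONE tenant; tenants never share an instance."""
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    role_dirs: Dict[str, Set[str]] = field(default_factory=dict)  # role -> menu directories
    user_dirs: Dict[str, Set[str]] = field(default_factory=dict)  # user -> menu directories
    dir_menus: Dict[str, Set[str]] = field(default_factory=dict)
    menu_ops: Dict[str, Set[str]] = field(default_factory=dict)
    # Permission modification instructions: ("add" | "remove", permission)
    user_mods: Dict[str, List[Tuple[str, Permission]]] = field(default_factory=dict)


def _expand(policy: TenantPolicy, directories: Iterable[str]) -> Set[Permission]:
    """Follow menu directory -> menu -> operation, the chain both paths share."""
    return {(menu, op)
            for d in directories
            for menu in policy.dir_menus.get(d, ())
            for op in policy.menu_ops.get(menu, ())}


def role_permissions(policy: TenantPolicy, user_id: str) -> Set[Permission]:
    """S2: 'first operations', reached through the user's roles."""
    dirs: Set[str] = set()
    for role in policy.user_roles.get(user_id, ()):
        dirs |= policy.role_dirs.get(role, set())
    return _expand(policy, dirs)


def direct_permissions(policy: TenantPolicy, user_id: str) -> Set[Permission]:
    """S3: 'second operations', mapped from the user identifier itself."""
    return _expand(policy, policy.user_dirs.get(user_id, ()))


def effective_permissions(policy: TenantPolicy, user_id: str) -> FrozenSet[Permission]:
    """S4: union of both paths, adjusted by the user's modification instructions."""
    perms = role_permissions(policy, user_id) | direct_permissions(policy, user_id)
    mods = policy.user_mods.get(user_id, ())
    for action, perm in mods:
        if action not in ("add", "remove"):
            raise ValueError(f"unknown modification instruction: {action!r}")
        if action == "add":
            menu, op = perm
            if op not in policy.menu_ops.get(menu, ()):
                raise ValueError(f"cannot add undefined permission: {perm!r}")
            perms.add(perm)
    # Assumption of this example: removals run last, so a revoke always wins
    # even when the same permission is also granted directly or by an "add".
    perms -= {perm for action, perm in mods if action == "remove"}
    return frozenset(perms)


def is_allowed(tenants: Dict[str, TenantPolicy], tenant_id: str,
               user_id: str, menu: str, operation: str) -> bool:
    """Fail closed: an unknown tenant or user has no permissions."""
    policy = tenants.get(tenant_id)
    if policy is None:
        return False
    return (menu, operation) in effective_permissions(policy, user_id)


# Constructed sample data (not from the patent). The user id "alice" exists
# in both tenants but resolves against separate tables.
TENANTS = {
    "acme": TenantPolicy(
        user_roles={"alice": {"clerk"}, "bob": {"clerk"}},
        role_dirs={"clerk": {"sales"}},
        user_dirs={"alice": {"reports"}, "bob": {"sales"}},
        dir_menus={"sales": {"orders"}, "reports": {"regional_report"}},
        menu_ops={"orders": {"view", "create"},
                  "regional_report": {"view", "export"}},
        user_mods={"bob": [("remove", ("orders", "create"))]},
    ),
    "globex": TenantPolicy(
        user_roles={"alice": {"viewer"}},
        role_dirs={"viewer": {"sales"}},
        dir_menus={"sales": {"orders"}},
        menu_ops={"orders": {"view"}},
    ),
}

if __name__ == "__main__":
    for tenant, user in [("acme", "alice"), ("acme", "bob"), ("globex", "alice")]:
        print(tenant, user, sorted(effective_permissions(TENANTS[tenant], user)))
```

In the sample data `bob` holds the same role as `alice` and even has `sales` granted directly, yet the removal instruction still takes `("orders", "create")` away from him.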
As shown in Fig. 2, the present invention also provides a device for determining multi-tenant operation permissions, the device comprising:
An obtaining module 100, configured to obtain the user identifier of a user;
A first operation module 200, configured to obtain the first operations corresponding to the user according to the user identifier of the user, the mapping between user identifiers and user roles, and the mapping between user roles and the first operations corresponding to those roles;
A second operation module 300, configured to obtain the second operations corresponding to the user according to the user identifier of the user and the mapping between the user identifier and second operations;
A merging module 400, configured to determine the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user.
In some illustrative embodiments, the mapping between the role and the first operations corresponding to the role includes:
The mapping between the role and a first menu, and the mapping between the menu and the first operations.
In some illustrative embodiments, the mapping between the role and the menu includes:
The mapping between the role and a menu directory, and the mapping between the menu directory and the menu.
In some illustrative embodiments, the second operations corresponding to the user include: a permission modification instruction that adds to or removes from the first operations corresponding to the user;
Determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user comprises:
Adding to or removing from the first operations corresponding to the user according to the permission modification instruction, to obtain the operation permissions of the user.
A single program, registered for use by multiple enterprises or users, creates multiple sets of permission data and resources. The program is shared but the tenants are mutually isolated, so that they keep what they have in common while the uniqueness of each tenant is also satisfied.
It will be clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the system, device and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, device and method may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of this application may be integrated in one processing unit, each unit may exist physically on its own, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application in essence, or the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The computer software product is stored in a storage medium and includes several instructions that cause a computer device (which may be a personal computer, a logistics management server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of this application. The aforementioned storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM), random access memory (RAM), a magnetic disk or an optical disc.
The above embodiments are only intended to illustrate the technical solutions of this application, not to limit them. Although the application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some of their technical features may be replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.
Claims (10)
1. A method for determining multi-tenant operation permissions, characterized in that the method comprises:
Obtaining the user identifier of a user;
Obtaining the first operations corresponding to the user according to the user identifier of the user, the mapping between user identifiers and user roles, and the mapping between user roles and the first operations corresponding to those roles;
Obtaining the second operations corresponding to the user according to the user identifier of the user and the mapping between the user identifier and second operations;
Determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user.
2. The method for determining multi-tenant operation permissions according to claim 1, characterized in that the mapping between the role and the first operations corresponding to the role includes:
The mapping between the role and a first menu, and the mapping between the first menu and the first operations.
3. The method for determining multi-tenant operation permissions according to claim 2, characterized in that the mapping between the role and the first menu includes:
The mapping between the role and a menu directory, and the mapping between the menu directory and the first menu.
4. The method for determining multi-tenant operation permissions according to any one of claims 1-3, characterized in that the second operations corresponding to the user include: a permission modification instruction that adds to or removes from the first operations corresponding to the user;
Determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user comprises:
Adding to or removing from the first operations corresponding to the user according to the permission modification instruction, to obtain the operation permissions of the user.
5. The method for determining multi-tenant operation permissions according to claim 4, characterized in that the mapping between the user identifier and the second operations includes:
The mapping between the user identifier and a second menu, and the mapping between the second menu and the second operations.
6. The method for determining multi-tenant operation permissions according to claim 5, characterized in that the mapping between the user identifier and the second menu includes:
The mapping between the user identifier and a second menu directory, and the mapping between the second menu directory and the second menu.
7. A device for determining multi-tenant operation permissions, characterized in that the device comprises:
An obtaining module, configured to obtain the user identifier of a user;
A first operation module, configured to obtain the first operations corresponding to the user according to the user identifier of the user, the mapping between user identifiers and user roles, and the mapping between user roles and the first operations corresponding to those roles;
A second operation module, configured to obtain the second operations corresponding to the user according to the user identifier of the user and the mapping between the user identifier and second operations;
A merging module, configured to determine the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user.
8. The device for determining multi-tenant operation permissions according to claim 7, characterized in that the mapping between the role and the first operations corresponding to the role includes:
The mapping between the role and a first menu, and the mapping between the menu and the first operations.
9. The device for determining multi-tenant operation permissions according to claim 8, characterized in that the mapping between the role and the menu includes:
The mapping between the role and a menu directory, and the mapping between the menu directory and the menu.
10. The device for determining multi-tenant operation permissions according to any one of claims 7-9, characterized in that the second operations corresponding to the user include: a permission modification instruction that adds to or removes from the first operations corresponding to the user;
Determining the union of the first operations corresponding to the user and the second operations corresponding to the user as the operation permissions of the user comprises:
Adding to or removing from the first operations corresponding to the user according to the permission modification instruction, to obtain the operation permissions of the user.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910790435.3A CN110365715A (en) | 2019-08-26 | 2019-08-26 | A kind of multi-tenant operating right determines method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910790435.3A CN110365715A (en) | 2019-08-26 | 2019-08-26 | A kind of multi-tenant operating right determines method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110365715A true CN110365715A (en) | 2019-10-22 |
Family
ID=68224336
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910790435.3A Pending CN110365715A (en) | 2019-08-26 | 2019-08-26 | A kind of multi-tenant operating right determines method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110365715A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20191022 |