CN110365715A - A kind of multi-tenant operating right determines method and device - Google Patents


Info

Publication number
CN110365715A
Authority
CN
China
Prior art keywords
user
role
mapping relations
menu
operating right
Legal status
Pending
Application number
CN201910790435.3A
Other languages
Chinese (zh)
Inventor
马晓璐
Current Assignee
Beijing Si Tech Information Technology Co Ltd
Original Assignee
Beijing Si Tech Information Technology Co Ltd
Priority date
2019-08-26
Filing date
2019-08-26
Publication date
2019-10-22

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/102 Entity profiles
    • H04L63/105 Multiple levels of security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a multi-tenant operating right determination method and device. The method comprises: obtaining the user identifier of a user; obtaining the first operation corresponding to the user according to the user identifier, the mapping relation between user identifiers and roles, and the mapping relation between roles and the first operation corresponding to each role; obtaining the second operation corresponding to the user according to the user identifier and the mapping relation between user identifiers and the second operation; and determining the union of the user's first operation and second operation as the operating right of the user. The method and device distribute rights by role, so that the users under the same role are authorized in batch and quickly, which improves the efficiency with which a system administrator distributes rights.

Description

A kind of multi-tenant operating right determines method and device
Technical field
The present invention relates to the field of data management, and in particular to a multi-tenant operating right determination method and device.
Background technique
The permission management model in common use today is role-based: permissions are distributed and managed through roles. The advantage of this approach is that user permissions can be distributed in batch; however, a user's permissions are then strictly limited to the role, and the distribution of permission information cannot be personalized.
Another approach, pure user-based permission control, can only complete the permission distribution of a single employee per full authorization process, which brings an excessive permission-distribution workload and redundant data.
Some enterprises, in order to achieve flexible rights management, have to build customized rights management systems, which increases development difficulty and consumes considerable manpower and material resources.
In summary, users urgently need a permission management model that is both simple and flexible.
Summary of the invention
Problem of the existing technology: a user's permissions are excessively limited to the role, and the distribution of permission information cannot be personalized.
In view of the defects in the prior art, in a first aspect the present invention provides a multi-tenant operating right determination method, comprising:
obtaining the user identifier of a user;
obtaining the first operation corresponding to the user according to the user identifier, the mapping relation between user identifiers and user roles, and the mapping relation between user roles and the first operation corresponding to each role;
obtaining the second operation corresponding to the user according to the user identifier and the mapping relation between user identifiers and the second operation;
determining the union of the first operation and the second operation corresponding to the user as the operating right of the user.
Further, the mapping relation between a role and the first operation corresponding to the role comprises:
the mapping relation between the role and a first menu, and the mapping relation between the first menu and the first operation.
Further, the mapping relation between the role and the first menu comprises:
the mapping relation between the role and a menu directory, and the mapping relation between the menu directory and the first menu.
Further, the second operation corresponding to the user comprises a permission modification instruction that adds to or removes from the first operation corresponding to the user;
and determining the union of the first operation and the second operation corresponding to the user as the operating right of the user comprises:
adding to or removing from the first operation corresponding to the user according to the permission modification instruction, to obtain the operating right of the user.
Further, the mapping relation between the user identifier and the second operation comprises:
the mapping relation between the user identifier and a second menu, and the mapping relation between the second menu and the second operation.
Further, the mapping relation between the user identifier and the second menu comprises:
the mapping relation between the user identifier and a second menu directory, and the mapping relation between the second menu directory and the second menu.
In a second aspect, the present invention provides a multi-tenant operating right determination device, comprising:
an obtaining module, for obtaining the user identifier of a user;
a first operation module, for obtaining the first operation corresponding to the user according to the user identifier, the mapping relation between user identifiers and user roles, and the mapping relation between user roles and the first operation corresponding to each role;
a second operation module, for obtaining the second operation corresponding to the user according to the user identifier and the mapping relation between user identifiers and the second operation;
a merging module, for determining the union of the first operation and the second operation corresponding to the user as the operating right of the user.
Further, the mapping relation between a role and the first operation corresponding to the role comprises:
the mapping relation between the role and a first menu, and the mapping relation between the menu and the first operation.
Further, the mapping relation between the role and the menu comprises:
the mapping relation between the role and a menu directory, and the mapping relation between the menu directory and the menu.
Further, the second operation corresponding to the user comprises a permission modification instruction that adds to or removes from the first operation corresponding to the user;
and determining the union of the first operation and the second operation corresponding to the user as the operating right of the user comprises:
adding to or removing from the first operation corresponding to the user according to the permission modification instruction, to obtain the operating right of the user.
The beneficial effects of the present invention are:
The method and device distribute rights by role, so that the users under the same role are authorized in batch and quickly, which improves the efficiency with which a system administrator distributes rights.
Through the user right distribution module, personalized right distribution for a particular user is completed, which removes the limitation of rights being fixed to a role, so that different users with the same role can see different content.
By granting regional information to a user as a user privilege, users with the same role but different regional management rights see different information, achieving precise permission control.
Detailed description of the invention
Fig. 1 is a flow diagram of the multi-tenant operating right determination method of the invention;
Fig. 2 is a structural schematic diagram of the multi-tenant operating right determination device of the invention.
Specific embodiment
In the following description, for purposes of explanation and not limitation, specific details such as equipment structure, interfaces and techniques are set forth to provide a thorough understanding of the present invention. However, it will be clear to those skilled in the art that the present invention may also be implemented in other embodiments that depart from these specific details. In other cases, detailed descriptions of well-known devices, circuits and methods are omitted so that unnecessary detail does not obscure the description of the invention.
As shown in Figure 1, the present invention provides a multi-tenant operating right determination method, comprising:
S1: obtaining the user identifier of a user;
S2: obtaining the first operation corresponding to the user according to the user identifier, the mapping relation between user identifiers and user roles, and the mapping relation between user roles and the first operation corresponding to each role;
S3: obtaining the second operation corresponding to the user according to the user identifier and the mapping relation between user identifiers and the second operation;
S4: determining the union of the first operation and the second operation corresponding to the user as the operating right of the user.
Multi-tenant operating rights address how the same system or program components can be shared in a multi-user environment while the data of each user is still kept isolated: multiple tenants share one set of program code, yet their data resources remain isolated from one another.
In the present invention, multi-tenant simply refers to multiple users.
In the role-based right distribution method, two functions are designed. The first is user-role distribution for a single role with multiple users, or multiple roles with multiple users: a role object is selected first, then the user objects to be associated with that role are selected, and the association between the role and the users is established, completing batch right distribution quickly. The second is assigning right content to a newly added role type: the original menu directory, menu and menu operation right information is distributed to the newly created role object, establishing the association between the role object and the raw right information, so that once the role is created it can be associated with users.
The user-based right distribution method supplements the batch right management of the role-based method. This method takes the user as the basis for distribution: after the particular user is obtained, the user's role information is modified first, which completes right distribution for the multiple roles associated with a single user; then the user is linked to the original menu directory, menu and menu operation right information, and by linking the user directly to the right information the user's exclusive privileges are completed. Moreover, a right the user obtains through a role can also be restricted by changing the state of that right in the authorization table, or by inserting the right and then assigning it a special state. By reducing the granularity of right division from the role to the smaller unit of right data, personalized right configuration based on the user is achieved.
The menu can be understood as a file under the user operating right system, and the menu directory as the folder that contains menu files under that system.
The present invention provides a method for flexibly achieving multi-tenant management. The method establishes the association between user and role through the link between the user identifier and the role identifier;
it establishes the association between directory and role through the menu directory identifier and the role identifier.
Then, through the menus associated with the role and the directories allocated under them, links are established via the role, menu directory, menu and menu operation identifiers, completing the association of role with directory, role with menu and role with operation, so that the indirect association between the role and the directory, the menu and the operation is established.
On the other hand, the flexible multi-tenant management method of the invention also establishes the user's direct link to directory, menu and operation through the direct links between the user identifier and the directory, the menu and the operation.
Finally, the method of the invention takes the union of the menu directory, menu and operation rights the user obtains directly and the menu directory, menu and operation rights the user obtains indirectly.
The present invention achieves batch management of rights after user role distribution, and also achieves personalized user right distribution through explicit user right management. It enhances the extensibility of rights through privileges, achieving multi-tenant management with high flexibility and high extensibility.
In some illustrative embodiments, the mapping relation between a role and the first operation corresponding to the role comprises:
the mapping relation between the role and a first menu, and the mapping relation between the first menu and the first operation.
In some illustrative embodiments, the mapping relation between the role and the first menu comprises:
the mapping relation between the role and a menu directory, and the mapping relation between the menu directory and the first menu.
In some illustrative embodiments, the second operation corresponding to the user comprises a permission modification instruction that adds to or removes from the first operation corresponding to the user;
and determining the union of the first operation and the second operation corresponding to the user as the operating right of the user comprises:
adding to or removing from the first operation corresponding to the user according to the permission modification instruction, to obtain the operating right of the user.
In some illustrative embodiments, the mapping relation between the user identifier and the second operation comprises:
the mapping relation between the user identifier and a second menu, and the mapping relation between the second menu and the second operation.
In some illustrative embodiments, the mapping relation between the user identifier and the second menu comprises:
the mapping relation between the user identifier and a second menu directory, and the mapping relation between the second menu directory and the second menu.
The beneficial effects of the method are:
The method and device distribute rights by role, so that the users under the same role are authorized in batch and quickly, which improves the efficiency with which a system administrator distributes rights.
Through the user right distribution module, personalized right distribution for a particular user is completed, which removes the limitation of rights being fixed to a role, so that different users with the same role can see different content.
By granting regional information to a user as a user privilege, users with the same role but different regional management rights see different information, achieving precise permission control.
The first operation is the operation type of a general right, and the second operation is the operation type of a particular (user-specific) right.
The first menu is the file type of a general right, and the second menu is the file type of a particular (user-specific) right.
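The resolution the method describes (role path for the first operation, user path and modification instructions for the second, then the union), as an added Python example that is not part of the patent. The mapping relations are constructed in-memory sample tables, and the (menu directory, menu, operation) triple and the ("add" | "remove", triple) instruction format are assumptions of this example.

```python
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Permission = Tuple[str, str, str]   # (menu directory, menu, operation)
Instruction = Tuple[str, Permission]  # ("add" | "remove", permission)

# Constructed sample mapping relations (in-memory stand-ins for the tables the patent describes).
USER_ROLES: Dict[str, Set[str]] = {"alice": {"auditor"}, "bob": {"auditor"}}
ROLE_DIRECTORIES: Dict[str, Set[str]] = {"auditor": {"reports"}}         # role -> menu directories
DIRECTORY_MENUS: Dict[str, Set[str]] = {"reports": {"monthly", "annual"},
                                        "finance": {"billing"}}          # directory -> menus
MENU_OPERATIONS: Dict[str, Set[str]] = {"monthly": {"view", "export"},
                                        "annual": {"view"},
                                        "billing": {"view", "refund"}}   # menu -> operations
USER_DIRECTORIES: Dict[str, Set[str]] = {"bob": {"finance"}}             # user -> direct directories
USER_INSTRUCTIONS: Dict[str, List[Instruction]] = {                      # user -> modification instructions
    "alice": [("remove", ("reports", "monthly", "export")),
              ("add", ("finance", "billing", "view"))],
    "bob": [("remove", ("reports", "annual", "view"))],
}


def is_defined(perm: Permission) -> bool:
    """True if the triple is consistent with the directory/menu/operation tables."""
    directory, menu, operation = perm
    return (menu in DIRECTORY_MENUS.get(directory, set())
            and operation in MENU_OPERATIONS.get(menu, set()))


def expand(directories: Iterable[str]) -> Set[Permission]:
    """Walk directory -> menu -> operation and return every reachable permission triple."""
    perms: Set[Permission] = set()
    for directory in directories:
        for menu in DIRECTORY_MENUS.get(directory, set()):
            for operation in MENU_OPERATIONS.get(menu, set()):
                perms.add((directory, menu, operation))
    return perms


def role_permissions(user: str) -> Set[Permission]:
    """First operation: user -> roles -> menu directories -> menus -> operations."""
    perms: Set[Permission] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= expand(ROLE_DIRECTORIES.get(role, set()))
    return perms


def direct_permissions(user: str) -> Set[Permission]:
    """Second operation, direct part: user -> second menu directories -> menus -> operations."""
    return expand(USER_DIRECTORIES.get(user, set()))


def apply_instructions(perms: Set[Permission], instructions: Iterable[Instruction]) -> Set[Permission]:
    """Apply add/remove modification instructions to a copy of the role-derived set.

    An instruction naming a triple the tables do not define is a configuration error
    and is rejected rather than silently granting or ignoring it.
    """
    result = set(perms)
    for action, perm in instructions:
        if not is_defined(perm):
            raise ValueError(f"instruction references undefined permission {perm}")
        if action == "add":
            result.add(perm)
        elif action == "remove":
            result.discard(perm)
        else:
            raise ValueError(f"unknown instruction {action!r}")
    return result


def effective_permissions(user: str) -> FrozenSet[Permission]:
    """Union of the modified role-derived set and the direct grants; an unknown user gets nothing."""
    modified = apply_instructions(role_permissions(user), USER_INSTRUCTIONS.get(user, []))
    return frozenset(modified | direct_permissions(user))


def is_allowed(user: str, directory: str, menu: str, operation: str) -> bool:
    """Default-deny check of one operation against the user's effective operating right."""
    return (directory, menu, operation) in effective_permissions(user)


if __name__ == "__main__":
    for name in ("alice", "bob", "mallory"):
        print(name, sorted(effective_permissions(name)))
```

Because the last step is a union, a remove instruction only narrows the role-derived set: a triple the user also holds as a direct grant stays allowed, which is the semantics the claims state and worth checking for when auditing an authorization table.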
As shown in Fig. 2, the present invention also provides a multi-tenant operating right determination device, comprising:
an obtaining module 100, for obtaining the user identifier of a user;
a first operation module 200, for obtaining the first operation corresponding to the user according to the user identifier, the mapping relation between user identifiers and user roles, and the mapping relation between user roles and the first operation corresponding to each role;
a second operation module 300, for obtaining the second operation corresponding to the user according to the user identifier and the mapping relation between user identifiers and the second operation;
a merging module 400, for determining the union of the first operation and the second operation corresponding to the user as the operating right of the user.
In some illustrative embodiments, the mapping relation between a role and the first operation corresponding to the role comprises:
the mapping relation between the role and a first menu, and the mapping relation between the menu and the first operation.
In some illustrative embodiments, the mapping relation between the role and the menu comprises:
the mapping relation between the role and a menu directory, and the mapping relation between the menu directory and the menu.
In some illustrative embodiments, the second operation corresponding to the user comprises a permission modification instruction that adds to or removes from the first operation corresponding to the user;
and determining the union of the first operation and the second operation corresponding to the user as the operating right of the user comprises:
adding to or removing from the first operation corresponding to the user according to the permission modification instruction, to obtain the operating right of the user. One set of program code, registered and used by multiple enterprises or users, thus creates multiple sets of permission data and resources that are shared yet mutually isolated, each with its own and its common parts, and satisfies the uniqueness requirements of multiple tenants.
Those skilled in the art can clearly understand that, for convenience and brevity of description, the specific working processes of the systems, devices and units described above may refer to the corresponding processes in the foregoing method embodiments, and are not described again here.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative; the division of units is only a division by logical function, and there may be other divisions in actual implementation, for example multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or in other forms.
The units described as separate components may or may not be physically separated, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the embodiment.
In addition, the functional units in the embodiments of this application may be integrated in one processing unit, or each unit may exist physically alone, or two or more units may be integrated in one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a logistics management server, a network device or the like) to execute all or part of the steps of the methods described in the embodiments of this application. The storage medium includes various media that can store program code, such as a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
The above embodiments are only used to illustrate the technical solution of this application, not to limit it. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that they may still modify the technical solutions recorded in the foregoing embodiments or replace some of the technical features with equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of this application.

Claims (10)

1. A multi-tenant operating right determination method, characterized in that the method comprises:
obtaining the user identifier of a user;
obtaining the first operation corresponding to the user according to the user identifier, the mapping relation between user identifiers and user roles, and the mapping relation between user roles and the first operation corresponding to each role;
obtaining the second operation corresponding to the user according to the user identifier and the mapping relation between user identifiers and the second operation;
determining the union of the first operation and the second operation corresponding to the user as the operating right of the user.
2. The multi-tenant operating right determination method according to claim 1, characterized in that the mapping relation between the role and the first operation corresponding to the role comprises:
the mapping relation between the role and a first menu, and the mapping relation between the first menu and the first operation.
3. The multi-tenant operating right determination method according to claim 2, characterized in that the mapping relation between the role and the first menu comprises:
the mapping relation between the role and a menu directory, and the mapping relation between the menu directory and the first menu.
4. The multi-tenant operating right determination method according to any one of claims 1-3, characterized in that the second operation corresponding to the user comprises a permission modification instruction that adds to or removes from the first operation corresponding to the user;
and determining the union of the first operation and the second operation corresponding to the user as the operating right of the user comprises:
adding to or removing from the first operation corresponding to the user according to the permission modification instruction, to obtain the operating right of the user.
5. The multi-tenant operating right determination method according to claim 4, characterized in that the mapping relation between the user identifier and the second operation comprises:
the mapping relation between the user identifier and a second menu, and the mapping relation between the second menu and the second operation.
6. The multi-tenant operating right determination method according to claim 5, characterized in that the mapping relation between the user identifier and the second menu comprises:
the mapping relation between the user identifier and a second menu directory, and the mapping relation between the second menu directory and the second menu.
7. A multi-tenant operating right determination device, characterized in that the device comprises:
an obtaining module, for obtaining the user identifier of a user;
a first operation module, for obtaining the first operation corresponding to the user according to the user identifier, the mapping relation between user identifiers and user roles, and the mapping relation between user roles and the first operation corresponding to each role;
a second operation module, for obtaining the second operation corresponding to the user according to the user identifier and the mapping relation between user identifiers and the second operation;
a merging module, for determining the union of the first operation and the second operation corresponding to the user as the operating right of the user.
8. The multi-tenant operating right determination device according to claim 7, characterized in that the mapping relation between the role and the first operation corresponding to the role comprises:
the mapping relation between the role and a first menu, and the mapping relation between the menu and the first operation.
9. The multi-tenant operating right determination device according to claim 8, characterized in that the mapping relation between the role and the menu comprises:
the mapping relation between the role and a menu directory, and the mapping relation between the menu directory and the menu.
10. The multi-tenant operating right determination device according to any one of claims 7-9, characterized in that the second operation corresponding to the user comprises a permission modification instruction that adds to or removes from the first operation corresponding to the user;
and determining the union of the first operation and the second operation corresponding to the user as the operating right of the user comprises:
adding to or removing from the first operation corresponding to the user according to the permission modification instruction, to obtain the operating right of the user.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910790435.3A CN110365715A (en) 2019-08-26 2019-08-26 A kind of multi-tenant operating right determines method and device

Publications (1)

Publication Number Publication Date
CN110365715A true CN110365715A (en) 2019-10-22

Family

ID=68224336

Country Status (1)

Country Link
CN (1) CN110365715A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101656625A (en) * 2008-08-18 2010-02-24 中兴通讯股份有限公司 Enterprise unified communication based distributed policy management method
CN103020497A (en) * 2011-09-20 2013-04-03 镇江金软计算机科技有限责任公司 RBAC (Role-Based Access Control) model based temporary authorizing system
CN103377336A (en) * 2013-01-21 2013-10-30 航天数联信息技术(深圳)有限公司 Method and system for controlling computer system user rights
CN104112085A (en) * 2013-04-19 2014-10-22 阿里巴巴集团控股有限公司 Data permission control method and device for application system clusters
US20170111367A1 (en) * 2010-05-05 2017-04-20 Microsoft Technology Licensing, Llc Data driven role based security
CN108111495A (en) * 2017-12-13 2018-06-01 郑州云海信息技术有限公司 A kind of authority control method and device
CN108259422A (en) * 2016-12-29 2018-07-06 中兴通讯股份有限公司 A kind of multi-tenant access control method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20191022