CN111191254B - Access verification method, device, computer equipment and storage medium - Google Patents

Access verification method, device, computer equipment and storage medium

Publication number
CN111191254B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910707077.5A
Other languages
Chinese (zh)
Other versions
CN111191254A (en)
Inventor
沈妍
黄亚萍
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910707077.5A
Publication of CN111191254A
Application granted
Publication of CN111191254B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q20/00 Payment architectures, schemes or protocols
    • G06Q20/38 Payment protocols; Details thereof
    • G06Q20/40 Authorisation, e.g. identification of payer or payee, verification of customer or shop credentials; Review and approval of payers, e.g. check credit lines or negative lists
    • G06Q20/401 Transaction verification
    • G06Q20/4014 Identity check for transactions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/04 Trading; Exchange, e.g. stocks, commodities, derivatives or currency exchange
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The application discloses an access verification method, an access verification device, computer equipment and a storage medium, and relates to the field of internet information management. The method determines whether a target account has the first permission to execute a target operation according to at least one type of access information carried in the target account's request to execute the target operation and a preset judgment policy for the at least one type of access information; if the server determines that the target account has the first permission to execute the target operation, the access verification is successful. Because whether the user's target account is permitted to execute the target operation is decided from the preset judgment policy and at least one type of access information of the target account acquired in real time, the flexibility of access verification is better.

Description

Access verification method, device, computer equipment and storage medium
Technical Field
The present invention relates to the field of internet information management, and in particular, to an access verification method, an access verification device, a computer device, and a storage medium.
Background
The rights are generally security rules or security policies set according to practical situations, and the server can allow the user to access and only access resources corresponding to the authorized rights according to the rights possessed by the user.
In the related art, the authority manager may allocate the authority of each user in advance, and when the user accesses a resource corresponding to a certain authority, the server may check whether to allow the user to access the resource according to the authority of the user.
However, since the rights of the user are pre-assigned by the rights manager, the flexibility of the access check is poor.
Disclosure of Invention
The embodiment of the invention provides an access verification method, an access verification device, computer equipment and a storage medium, which can solve the problem of poor access verification flexibility in the related technology. The technical scheme is as follows:
in one aspect, an access verification method is provided, the method including:
receiving a request of executing a target operation by a target account;
acquiring at least one type of access information of the target account;
judging whether the target account number has a first right for executing the target operation according to the at least one type of access information and a preset judgment policy of the at least one type of access information;
and if the target account number has the first authority for executing the target operation, the access verification is successful.
In another aspect, there is provided an access verification apparatus, the apparatus comprising:
The receiving module is used for receiving a request of executing a target operation by the target account;
the first acquisition module is used for acquiring at least one type of access information of the target account;
the first judging module is used for judging whether the target account number has a first right for executing the target operation according to the at least one type of access information and a preset judging strategy of the at least one type of access information;
and the verification module is used for successfully performing access verification if the target account number has the first authority for executing the target operation.
In yet another aspect, a computer device is provided that includes a processor and a memory having stored therein at least one instruction, at least one program, code set, or instruction set that is loaded and executed by the processor to implement an access verification method as described in the above aspects.
In yet another aspect, a computer readable storage medium having stored therein at least one instruction, at least one program, code set, or instruction set loaded and executed by a processor to implement an access verification method as described in the above aspects is provided.
The beneficial effects of the technical scheme provided by this application include at least:
The method can determine whether the target account has the first permission to execute the target operation according to at least one type of access information carried in the target account's request to execute the target operation and a preset judgment policy for the at least one type of access information; if the server determines that the target account has the first permission to execute the target operation, the access verification is successful. Because whether the user's target account is permitted to execute the target operation is decided from the preset judgment policy and at least one type of access information of the target account acquired in real time, the flexibility of access verification is better.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an implementation environment related to an access verification method according to an embodiment of the present invention;
FIG. 2 is a flowchart of an access verification method according to an embodiment of the present invention;
FIG. 3 is a flowchart of another access verification method provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of a relationship between roles and rights provided by an embodiment of the present invention;
FIG. 5 is a schematic diagram of a right possessed by an operator role according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of access information provided by an embodiment of the present invention;
FIG. 7 is a flowchart of determining whether a target account has a first right of a target operation according to an embodiment of the present invention;
FIG. 8 is a flow chart of yet another access verification method provided by an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of an access verification device according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of another access verification device according to an embodiment of the present invention;
FIG. 11 is a schematic structural diagram of a first judging module according to an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the embodiments of the present invention will be described in further detail below with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of an implementation environment related to an access verification method according to an embodiment of the present invention. As can be seen with reference to fig. 1, the implementation environment may include a terminal 01 and a server 02. The terminal 01 can be a computer, a tablet computer, a smart phone, a vehicle navigator, a multimedia player or wearable equipment, etc. The server 02 may be a server, or a server cluster formed by a plurality of servers, or a cloud computing service center.
As can be seen with reference to fig. 1, a connection may be established between a terminal 01 and a server 02 via a wired or wireless network.
In the embodiment of the present invention, an application program may be installed in the terminal 01, and a user may enter his or her own account through the application program and request to perform a corresponding operation. When the server 02 receives a request from the user's account to perform an operation, it may first obtain at least one type of access information of the user's account, and then determine, according to the at least one type of access information and a preset judgment policy for the at least one type of access information, whether the user's account has permission to perform the operation. When the user's account has permission to perform the operation, the user may be allowed to perform it. In the embodiment of the invention, whether the user's account has the authority to execute a given operation is determined according to the preset judgment policy and at least one type of access information of the user's account acquired in real time, so the flexibility of access verification is better.
Fig. 2 is a flowchart of an access verification method according to an embodiment of the present invention. The method can be applied to the server 02 shown in fig. 1. As can be seen with reference to fig. 2, the method may include:
step 101, a request of executing a target operation by a target account is received.
In the embodiment of the invention, the authority manager can allocate an account number for the user through the application program installed in the terminal, and the user can execute corresponding operation through the account number of the user. When the user requests to execute the target operation through the own target account, the server can receive the request of executing the target operation by the target account of the user.
Step 102, obtaining at least one type of access information of the target account.
In the embodiment of the invention, the request of executing the target operation by the target account can carry at least one type of access information of the target account. The at least one type of access information may include: subject information, resource information, and environment information.
The subject information may be information about the user of the resource or the initiator of the request, such as account registration duration information of the target account and account department information. The resource information may be information about the data to be accessed by the target account, such as web page data or information of a system component, the amount information corresponding to the target operation executed by the target account, or merchant information, transaction flow, cash registers, etc. The environment information may be information about the environment at the time the target account makes the access, for example access time information and the internet protocol (IP) address information used at the time of access.
Step 103, judging whether the target account number has the first permission to execute the target operation according to the at least one type of access information and a preset judgment policy of the at least one type of access information.
In the embodiment of the present invention, a preset judgment policy of each type of access information in the at least one type of access information may be stored in the server in advance. The server may determine, according to at least one type of access information carried in the received request for executing the target operation by the target account, and a preset judgment policy corresponding to the at least one type of access information stored in the server in advance, whether the target account has the first authority for executing the target operation.
For example, if the server receives that the access information carried in the request for executing the target operation by the target account is access time information, the server may determine, according to the access time information and an access time judgment policy stored in advance in the server, whether the target account has the first permission to execute the target operation.
Step 104, if the target account number has the first authority to execute the target operation, the access verification is successful.
In the embodiment of the invention, when the server determines that the target account number has the first authority to execute the target operation, the server can determine that the access verification is successful. Accordingly, when the server determines that the target account does not have the first authority to perform the target operation, the server may determine that the access verification fails.
In summary, the embodiment of the present invention provides an access verification method, where the method may determine, according to at least one type of access information carried in a request for executing a target operation by a target account and a preset judgment policy of the at least one type of access information, whether the target account has a first right to execute the target operation, and if the server determines that the target account has the first right to execute the target operation, the access verification is successful. Because the permission for judging whether the target account of the user executes the target operation is determined according to the preset judgment strategy and at least one type of access information of the target account acquired in real time, the access verification has better flexibility.
Fig. 3 is a flowchart of another access verification method according to an embodiment of the present invention. The method can be applied to the server 02 shown in fig. 1. As can be seen with reference to fig. 3, the method may include:
step 201, a request of executing a target operation by a target account is received.
In the embodiment of the invention, the authority manager can allocate an account number for the user through the application program installed in the terminal, and the user can execute corresponding operation through the account number of the user. When the user requests to execute the target operation through the own target account, the server can receive the request of executing the target operation by the target account of the user.
For example, assuming that the user performs a refund operation with his target account, the server may receive a request for the target account to perform the refund operation. Alternatively, the user may perform the query transaction record operation through his or her target account number, and the server may receive a request from the target account number to perform the query transaction record operation.
Step 202, obtaining authority information of the target account.
In the embodiment of the invention, the target account number can have at least one role, and each role can have at least one authority. For example, the target account number may have an administrator role or an operator role. The administrator role may have the right to query merchant information, the right to query transaction records, the right to download transaction records, refund rights, and the right to modify merchant information. The operator roles may only have the right to query merchant information, the right to query transaction records, the right to download transaction records, and the refund right. With reference to fig. 4, the roles of the target account and the permissions of each role may be preconfigured by the permission manager. For example, a role may be assigned to account 1 or account 2, and three rights may be configured for the role: rights 1, rights 2, and rights 3. And, the preset judgment policy of at least one type of access information acquired by the server may be associated with the authority corresponding to the target operation. Referring to fig. 4, authority 1 may be associated with preset judgment policy 1 and preset judgment policy 2, and authority 2 may be associated with preset judgment policy 3.
When the server receives a request of executing a target operation by a target account of a user, the server can acquire authority information of the target account according to the request. The permission information may be information of permission of a role possessed by the target account. Rights may refer to rights to operate on a resource, e.g., rights may include: read, write, add, delete, change or check resources, etc.
For example, referring to fig. 5, both account 1 and account 2 may have an operator role, and the server may obtain rights information of both account 1 and account 2 as follows: querying the authority of merchant information, querying the authority of transaction records, downloading the authority of transaction records and refund authority. That is, neither account number 1 nor account number 2 has the right to modify merchant information.
Referring to fig. 5, when the account 1 or the account 2 performs the operation of querying the merchant information and the operation of querying the transaction record, the access information may be: access time information. When the account 1 or the account 2 executes the refund operation, the access information may be: access time information, amount information, account department information, account registration duration information, and IP address information.
In the embodiment of the present invention, when the target account of the user has multiple roles, step 202 may instead be: acquiring the union of the authority information of each role in the at least one role of the target account, and determining the union as the authority information of the target account.
For example, assuming that the target account of the user has both an administrator role and an operator role, the server may obtain a union of authority information of the administrator role and the operator role of the target account, and determine the union as the authority information of the target account. That is, the authority information of the target account acquired by the server may be: querying the authority of the merchant information, querying the authority of the transaction record, downloading the authority of the transaction record, refund authority and modifying the authority of the merchant information.
In the embodiment of the invention, in order to facilitate obtaining the authority information of the target account, the server may allocate an authority identifier (privilege identification, PID) to each authority, and each authority identifier may be a character string capable of uniquely identifying the authority, for example an authority number. The rights possessed by each role may be represented by an n-dimensional vector, which may serve as the identifier (role identification, RID) of the role; n may be the number of rights, and n may be a positive integer greater than 1.
For example, the n-dimensional vector may be {z1, z2, z3, ..., zn}, where z1 may be used to indicate whether the role possesses the first right, z2 may be used to indicate whether the role possesses the second right, z3 may be used to indicate whether the role possesses the third right, and zn may be used to indicate whether the role possesses the nth right. The server can determine the authority information of the target account according to the obtained n-dimensional vector.
To make it easy to indicate whether a role has a certain right, having the right may be indicated by the numeral 1, and not having the right may be indicated by the numeral 0. By way of example, assume that the rights include: the right to query merchant information, the right to query transaction records, the right to download transaction records, the refund right and the right to modify merchant information. The rights possessed by each role may then be represented by the vector {z1, z2, z3, z4, z5}. z1 is used for indicating whether the role has the right to query merchant information, z2 is used for indicating whether the role has the right to query transaction records, z3 is used for indicating whether the role has the right to download transaction records, z4 is used for indicating whether the role has the refund right, and z5 is used for indicating whether the role has the right to modify merchant information.
Assuming that the target account has an operator role with the right to query merchant information, the right to query transaction records, the right to download transaction records, and the refund right, but without the right to modify merchant information, the rights of the operator may be represented by the vector {1, 1, 1, 1, 0}, and the server may determine the authority information of the target account according to the obtained vector.
Step 203, according to the authority information, it is determined whether the target account number has the second authority for executing the target operation.
In the embodiment of the invention, the server can judge whether the target account has the second authority for executing the target operation according to the acquired authority information of the target account. The second authority may be a basic authority of the target account.
For example, assume that the authority information of the target account number acquired by the server is: querying the authority of merchant information, querying the authority of transaction records, downloading the authority of transaction records and refund authority. If the user executes the refund operation through the target account, the server can determine that the target account has the authority to execute the refund operation. If the user performs the operation of modifying the merchant information through the target account, the server may determine that the target account does not have the authority to perform the operation of modifying the merchant information.
When the server determines that the target account number has the second right to perform the target operation, the following step 204 may be performed continuously. When the server determines that the target account does not have the second right to perform the target operation, the server may determine that the target account fails the access verification.
In the embodiment of the invention, before at least one type of access information of the target account is acquired, whether the target account has the second authority for executing the target operation is determined, so that when the target account does not have the second authority for executing the target operation, the following step of determining whether the target account has the first authority for executing the target operation is not required to be executed, the power consumption of a server is reduced, and the efficiency of access verification is improved.
Step 204, at least one type of access information of the target account is obtained.
In the embodiment of the invention, the request of executing the target operation by the target account can carry at least one type of access information of the target account. Referring to fig. 6, the at least one type of access information may include: subject information, resource information, and environment information.
The subject information may be information about the user of the resource or the initiator of the request, such as account registration duration information of the target account and account department information. The resource information may be information about the data to be accessed by the target account, such as web page data or system components, the amount information corresponding to the target operation executed by the target account, or merchant information, transaction flow, cash registers, etc. The environment information may be information about the environment at the time the target account makes the access, for example access time information and the IP address information used at the time of access.
For example, assume that the account registration duration of the target account is 20 days, the time when the user performs the refund operation is 15:00, the IP address used is 192.10.1.0, and the refund amount is 20 yuan. The at least one type of access information of the target account acquired by the server then includes: the account registration duration of 20 days, the access time of 15:00, the IP address 192.10.1.0, and the refund amount of 20 yuan.
It should be noted that, when the server obtains at least one type of access information of the target account, it may obtain only one of the subject information, the resource information and the environment information, or it may obtain the subject information, the resource information and the environment information at the same time. The embodiment of the present invention is not limited thereto.
For example, referring to fig. 5, when the server receives an operation of inquiring about a transaction record by account 1 or account 2, the server may acquire access time information for performing the operation. When the server receives the operation of executing the download operation record by the account 1 or the account 2, the server can acquire the access time information for executing the operation. When receiving the refund operation of the account 1 or the account 2, the server can acquire access time information, amount information, account department information, account registration duration information and IP address information for executing the refund operation.
Step 205, obtaining indication information of whether each type of access information in at least one type of access information is located in an allowed access set corresponding to each type of access information.
In the embodiment of the invention, for any type of access information, the preset judgment policy of that type of access information comprises an allowed access set corresponding to that type of access information. When any type of access information among the at least one type of access information acquired by the server is located in the allowed access set corresponding to that type of access information, the indication information of that type of access information can be determined to be 1, that is, the indication information acquired by the server is 1. When any type of access information among the at least one type of access information acquired by the server is not located in the allowed access set corresponding to that type of access information, the indication information of that type of access information can be determined to be -1, that is, the indication information acquired by the server is -1.
Optionally, the set of allowed accesses corresponding to any type of access information may be a condition whether the access information of any type is allowed to be accessed.
For example, assuming that the access information is access time information, the allowed access set corresponding to the access information may be a time range in which access is allowed, such as 9 am to 6 pm. That is, when the target account performs the target operation between 9 am and 6 pm, for example at 12 noon, the server may determine that the obtained access information is located in the allowed access set corresponding to the access information, that is, the indication information of the access information is 1. When the target account performs the target operation outside 9 am to 6 pm, for example at 5 am, the server may determine that the obtained access information is not located in the allowed access set corresponding to the access information, that is, the indication information of the access information is -1.
Alternatively, assuming that the access information is IP address information used at the time of access, the allowed access set corresponding to the access information may be a range of IP addresses allowed to access, and the allowed access set may be a regular expression, for example "192.10.1." followed by a wildcard that can be any value. That is, when the IP address of the target account executing the target operation includes "192.10.1." followed by an arbitrary value, the server may determine that the obtained access information is located in the allowed access set corresponding to the access information. For example, when the IP address of the target account performing the target operation is 192.10.1.1, the server may determine that the obtained access information is located in the allowed access set corresponding to the access information, that is, the indication information of the access information is 1. When the IP address of the target account performing the target operation is 191.10.1.0, the server may determine that the obtained access information is not located in the allowed access set corresponding to the access information, that is, the indication information of the access information is -1.
It should be noted that the preset judgment policy of any type of access information may further include an identifier (attribute identification, AID) of that type of access information. When the server receives a request for executing a target operation by the target account, the server may determine the preset judgment policy of the at least one type of access information according to the at least one type of access information of the target account carried in the request and the identifier of each type of access information stored in the server in advance, and may then determine the indication information of the at least one type of access information according to the allowed access set in the preset judgment policy. The identifier of any type of access information may include an information name and an information type.
For example, if the access information is registration duration information, the information name may be: registration duration. The information type may be: numerical type. The allowed access set corresponding to the registration duration information may be: greater than 1 month. That is, when the registration duration of the target account is less than or equal to 1 month, the server may determine that the acquired registration duration information is not located in the allowed access set corresponding to the registration duration information, that is, the indication information of the registration duration information is -1. When the registration duration of the target account is longer than 1 month, the server can determine that the acquired registration duration information is located in the allowed access set corresponding to the registration duration information, that is, the indication information of the registration duration information is 1. For example, when the server receives a request for executing a target operation by the target account, the server may determine the allowed access set "greater than 1 month" in the preset judgment policy of the registration duration information according to the registration duration information of the target account carried in the request and the identifiers "registration duration" and "numerical type" of the registration duration information stored in the server in advance, and then determine that the indication information of the registration duration information is 1.
If the access information is account department information, the information name may be: account department, and the information type may be: character type. The allowed access set corresponding to the account department information may be: after-sales department. That is, when the account department information of the target account is the after-sales department, it may be determined that the obtained account department information is located in the allowed access set corresponding to the account department information, that is, the indication information of the account department information is 1. When the account department information of the target account is any other department, it may be determined that the obtained account department information is not located in the allowed access set corresponding to the account department information, that is, the indication information of the account department information is -1. For example, when the server receives a request for executing a target operation by the target account, the server may determine the allowed access set "after-sales department" in the preset judgment policy of the account department information according to the account department information "after-sales department" of the target account carried in the request and the identifiers "account department" and "character type" of the account department information stored in the server in advance, and then determine that the indication information of the account department information is 1.
If the access information is amount information, the information name may be: amount, and the information type may be: numerical type. The allowed access set corresponding to the amount information may be: less than 50 yuan. That is, when the amount of the refund operation performed by the target account is less than 50 yuan, the server may determine that the obtained amount information is located in the allowed access set corresponding to the amount information, that is, the indication information of the amount information is 1. When the amount of the refund operation performed by the target account is equal to or greater than 50 yuan, the server may determine that the obtained amount information is not located in the allowed access set corresponding to the amount information, that is, the indication information of the amount information is -1. For example, when the server receives a request for executing a target operation by the target account, the server may determine that the indication information of the amount information is 1 according to the amount information "20 yuan" of the target account carried in the request, the identifiers "amount" and "numerical type" of the amount information stored in the server in advance, and the allowed access set "less than 50 yuan" in the preset judgment policy of the amount information.
Of course, the access information may also be other information, and the embodiments of the present invention are not described herein.
Alternatively, when the access information is subject information, the server may determine the allowed access set of the subject information from a subject information database stored in the server in advance. When the access information is the IP address information used at the time of access, the server can determine the allowed access set of the IP address according to the IP address blacklist recorded in the risk control system.
It should be noted that the allowed access set corresponding to any type of access information may be expressed as a condition formed from a value x, a value y and an operation symbol, where x may be an upper limit value of the allowed access set and y may be a lower limit value of the allowed access set. The operation symbol may be any of the equal sign "=", the not-equal sign "≠", the less-than sign "<", the less-than-or-equal sign "≤", the greater-than sign ">", or the greater-than-or-equal sign "≥".
For example, the allowed access set corresponding to the access time information may be {9 < t < 18}, where x may be equal to 18, y may be equal to 9, the operation symbol may be the less-than sign "<", and t may denote the access time that has to satisfy this condition for access to be allowed.
Step 206, determining whether the target account number has the first authority to execute the target operation according to the indication information.
In the embodiment of the invention, if the indication information acquired by the server is 1, it can be determined that the target account has the authority to execute the target operation. If the indication information acquired by the server is -1, it can be determined that the target account does not have the authority to execute the target operation.
In an embodiment of the present invention, referring to fig. 7, step 206 may include the steps of:
Step 2061, obtaining an average value of the indication information of at least one type of access information.
In the embodiment of the invention, the server can acquire the indication information of each type of access information in at least one type of access information, and the server can determine the average value according to the indication information of the at least one type of access information. The average value may be used to indicate whether the target account number has a first right to perform the target operation.
Alternatively, the average value s1 of the indication information may satisfy:
where mi may refer to indication information of the ith access information, and k may refer to the number of indication information acquired by the server.
For example, assuming that the server obtains indication information of access time information as 1, indication information of IP address information used at the time of access as -1, indication information of registration duration information as 1, indication information of account department information as 1, indication information of amount information as 1, and the number of indication information as 5, the server may obtain an average value of the indication information as [1 + (-1) + 1 + 1 + 1]/5 = 0.6.
Step 2062, determining that the target account number has the first authority to execute the target operation when the average value is greater than 0.
In the embodiment of the invention, when the average value of the indication information of at least one type of access information obtained by the server is greater than 0, it can be determined that the target account number has the first authority to execute the target operation.
For example, assuming that the average value of the indication information obtained by the server is 0.6, it may be determined that the target account number has the first authority to execute the target operation.
Step 2063, determining that the target account number does not have the first authority to execute the target operation when the average value is less than or equal to 0.
In the embodiment of the invention, when the average value of the indication information of at least one type of access information acquired by the server is smaller than or equal to 0, it can be determined that the target account does not have the first authority to execute the target operation.
For example, assuming that the average value of the indication information obtained by the server is -0.1, it may be determined that the target account number does not have the first authority to execute the target operation.
It should be noted that, in the at least one type of access information, the preset judgment policy of any type of access information may further include a weight corresponding to any type of access information, and the server may obtain a weighted average of indication information of the at least one type of access information. Wherein the weight may be used to represent the magnitude of the impact of the access information on the access check.
Alternatively, the weighted average s2 of the indication information may satisfy:
where wi may refer to the weight of the i-th access information.
For example, assume that the weight corresponding to the access time information included in the preset judgment policy of the access time information is 0.5, and the indication information of the access time information is 1; the weight corresponding to the IP address information included in the preset judgment policy of the IP address information used during access is 0.8, and the indication information of the IP address used during access is -1; the weight corresponding to the registration duration information included in the preset judgment policy of the registration duration information is 0.3, and the indication information of the registration duration information is 1; the weight corresponding to the account department information included in the preset judgment policy of the account department information is 0.9, and the indication information of the account department information is 1; the weight corresponding to the amount information included in the preset judgment policy of the amount information is 0.7, and the indication information of the amount information is 1. The server may obtain a weighted average of the indication information of the at least one type of access information of [0.5 × 1 + 0.8 × (-1) + 0.3 × 1 + 0.9 × 1 + 0.7 × 1]/5 = 1.6. If the weighted average is greater than 0, the server may determine that the target account has the first authority to perform the target operation.
It should be further noted that, in order to make it easier for the server to determine whether the target account number has the first authority to execute the target operation, the average value or weighted average value of the indication information of at least one type of access information acquired by the server may be passed through a sign function sign(). For example, when the average value or weighted average value of the acquired indication information of the at least one type of access information is greater than 0, the value output by sign() may be 1, and when the average value or weighted average value of the acquired indication information of the at least one type of access information is equal to or less than 0, the value output by sign() may be -1.
That is, the value P of the sign () output of the sign function may satisfy:
or->
Alternatively, the value P of the sign () output of the sign function may satisfy:
or->
When the value output by the sign function sign() is 1, it may be determined that the target account has the first authority to perform the target operation, and when the value output by the sign function sign() is -1, it may be determined that the target account does not have the first authority to perform the target operation.
Step 207, if the target account number has the first authority to execute the target operation, the access check is successful.
In the embodiment of the invention, when the server determines that the target account number has the first right for executing the target operation, the access check is successful, and when the server determines that the target account number does not have the first right for executing the target operation, the access check is failed.
For example, when the value output by the sign function sign() is 1, it may be determined that the target account has the first authority to execute the target operation, and the access check is successful. When the value output by the sign function sign() is -1, it may be determined that the target account does not have the first authority to execute the target operation, and the access check fails.
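Steps 205 to 207 can be followed end to end in the sketch below, which is an added example and not code from the patent. It uses the allowed access sets and weights from the worked examples above; the request key names, the information type assigned to the time and IP attributes, and the fail-closed handling of missing or mistyped values are assumptions. The weighted variant is kept as the weighted sum, since dividing by a positive constant does not change the sign that decides access.

```python
import re
from dataclasses import dataclass
from typing import Any, Callable, Mapping, Sequence


@dataclass(frozen=True)
class Policy:
    """Preset judgment policy for one type of access information."""
    name: str                       # information name
    info_type: str                  # information type: "numeric" or "string"
    allowed: Callable[[Any], bool]  # membership test for the allowed access set
    weight: float                   # influence of this information on the check


# Allowed access sets and weights follow the examples in the text. The key
# names and the info_type of "hour" and "ip" are assumptions of this sketch.
POLICIES = [
    Policy("hour", "numeric", lambda t: 9 < t < 18, 0.5),
    Policy("ip", "string",
           lambda a: re.fullmatch(r"192\.10\.1\.\d{1,3}", a) is not None, 0.8),
    Policy("registration_months", "numeric", lambda m: m > 1, 0.3),
    Policy("department", "string", lambda d: d == "after-sales department", 0.9),
    Policy("amount_yuan", "numeric", lambda a: a < 50, 0.7),
]


def _type_ok(policy: Policy, value: Any) -> bool:
    if policy.info_type == "numeric":
        return isinstance(value, (int, float)) and not isinstance(value, bool)
    return isinstance(value, str)


def indicator(policy: Policy, request: Mapping[str, Any]) -> int:
    """Step 205: 1 if the value is in the allowed access set, otherwise -1.

    A missing or wrongly typed value counts as -1 (fail closed); the text does
    not cover that case, so this is a choice made for the example.
    """
    value = request.get(policy.name)
    if value is None or not _type_ok(policy, value):
        return -1
    return 1 if policy.allowed(value) else -1


def indicators(request: Mapping[str, Any],
               policies: Sequence[Policy] = POLICIES) -> list:
    if not policies:
        raise ValueError("at least one type of access information is required")
    return [indicator(p, request) for p in policies]


def mean_score(ms: Sequence[int]) -> float:
    """Step 2061: plain average of the indication information."""
    return sum(ms) / len(ms)


def weighted_score(ms: Sequence[int],
                   policies: Sequence[Policy] = POLICIES) -> float:
    """Weighted variant, kept as the weighted sum (see the lead-in)."""
    return sum(p.weight * m for p, m in zip(policies, ms))


def sign(score: float) -> int:
    """1 when the score is greater than 0, -1 when it is 0 or less."""
    return 1 if score > 0 else -1


def check_access(request: Mapping[str, Any],
                 policies: Sequence[Policy] = POLICIES,
                 weighted: bool = False) -> bool:
    """Steps 206-207: the access check succeeds only when sign(score) is 1."""
    ms = indicators(request, policies)
    score = weighted_score(ms, policies) if weighted else mean_score(ms)
    return sign(score) == 1


# Constructed request matching the worked example: only the IP check fails.
PAGE_EXAMPLE = {"hour": 12, "ip": "191.10.1.0", "registration_months": 3,
                "department": "after-sales department", "amount_yuan": 20}
# Constructed request in which only the amount is inside its allowed set.
MOSTLY_OUTSIDE = {"hour": 5, "ip": "191.10.1.0", "registration_months": 0.5,
                  "department": "sales department", "amount_yuan": 20}

if __name__ == "__main__":
    for label, req in (("page example", PAGE_EXAMPLE),
                       ("mostly outside", MOSTLY_OUTSIDE)):
        ms = indicators(req)
        print(label, ms, round(mean_score(ms), 2), round(weighted_score(ms), 2),
              check_access(req), check_access(req, weighted=True))
```

With the worked example's values the IP indicator is -1 and the check still succeeds, because the other four indicators outweigh it. A deployment that needs a single attribute, such as a blacklisted address, to deny on its own has to test that indicator separately from the average.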
In the embodiment of the present invention, referring to fig. 8, the brief steps of the access verification method provided in the embodiment of the present invention are as follows. After the target account requests to execute the target operation, the server may acquire authority information of the target account and determine, according to the authority information, whether the target account has the second authority to execute the target operation. When it is determined that the target account does not have the second authority to execute the target operation, the access check fails. When it is determined that the target account has the second authority to execute the target operation, the server acquires a preset judgment policy corresponding to the access information carried in the request, where the access information may include subject information, resource information, and environment information. The server then acquires indication information according to the access information and the preset judgment policy, and determines whether the target account has the first authority to execute the target operation according to the indication information. When it is determined that the target account does not have the first authority to execute the target operation, the access check fails, and when it is determined that the target account has the first authority to execute the target operation, the access check succeeds.
It should be noted that, the sequence of the steps of the access verification method provided by the embodiment of the invention can be properly adjusted, and the steps can be correspondingly increased or decreased according to the situation. For example, steps 202 and 203 may be deleted as appropriate. Any method that can be easily conceived by those skilled in the art within the technical scope of the present disclosure should be covered in the protection scope of the present application, and thus will not be repeated.
In summary, the embodiment of the present invention provides an access verification method, where the method may determine, according to at least one type of access information carried in a request for executing a target operation by a target account and a preset judgment policy of the at least one type of access information, whether the target account has a first right to execute the target operation, and if the server determines that the target account has the first right to execute the target operation, the access verification is successful. Because whether the target account of the user has the permission to execute the target operation is determined according to the preset judgment policy and at least one type of access information of the target account acquired in real time, the flexibility of access verification is better.
Fig. 9 is a schematic structural diagram of an access verification device according to an embodiment of the present invention. As can be seen with reference to fig. 9, the apparatus may comprise:
The receiving module 301 is configured to receive a request for performing a target operation by a target account.
The first obtaining module 302 is configured to obtain at least one type of access information of the target account.
The first determining module 303 is configured to determine whether the target account has a first right to execute the target operation according to the at least one type of access information and a preset determining policy of the at least one type of access information.
The verification module 304 is configured to determine that the access check is successful if the target account number has the first authority to execute the target operation.
Fig. 10 is a schematic structural diagram of another access verification apparatus according to an embodiment of the present invention. As can be seen with reference to fig. 10, the apparatus may further comprise:
A second obtaining module 305, configured to obtain rights information of the target account.
A second judging module 306, configured to judge whether the target account has the second permission to execute the target operation according to the permission information.
The first obtaining module 302 may obtain at least one type of access information for the target account when the target account has a second right to perform the target operation. When the target account does not have the second right to execute the target operation, the access check fails.
Optionally, the target account has at least one role, each role has at least one authority, and the second obtaining module 305 may be configured to:
Acquire a union of authority information of each role in the at least one role of the target account, and determine the union as the authority information of the target account.
Optionally, in the at least one type of access information, a preset judging policy of any type of access information includes an allowed access set corresponding to any type of access information, and referring to fig. 11, the first judging module 303 includes:
The obtaining submodule 3031 is configured to obtain indication information about whether each type of access information in the at least one type of access information is located in the allowed access set corresponding to each type of access information.
A determining submodule 3032, configured to determine whether the target account number has the first right to execute the target operation according to the indication information.
Optionally, the acquiring submodule 3031 may be used to:
When any one type of access information in the at least one type of access information is located in the allowed access set corresponding to the any type of access information, determine that the indication information of the any type of access information is 1.
When any type of access information in the at least one type of access information is not located in the allowed access set corresponding to the any type of access information, determine that the indication information of the any type of access information is -1.
The determination submodule 3032 may be used to:
Obtain the average value of the indication information of the at least one type of access information. When the average value is less than or equal to 0, determine that the target account number does not have the first authority to execute the target operation.
Optionally, the preset judging policy of any type of access information includes a weight corresponding to the any type of access information, and the determining submodule 3032 may be further configured to:
Obtain a weighted average of the indication information of the at least one type of access information.
Optionally, the at least one type of access information includes: at least two of account registration duration information, account department information, access time information, amount information corresponding to the target operation and Internet protocol address information used during access.
In summary, the embodiment of the present invention provides an access verification device, where the access verification device may determine, according to at least one type of access information carried in a request for executing a target operation by a target account and a preset judgment policy of the at least one type of access information, whether the target account has a first right to execute the target operation, and if the server determines that the target account has the first right to execute the target operation, the access verification is successful. Because whether the target account of the user has the permission to execute the target operation is determined according to the preset judgment policy and at least one type of access information of the target account acquired in real time, the flexibility of access verification is better.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working processes of the above-described apparatus, modules and sub-modules may refer to corresponding processes in the foregoing method embodiments, which are not described herein again.
Fig. 12 is a schematic structural diagram of a computer device according to an embodiment of the present invention. The computer device 400 may be a notebook or desktop computer. The computer device 400 may also be referred to by other names, such as user device, portable terminal, laptop terminal, or desktop terminal. Alternatively, the computer device 400 may also be a server.
In general, the computer device 400 includes: a processor 401 and a memory 402.
Processor 401 may include one or more processing cores such as a 4-core processor, an 8-core processor, etc. The processor 401 may be implemented in at least one hardware form of digital signal processing (digital signal processing, DSP), field-programmable gate array (field-programmable gate array, FPGA), programmable logic array (programmable logic array, PLA). The processor 401 may also include a main processor, which is a processor for processing data in an awake state, also referred to as a central processor (central processing unit, CPU), and a coprocessor; a coprocessor is a low-power processor for processing data in a standby state. In some embodiments, the processor 401 may be integrated with an image processor (graphics processing unit, GPU) for taking care of rendering and drawing of content that the display screen needs to display. In some embodiments, the processor 401 may also include an artificial intelligence (artificial intelligence, AI) processor for processing computing operations related to machine learning.
Memory 402 may include one or more computer-readable storage media, which may be non-transitory. Memory 402 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 402 is used to store at least one instruction for execution by processor 401 to implement the access verification method provided by the method embodiments herein.
In some embodiments, the computer device 400 may optionally further include: a peripheral interface 403 and at least one peripheral. The processor 401, memory 402, and peripheral interface 403 may be connected by a bus or signal line. The individual peripheral devices may be connected to the peripheral device interface 403 via buses, signal lines or a circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 404, a touch display 405, a camera 406, audio circuitry 407, a positioning component 408, and a power supply 409.
Peripheral interface 403 may be used to connect at least one input/output (I/O) related peripheral device to processor 401 and memory 402. In some embodiments, processor 401, memory 402, and peripheral interface 403 are integrated on the same chip or circuit board; in some other embodiments, either or both of the processor 401, memory 402, and peripheral interface 403 may be implemented on separate chips or circuit boards, which is not limited in this embodiment.
The radio frequency circuit 404 is used to receive and transmit Radio Frequency (RF) signals, also known as electromagnetic signals. The radio frequency circuitry 404 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 404 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 404 includes: antenna systems, RF transceivers, one or more amplifiers, tuners, oscillators, digital signal processors, codec chipsets, subscriber identity module cards, and so forth. The radio frequency circuitry 404 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocol includes, but is not limited to: metropolitan area networks, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or wireless fidelity (wireless fidelity, wiFi) networks. In some embodiments, the radio frequency circuitry 404 may also include near field communication (near field communication, NFC) related circuitry, which is not limited in this application.
The display screen 405 is used to display a User Interface (UI). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 405 is a touch display screen, the display screen 405 also has the ability to collect touch signals at or above the surface of the display screen 405. The touch signal may be input as a control signal to the processor 401 for processing. At this time, the display screen 405 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, the display screen 405 may be one, providing a front panel of the computer device 400; in other embodiments, the display 405 may be at least two, respectively disposed on different surfaces of the computer device 400 or in a folded design; in still other embodiments, the display 405 may be a flexible display disposed on a curved surface or a folded surface of the computer device 400. Even more, the display screen 405 may be arranged in an irregular pattern that is not rectangular, i.e. a shaped screen. The display 405 may be made of a material such as a liquid crystal display (liquid crystal display, LCD) or an organic light-emitting diode (OLED).
The camera assembly 406 is used to capture images or video. Optionally, camera assembly 406 includes a front camera and a rear camera. Typically, the front camera is disposed on a front panel of the computer device and the rear camera is disposed on a rear surface of the computer device. In some embodiments, there are at least two rear cameras, each being any one of a main camera, a depth camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth camera can be fused to realize a background blurring function, and the main camera and the wide-angle camera can be fused to realize panoramic shooting and Virtual Reality (VR) shooting functions or other fused shooting functions. In some embodiments, camera assembly 406 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash, and can be used for light compensation under different color temperatures.
The audio circuit 407 may include a microphone and a speaker. The microphone is used for collecting sound waves of users and environments, converting the sound waves into electric signals, and inputting the electric signals to the processor 401 for processing, or inputting the electric signals to the radio frequency circuit 404 for realizing voice communication. The microphone may be provided in a plurality of different locations of the computer device 400 for stereo acquisition or noise reduction purposes. The microphone may also be an array microphone or an omni-directional pickup microphone. The speaker is used to convert electrical signals from the processor 401 or the radio frequency circuit 404 into sound waves. The speaker may be a conventional thin film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, not only the electric signal can be converted into a sound wave audible to humans, but also the electric signal can be converted into a sound wave inaudible to humans for ranging and other purposes. In some embodiments, audio circuit 407 may also include a headphone jack.
The positioning component 408 is used to locate the current geographic location of the computer device 400 to enable navigation or location based services (location based service, LBS). The positioning component 408 may be a positioning component based on the U.S. global positioning system (global positioning system, GPS), the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
The power supply 409 is used to power the various components in the computer device 400. The power supply 409 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When power supply 409 comprises a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, computer device 400 also includes one or more sensors 410. The one or more sensors 410 include, but are not limited to: acceleration sensor 411, gyroscope sensor 412, pressure sensor 413, fingerprint sensor 414, optical sensor 415, and proximity sensor 416.
The acceleration sensor 411 may detect the magnitudes of accelerations on three coordinate axes of the coordinate system established with the computer device 400. For example, the acceleration sensor 411 may be used to detect components of gravitational acceleration on three coordinate axes. The processor 401 may control the touch display screen 405 to display a user interface in a lateral view or a longitudinal view according to the gravitational acceleration signal acquired by the acceleration sensor 411. The acceleration sensor 411 may also be used for the acquisition of motion data of a game or a user.
The gyroscope sensor 412 may detect the body direction and the rotation angle of the computer device 400, and may cooperate with the acceleration sensor 411 to collect the user's 3D motion on the computer device 400. The processor 401 may implement the following functions according to the data collected by the gyroscope sensor 412: motion sensing (e.g., changing the UI according to a tilting operation by the user), image stabilization during shooting, game control, and inertial navigation.
The pressure sensor 413 may be disposed at a side frame of the computer device 400 and/or at an underlying layer of the touch screen 405. When the pressure sensor 413 is disposed at a side frame of the computer device 400, a grip signal of the computer device 400 by a user may be detected, and the processor 401 performs a left-right hand recognition or a shortcut operation according to the grip signal collected by the pressure sensor 413. When the pressure sensor 413 is disposed at the lower layer of the touch display screen 405, the processor 401 controls the operability control on the UI interface according to the pressure operation of the user on the touch display screen 405. The operability controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 414 is used to collect a fingerprint of the user, and the processor 401 identifies the identity of the user based on the fingerprint collected by the fingerprint sensor 414, or the fingerprint sensor 414 identifies the identity of the user based on the collected fingerprint. Upon recognizing that the user's identity is a trusted identity, the processor 401 authorizes the user to perform relevant sensitive operations, including unlocking the screen, viewing encrypted information, downloading software, making payments, changing settings, etc. The fingerprint sensor 414 may be provided on the front, back or side of the computer device 400. When a physical key or vendor logo is provided on the computer device 400, the fingerprint sensor 414 may be integrated with the physical key or vendor logo.
The optical sensor 415 is used to collect the ambient light intensity. In one embodiment, the processor 401 may control the display brightness of the touch display screen 405 according to the ambient light intensity collected by the optical sensor 415. Specifically, when the intensity of the ambient light is high, the display brightness of the touch display screen 405 is turned up; when the ambient light intensity is low, the display brightness of the touch display screen 405 is turned down. In another embodiment, the processor 401 may also dynamically adjust the shooting parameters of the camera assembly 406 according to the ambient light intensity collected by the optical sensor 415.
A proximity sensor 416, also referred to as a distance sensor, is typically provided on the front panel of the computer device 400. The proximity sensor 416 is used to collect the distance between the user and the front of the computer device 400. In one embodiment, when the proximity sensor 416 detects a gradual decrease in the distance between the user and the front of the computer device 400, the processor 401 controls the touch display screen 405 to switch from the screen-on state to the screen-off state; when the proximity sensor 416 detects a gradual increase in the distance between the user and the front of the computer device 400, the processor 401 controls the touch display screen 405 to switch from the screen-off state to the screen-on state.
Those skilled in the art will appreciate that the architecture shown in Fig. 12 does not limit the computer device 400, which may include more or fewer components than shown, combine certain components, or employ a different arrangement of components.
Embodiments of the present invention also provide a computer readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, the at least one instruction, the at least one program, the set of codes, or the set of instructions being loaded and executed by a processor to implement an access verification method as provided by the method embodiments described above.
The foregoing description of the preferred embodiments is merely exemplary and is not intended to limit the invention; all modifications, equivalents, improvements, etc. that fall within the spirit and scope of the invention are intended to be included in its scope of protection.

Claims (8)

1. An access verification method, the method comprising:
receiving a request of executing a target operation by a target account;
acquiring authority information of the target account, wherein the authority information is a union set of authority information of each role in at least one role possessed by the target account, the authority information is used for indicating the condition of the target account on each authority in n authorities, n is the number of the authorities and n is an integer greater than 1, each authority is respectively allocated with an authority number, and the authority number is used for uniquely identifying the authority; the authority of each role is represented by an n-dimensional vector, the ith bit in the n-dimensional vector indicates whether the authority of the ith item is possessed or not, and the n-dimensional vector is used as the identification of the role;
judging whether the target account number has a second authority for executing the target operation or not according to the authority information;
when the target account does not have the second right for executing the target operation, the target account fails to access and check;
when the target account has the second right of executing the target operation, acquiring access information of the target account in real time from the request, wherein the access information comprises main body information, resource information and environment information, and the main body information is information of a user of the resource or an initiator of the request and comprises account registration duration information and account department information of the target account; the resource information is data information to be accessed by the target account, and comprises amount information corresponding to the target operation; the environment information is information of the environment when the target account is accessed, and comprises access time information and Internet protocol address information used during access;
judging whether the target account number has a first right for executing the target operation or not according to the access information and a preset judging strategy of the access information;
if the target account number has the first authority to execute the target operation, the access check is successful,
wherein the preset judging policy of any type of access information includes an allowed access set corresponding to any type of access information, and the judging whether the target account has the first permission to execute the target operation according to the access information and the preset judging policy of the access information includes:
acquiring indication information of whether each type of access information in the access information is located in an allowed access set corresponding to each type of access information, wherein the allowed access set corresponding to any type of access information is a condition whether any type of access information can be allowed to access, and when any type of access information in the access information is located in the allowed access set corresponding to any type of access information, determining that the indication information of any type of access information is 1; when any type of access information in the access information is not located in the allowed access set corresponding to any type of access information, determining that the indication information of any type of access information is -1;
acquiring an average value of the indication information of the access information;
when the average value is greater than 0, determining that the target account number has a first right to execute the target operation;
and when the average value is smaller than or equal to 0, determining that the target account number does not have the first authority to execute the target operation.
2. The method of claim 1, wherein the preset determination policy of any type of access information further includes an identifier of any type of access information, where the identifier of any type of access information includes an information name and an information type;
the method further comprises the steps of:
and determining a preset judgment strategy of any type of access information according to the access information of the target account and the prestored identifier of any type of access information.
3. The method of claim 1, wherein the preset determining policy of any type of access information includes a weight corresponding to the any type of access information, and the obtaining the average value of the indication information of the access information includes:
and acquiring a weighted average value of the indication information of the access information.
4. An access verification apparatus, the apparatus comprising:
the receiving module is used for receiving a request of executing a target operation by the target account;
the first acquisition module is used for acquiring the authority information of the target account, wherein the authority information is a union set of the authority information of each role in at least one role possessed by the target account, the authority information is used for indicating the condition of the target account on each authority in n authorities, n is the number of the authorities and n is an integer greater than 1, each authority is respectively allocated with an authority number, and the authority numbers are used for uniquely identifying the authorities; the authority of each role is represented by an n-dimensional vector, the ith bit in the n-dimensional vector indicates whether the authority of the ith item is possessed or not, and the n-dimensional vector is used as the identification of the role;
the first judging module is used for judging whether the target account number has the second permission for executing the target operation according to the permission information;
the verification module is used for failing to verify the access of the target account when the target account does not have the second right for executing the target operation;
the second obtaining module is used for obtaining access information of the target account in real time from the request when the target account has a second right for executing the target operation, wherein the access information comprises main body information, resource information and environment information, and the main body information is information of a user of the resource or an initiator of the request and comprises account registration duration information and account department information of the target account; the resource information is data information to be accessed by the target account, and comprises amount information corresponding to the target operation; the environment information is information of the environment when the target account is accessed, and comprises access time information and Internet protocol address information used during access;
the second judging module is used for judging whether the target account number has the first permission for executing the target operation according to the access information and a preset judging strategy of the access information;
the verification module is further configured to, if the target account number has a first right to execute the target operation, succeed in access verification,
the second judging module comprises:
the first acquisition sub-module is used for acquiring indication information of whether each type of access information in the access information is located in an allowed access set corresponding to each type of access information, wherein the allowed access set corresponding to any type of access information is a condition whether any type of access information can be allowed to access, and when any type of access information in the access information is located in the allowed access set corresponding to any type of access information, the indication information of any type of access information is determined to be 1; when any type of access information in the access information is not located in the allowed access set corresponding to any type of access information, determining that the indication information of any type of access information is -1;
the first determining submodule is used for acquiring the average value of the indication information of the access information; when the average value is greater than 0, determining that the target account number has a first right to execute the target operation; and when the average value is smaller than or equal to 0, determining that the target account number does not have the first authority to execute the target operation.
5. The apparatus of claim 4, wherein the preset determination policy of any type of access information further comprises an identifier of any type of access information, and the identifier of any type of access information comprises an information name and an information type;
the apparatus further comprises:
and the third acquisition module is used for determining a preset judgment strategy of any type of access information according to the access information of the target account and the prestored identifier of any type of access information.
6. The apparatus of claim 4, wherein the preset determination policy of any type of access information includes a weight corresponding to the any type of access information,
the first determining submodule is used for obtaining a weighted average value of the indication information of the access information.
7. A computer device comprising a processor and a memory having stored therein at least one instruction, at least one program, code set or instruction set, the at least one instruction, at least one program, code set or instruction set being loaded and executed by the processor to implement the access verification method of any one of claims 1 to 3.
8. A computer readable storage medium having stored therein at least one instruction, at least one program, code set, or instruction set, the at least one instruction, the at least one program, the code set, or instruction set being loaded and executed by a processor to implement the access verification method of any one of claims 1 to 3.
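
The two-stage check of claims 1 to 3 (role permission vectors, then the weighted vote over access attributes), as an added Python example that is not code from the patent. The roles, permission number, allowed sets, weights and sample request are constructed, and counting a missing or malformed attribute as outside its allowed set is an assumption of this example.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Any, Callable

# Constructed sample data: n = 4 permissions numbered 0..3; each role is an
# n-bit vector whose bit i says whether the role holds permission i.
ROLES = {"teller": 0b0011, "auditor": 0b0100}
PERM_TRANSFER = 1  # hypothetical permission number of the target operation


def account_permissions(role_names):
    """Union (bitwise OR) of the permission vectors of the account's roles."""
    vec = 0
    for name in role_names:
        vec |= ROLES.get(name, 0)  # an unknown role grants nothing
    return vec


@dataclass(frozen=True)
class Policy:
    name: str                       # information name of the attribute
    allowed: Callable[[Any], bool]  # membership test for the allowed access set
    weight: float = 1.0             # claim 3 weight; 1.0 gives the plain mean


# Constructed policies for the five attributes named in claim 1.
POLICIES = [
    Policy("registration_days", lambda d: d >= 90),
    Policy("department", lambda d: d in {"finance", "treasury"}),
    Policy("amount", lambda a: 0 < a <= 10_000),
    Policy("access_hour", lambda h: 9 <= h < 18),
    Policy("ip", lambda ip: ip_address(ip) in ip_network("10.0.0.0/8")),
]


def indication(policy, access_info):
    """1 if the attribute lies in its allowed set, otherwise -1.

    Assumption of this example: a missing or malformed attribute counts as
    outside the set, so the check fails closed.
    """
    try:
        return 1 if policy.allowed(access_info[policy.name]) else -1
    except (KeyError, TypeError, ValueError):
        return -1


def attribute_score(access_info, policies):
    """Weighted average of the indications (the plain mean for equal weights)."""
    total = sum(p.weight for p in policies)
    if total <= 0:
        return 0.0  # no usable policy: a score of 0 is a denial under the > 0 rule
    return sum(p.weight * indication(p, access_info) for p in policies) / total


def with_weight(policies, name, weight):
    """Copy of the policy list with one attribute's weight changed."""
    return [replace(p, weight=weight) if p.name == name else p for p in policies]


def verify_access(role_names, perm_number, access_info, policies=POLICIES):
    # Stage 1 ("second permission"): the role vector must carry the permission bit.
    if not (account_permissions(role_names) >> perm_number) & 1:
        return False
    # Stage 2 ("first permission"): allow only when the average is above 0.
    return attribute_score(access_info, policies) > 0


# Constructed request: every attribute is fine except the source address.
REQUEST = {"registration_days": 400, "department": "finance", "amount": 2500,
           "access_hour": 14, "ip": "203.0.113.7"}
```

With equal weights the constructed request is allowed with a score of 0.6 even though its IP address is outside the allowed set; `with_weight(POLICIES, "ip", 5.0)` turns the same request into a denial.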
CN201910707077.5A 2019-08-01 2019-08-01 Access verification method, device, computer equipment and storage medium Active CN111191254B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910707077.5A CN111191254B (en) 2019-08-01 2019-08-01 Access verification method, device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111191254A CN111191254A (en) 2020-05-22
CN111191254B true CN111191254B (en) 2024-02-27

Family

ID=70707143

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910707077.5A Active CN111191254B (en) 2019-08-01 2019-08-01 Access verification method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111191254B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113689283A (en) * 2021-08-04 2021-11-23 德邦证券股份有限公司 Authority management method, device and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101267339A (en) * 2008-02-28 2008-09-17 华为技术有限公司 User management method and device
CN105512569A (en) * 2015-12-17 2016-04-20 浪潮电子信息产业股份有限公司 Database security reinforcing method and device
CN106469261A (en) * 2015-08-21 2017-03-01 阿里巴巴集团控股有限公司 A kind of auth method and device
CN107918911A (en) * 2016-10-10 2018-04-17 卡巴斯基实验室股份制公司 System and method for performing safe web bank transaction
CN109088884A (en) * 2018-09-26 2018-12-25 平安医疗健康管理股份有限公司 Network address access method, device, server and the storage medium of identity-based verifying

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9021594B2 (en) * 2013-06-19 2015-04-28 International Business Machines Corporation Intelligent risk level grouping for resource access recertification

Also Published As

Publication number Publication date
CN111191254A (en) 2020-05-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant