CN111680310A - Authority control method and device, electronic equipment and storage medium - Google Patents

Authority control method and device, electronic equipment and storage medium

Info

Publication number: CN111680310A
Authority: CN (China)
Prior art keywords: role, authority, service, authority information, identifier
Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010457011.8A
Other languages: Chinese (zh)
Other versions: CN111680310B (en)
Inventor: 孟燃
Current Assignee: Taikang Asset Management Co ltd; Taikang Insurance Group Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Taikang Asset Management Co ltd; Taikang Insurance Group Co Ltd
Application filed by Taikang Asset Management Co ltd, Taikang Insurance Group Co Ltd
Priority to CN202010457011.8A
Publication of CN111680310A
Application granted
Publication of CN111680310B
Current legal status: Active

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database


Abstract

The embodiments of this application provide a method and apparatus for controlling authority, an electronic device and a storage medium. The method comprises the following steps: when a service request for a target service system is received, determining the service authority information required to process the service request, the service request comprising a target user identifier; determining the authority character string corresponding to the target user identifier; splitting the authority character string to obtain one or more role identifier sets; determining the role authority information set corresponding to each of the role identifier sets; generating the user authority information set corresponding to the target user identifier from the role authority information sets of all the role identifier sets; and, when the user authority information set is detected to match the service authority information, calling the target service system to process the service request. The embodiments thereby realise authority control among a plurality of service systems in an integrated management information system, simplify the authority control process and improve its efficiency.

Description

Authority control method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of data processing technologies, and in particular to a method and an apparatus for controlling authority, an electronic device, and a storage medium.
Background
ERP (Enterprise Resource Planning) is a management platform built on information technology. It combines information technology with advanced management ideas and, using a systematic management approach, provides decision-making tools for enterprise employees and decision makers.
At present many enterprises use an ERP system to integrate the management of production, supply, marketing and finance, and the daily business of each department's staff is also handled in the ERP system.
However, as the number of service systems and users in an enterprise's ERP application grows, managing permissions across the service systems becomes very complex and managing user permissions becomes a challenge. In the role-based permission control of the prior art, roles are assigned to users only by defining the various roles and the permissions corresponding to each role. This is hard to apply where the service systems are complex, the users are numerous and a user holds different roles in different systems, and it results in low management efficiency and a high error rate.
Disclosure of Invention
In view of the above, a method and apparatus, an electronic device and a storage medium for controlling authority are proposed that overcome or at least partially solve the above problems, including:
a method of authority control, applied to an integrated management information system into which a plurality of service systems are integrated, the method comprising:
when a service request for a target service system is received, determining the service authority information required to process the service request; wherein the service request comprises a target user identifier;
determining an authority character string corresponding to the target user identifier; the authority character string consists of one or more role identification sets, and each role identification set corresponds to a service system;
splitting the authority character string to obtain one or more role identification sets;
respectively determining role authority information sets corresponding to the one or more role identification sets;
generating a user authority information set corresponding to the target user identification by adopting the role authority information sets corresponding to all the role identification sets;
and when the user authority information set matches the service authority information, calling the target service system to process the service request.
Optionally, the step of splitting the authority character string to obtain one or more role identifier sets includes:
determining a separation character in the authority character string;
and splitting the authority character string according to the separation character to obtain one or more role identification sets.
Optionally, each role identifier set includes a plurality of role identifiers, and the step of determining the role authority information sets corresponding to the one or more role identifier sets respectively includes:
for each role identifier set, determining the first authority group identifiers corresponding to its plurality of role identifiers;
determining authority information corresponding to the first authority group identifier;
and generating a role authority information set corresponding to the role identification set by adopting the authority information corresponding to the first authority group identification.
Optionally, the step of respectively determining the role authority information sets corresponding to the one or more role identification sets further includes:
for each role identifier set, judging whether role identifiers in a parent-child relationship exist;
if role identifiers in a parent-child relationship exist, determining the authority information corresponding to the child role identifier from the authority information corresponding to the parent role identifier; the authority information corresponding to the child role identifier is a subset of the authority information corresponding to the parent role identifier;
and generating the role authority information set corresponding to the role identifier set from the authority information corresponding to the child role identifier.
Optionally, the step of determining, from the authority information corresponding to the parent role identifier, the authority information corresponding to the child role identifier includes:
determining a second authority group identifier corresponding to the parent role identifier;
determining authority information corresponding to the second authority group identifier;
and determining the authority information corresponding to the child role identifier from the authority information corresponding to the second authority group identifier.
Optionally, the step of invoking the target service system to process the service request when it is detected that the user permission information set matches the service permission information includes:
when the user authority information set matches the service authority information, obtaining the user attribute information corresponding to the target user identifier;
and calling the target service system to process the service request according to the user attribute information.
Optionally, the step of invoking the target service system to process the service request according to the user attribute information includes:
acquiring first data corresponding to the user authority information set from the target service system;
determining second data corresponding to the user attribute information from the first data;
and displaying the second data.
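As an added illustration of the claimed method (example code written for this page, not the patent's own implementation), the following Python resolves an authority character string into a user authority information set the way the optional steps above describe: the string is split at a separation character into role identifier sets, each role identifier is mapped to its first authority group identifier and then to authority information, and where a parent-child relationship exists the child's authority information is taken from within its parent's group (the "second authority group identifier"), so a child can never exceed its parent. The lookup tables, the "+" joiner inside a role identifier set, the role and permission names, and the set intersection used to enforce the subset rule are all assumptions of this example; the patent names none of them.

```python
from typing import Dict, List, Set

# All tables below are constructed sample data for this example, not from the patent.
ROLE_SET_SEPARATOR = "|"    # separates role identifier sets (one set per service system)
ROLE_ID_JOINER = "+"        # joins the role identifiers inside one set (assumed convention)

# role identifier -> "first authority group identifier"
ROLE_TO_GROUP: Dict[str, str] = {
    "asset_manager": "G_ASSET_MANAGE",
    "asset_annuity_viewer": "G_ANNUITY_VIEW",
    "hr_observer": "G_HR_VIEW",
}
# authority group identifier -> authority information
GROUP_TO_PERMS: Dict[str, Set[str]] = {
    "G_ASSET_MANAGE": {"asset:view", "asset:add", "asset:delete"},
    # misconfigured on purpose: declares "asset:export", which the parent group lacks
    "G_ANNUITY_VIEW": {"asset:view", "asset:export"},
    "G_HR_VIEW": {"hr:view"},
}
# child role identifier -> parent role identifier
PARENT_OF: Dict[str, str] = {"asset_annuity_viewer": "asset_manager"}


def split_permission_string(permission_string: str, separator: str = ROLE_SET_SEPARATOR) -> List[str]:
    """Split the authority character string at the separation character into role identifier sets."""
    return [part.strip() for part in permission_string.split(separator) if part.strip()]


def group_permissions(role_id: str) -> Set[str]:
    """Role identifier -> authority group identifier -> authority information (empty if unknown)."""
    group_id = ROLE_TO_GROUP.get(role_id)
    return set(GROUP_TO_PERMS.get(group_id, set())) if group_id else set()


def role_permissions(role_id: str) -> Set[str]:
    """Authority information of one role with the parent-child rule applied: a child role's
    authority information is taken from within its parent's, so it can never exceed the
    parent's even if the child's own group over-declares."""
    perms = group_permissions(role_id)
    parent_id = PARENT_OF.get(role_id)
    if parent_id is not None:
        perms &= group_permissions(parent_id)   # parent's group = "second authority group identifier"
    return perms


def role_set_permissions(role_set: str) -> Set[str]:
    """Role authority information set for one role identifier set (several role identifiers)."""
    perms: Set[str] = set()
    for role_id in role_set.split(ROLE_ID_JOINER):
        perms |= role_permissions(role_id.strip())
    return perms


def user_permission_set(permission_string: str) -> Set[str]:
    """User authority information set: the union over all role identifier sets in the string."""
    perms: Set[str] = set()
    for role_set in split_permission_string(permission_string):
        perms |= role_set_permissions(role_set)
    return perms


if __name__ == "__main__":
    s = "asset_annuity_viewer|hr_observer"
    print(split_permission_string(s))                         # ['asset_annuity_viewer', 'hr_observer']
    print(sorted(role_permissions("asset_annuity_viewer")))   # ['asset:view']  (export dropped)
    print(sorted(user_permission_set(s)))                     # ['asset:view', 'hr:view']
```

The deliberately over-declared "asset:export" in the child's group shows why the subset step matters from a least-privilege standpoint: a misconfigured child group cannot grant more than its parent. An unknown role identifier resolves to an empty set rather than raising, so a stray value in the string contributes nothing.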
An apparatus for controlling authority, applied to an integrated management information system into which a plurality of service systems are integrated, the apparatus comprising:
a service authority information determining module, configured to determine, when a service request for a target service system is received, the service authority information required to process the service request; wherein the service request comprises a target user identifier;
the authority character string determining module is used for determining the authority character string corresponding to the target user identifier; the authority character string consists of one or more role identification sets, and each role identification set corresponds to a service system;
a role identification set obtaining module, configured to split the authority character string to obtain one or more role identification sets;
a role authority information set determining module, configured to determine role authority information sets corresponding to the one or more role identifier sets respectively;
the user authority information set generating module is used for generating a user authority information set corresponding to the target user identifier by adopting the role authority information sets corresponding to all the role identifier sets;
and a service request processing module, configured to call the target service system to process the service request when the user authority information set is detected to match the service authority information.
An electronic device comprising a processor, a memory and a computer program stored on the memory and being executable on the processor, the computer program, when executed by the processor, implementing the steps of the method of rights control as described above.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of rights control as described above.
The embodiment of the application has the following advantages:
In the embodiments of this application, when a service request for a target service system is received, the service authority information required to process it is determined; the service request comprises a target user identifier, and the authority character string corresponding to that identifier is determined. The authority character string consists of one or more role identifier sets, each corresponding to one service system. The string is split to obtain the role identifier sets, the role authority information set corresponding to each is determined, and the role authority information sets of all the sets are used to generate the user authority information set for the target user identifier. When the user authority information set is detected to match the service authority information, the target service system is called to process the service request. This realises authority control among a plurality of service systems in an integrated management information system while keeping users, roles and authorities loosely coupled, which simplifies the authority control process, improves its efficiency and reduces the error rate.
Drawings
To illustrate the technical solutions of this application more clearly, the drawings needed in the description are briefly introduced below. The drawings described below show only some embodiments of the application; those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart illustrating steps of a method for controlling permissions according to an embodiment of the present application;
FIG. 2 is a flow chart illustrating steps of another method for controlling permissions according to an embodiment of the present application;
FIG. 3 is a flow chart illustrating steps of another method for controlling permissions according to an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an apparatus for controlling authority according to an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the field of data processing, ERP (Enterprise Resource Planning) not only has low management efficiency but is also prone to errors where the business systems are complex, the users are numerous and different systems involve different roles.
In an enterprise ERP application, a user at a given post holds different roles in different business systems and therefore has different permissions. For example, a product manager may have the role of local observer in the personnel management system, with permission to query all data except salaries; no role, and therefore no permission, in the financial management system; and the role of local administrator in fixed asset management, that is, add/delete/query functions for the product department and the development department, and so on. Assigning different role permissions to users of different posts in different business systems, and updating user permissions as posts change, is complex work for the ERP system administrator.
The ERP system can also set group permissions: ERP users are added to the corresponding groups and inherit the group permissions, so when an employee's position changes the user's permissions need not be reset; the user is simply added to the corresponding group. However, this approach manages privileges at a relatively coarse granularity, requires a complete set of privileges to be configured, and makes it difficult to assign different privileges to different users in a fine-grained way.
To address the difficulty of extension and modification, a user-role mapping table and a permission information list are generated when user permissions are set; when an access request is received, the role name corresponding to the user name is obtained by querying the mapping table with the user name, and the content displayed to the user is then determined from the permission information list corresponding to that role name.
To improve authorization stability, the role type is used as an intermediary: resources are authorized to the role type and users are then added to the role, avoiding direct granting and revocation between users and resources; multi-level human-resources administrators authorize role types hierarchically, reducing the workload of a single system administrator and making management easier.
To solve the problems of low management efficiency and frequent errors where the service systems are complex, the users are numerous and different systems involve different roles, the invention provides a method for controlling authority with the following specific steps:
Referring to FIG. 1, a flowchart of the steps of a method for controlling permissions according to an embodiment of this application is shown. The method may be applied to an integrated management information system that integrates multiple service systems, such as an asset management system, and specifically includes the following steps:
Step 101, when a service request for a target service system is received, determining the service authority information required to process the service request; wherein the service request comprises a target user identifier;
as an example, the service request may include an asset management product viewing request and the service permission information may include asset management product viewing permissions.
When a user needs to access a service of the target service system, the user first sends a service request to the integrated management information system; for example, to view a product sales report in the asset management system, the user first sends an asset management product viewing request to the integrated management information system.
After receiving the service request, the integrated management information system first determines the service permission information required to process it; for example, on receiving an asset management product viewing request from a user, it obtains the asset management product viewing permission required to process that request.
In an embodiment of the present application, before step 101, the method may further include the following steps:
receiving a login request, wherein the login request comprises user login information; and, when the user login information passes verification, returning a service system list, wherein the service system list comprises a plurality of service system identifiers.
The login information may be a character string, or a combination of character strings, indicating the identity of the user, such as "asset management director" or "asset | | | manpower";
the service system identification may include a text or an icon corresponding to the service system, and the text or the icon may be information corresponding to different service systems;
When a user needs to access services of a target service system, the user may first log in to the integrated management information system, specifically by sending login information, such as account information and the password corresponding to the account, to the integrated management information system.
After receiving the login information, the integrated management information system verifies it. For example, it searches for the received login information among the login information stored in the system in advance: if it is found, the verification succeeds; if it is not found, the verification fails.
After the login information is verified successfully, the network used by the user side may also be verified. Once that verification also succeeds, a service system list comprising a plurality of service system identifiers is returned to the user, who can click a service system identifier to send a service request for that service system.
In this embodiment, both the user's login information and the network used at login are verified, which confirms the user's identity and protects the information in the integrated management information system.
Step 102, determining an authority character string corresponding to the target user identification; the authority character string consists of one or more role identification sets, and each role identification set corresponds to a service system;
the target user identifier may be character information associated with the user, such as "asset management".
After the service authority information required to process the service request is determined, the target user identifier, which carries the authority character string, can be extracted from the service request, and the authority character string corresponding to the target user identifier is then determined.
In an embodiment of the present application, before step 102, the method may further include the following steps:
and decrypting the authority character string.
After the authority character string corresponding to the target user identifier is determined, it may be checked whether the string is encrypted. If so, it is decrypted first: specifically, the pre-stored certificate information and the encrypted authority character string may be sent to a computing unit, which decrypts the string using the supplied digital certificate to obtain the decrypted authority character string.
Step 103, splitting the authority character string to obtain one or more role identifier sets;
A role identifier set may be an identifier set corresponding to a particular service system. In the integrated management information system, users at different posts hold different roles in the various service systems, with different available resources and executable operations, and therefore different permissions. The mapping between each post in the enterprise and the role identifier set of each business system can therefore be predefined, and when permissions are assigned to a user, the user's roles can be determined by querying the table storing that mapping with the user's post.
To improve efficiency, a user is mapped to its role or roles by setting a role identifier set, rather than configuring or assigning roles to the user one by one. For example, if a user's position involves both asset management and customer service management, the role name set for that user could be "asset _ customer service": the user's roles are concatenated into a single character string, with each role name separated by a specific character.
After the authority string corresponding to the target user identifier is determined, it is split into one or more role identifier sets, each corresponding to a service system. For example, "resource management __ annuity | | manpower" is split into "resource management __ annuity" and "manpower"; "resource management __ annuity" corresponds to the resource management service system and "manpower" to the human resources service system.
In an embodiment of the present application, step 103 may include the following sub-steps:
determining a separation character in the authority character string; and splitting the authority character string according to the separation character to obtain one or more role identification sets.
The separation character may be "|", a comma, or any other predetermined character or string, such as "or".
In a specific implementation, a preset separation character may be searched in the permission string, for example, the preset separation character is "|".
After the separation character is determined, the authority character string may be split at the positions of the separation character to obtain one or more role identifier sets. For example, with the separation character "|", the authority character string "resources __ annuity | | | manpower" is split into the role identifier sets "resources __ annuity" and "manpower".
Step 104, determining the role authority information sets corresponding to the one or more role identifier sets respectively;
After the one or more role identifier sets are obtained, the role authority information set corresponding to each is determined. For example, after the role identifier sets "resource __ annuity" and "manpower" are obtained, the role authority information set for "resource __ annuity" is found to be the resource management product authority information of the annuity channel, and that for "manpower" is the human resources authority information.
Step 105, generating the user authority information set corresponding to the target user identifier from the role authority information sets corresponding to all the role identifier sets;
The user authority information set may be character information associated with a permission, for example "resource management viewing right".
After the role authority information sets for all role identifier sets are obtained, they are merged to generate the user authority information set corresponding to the target user identifier. For example, for the user identifier "resource management __ annuity | | | manpower", the role authority information set for the role identifier set "resource management __ annuity" is "asset management product authority information sold by the annuity department" and that for the role identifier set "manpower" is "human resource authority information", so the user authority information set for "resource management __ annuity | | | manpower" is "asset management product authority information sold by the annuity department and human resource authority information".
Step 106, when the user authority information set matches the service authority information, calling the target service system to process the service request.
After the user authority information set corresponding to the target user identifier is determined, it is matched against the acquired service authority information. In practice this means judging whether the user authority information set contains the service authority information: if it does, the match succeeds, and the integrated management information system then calls the target service system to process the service request.
In an embodiment of the present application, step 106 may include the following sub-steps:
when the user authority information set is matched with the service authority information, user attribute information corresponding to the target user identification is obtained; and calling the target service system to process the service request according to the user attribute information.
In the integrated management information system, a permission content management interface can be provided to configure specific permission content for specific personnel. In particular, permissions can be assigned to individuals alongside the common approach to permission management; for example, fund managers A and B are both fund managers but see different funds, which allows more flexible configuration and presentation of content.
Specifically, when the user permission information set is detected to match the service permission information, that is, after authentication passes, the user attribute information corresponding to the target user identifier, such as the fund information the user may operate on, may be obtained, and the target service system may then be invoked to process the service request according to that user attribute information, so that processing is personalised for different users.
In an embodiment of the present application, the step of invoking the target service system to process the service request according to the user attribute information includes:
acquiring first data corresponding to the user authority information set from the target service system; determining second data corresponding to the user attribute information from the first data; and displaying the second data.
In a specific implementation, the first data corresponding to the user permission information set, that is, the data of the permission group, may be obtained from the target service system; then the second data suited to each user is screened from that first data according to the user's attribute information, and the second data is displayed for the user to operate on.
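The request flow of FIG. 1, from login through to the second data, as an added end-to-end example in Python (written for this page; not the patent's or the assignee's code). It verifies the login information and the client network before returning the service system list, looks up the authority character string for the user, searches it for the preset separation character, merges the role authority information sets, checks that the user authority information set contains the service authority information, and finally screens the target system's first data by the user's attribute information. The password hashing, the trusted network range, the constant-time comparison, the fund-based attribute filter and every account, role, permission and fund name are constructed for this example and do not appear in the description.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# ---- Constructed sample data for this example (not from the patent) ----
# Login store: account -> salted SHA-256 of the password. Storing a hash rather than the
# plain login information is this example's choice; the description only says the system
# checks whether the login information was stored in advance.
_SALT = b"example-salt"


def _password_hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


ACCOUNTS: Dict[str, str] = {"zhang": _password_hash("correct horse battery")}
TRUSTED_NETWORK = ipaddress.ip_network("10.0.0.0/8")   # assumed "network used by the user side" rule
SERVICE_SYSTEMS: List[str] = ["asset management", "human resources"]

# Step 102: target user identifier -> authority character string
PERMISSION_STRINGS: Dict[str, str] = {"zhang": "asset__annuity|hr"}
# Step 104: role identifier set -> role authority information set
ROLE_PERMS: Dict[str, Set[str]] = {
    "asset__annuity": {"asset:product:view"},
    "hr": {"hr:view"},
}
# Step 101: (target service system, request kind) -> service authority information
SERVICE_PERMS: Dict[Tuple[str, str], Set[str]] = {
    ("asset management", "product_view"): {"asset:product:view"},
}
# Sub-step of step 106: user attribute information (which funds a user may see)
USER_ATTRS: Dict[str, Set[str]] = {"zhang": {"Annuity Growth"}}
# "First data" held by the asset management system for the viewing permission
ASSET_PRODUCTS: List[Dict[str, object]] = [
    {"fund": "Annuity Growth", "sales": 120},
    {"fund": "Balanced", "sales": 80},
]
# Separation characters the description names; "|" is the preset one and is tried first
SEPARATORS: Tuple[str, ...] = ("|", ",", " or ")


def login(account: str, password: str, client_ip: str) -> Optional[List[str]]:
    """Verify login information and the user's network; return the service system list or None."""
    stored = ACCOUNTS.get(account)
    if stored is None or not hmac.compare_digest(stored, _password_hash(password)):
        return None
    if ipaddress.ip_address(client_ip) not in TRUSTED_NETWORK:
        return None
    return list(SERVICE_SYSTEMS)


def detect_separator(permission_string: str) -> str:
    """Step 103 sub-step: find the separation character present in the authority string."""
    for sep in SEPARATORS:
        if sep in permission_string:
            return sep
    return SEPARATORS[0]   # no separator: the whole string is a single role identifier set


def split_roles(permission_string: str) -> List[str]:
    sep = detect_separator(permission_string)
    return [p.strip() for p in permission_string.split(sep) if p.strip()]


def user_permissions(user_id: str) -> Set[str]:
    """Steps 102-105: look up, split, resolve and merge the user's role authority sets."""
    perms: Set[str] = set()
    for role_set in split_roles(PERMISSION_STRINGS.get(user_id, "")):
        perms |= ROLE_PERMS.get(role_set, set())   # an unknown role set grants nothing
    return perms


def handle_service_request(user_id: str, target_system: str,
                           request_kind: str) -> Optional[List[Dict[str, object]]]:
    """Steps 101 and 106: require that the user's set contains the service authority
    information, then return the second data (first data screened by user attributes)."""
    required = SERVICE_PERMS.get((target_system, request_kind))
    if not required:
        return None                     # fail closed: no authority information configured
    if not required <= user_permissions(user_id):
        return None                     # user authority information set does not match
    allowed_funds = USER_ATTRS.get(user_id, set())
    first_data = ASSET_PRODUCTS         # data corresponding to the permission group
    return [row for row in first_data if row["fund"] in allowed_funds]
```

Two design points worth noting: a service request with no configured authority information is refused rather than waved through, and the authorization check is a superset test, so a request needing several permissions passes only when the user holds all of them. The separator search tries the preset "|" first because a looser candidate such as " or " could also appear inside a role name.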
In this embodiment of the application, when a service request for a target service system is received, the service permission information required to process the request is determined, the request carrying a target user identifier. The permission string corresponding to the target user identifier is determined; it consists of one or more role identifier sets, each corresponding to one service system. The permission string is split to obtain the role identifier sets, the role permission information set corresponding to each is determined, and the role permission information sets of all the role identifier sets are used to generate the user permission information set corresponding to the target user identifier. When the user permission information set is detected to match the service permission information, the target service system is invoked to process the service request. This realizes permission control across the multiple service systems of an integrated management information system while keeping users, roles and permissions loosely coupled, which simplifies the permission control process, improves its efficiency and reduces the error rate.
Referring to fig. 2, a flowchart illustrating steps of another method for controlling an authority according to an embodiment of the present application is shown, which may specifically include the following steps:
step 201, when receiving a service request for a target service system, determining service authority information required for processing the service request; wherein, the service request comprises a target user identification;
step 202, determining an authority character string corresponding to the target user identifier; the authority character string consists of one or more role identification sets, and each role identification set corresponds to a service system;
step 203, splitting the authority character string to obtain one or more role identification sets; each role identification set comprises a plurality of role identifications;
step 204, for each role identifier set, respectively determining the first permission group identifiers corresponding to its role identifiers;
Since a user can belong to multiple permission groups, and each permission group has a unique permission group identifier, the role identifiers contained in each role identifier set can be determined, and the permission group corresponding to each role identifier can then be looked up to obtain the first permission group identifier.
Step 205, determining authority information corresponding to the first authority group identifier;
for each permission group, different permission information can be set, and after the first permission group identifier is determined, the permission information corresponding to the first permission group identifier can be determined.
Step 206, generating a role authority information set corresponding to the role identification set by using the authority information corresponding to the first authority group identification;
after determining the permission information corresponding to the first permission group identifier, the permission information corresponding to the first permission group identifier may be used to generate a role permission information set corresponding to the role identifier set, where the role permission information set may include the permission information corresponding to the first permission group identifier.
Step 207, generating a user authority information set corresponding to the target user identifier by using the role authority information sets corresponding to all the role identifier sets;
step 208, when the user permission information set matches the service permission information, invoking the target service system to process the service request.
In this embodiment of the application, for each role identifier set the first permission group identifiers corresponding to its role identifiers are determined, the permission information corresponding to those first permission group identifiers is determined, and that permission information is used to generate the role permission information set corresponding to the role identifier set. In this way the same user can belong to multiple permission groups, those permission groups may span service systems, and the efficiency of permission management is improved.
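The following Python block is an added example, not code from the patent or its applicant, implementing steps 202 to 208 of Fig. 2: it splits the permission string on a separation character, resolves each role identifier to its first permission group identifier, unions the groups' permission information into the user permission information set and checks that set against the service permission information. The separator characters, the role, group and permission names and the role-to-service-system table are constructed assumptions; the patent fixes only the structure, not the encoding.

```python
# Added example (not from the patent): steps 202-208 of Fig. 2 in Python.
# Separator characters, role names, group names and permission names are
# constructed assumptions.

SET_SEPARATOR = ";"    # assumed separation character between role identifier sets
ROLE_SEPARATOR = "__"  # separator inside a set, after the page's "asset management __ annuity"

# Constructed sample: the service system each basic role identifier belongs to.
SERVICE_SYSTEM_OF_ROLE = {"hr": "human_resource", "invest": "investment_management"}

# Constructed sample: role identifier -> first permission group identifier.
# Several roles may point at one group, and one group may serve several systems.
PERMISSION_GROUP_OF_ROLE = {
    "hr": "grp_hr_all",
    "hr_view": "grp_hr_view",
    "invest": "grp_invest_all",
    "asset_mgmt": "grp_asset",
}

# Constructed sample: permission group identifier -> permission information.
PERMISSIONS_OF_GROUP = {
    "grp_hr_all": {"hr:page:view", "hr:operate", "hr:report:generate"},
    "grp_hr_view": {"hr:page:view"},
    "grp_invest_all": {"fund:view", "fund:edit"},
    "grp_asset": {"fund:view", "fund:edit", "report:generate"},
}


def split_permission_string(permission_string):
    """Step 203: split on the separation character; each non-empty piece is one
    role identifier set, itself a list of role identifiers."""
    sets = []
    for piece in permission_string.split(SET_SEPARATOR):
        role_ids = [r.strip() for r in piece.split(ROLE_SEPARATOR) if r.strip()]
        if role_ids:
            sets.append(role_ids)
    return sets


def service_system_of(role_ids):
    """Each role identifier set corresponds to one service system, here taken
    from its first (basic) role identifier; None if the basic role is unknown."""
    return SERVICE_SYSTEM_OF_ROLE.get(role_ids[0]) if role_ids else None


def role_permission_set(role_ids):
    """Steps 204-206: resolve every role identifier to its first permission
    group and union that group's permission information. An unknown role or
    group contributes nothing (fail closed) rather than raising."""
    perms = set()
    for role_id in role_ids:
        group_id = PERMISSION_GROUP_OF_ROLE.get(role_id)
        perms |= PERMISSIONS_OF_GROUP.get(group_id, set())
    return perms


def user_permission_set(permission_string):
    """Step 207: union of the role permission sets of all role identifier sets."""
    perms = set()
    for role_ids in split_permission_string(permission_string):
        perms |= role_permission_set(role_ids)
    return perms


def matches(permission_string, service_permissions):
    """Step 208: serve the request only if the user set covers every required permission."""
    return set(service_permissions) <= user_permission_set(permission_string)


if __name__ == "__main__":
    auth = "hr__hr_view;invest__asset_mgmt"
    print(sorted(user_permission_set(auth)))
    print(matches(auth, {"fund:edit", "report:generate"}))
```

Because the permission string is the only input the check trusts, it must come from the system's own user store rather than from the request; the lookups above deliberately return an empty set for any role or group the tables do not know, so a malformed or stale string can only reduce what a user may do.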
Referring to fig. 3, a flowchart illustrating steps of another method for controlling an authority according to an embodiment of the present application is shown, which may specifically include the following steps:
step 301, when receiving a service request for a target service system, determining service permission information required for processing the service request; wherein, the service request comprises a target user identification;
step 302, determining an authority character string corresponding to the target user identifier; the authority character string consists of one or more role identification sets, and each role identification set corresponds to a service system;
step 303, splitting the authority character string to obtain one or more role identification sets;
step 304, for each role identifier set, judging whether role identifiers with a parent-child relationship exist in it;
When determining the role permission information set corresponding to a role identifier set, it may first be determined whether a parent-child relationship exists between the role identifiers in the set. The parent-child relationship may be determined through a preset relationship mapping: for example, if the role identifier set is "asset management __ annuity" and a mapping between "asset management" and "annuity" is stored in a pre-stored parent-child relationship mapping table, then the role identifier "asset management" has a parent-child relationship with the role identifier "annuity".
A role identifier set can include a basic role identifier and a permission group identifier. The permission group identifier may be the name of a permission group formed from a plurality of common permission identifiers, and a user who joins the permission group inherits all the permission information corresponding to that permission group identifier.
For example, the common permissions for asset management may be set up as a permission group, and when a user is allowed to perform asset management, the mapping between that user and the multiple permissions in the "asset management" permission group is established by adding the identifier of the "asset management" permission group to the user's role name.
In a specific implementation, a basic role identifier may be the parent of all child roles belonging to a service system. Different basic roles represent different sub-service systems and generally have no direct association with one another: for example, role A is the basic role of the human resource system and role B is the basic role of the investment management system, and all basic roles are in a parallel relationship. One user may hold several basic roles, and in the usual design a basic role includes all the permissions of its subsystem.
Each basic role can be inherited by child roles. A child role refines its parent basic role, that is, the permissions defined by the child role are a subset of the parent role's, and wherever the two conflict the permission information corresponding to the child role prevails.
In addition, in the application, for each service system a basic role can be defined at each level; for example, in the human resource management system the basic role C may be a page viewing permission, the basic role D an operation permission and the role E a report generation permission, and these can also be combined according to service needs.
step 305, if role identifiers with a parent-child relationship exist, determining the permission information corresponding to the child role identifier from the permission information corresponding to the parent role identifier; the permission information corresponding to the child role identifier is a subset of the permission information corresponding to the parent role identifier;
When role identifiers with a parent-child relationship exist, the child role identifier and the parent role identifier among them are determined. For example, if the role identifier set is "asset management __ annuity" and the pre-stored parent-child relationship mapping table records that "asset management" is the parent role of "annuity", then in the role identifier set "asset management __ annuity" the parent role identifier is determined to be "asset management" and the child role identifier to be "annuity".
After the parent role identifier and the child role identifier are determined, the permission information corresponding to the parent role identifier can be determined, and the permission information corresponding to the child role identifier can then be determined within it, thereby implementing permission inheritance.
In an embodiment of the present invention, step 305 may include the following sub-steps:
determining a second authority group identifier corresponding to the parent role identifier; determining authority information corresponding to the second authority group identifier; and determining the authority information corresponding to the sub-role identifier from the authority information corresponding to the second authority group identifier.
In a specific implementation, the second permission group identifier corresponding to the parent role identifier may be determined first, then the permission information corresponding to the second permission group identifier may be determined, and then the permission information corresponding to the child role identifier may be determined from the permission information corresponding to the second permission group identifier.
Step 306, generating a role authority information set corresponding to the role identification set by using the authority information corresponding to the sub-role identification;
step 307, generating a user permission information set corresponding to the target user identifier by using the role permission information sets corresponding to all the role identifier sets;
step 308, when it is detected that the user permission information set matches the service permission information, the target service system is invoked to process the service request.
In this embodiment of the application, for each role identifier set it is judged whether role identifiers with a parent-child relationship exist; if so, the permission information corresponding to the child role identifier is determined from the permission information corresponding to the parent role identifier, and that permission information is used to generate the role permission information set corresponding to the role identifier set. This implements permission inheritance, lets a user obtain part of the permissions of a permission group, and improves the flexibility of permission control.
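The following Python block is an added example, not code from the patent or its applicant, covering steps 304 to 306 of Fig. 3: it detects parent and child role identifiers inside one role identifier set through a pre-stored mapping table, derives the child's permission information from the parent's (second) permission group so that it stays a subset, lets the child's definition win where the two conflict, and merges roles that have no parent-child relationship as in Fig. 2. The role and group names, the scope values used as permission information and the child-to-parent mapping are constructed assumptions.

```python
# Added example (not from the patent): steps 304-306 of Fig. 3 in Python.
# Role names, group names, scope values and the mapping table are constructed
# assumptions.

ROLE_SEPARATOR = "__"  # after the page's "asset management __ annuity"

# Constructed sample: pre-stored parent-child relationship mapping, child -> parent.
PARENT_OF = {"annuity": "asset_mgmt"}

# Constructed sample: role identifier -> permission group identifier (for a
# parent role this is the "second permission group identifier" of step 305).
PERMISSION_GROUP_OF_ROLE = {"asset_mgmt": "grp_asset", "annuity": "grp_annuity"}

# Constructed sample: permission group -> {permission name: scope}. The scope
# plays the role of the permission information attached to each permission.
PERMISSIONS_OF_GROUP = {
    "grp_asset": {"fund:view": "all", "fund:edit": "all", "report:generate": "all"},
    "grp_annuity": {"fund:view": "annuity", "fund:edit": "annuity"},
}


def find_parent_child(role_ids):
    """Step 304: (parent, child) pairs whose members both sit in this role identifier set."""
    return [(PARENT_OF[r], r) for r in role_ids
            if r in PARENT_OF and PARENT_OF[r] in role_ids]


def group_permissions(role_id):
    """Permission information of the group a role identifier maps to (a copy)."""
    return dict(PERMISSIONS_OF_GROUP.get(PERMISSION_GROUP_OF_ROLE.get(role_id), {}))


def child_permissions(parent_id, child_id):
    """Step 305: derive the child's permission information from the parent's
    permission group. Only permissions the parent grants can be inherited, so a
    child entry the parent lacks is dropped and the subset invariant holds even
    if the group tables drift; where both define a permission, the child's
    (narrower) value is the one used."""
    parent_perms = group_permissions(parent_id)
    child_defined = group_permissions(child_id)
    return {name: child_defined[name] for name in parent_perms if name in child_defined}


def role_permission_set(role_ids):
    """Step 306: the role permission information set for one role identifier set.
    A parent's full set is replaced by its child's refinement; roles that take
    part in no parent-child relationship contribute their own group permissions."""
    parents = {parent for parent, _ in find_parent_child(role_ids)}
    perms = {}
    for role_id in role_ids:
        if role_id in parents:
            continue  # superseded by the child's refined permissions
        parent_id = PARENT_OF.get(role_id)
        if parent_id in parents:
            perms.update(child_permissions(parent_id, role_id))
        else:
            perms.update(group_permissions(role_id))
    return perms


def role_permission_sets(permission_string, set_separator=";"):
    """Split the permission string and resolve each role identifier set (steps 303-306)."""
    return [role_permission_set([r.strip() for r in piece.split(ROLE_SEPARATOR) if r.strip()])
            for piece in permission_string.split(set_separator) if piece.strip()]
```

The subset rule is enforced at lookup time rather than trusted from the tables: if someone later adds a permission to the child's group that the parent never granted, `child_permissions` silently leaves it out, so the child can never end up with more than its parent.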
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred and that no particular act is required of the embodiments of the application.
Referring to fig. 4, a block diagram of an apparatus for controlling permissions according to an embodiment of the present application is shown, where the apparatus includes an integrated management information system, and the integrated management information system integrates multiple service systems, and the apparatus includes the following modules:
a service permission information determining module 401, configured to determine, when a service request for a target service system is received, service permission information required to process the service request; wherein, the service request comprises a target user identification;
an authority string determining module 402, configured to determine an authority string corresponding to the target user identifier; the authority character string consists of one or more role identification sets, and each role identification set corresponds to a service system;
a role identifier set obtaining module 403, configured to split the authority character string to obtain one or more role identifier sets;
a role authority information set determining module 404, configured to determine role authority information sets corresponding to the one or more role identifier sets respectively;
a user permission information set generating module 405, configured to generate a user permission information set corresponding to the target user identifier by using the role permission information sets corresponding to all the role identifier sets;
a service request processing module 406, configured to invoke the target service system to process the service request when it is detected that the user permission information set matches the service permission information.
In an embodiment of the present application, the role identification set obtaining module 403 includes:
the separation character determining submodule is used for determining separation characters in the authority character string;
and the authority character string splitting submodule is used for splitting the authority character string according to the separation characters to obtain one or more role identification sets.
In an embodiment of the present application, each role identifier set includes a plurality of role identifiers, and the role authority information set determining module 404 includes:
the first permission group identification determining submodule is used for respectively determining first permission group identifications corresponding to the plurality of role identifications aiming at each role identification set;
a first authority group identifier authority determining submodule, configured to determine authority information corresponding to the first authority group identifier;
and the permission generation submodule is used for generating a role permission information set corresponding to the role identification set by adopting permission information corresponding to the first permission group identification.
In an embodiment of the present application, the role authority information set determining module 404 further includes:
a parent-child relationship judgment submodule for judging whether a role identifier having a parent-child relationship exists for each role identifier set;
the child role identification permission determining submodule is used for determining permission information corresponding to the child role identification from permission information corresponding to the parent role identification if the role identification with the parent-child relationship exists; the authority information corresponding to the child role identifier is a subset of the authority information corresponding to the parent role identifier;
and the sub role identification permission generation sub-module is used for generating a role permission information set corresponding to the role identification set by adopting permission information corresponding to the sub role identification.
In an embodiment of the present application, the child role identifier authority determining sub-module includes:
a second permission group identifier determining unit, configured to determine a second permission group identifier corresponding to the parent role identifier;
the second authority group identifier authority determining unit is used for determining authority information corresponding to the second authority group identifier;
and the permission determining unit is used for determining permission information corresponding to the sub-role identifier from the permission information corresponding to the second permission group identifier.
In an embodiment of the present application, the service request processing module 406 includes:
a user attribute information obtaining submodule, configured to obtain user attribute information corresponding to the target user identifier when it is detected that the user permission information set matches the service permission information;
and the processing submodule is used for calling the target service system to process the service request according to the user attribute information.
In an embodiment of the present application, the processing submodule includes:
a first data obtaining unit, configured to obtain, from the target service system, first data corresponding to the user permission information set;
a second data determination unit configured to determine second data corresponding to the user attribute information from the first data;
and the second data display unit is used for displaying the second data.
In this embodiment of the application, when a service request for a target service system is received, the service permission information required to process the request is determined, the request carrying a target user identifier. The permission string corresponding to the target user identifier is determined; it consists of one or more role identifier sets, each corresponding to one service system. The permission string is split to obtain the role identifier sets, the role permission information set corresponding to each is determined, and the role permission information sets of all the role identifier sets are used to generate the user permission information set corresponding to the target user identifier. When the user permission information set is detected to match the service permission information, the target service system is invoked to process the service request. This realizes permission control across the multiple service systems of an integrated management information system while keeping users, roles and permissions loosely coupled, which simplifies the permission control process, improves its efficiency and reduces the error rate.
An embodiment of the present application also provides an electronic device, which may include a processor, a memory, and a computer program stored on the memory and capable of running on the processor, and when the computer program is executed by the processor, the steps of the method for controlling the authority are implemented.
An embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the method for controlling the authority as described above.
For the device embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, refer to the partial description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing terminal to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing terminal to cause a series of operational steps to be performed on the computer or other programmable terminal to produce a computer implemented process such that the instructions which execute on the computer or other programmable terminal provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or terminal that comprises the element.
The method and apparatus for controlling authority, the electronic device, and the storage medium provided above are introduced in detail, and a specific example is applied in this document to explain the principle and the implementation of the present application, and the description of the above embodiment is only used to help understand the method and the core idea of the present application; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present application.

Claims (10)

1. A method for controlling authority, wherein the method is applied to an integrated management information system, the integrated management information system is integrated with a plurality of service systems, and the method comprises:
when a service request aiming at a target service system is received, determining service authority information required by processing the service request; wherein, the service request comprises a target user identification;
determining an authority character string corresponding to the target user identifier; the authority character string consists of one or more role identification sets, and each role identification set corresponds to a service system;
splitting the authority character string to obtain one or more role identification sets;
respectively determining role authority information sets corresponding to the one or more role identification sets;
generating a user authority information set corresponding to the target user identification by adopting the role authority information sets corresponding to all the role identification sets;
and when the user permission information set is matched with the service permission information, calling the target service system to process the service request.
2. The method of claim 1, wherein the step of splitting the permission string to obtain one or more role identification sets comprises:
determining a separation character in the authority character string;
and splitting the authority character string according to the separation character to obtain one or more role identification sets.
3. The method of claim 2, wherein each role identification set comprises a plurality of role identifications, and the step of determining the role authority information sets corresponding to the one or more role identification sets respectively comprises:
respectively determining first authority group identifications corresponding to a plurality of role identifications aiming at each role identification set;
determining authority information corresponding to the first authority group identifier;
and generating a role authority information set corresponding to the role identification set by adopting the authority information corresponding to the first authority group identification.
4. The method according to claim 2 or 3, wherein the step of determining the sets of role authority information corresponding to the one or more sets of role identifiers respectively further comprises:
judging whether role identifiers with a parent-child relationship exist or not according to each role identifier set;
if the role identification with the parent-child relationship exists, determining the authority information corresponding to the child role identification from the authority information corresponding to the parent role identification; the authority information corresponding to the child role identifier is a subset of the authority information corresponding to the parent role identifier;
and generating a role authority information set corresponding to the role identification set by adopting the authority information corresponding to the sub role identification.
5. The method of claim 4, wherein the step of determining the authority information corresponding to the child role identifier from the authority information corresponding to the parent role identifier comprises:
determining a second authority group identifier corresponding to the parent role identifier;
determining authority information corresponding to the second authority group identifier;
and determining the authority information corresponding to the sub-role identifier from the authority information corresponding to the second authority group identifier.
6. The method of claim 5, wherein the step of invoking the target service system to process the service request when detecting that the set of user permission information matches the service permission information comprises:
when the user authority information set is matched with the service authority information, user attribute information corresponding to the target user identification is obtained;
and calling the target service system to process the service request according to the user attribute information.
7. The method of claim 6, wherein the step of invoking the target service system to process the service request according to the user attribute information comprises:
acquiring first data corresponding to the user authority information set from the target service system;
determining second data corresponding to the user attribute information from the first data;
and displaying the second data.
8. An apparatus for controlling authority, the apparatus comprising an integrated management information system integrated with a plurality of service systems, the apparatus comprising:
a service authority information determining module, configured to determine, when a service request for a target service system is received, the service authority information required to process the service request; wherein the service request comprises a target user identification;
the authority character string determining module is used for determining the authority character string corresponding to the target user identifier; the authority character string consists of one or more role identification sets, and each role identification set corresponds to a service system;
a role identification set obtaining module, configured to split the authority character string to obtain one or more role identification sets;
a role authority information set determining module, configured to determine role authority information sets corresponding to the one or more role identifier sets respectively;
the user authority information set generating module is used for generating a user authority information set corresponding to the target user identifier by adopting the role authority information sets corresponding to all the role identifier sets;
and the service request processing module is used for calling the target service system to process the service request when the matching of the user permission information set and the service permission information is detected.
9. An electronic device, comprising a processor, a memory and a computer program stored on the memory and capable of running on the processor, the computer program, when executed by the processor, implementing the steps of the method of rights control according to any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the method of rights control according to any one of claims 1 to 7.
CN202010457011.8A 2020-05-26 2020-05-26 Authority control method and device, electronic equipment and storage medium Active CN111680310B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010457011.8A CN111680310B (en) 2020-05-26 2020-05-26 Authority control method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111680310A true CN111680310A (en) 2020-09-18
CN111680310B CN111680310B (en) 2023-08-25

Family

ID=72453900

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010457011.8A Active CN111680310B (en) 2020-05-26 2020-05-26 Authority control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111680310B (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20100053402A (en) * 2008-11-11 2010-05-20 (주)티아이스퀘어 Method and apparatus for structuralize keyword string and searching keyword string
US20140172849A1 (en) * 2012-12-13 2014-06-19 Microsoft Corporation Facilitating personas in communication exchange environments
CN104519072A (en) * 2015-01-14 2015-04-15 浪潮(北京)电子信息产业有限公司 Authority control method and device
CN105303084A (en) * 2015-09-24 2016-02-03 北京奇虎科技有限公司 Privilege management system and method
CN109670768A (en) * 2018-09-27 2019-04-23 深圳壹账通智能科技有限公司 Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain
CN110457629A (en) * 2019-07-19 2019-11-15 口碑(上海)信息技术有限公司 Permission processing, authority control method and device
CN110472111A (en) * 2019-08-08 2019-11-19 广州城市信息研究所有限公司 Rights management, user right inquiry and resource information authorization method
CN110516452A (en) * 2019-08-07 2019-11-29 浙江大搜车软件技术有限公司 RBAC access authorization for resource distribution method, device, electronic equipment and storage medium
CN110727929A (en) * 2019-10-12 2020-01-24 北京明略软件系统有限公司 AOP-based line-level authority control method, device and client
CN110750780A (en) * 2019-10-16 2020-02-04 北京微星优财网络科技有限公司 User role permission fusion method, device and equipment based on multi-service system
CN110909373A (en) * 2018-09-18 2020-03-24 阿里巴巴集团控股有限公司 Access control method, device, system and storage medium
CN111104652A (en) * 2019-10-17 2020-05-05 贝壳技术有限公司 Authority management method and device, computer readable storage medium and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Lan Yang; You Lei: "Design and Implementation of the RBAC Model in a Management System", Journal of Xinyang Agricultural College, no. 04 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112615872A (en) * 2020-12-22 2021-04-06 广州技象科技有限公司 Internet of things node security management method, device, equipment and storage medium
CN112615872B (en) * 2020-12-22 2022-02-22 广州技象科技有限公司 Internet of things node security management method, device, equipment and storage medium
CN112635034A (en) * 2020-12-30 2021-04-09 微医云(杭州)控股有限公司 Service authority system, authority distribution method, electronic device and storage medium
CN112988286A (en) * 2021-03-12 2021-06-18 武汉蔚来能源有限公司 Resource maintenance method and device and computer storage medium
CN115640605A (en) * 2022-10-19 2023-01-24 中电金信软件有限公司 Authority management method for financial institution
CN117056885A (en) * 2023-07-21 2023-11-14 广州盈风网络科技有限公司 User permission determination method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN111680310B (en) 2023-08-25


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant