CN115438333A - Authority distribution method and device - Google Patents


Info

Publication number
CN115438333A
Authority
CN
China
Prior art keywords
authority
determining
role attribute
role
preset
Prior art date
Legal status
Pending
Application number
CN202210895950.XA
Other languages
Chinese (zh)
Inventor
梁福坤
Current Assignee
Jingdong City Beijing Digital Technology Co Ltd
Original Assignee
Jingdong City Beijing Digital Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Jingdong City Beijing Digital Technology Co Ltd
Priority to CN202210895950.XA
Publication of CN115438333A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/22 Indexing; Data structures therefor; Storage structures
    • G06F16/2228 Indexing structures
    • G06F16/28 Databases characterised by their database models, e.g. relational or object models
    • G06F16/284 Relational databases

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Data Mining & Analysis (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for permission allocation, and relates to the field of computer technology. One embodiment of the method comprises: acquiring login information of an allocation object; determining, according to the login information, a plurality of role attributes corresponding to the allocation object; determining the permissions corresponding to each of the role attributes, and determining the permission set of the allocated object according to those permissions; and determining a target permission from the permission set and allocating the target permission to the allocated object. With this method, role attributes are treated as resources and the permissions corresponding to every role attribute are allocated together through one general allocation method, so no separate allocation method has to be built for each role attribute; the method is therefore highly general and has a degree of extensibility. In addition, permissions are stored in binary form, which greatly improves computational efficiency and saves storage space.

Description

Authority distribution method and device
Technical Field
The present invention relates to the field of computer technology, and in particular to a method and an apparatus for permission allocation.
Background
In an information system, the operations that different users may perform are all governed by permission management. At present, most permission management schemes determine a separate permission management system for each kind of role attribute (the department a user belongs to, the post the user holds, the administrative division the user is located in) and then allocate the user's permissions through these different systems. What is lacking is a general allocation scheme covering the several role attributes that correspond to different permission management systems; when role attributes are updated, such systems are restrictive in application and poorly extensible.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for permission allocation which treat multiple role attributes as resources and allocate the permissions corresponding to each role attribute together through one general allocation method, without building a separate allocation method for each role attribute; the method and apparatus are therefore highly general and have a degree of extensibility.
To achieve the above object, according to an aspect of an embodiment of the present invention, a method of right assignment is provided.
The method for permission allocation of the embodiment of the invention comprises the following steps: acquiring login information of an allocation object; determining, according to the login information, a plurality of role attributes corresponding to the allocation object; determining the permissions corresponding to each of the role attributes, and determining the permission set of the allocated object according to those permissions; and determining a target permission from the permission set and allocating the target permission to the allocated object.
Optionally, the method further comprises: recording, in binary form, one or more permissions included in the permission set and/or in the preset hierarchical authorization policy; and the determining the target permission from the permission set comprises: performing a logical AND operation between the permission set and the one or more permissions included in the preset hierarchical authorization policy to obtain the target permission.
Optionally, the determining the target permission from the permission set comprises: in response to an allocation instruction, determining from the permission set the target permission corresponding to the allocation instruction.
Optionally, when the permission set corresponding to the allocation object is updated, the method further comprises: re-determining the result of the logical AND operation according to the updated permission set; and updating the target permission of the allocated object according to the result of the operation.
Optionally, the permissions of a role attribute are recorded in a mapping relation table, the mapping relation table comprising the key name and the key value of the role attribute;
and the determining the permissions corresponding to each of the plurality of role attributes comprises: determining, from among the mapping relation tables, the target mapping relation table corresponding to the role attribute; determining the key value corresponding to the role attribute according to the target mapping relation table and the key name of the role attribute; and determining the permission corresponding to the role attribute according to the key value.
Optionally, the key value comprises a first field indicating the permission content and a second field indicating the permission operation; and the determining the permission corresponding to the role attribute according to the key value comprises: determining the permission content code corresponding to the role attribute according to the first field, and the permission operation code corresponding to the role attribute according to the second field; and determining the permission corresponding to the role attribute according to the permission content code and the permission operation code.
Optionally, the first field and/or the second field is represented in binary; and determining the permission corresponding to the role attribute according to the permission content code and the permission operation code comprises: determining the permission corresponding to the role attribute according to the value of each content code in the permission content code and the value of each operation code in the permission operation code, where, for each item of permission content and/or permission operation, a first preset value 0 indicates that the permission is not held and a second preset value 1 indicates that the permission is held.
Optionally, the method further comprises: configuring the number of bits and the bit position of the first field and/or the second field according to the permission content of the permission and/or the type of the permission operation.
Optionally, the method further comprises: registering a preset role attribute according to the preset role attribute and the preset operation corresponding to it, so as to generate the key value and the key name of the preset role attribute; and storing the key value and the key name in the mapping relation table.
Optionally, the method further comprises: when a new role attribute is added, registering the new role attribute according to the new role attribute and the preset operation corresponding to it, so as to generate the key value and the key name of the new role attribute; and storing the key value and the key name of the new role attribute in a new mapping relation table.
Optionally, the method further comprises: when permission content and/or a permission operation is added to a role attribute, updating the key name and the key value in the mapping relation table corresponding to that role attribute according to the added permission content and/or permission operation.
To achieve the above object, according to still another aspect of an embodiment of the present invention, there is provided an apparatus for right assignment.
The device for permission allocation of the embodiment of the invention comprises: an acquisition module for acquiring login information of an allocation object; a determining module for determining, according to the login information, a plurality of role attributes corresponding to the allocation object; a permission module for determining the permissions corresponding to each of the role attributes and determining the permission set of the allocated object according to those permissions; and an allocation module for determining a target permission from the permission set and allocating the target permission to the allocated object.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided an electronic device for rights assignment.
An electronic device for right assignment according to an embodiment of the present invention includes: one or more processors; a storage device, configured to store one or more programs, which when executed by the one or more processors, cause the one or more processors to implement a method for right assignment according to an embodiment of the present invention.
To achieve the above object, according to still another aspect of embodiments of the present invention, there is provided a computer-readable storage medium.
A computer-readable storage medium of an embodiment of the present invention stores thereon a computer program that, when executed by a processor, implements a method of rights assignment of an embodiment of the present invention.
One embodiment of the above invention has the following advantages or benefits: role attributes can be treated as resources, and the permissions corresponding to every role attribute are allocated together through one general allocation method, so no separate allocation method has to be built for each role attribute; the method is therefore highly general and has a degree of extensibility.
Further effects of the above non-conventional alternatives are described below in connection with the embodiments.
Drawings
The drawings are included to provide a better understanding of the invention and are not to be construed as unduly limiting the invention. Wherein:
FIG. 1 is a schematic diagram of the main steps of a method of rights assignment according to an embodiment of the invention;
FIG. 2 is a diagram illustrating the main steps in the case of updating the set of permissions corresponding to an assigned object according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating the main steps of determining permissions corresponding to a plurality of role attributes, respectively, according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating the main steps of pre-configuring a mapping table according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of the main steps of determining the permission corresponding to a role attribute according to a key value, according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of the main steps for the case of adding new role attributes, according to an embodiment of the present invention;
FIG. 7 is a diagram illustrating specific steps of a rights assignment according to an embodiment of the invention;
FIG. 8 is a schematic diagram of the main modules of an apparatus for rights assignment according to an embodiment of the present invention;
FIG. 9 is an exemplary system architecture diagram in which embodiments of the present invention may be employed;
FIG. 10 is a schematic block diagram of a computer system suitable for implementing a terminal device or server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings, in which various details of embodiments of the invention are included to assist understanding, and which are to be considered as merely exemplary. Accordingly, those of ordinary skill in the art will recognize that various changes and modifications of the embodiments described herein can be made without departing from the scope and spirit of the invention. Also, descriptions of well-known functions and constructions are omitted in the following description for clarity and conciseness.
It should be noted that the embodiments of the present invention and the technical features of the embodiments may be combined with each other without conflict.
Fig. 1 is a schematic diagram of the main steps of a method of rights assignment according to an embodiment of the present invention.
As shown in fig. 1, the method for permission allocation according to the embodiment of the present invention mainly includes the following steps:
step S101: acquiring login information of an allocation object;
step S102: determining, according to the login information, a plurality of role attributes corresponding to the allocation object;
step S103: determining the permissions corresponding to each of the role attributes, and determining the permission set of the allocated object according to those permissions;
step S104: determining a target permission from the permission set, and allocating the target permission to the allocated object.
A role attribute is an identifier describing one particular dimension of a role, and a single role attribute (for example a position attribute, an organization attribute, or any of various index attributes) covers many roles. Conversely, one role in an enterprise necessarily carries several role attributes: if role A is the manager of the business department and is at the same time the party secretary, the attributes of role A include business department (role attribute 1), manager (role attribute 2) and party secretary (role attribute 3). Likewise, under one role attribute there may be several specific values; within the organization attribute, for example, role A may belong to the personnel department, to the party organization and to the volunteer organization at the same time.
Further, each role attribute corresponds to different permissions. For example, as manager (role attribute 2) the role holds employee profile viewing permission (permission 1), salary statistics permission (permission 2) and employee scoring permission (permission 3); as party secretary (role attribute 4) it holds party member modification permission (permission 4), party organization change permission (permission 5) and organization branch activity permission (permission 6). By analogy, each role attribute of the same role carries different permissions. It should be noted that the permission set in step S103 is the set of permissions corresponding to each role attribute taken together, and therefore contains all permissions corresponding to the role.
In enterprise management, the top-level manager, as super user, usually holds the highest permission under each role attribute. Different permissions are allocated according to manager level, and the permissions of a user at each level are defined by the manager at the level above, so permission allocation proceeds level by level. In an optional embodiment, the allocation object in the embodiment of the present invention may be the super user or a manager at any level, and the allocated object is the next-level user corresponding to that allocation object.
In an alternative embodiment, the permission set and/or the one or more permissions included in the preset hierarchical authorization policy are recorded in binary form. As to determining the target permission from the permission set in step S104, in an alternative embodiment this may be done through a preset hierarchical authorization policy: a logical AND operation is performed between the permission set and the one or more permissions included in the preset hierarchical authorization policy, and the result is the target permission. In another alternative embodiment, the target permission corresponding to an allocation instruction may be determined from the permission set in response to that allocation instruction.
The preset hierarchical authorization policy can be understood as the calculation rule for hierarchical authorization: the target permission is obtained only through a defined logical calculation. An allocation instruction, by contrast, yields the target permission directly and needs no intermediate calculation.
It should be noted that recording the permission set and/or the one or more permissions included in the preset hierarchical authorization policy in binary form guarantees the speed of the logical AND operation. A specific example of the logical AND operation: suppose the permission set comprises permission 1, permission 2 and permission 3, role A holds all three, the first preset value 0 denotes a permission not held and the second preset value 1 denotes a permission held; the permission record of role A is then 111, each bit corresponding to one permission. Suppose the preset hierarchical authorization policy is 101, meaning that permission 1 and permission 3, but not permission 2, are to be allocated to the next-level role B; the logical AND of 111 and 101 gives 101, so the permissions of role B are permission 1 and permission 3. When the permissions of role A change, the permissions of role B change accordingly. If instead an allocation instruction is used, role A issues 101 to role B directly, allocating permission 1 and permission 3 to role B, and the permission of role B then remains 101 whether or not the permission of role A changes.
In the case where the permission of role A changes, that is, where the permission set corresponding to the allocation object is updated, the method further includes, as shown in fig. 2:
step S201: re-determining the logical AND operation result according to the updated authority set;
step S202: and updating the target authority of the distributed object according to the operation result.
For example, again taking the permission record of role A as 111 and the preset hierarchical authorization policy as 101, if the permission record of role A is updated to 100, the logical AND of 100 and 101 gives 100 as the new target permission, that is, the permission of role B.
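The two ways of deriving a target permission described above (AND with the preset hierarchical policy, or a directly issued instruction) and the update propagation of steps S201/S202, as an added Python example that is not part of the patent. The three-bit layout, the names of the authorities, the `Assignment` type and the refusal to issue an instruction containing bits the allocator does not itself hold are assumptions of this example, not statements of the patent.

```python
"""Binary permission records and the two ways of deriving a target permission."""
from dataclasses import dataclass

# Bit layout (constructed for this example): bit 0 = authority 1, bit 1 = authority 2, bit 2 = authority 3.
AUTHORITY_NAMES = ("authority 1", "authority 2", "authority 3")


def parse_record(record: str) -> int:
    """Turn a permission record such as '101' into an int; reject anything that is not 0/1."""
    if not record or any(ch not in "01" for ch in record):
        raise ValueError(f"not a binary permission record: {record!r}")
    return int(record, 2)


def format_record(value: int, width: int = len(AUTHORITY_NAMES)) -> str:
    """Render an int as a fixed-width bit string, rightmost character = bit 0."""
    return format(value, f"0{width}b")


def names_of(value: int) -> list:
    """Human-readable view: bit i set -> AUTHORITY_NAMES[i]."""
    return [name for i, name in enumerate(AUTHORITY_NAMES) if value >> i & 1]


@dataclass(frozen=True)
class Assignment:
    mode: str   # "policy": AND with the allocator's set; "instruction": fixed bits issued directly
    value: int


def target_permission(allocator_set: int, assignment: Assignment) -> int:
    """Step S104: derive the allocated object's target permission from the allocator's set."""
    if assignment.mode == "policy":
        return allocator_set & assignment.value
    if assignment.mode == "instruction":
        # Safeguard added in this example (the patent does not state it): an allocator must not
        # hand down bits it does not itself hold at the moment the instruction is issued.
        if assignment.value & ~allocator_set:
            raise PermissionError(
                f"instruction {format_record(assignment.value)} exceeds allocator set "
                f"{format_record(allocator_set)}")
        return assignment.value
    raise ValueError(f"unknown assignment mode {assignment.mode!r}")


def propagate_update(new_allocator_set: int, assignments: dict, current: dict) -> dict:
    """Steps S201/S202: after the allocator's set changes, recompute every policy-based target;
    instruction-based targets keep the value that was issued."""
    updated = dict(current)
    for subordinate, assignment in assignments.items():
        if assignment.mode == "policy":
            updated[subordinate] = new_allocator_set & assignment.value
    return updated


def worked_example() -> dict:
    """Role A holds 111; B is assigned through policy 101, C through instruction 101; A drops to 100."""
    role_a = parse_record("111")
    assignments = {
        "role B (policy)": Assignment("policy", parse_record("101")),
        "role C (instruction)": Assignment("instruction", parse_record("101")),
    }
    current = {who: target_permission(role_a, a) for who, a in assignments.items()}
    after = propagate_update(parse_record("100"), assignments, current)
    return {
        "B before": format_record(current["role B (policy)"]),
        "C before": format_record(current["role C (instruction)"]),
        "B after": format_record(after["role B (policy)"]),
        "C after": format_record(after["role C (instruction)"]),
    }


if __name__ == "__main__":
    for label, bits in worked_example().items():
        print(label, bits, names_of(parse_record(bits)))
```

Running the block prints B going from 101 to 100 when role A's record changes to 100, while C stays at 101, which is exactly the difference the text draws between the policy and the instruction modes.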
As to acquiring the login information of the allocation object in step S101, in an optional embodiment the login information may be acquired only after authentication between the server and the client. When the allocation object logs in, it submits identity authentication information (such as an account number, mobile phone number, password, fingerprint or face) through a client (such as an app, a browser or an agent), and the server authenticates the submitted information so as to confirm the authenticity of the allocation object and prevent its information from being stolen. Once authentication has passed, the client may also carry out further verification steps to confirm that the logged-in user is valid; the embodiment of the present invention does not limit the verification method. When the identity of the logged-in allocation object is valid, its login information may then be acquired through a protocol or an encryption mechanism.
In an optional embodiment of the present invention, the permissions of a role attribute are recorded in a mapping relation table, which comprises the key names and key values of the role attributes. Further, determining the permissions corresponding to each of the plurality of role attributes in step S103 may comprise, as shown in fig. 3:
step S301: determining a target mapping relation table corresponding to the role attributes from the mapping relation table;
step S302: determining a key value corresponding to the role attribute according to the target mapping relation table and the key name of the role attribute;
step S303: and determining the authority corresponding to the role attribute according to the key value.
It should be noted that, in order for the mapping relation table to yield the key value corresponding to the key name of a role attribute, in an alternative embodiment the mapping relation table has to be configured in advance for each role attribute. The configuration process is shown in fig. 4 and includes:
step S401: registering the preset role attribute according to the preset role attribute and preset operation corresponding to the preset role attribute to generate a key value and a key name of the preset role attribute;
step S402: and storing the key value and the key name into a mapping relation table.
As to the form of the key value in step S302, in an alternative embodiment the key value comprises a first field indicating the permission content and a second field indicating the permission operation; that is, each kind of permission further comprises several kinds of permission content and, for each kind of permission content, the corresponding permission operations. For example, a mailbox permission comprises three kinds of permission content, namely an inbox permission, an outbox permission and a draft box permission, and for each kind of content the corresponding permission operations may further include create, modify, query and delete. Accordingly, step S303 may further comprise, as shown in fig. 5:
step S501: determining the authority content code corresponding to the role attribute according to the first field, and determining the authority operation code corresponding to the role attribute according to the second field;
step S502: and determining the authority corresponding to the role attribute according to the authority content code and the authority operation code.
In an optional embodiment, the first field and/or the second field is likewise represented in binary, and for each item of permission content and/or permission operation a first preset value 0 indicates that the permission is not held and a second preset value 1 indicates that it is held.
In order to determine the permission content and permission operation corresponding to a role attribute from the first field and/or the second field, in an optional embodiment the number of bits and the bit position of the first field and/or the second field have to be configured according to the permission content of the permission and/or the type of the permission operation. Once the bit count and position of the first field and/or the second field have been configured in advance, it is known which positions in the key value indicate permission content and which indicate permission operations. For example, the key value corresponding to the key name of role A is 110010101, occupying bit 0 to bit 8 counted from right to left. According to the pre-configured bit counts and positions of the first field and/or the second field, there are 4 kinds of permission content, which correspond to the last 4 bits of the key value, namely 1100 (the 4 kinds of permission content correspond to the 6th to the 8th bit from right to left), and there are 5 kinds of permission operation, which correspond to the first 5 bits of the key value, namely 10101 (the 0th to the 5th bit from right to left). The permission content code and the permission operation code corresponding to a role attribute can thus be read off from the key value using the bit count and position of the first field and/or the second field.
Once the permission content code and permission operation code at each field position are determined, whether the permission is held under a given code can be judged from the specific value. That is, step S501 may further comprise: determining the permission corresponding to the role attribute according to the value of each content code in the permission content code and the value of each operation code in the permission operation code. Again taking the key value 110010101 as an example, the permissions of role A under this role attribute are the 1st, 3rd and 5th operation permissions on the third and the fourth kind of permission content.
Because the key value is represented in binary, after the character string corresponding to the key value is obtained, that is, after the permission content code and the permission operation code are obtained, the codes still have to be converted into the corresponding permission content and permission operation. In an optional embodiment, after registering the preset role attribute according to the preset role attribute and the preset operation corresponding to it, the method further comprises: storing, for the same role attribute, the permission content codes and the field positions of the permission operation codes within the key value into a service dictionary. The service dictionary is stored in Bit-map form. Table 1 below gives an example:
TABLE 1 Service dictionary (reproduced in the original as an image; its contents are not available here)
With this storage scheme, once the key value is obtained, the permission content and permission operation corresponding to the permission content code and permission operation code at each position of the key value can be looked up directly in the service dictionary.
It should be noted that the basic idea of the Bit-map is to mark the value (Value) corresponding to each element with a single bit, the key name (Key) being the element. A byte normally has 8 bits, and each bit stores one item of permission content and/or permission operation, so a role attribute with 2048 bits needs 2048/8 bytes. Because the data is stored at the granularity of a bit, storage space is greatly saved.
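The mapping relation table, the configured bit layout of the first and second fields, the decoding of steps S501/S502 and the bit-map service dictionary described above, as an added Python example that is not part of the patent. The concrete layout (operation field in the low bits, content field directly above it, field width equal to the number of items), the `ServiceDictionary`/`MappingTable` names and the item names "content 1".."content 4" and "op 1".."op 5" are assumptions of this example chosen so that the page's worked value 110010101 decodes to the third and fourth content and the 1st, 3rd and 5th operations.

```python
"""Mapping-relation tables whose key values carry a content field and an operation field, stored as a bit-map."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FieldLayout:
    """Bit count and position of one field inside the key value (bit 0 is the rightmost bit)."""
    low_bit: int
    width: int

    def extract(self, key_value: int) -> int:
        return (key_value >> self.low_bit) & ((1 << self.width) - 1)

    def place(self, code: int) -> int:
        if code >> self.width:
            raise ValueError(f"code {code:b} does not fit in {self.width} bits")
        return code << self.low_bit


class ServiceDictionary:
    """Per role attribute: which bit position carries which content / operation (the role of Table 1).
    Layout assumed here: operation field in the low bits, content field directly above it."""

    def __init__(self, content_names, operation_names):
        self.content_names = tuple(content_names)        # index i -> bit i of the content field
        self.operation_names = tuple(operation_names)    # index i -> bit i of the operation field
        self.operation_field = FieldLayout(0, len(self.operation_names))
        self.content_field = FieldLayout(len(self.operation_names), len(self.content_names))

    @property
    def byte_length(self) -> int:
        # Bit-map storage: one bit per item, packed eight to a byte (2048 items -> 256 bytes).
        return (self.content_field.low_bit + self.content_field.width + 7) // 8

    def key_value(self, granted_contents, granted_operations) -> bytes:
        """Build the binary key value from the names that are granted (unknown names raise ValueError)."""
        ccode = sum(1 << self.content_names.index(n) for n in granted_contents)
        ocode = sum(1 << self.operation_names.index(n) for n in granted_operations)
        value = self.content_field.place(ccode) | self.operation_field.place(ocode)
        return value.to_bytes(self.byte_length, "big")

    def decode(self, key_value: bytes) -> dict:
        """Steps S501/S502: split the key value into its codes and name the bits that are set."""
        value = int.from_bytes(key_value, "big")
        ccode = self.content_field.extract(value)
        ocode = self.operation_field.extract(value)
        return {
            "content_code": format(ccode, f"0{self.content_field.width}b"),
            "operation_code": format(ocode, f"0{self.operation_field.width}b"),
            "contents": [n for i, n in enumerate(self.content_names) if ccode >> i & 1],
            "operations": [n for i, n in enumerate(self.operation_names) if ocode >> i & 1],
        }


class MappingTable:
    """One table per role attribute: key name -> key value (bytes), plus that attribute's service dictionary."""

    def __init__(self, role_attribute: str, dictionary: ServiceDictionary):
        self.role_attribute = role_attribute
        self.dictionary = dictionary
        self.rows = {}

    def register(self, key_name: str, contents, operations) -> bytes:
        """Steps S401/S402: generate the key value for a key name and store the pair."""
        self.rows[key_name] = self.dictionary.key_value(contents, operations)
        return self.rows[key_name]

    def permissions_of(self, key_name: str) -> dict:
        """Steps S302/S303: key name -> key value -> decoded permissions."""
        if key_name not in self.rows:
            raise KeyError(f"{key_name!r} is not registered under {self.role_attribute}")
        return self.dictionary.decode(self.rows[key_name])


def worked_example() -> dict:
    # Constructed item names; the patent only numbers them (4 kinds of content, 5 operations).
    sd = ServiceDictionary(
        content_names=("content 1", "content 2", "content 3", "content 4"),
        operation_names=("op 1", "op 2", "op 3", "op 4", "op 5"),
    )
    table = MappingTable("role attribute X", sd)
    key = table.register("role A", contents=("content 3", "content 4"),
                         operations=("op 1", "op 3", "op 5"))
    out = table.permissions_of("role A")
    out["key_value_bits"] = format(int.from_bytes(key, "big"), "09b")
    out["bytes_used"] = len(key)
    return out


if __name__ == "__main__":
    for label, value in worked_example().items():
        print(f"{label}: {value}")
```

Adding a new role attribute (steps S601/S602) is simply a further `MappingTable` with its own `ServiceDictionary`, so existing tables are untouched; adding a kind of content or operation to an existing attribute means building a new `ServiceDictionary` with the wider field and re-registering that table's key values, which is the update of key names and key values the text describes.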
To meet the varying and changing requirements of users with respect to role attributes, permission content and permission operations, in an optional embodiment adding permission content and/or a permission operation to a role attribute comprises: updating the key name and the key value in the mapping relation table corresponding to that role attribute according to the added permission content and/or permission operation. In another alternative embodiment, for the case of adding a new role attribute, the method comprises, as shown in fig. 6:
step S601: registering the new role attribute according to the new role attribute and the preset operation corresponding to it, to generate a key value and a key name for the new role attribute;
step S602: storing the key value and the key name of the new role attribute in a new mapping relation table.
By designing the mapping relation table in this way, the embodiment of the invention can accommodate the various additions and deletions of role attributes, authority contents or authority operations that users make, and updating one mapping relation table does not affect the existing mapping relation tables, that is, the normal operation of the whole system; the approach therefore imposes few restrictions on system applications and is highly extensible.
It is further noted that, because the embodiment of the present invention adopts binary storage, the logical AND operation between the permission set and the one or more permissions included in the preset hierarchical authorization policy can be computed faster; compared with decimal calculation logic, this greatly improves calculation efficiency and saves calculation time.
The following describes a method of right assignment through a specific example; as shown in fig. 7, the method includes:
step S701: receiving a login request of an allocation object;
step S702: acquiring the login information of the allocation object from the login request, provided the request satisfies legality and validity;
step S703: determining a plurality of role attributes corresponding to the allocation object according to the login information;
step S704: determining, from the mapping relation tables, the target mapping relation table corresponding to each role attribute;
step S705: determining the key value corresponding to each specific role attribute according to the key name of that specific role attribute, under each role attribute, in the target mapping relation table;
step S706: determining the authority content code and the authority operation code corresponding to the specific role attribute according to the field positions of the first field and the second field in the key value;
step S707: determining the authority corresponding to each authority content code and each authority operation code according to the numerical value at each field position in the key value;
step S708: determining the authority content and authority operation corresponding to the authority content code and the authority operation code through the service dictionary;
step S709: determining the permission set of the allocation object according to the permissions corresponding to the role attributes;
step S710: performing a logical AND operation on the permission set and the one or more permissions included in the preset hierarchical authorization policy to obtain the target permission, and assigning the target permission to the allocation object.
According to the permission allocation method provided by the embodiment of the invention, a plurality of role attributes can be treated as resources and the permission corresponding to each role attribute is allocated synchronously through one universal allocation method; no separate allocation method needs to be built for each role attribute, so the method is highly general and at the same time offers a degree of extensibility.
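The registration and update steps above (S601, S602 and the addition of new authority content) together with the assignment procedure of steps S701 to S710, worked through as an added Python example that is not part of the patent: the service dictionary, the per-role-attribute mapping relation tables, the key-value layout (first field = content bits, second field = operation bits) and the final logical AND with a preset hierarchical policy are all constructed here, and names such as `order`, `finance` and the `read-only` policy are assumed.

```python
from dataclasses import dataclass


@dataclass
class ServiceDictionary:
    """Field positions of a key value (constructed layout, not the patent's table 1):
    first field = one bit per permission content, second field = one bit per
    permission operation; bit 1 means granted, bit 0 means not granted."""
    contents: list
    operations: list

    def width(self) -> int:
        return len(self.contents) + len(self.operations)

    def encode(self, contents, operations) -> str:
        """Generate a key value (binary string) from the granted names."""
        first = "".join("1" if c in contents else "0" for c in self.contents)
        second = "".join("1" if o in operations else "0" for o in self.operations)
        return first + second

    def decode(self, key_value: str):
        """Steps S706-S708: split the key value into content codes and operation
        codes and map every '1' position back to a name via the dictionary.
        A width mismatch means the dictionary and the key value are out of sync."""
        if len(key_value) != self.width():
            raise ValueError("key value width does not match service dictionary")
        n = len(self.contents)
        first, second = key_value[:n], key_value[n:]
        return ([c for bit, c in zip(first, self.contents) if bit == "1"],
                [o for bit, o in zip(second, self.operations) if bit == "1"])

    def add_content(self, name: str, tables: dict) -> None:
        """Adding new permission content: append one bit to the first field and
        widen every stored key value so the existing positions stay aligned."""
        n = len(self.contents)
        self.contents.append(name)
        for table in tables.values():
            for key_name, key_value in table.items():
                table[key_name] = key_value[:n] + "0" + key_value[n:]


def register(tables: dict, role_attribute: str, key_name: str, key_value: str) -> None:
    """Steps S601/S602: each role attribute has its own mapping relation table;
    a specific role attribute is the key name, its generated bit string the key value."""
    tables.setdefault(role_attribute, {})[key_name] = key_value


def permission_set(tables: dict, login_roles: dict) -> int:
    """Steps S703-S709: for every role attribute from the login information, read
    the key value from its target mapping relation table and union the bits."""
    acc = 0
    for role_attribute, key_name in login_roles.items():
        acc |= int(tables[role_attribute][key_name], 2)
    return acc


def target_permission(perm_set: int, policy_key_value: str, width: int) -> str:
    """Step S710: logical AND of the permission set with the preset hierarchical
    authorization policy, returned as a key value of the configured width."""
    return format(perm_set & int(policy_key_value, 2), f"0{width}b")


def run_example():
    """Constructed walk-through: assignment at login, then a dictionary extension."""
    sd = ServiceDictionary(["order", "invoice", "customer"], ["read", "write", "delete"])
    tables = {}
    register(tables, "department", "finance", sd.encode(["order", "invoice"], ["read", "write"]))
    register(tables, "department", "support", sd.encode(["customer"], ["read"]))
    register(tables, "position", "manager", sd.encode(sd.contents, ["read", "delete"]))
    register(tables, "position", "staff", sd.encode([], ["read"]))
    # the preset hierarchical policy is stored as a key value too, so it is
    # widened together with the role tables when the dictionary grows
    register(tables, "policy", "read-only", sd.encode(sd.contents, ["read"]))

    login = {"department": "finance", "position": "staff"}  # from the login request
    target = target_permission(permission_set(tables, login),
                               tables["policy"]["read-only"], sd.width())
    before = sd.decode(target)  # finance's "write" is cut by the read-only policy

    sd.add_content("product", tables)  # new content: old grants keep their bits
    target2 = target_permission(permission_set(tables, login),
                                tables["policy"]["read-only"], sd.width())
    return target, before, sd.decode(target2)


if __name__ == "__main__":
    print(run_example())  # ('110100', (['order', 'invoice'], ['read']), (['order', 'invoice'], ['read']))
```

The width check in `decode` is the practical safeguard: a key value must only ever be interpreted against the dictionary version it was generated with, which is why `add_content` rewrites every stored key value in the same step.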
Fig. 8 is a schematic diagram of the main modules of a device for right assignment according to an embodiment of the present invention.
As shown in fig. 8, an apparatus 800 for right assignment according to an embodiment of the present invention includes:
an obtaining module 801, configured to obtain the login information of an allocation object;
a determining module 802, configured to determine, according to the login information, a plurality of role attributes corresponding to the allocation object;
an authority module 803, configured to determine the authorities corresponding to the respective role attributes and to determine the authority set of the allocation object from those authorities;
an assigning module 804, configured to determine a target permission from the permission set and assign the target permission to the allocation object.
In an optional embodiment, the apparatus further includes a storage module, configured to record, in binary, the one or more rights included in the set of rights and/or the preset hierarchical authorization policy;
the assigning module 804 is further configured to perform a logical AND operation on the permission set and the one or more permissions included in the preset hierarchical authorization policy to obtain the target permission.
In an optional embodiment, the assigning module 804 is further configured to determine, in response to an allocation instruction, the target right corresponding to the allocation instruction from the right set.
In an optional embodiment, the apparatus further includes an updating module, configured to re-determine the result of the logical AND operation according to the updated permission set when the permission set corresponding to the allocation object is updated, and to update the target authority of the allocation object according to that result.
In an optional embodiment, the storage module is further configured to record the authority of a role attribute using a mapping relation table; the mapping relation table comprises the key names and key values of the role attributes;
the authority module 803 is further configured to determine the target mapping relation table corresponding to the role attribute from the mapping relation tables, determine the key value corresponding to the role attribute according to the target mapping relation table and the key name of the role attribute, and determine the authority corresponding to the role attribute according to the key value.
In an optional embodiment, the key value comprises a first field indicating the authority content and a second field indicating the authority operation; the authority module 803 is further configured to determine the authority content code corresponding to a role attribute according to the first field, determine the authority operation code corresponding to the role attribute according to the second field, and determine the authority corresponding to the role attribute according to the authority content code and the authority operation code.
In an optional embodiment, the storage module is further configured to represent the first field and/or the second field in binary; the authority module 803 is further configured to determine the authority corresponding to the role attribute according to the numerical value corresponding to each content code in the authority content code and the numerical value corresponding to each operation code in the authority operation code; for each item of authority content and/or authority operation, a first preset value 0 indicates that the authority is not granted and a second preset value 1 indicates that it is granted.
In an optional embodiment, the apparatus further includes a configuration module, configured to configure the field bit number and field position corresponding to the first field and/or the second field according to the authority content of the authority and/or the type of the authority operation.
In an optional embodiment, the configuration module is further configured to register a preset role attribute according to the preset role attribute and the preset operation corresponding to it, generate a key value and a key name for the preset role attribute, and store the key value and the key name in the mapping relation table.
In an optional embodiment, the configuration module is further configured, for the case of adding a new role attribute, to register the new role attribute according to the new role attribute and the preset operation corresponding to it, generate a key value and a key name for the new role attribute, and store them in a new mapping relation table.
In an optional embodiment, the configuration module is further configured, for the case that authority content and/or an authority operation is newly added to a role attribute, to update the key name and the key value in the mapping relation table corresponding to the role attribute according to the newly added authority content and/or authority operation.
According to the device for authority allocation disclosed by the embodiment of the invention, a plurality of role attributes can be treated as resources and the authority corresponding to each role attribute is allocated synchronously through one universal allocation method; no separate allocation method needs to be built for each role attribute, so the device is highly general and at the same time offers a degree of extensibility.
Fig. 9 shows an exemplary system architecture 900 to which the method or device for rights assignment of an embodiment of the invention may be applied.
As shown in fig. 9, the system architecture 900 may include terminal devices 901, 902, 903, a network 904, and a server 905. Network 904 is the medium used to provide communication links between terminal devices 901, 902, 903 and server 905. Network 904 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
A user may use terminal devices 901, 902, 903 to interact with a server 905 over a network 904 to receive or send messages or the like. The terminal devices 901, 902, 903 may have various communication client applications installed thereon, such as a shopping application, a web browser application, a search application, an instant messaging tool, a mailbox client, social platform software, and the like.
The terminal devices 901, 902, 903 may be various electronic devices having a display screen and supporting web browsing, including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, and the like.
The server 905 may be a server that provides various services, for example a background management server that handles the login information sent by users from the terminal devices 901, 902 and 903. In response to the login request carrying the login information, the background management server may process (for example, analyse) data such as the allocation instruction and feed the processing result (for example, the target authority) back to the terminal device.
It should be noted that the method for right assignment provided in the embodiment of the present invention is generally executed by the server 905; accordingly, the device for right assignment is generally disposed in the server 905.
It should be understood that the number of terminal devices, networks and servers in fig. 9 is merely illustrative. There may be any number of terminal devices, networks and servers, as the implementation requires.
Referring now to fig. 10, a block diagram of a computer system 1000 suitable for implementing a terminal device of an embodiment of the invention is shown. The terminal device shown in fig. 10 is only an example and should not limit the functions or the scope of use of the embodiments of the present invention in any way.
As shown in fig. 10, the computer system 1000 includes a central processing unit (CPU) 1001 that can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage section 1008 into a random access memory (RAM) 1003. The RAM 1003 also stores the various programs and data needed for the operation of the system 1000. The CPU 1001, ROM 1002 and RAM 1003 are connected to each other via a bus 1004. An input/output (I/O) interface 1005 is also connected to the bus 1004.
The following components are connected to the I/O interface 1005: an input section 1006 including a keyboard, a mouse and the like; an output section 1007 including a display such as a cathode ray tube (CRT) or liquid crystal display (LCD) and a speaker; a storage section 1008 including a hard disk and the like; and a communication section 1009 including a network interface card such as a LAN card or a modem. The communication section 1009 performs communication processing via a network such as the Internet. A drive 1010 is also connected to the I/O interface 1005 as needed. A removable medium 1011 such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory is mounted on the drive 1010 as needed, so that a computer program read from it can be installed into the storage section 1008 as needed.
In particular, according to the embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication part 1009 and/or installed from the removable medium 1011. The computer program executes the above-described functions defined in the system of the present invention when executed by the Central Processing Unit (CPU) 1001.
It should be noted that the computer readable medium shown in the present invention can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of the present invention, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present invention, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules described in the embodiments of the present invention may be implemented in software or hardware. The described modules may also be provided in a processor, which may be described as: a processor including an acquisition module, a determination module, an authority module and an assignment module. In some cases the names of these modules do not limit the modules themselves; for example, the acquisition module may also be described as a "module for acquiring the login information of an allocation object".
As another aspect, the present invention also provides a computer-readable medium that may be contained in the apparatus described in the above embodiments, or may be separate and not assembled into the device. The computer-readable medium carries one or more programs which, when executed by a device, cause the device to: acquire the login information of an allocation object; determine a plurality of role attributes corresponding to the allocation object according to the login information; determine the authorities corresponding to the respective role attributes and determine the authority set of the allocation object from those authorities; and determine a target authority from the authority set and assign the target authority to the allocation object.
According to the technical scheme of the embodiment of the invention, a plurality of role attributes can be treated as resources and the authority corresponding to each role attribute is allocated synchronously through one universal allocation method; no separate allocation method needs to be built for each role attribute, so the scheme is highly general and at the same time offers a degree of extensibility. In addition, binary storage is adopted, which greatly improves calculation efficiency and saves storage space.
The above-described embodiments should not be construed as limiting the scope of the invention. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (12)

1. A method of rights assignment, comprising:
acquiring login information of a distribution object;
determining a plurality of role attributes corresponding to the distribution object according to the login information;
determining the authorities corresponding to the role attributes respectively, and determining the authority set of the distributed object according to each authority;
determining a target authority from the authority set, and assigning the target authority to the allocation object.
2. The method of claim 1, further comprising:
recording one or more authorities included in the set of authorities and/or the preset hierarchical authorization policy by using binary;
the determining the target permission from the permission set includes: performing a logical AND operation on the permission set and one or more permissions included in a preset hierarchical authorization policy to obtain the target permission;
and/or
in response to an allocation instruction, determining the target authority corresponding to the allocation instruction from the authority set.
3. The method according to claim 2, wherein when the set of permissions corresponding to the allocation object is updated, the method further comprises:
re-determining the logical AND operation result according to the updated authority set;
updating the target authority of the allocation object according to the operation result.
4. The method of claim 1, further comprising:
recording the authority of the role attribute by using a mapping relation table; the mapping relation table comprises a key name and a key value of the role attribute;
the determining the permissions corresponding to the plurality of role attributes respectively includes:
determining a target mapping relation table corresponding to the role attribute from the mapping relation table;
determining a key value corresponding to the role attribute according to the target mapping relation table and the key name of the role attribute;
determining the authority corresponding to the role attribute according to the key value.
5. The method of claim 4, wherein the key value comprises a first field indicating a rights content and a second field indicating a rights operation; the determining the authority corresponding to the role attribute according to the key value includes:
determining the authority content code corresponding to the role attribute according to the first field, and determining the authority operation code corresponding to the role attribute according to the second field;
determining the authority corresponding to the role attribute according to the authority content code and the authority operation code.
6. The method according to claim 5, characterized in that the first field and/or the second field are represented in a binary manner; the determining the authority corresponding to the role attribute according to the authority content code and the authority operation code comprises the following steps:
determining the authority corresponding to the role attribute according to the numerical value respectively corresponding to each content code in the authority content code and the numerical value respectively corresponding to each operation code in the authority operation code;
wherein, for each item of authority content and/or authority operation, a first preset value 0 indicates that the authority is not granted and a second preset value 1 indicates that the authority is granted.
7. The method of claim 6, further comprising:
configuring the field bit number and field position corresponding to the first field and/or the second field according to the authority content of the authority and/or the type of the authority operation.
8. The method of claim 4, further comprising:
registering the preset role attribute according to the preset role attribute and the preset operation corresponding to the preset role attribute to generate a key value and a key name of the preset role attribute;
storing the key value and the key name in the mapping relation table.
9. The method of claim 8, further comprising:
for the case of adding a new role attribute, registering the new role attribute according to the new role attribute and the preset operation corresponding to the new role attribute to generate a key value and a key name of the new role attribute;
storing the key value and the key name of the new role attribute in a new mapping relation table;
and/or
for the case that authority content and/or an authority operation is newly added to the role attribute, updating the key name and the key value in the mapping relation table corresponding to the role attribute according to the newly added authority content and/or authority operation.
10. An apparatus for rights assignment, comprising:
the acquisition module is used for acquiring login information of the distribution object;
the determining module is used for determining a plurality of role attributes corresponding to the distribution object according to the login information;
the authority module is used for determining authorities corresponding to the role attributes respectively and determining an authority set of the distributed object according to the authorities;
and the assignment module is used for determining the target authority from the authority set and assigning the target authority to the allocation object.
11. An electronic device for rights assignment, comprising:
one or more processors;
a storage device for storing one or more programs,
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method recited in any of claims 1-9.
12. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out the method according to any one of claims 1-9.
CN202210895950.XA 2022-07-27 2022-07-27 Authority distribution method and device Pending CN115438333A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210895950.XA CN115438333A (en) 2022-07-27 2022-07-27 Authority distribution method and device

Publications (1)

Publication Number Publication Date
CN115438333A true CN115438333A (en) 2022-12-06

Family

ID=84242387

Country Status (1)

Country Link
CN (1) CN115438333A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116522414A (en) * 2023-06-26 2023-08-01 深圳市亲邻科技有限公司 Data storage method, IC card and data storage device
CN116522414B (en) * 2023-06-26 2023-10-13 深圳市亲邻科技有限公司 Data storage method, IC card and data storage device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination