Summary of the invention
The technical problem to be solved by the embodiments of the present application is to provide a role optimization method for an RBAC permission system that reduces the cases in which different roles carry identical or overlapping permissions.
Correspondingly, the embodiments of the present application also provide a role optimization device for an RBAC permission system, to guarantee the realization and application of the above method.
To solve the above problems, this application discloses a role optimization method for an RBAC permission system, comprising:
calculating the similarity between any two roles among a set of designated roles;
taking one of the designated roles as a starting point, performing a directed-graph traversal over the designated roles with the similarity between roles as the traversal condition;
determining similar roles according to the traversal result;
determining optimized roles for the similar roles according to the set of permissions the similar roles have in common and the set of permissions in which they differ.
Further, calculating the similarity between any two roles among the designated roles comprises:
calculating the Jaccard similarity between the permission sets of the two roles, and using it as the similarity between the two roles.
Further, before determining the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them, the method also includes:
judging whether the similarity between the similar roles is greater than or equal to a similarity threshold, and, only if so, determining the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them.
Further, determining similar roles according to the traversal result comprises:
if the traversal result is a chain result, determining that the roles in the first and second positions of the chain, or the two roles in the chain with the highest similarity, are the similar roles, where a chain result is a result of the directed-graph traversal in which the designated roles point to one another in sequence, formed after all of the designated roles have been traversed.
Further, determining similar roles according to the traversal result comprises:
if the traversal result is a twin result, determining that the two roles pointing to each other in the twin result are the similar roles, where a twin result is a result of the directed-graph traversal in which two roles point to each other.
Further, determining similar roles according to the traversal result comprises:
if the traversal result is a cycle result, determining the roles that point to one another in the cycle, where a cycle result is a result of the directed-graph traversal in which multiple roles point to one another cyclically;
determining the two roles with the highest similarity among the roles in the cycle to be the similar roles.
Further, determining the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them comprises:
calculating the set of common permissions and the set of differing permissions between the similar roles;
counting the online utilization rate of each permission in the set of differing permissions;
deleting from the set of differing permissions every permission whose online utilization rate is below a preset utilization-rate threshold, to obtain the final set of differing permissions;
determining the set of common permissions between the similar roles and the final set of differing permissions to be the permission sets of the optimized roles.
Also disclosed herein is a role optimization device for an RBAC permission system, comprising:
a computing unit, configured to calculate the similarity between any two roles among the designated roles;
a traversal unit, configured to take one of the designated roles as a starting point and perform a directed-graph traversal over the designated roles with the similarity between roles as the traversal condition;
a role determination unit, configured to determine similar roles according to the traversal result;
an optimization unit, configured to determine the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them.
Further, the device also includes:
a judging unit, configured to judge whether the similarity between the similar roles is greater than or equal to a similarity threshold;
the optimization unit being configured to determine the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them when the judging unit determines that the similarity between the similar roles is greater than or equal to the similarity threshold.
Further, the role determination unit is specifically configured to: if the traversal result is a chain result, determine that the roles in the first and second positions of the chain are the similar roles, where a chain result is a result of the directed-graph traversal in which the designated roles point to one another in sequence, formed after all of the designated roles have been traversed; if the traversal result is a twin result, determine that the two roles pointing to each other in the twin result are the similar roles, where a twin result is a result of the directed-graph traversal in which two roles point to each other; if the traversal result is a cycle result, determine the roles that point to one another in the cycle, where a cycle result is a result of the directed-graph traversal in which multiple roles point to one another cyclically, and determine the two roles with the highest similarity among the roles in the cycle to be the similar roles.
Further, the optimization unit includes:
a computation subunit, configured to calculate the set of common permissions and the set of differing permissions between the similar roles;
a counting subunit, configured to count the online utilization rate of each permission in the set of differing permissions;
a deletion subunit, configured to delete from the set of differing permissions every permission whose online utilization rate is below a preset utilization-rate threshold, to obtain the final set of differing permissions;
a determination subunit, configured to determine the set of common permissions between the similar roles and the final set of differing permissions to be the permission sets of the optimized roles.
Compared with the prior art, the embodiments of the present application have the following advantages:
The embodiments of the present application obtain the similarity between roles, perform a role traversal with the similarity between roles as the traversal condition, and, after determining the similar roles that need to be optimized, optimize the similar roles according to the set of common permissions and the set of differing permissions between them, so that the permission sets of the roles are as independent of one another as possible while each still represents a single business meaning. This reduces the cases in which different roles carry identical or overlapping permissions, and in turn reduces the security risk to the system caused by assigning roles to users unreasonably.
Specific embodiment
In order to make the above objects, features and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
Referring to Fig. 1, which shows the flow chart of an embodiment of a role optimization method in an RBAC permission system of the present application, the method may specifically include the following steps:
Step 101, calculate the similarity between any two roles among the designated roles.
In this step, the designated roles may be all of the roles in the role-permission relation table of a system under the RBAC permission system, or only those roles that need to be optimized. The similarity between two roles can be calculated from their permission sets, for example as the Jaccard similarity J(A, B) = |A ∩ B| / |A ∪ B|, where J(A, B) is the similarity between role A and role B, A and B are the permission sets of the two roles, and the value is the size of the intersection of the two permission sets divided by the size of their union. When A and B have no permission in common, the similarity is 0; when the intersection of A and B equals their union, that is, the two permission sets are identical, the similarity is 100%.
After the similarity between each role and every other role among the designated roles has been obtained, the similarities between roles can be added to a similarity list for subsequent lookup.
Step 102, take one of the designated roles as a starting point and perform a directed-graph traversal over the designated roles, with the similarity between roles as the traversal condition.
In this step, any role among the designated roles may be selected as the starting point, or the starting point may be selected from the designated roles as needed or according to a preset rule; this is not limited here.
After the starting role has been selected, the role with the highest similarity to it is selected from the similarity list as the role that the starting role points to; then the role with the highest similarity to that role is selected as the next role pointed to, and so on recursively. In this way a directed-graph traversal over the designated roles is performed with the similarity between roles as the traversal condition, and a traversal result such as 1 → 2 → 3 → ... is obtained.
There may be several kinds of traversal result, for example a chain result, a twin result or a cycle result.
A chain result is a result of the directed-graph traversal in which the designated roles point to one another in sequence, formed after all of the designated roles have been traversed. For example, if the traversal order is 1 → 2 → 3 → 4, the traversal of all designated roles is completed in a single pass and no role appears twice in the result.
A twin result is a result of the directed-graph traversal in which two roles point to each other. For example, in 1 → 2 → 3 → 2 → 3, roles 2 and 3 point to each other.
A cycle result is a result of the directed-graph traversal in which multiple roles point to one another cyclically. For example, in 1 → 2 → 3 → 4 → 2 → 3 → 4, roles 2, 3 and 4 point to one another cyclically.
Step 103, determine similar roles according to the traversal result.
After the traversal result of the previous step has been obtained, this step can determine from it the roles that need to be optimized, which are recorded as the similar roles.
For a chain result, the roles in the first and second positions of the chain may be taken as the similar roles, for example roles 1 and 2 in 1 → 2 → 3 → 4 → 5 → 6; alternatively, the two roles in the chain with the highest similarity may be taken as the similar roles, for example roles 3 and 4 in 1 → 2 → 3 → 4 → 5 → 6.
For a twin result, the two roles that point to each other may be taken as the similar roles, for example roles 2 and 3 in 1 → 2 → 3 → 2 → 3.
For a cycle result, all or some of the roles in the cycle may be taken as the similar roles, for example roles 2, 3 and 4, or roles 2 and 3, in 1 → 2 → 3 → 4 → 2 → 3 → 4.
Step 104, determine the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them.
In this step, the set of permissions the similar roles have in common and the set of permissions in which they differ can be obtained, and the optimized roles that result from optimizing the similar roles are then determined from these sets. Specifically, the set of common permissions and the set of differing permissions between the similar roles may be used directly as the permission sets of the optimized roles, or the permission sets of the optimized roles may be determined after the set of common permissions and the set of differing permissions have each been screened.
The permission sets of the optimized roles are more independent of one another, and the similarity between the roles is reduced.
Steps 101 to 104 may be repeated until every role that needs optimization has been optimized.
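The following is an added example, not code from the application, showing steps 101 to 103 in Python: the Jaccard similarity list, the "point to the most similar role" walk, the classification of the result as chain, twin or cycle, and the choice of the pair of similar roles. The role names R1 to R5, the permission names p1 to p7 and the starting roles are constructed; two readings that the application leaves open are assumed here and marked in the code: ties in similarity are broken by role name, and the walk stops as a chain once every designated role has been visited, since otherwise a walk in which every role has an out-edge never ends.

```python
from itertools import combinations


def jaccard(a, b):
    """Jaccard similarity of two permission sets, |A ∩ B| / |A ∪ B|.

    Two empty sets are treated as similarity 0 rather than dividing by zero;
    the application only defines the disjoint (0) and identical (100%) cases."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similarity_table(roles):
    """Step 101: the similarity list, keyed by ordered pair so it can be looked up either way."""
    table = {}
    for r1, r2 in combinations(roles, 2):
        table[(r1, r2)] = table[(r2, r1)] = jaccard(roles[r1], roles[r2])
    return table


def most_similar(roles, table):
    """Build the 'points to' rule of step 102: each role points to the other designated
    role with the highest similarity. Ties are broken by role name so the walk is
    deterministic (an assumption; the application does not say how ties are handled)."""
    def successor(role):
        others = [r for r in roles if r != role]
        return min(others, key=lambda r: (-table[(role, r)], r))
    return successor


def traverse(start, roles, successor):
    """Step 102 with the cycle check of the second embodiment (step 202).

    Follow the successor links from `start`. The walk stops either when every
    designated role has been visited (a chain result) or at the first role that
    reappears; in that case the roles from its first occurrence onward form the
    loop, which is a twin result when it holds two roles and a cycle when more."""
    path = [start]
    position = {start: 0}
    while len(path) < len(roles):
        nxt = successor(path[-1])
        if nxt in position:
            path.append(nxt)
            loop = path[position[nxt]:-1]
            kind = "twin" if len(loop) == 2 else "cycle"
            return {"kind": kind, "path": path, "loop": loop}
        position[nxt] = len(path)
        path.append(nxt)
    return {"kind": "chain", "path": path, "loop": []}


def similar_roles(result, table):
    """Step 103 and steps 301-302: pick the pair to optimize from a traversal result.

    Chain: the adjacent pair with the highest similarity (the application also allows
    simply the first two roles). Twin: the two roles pointing at each other.
    Cycle: the most similar pair among the cycling roles (step 302)."""
    if result["kind"] == "twin":
        return tuple(result["loop"])
    if result["kind"] == "chain":
        candidates = list(zip(result["path"], result["path"][1:]))
    else:
        candidates = list(combinations(result["loop"], 2))
    return max(candidates, key=lambda pair: table[pair])


# Constructed designated roles (not from the application).
ROLES = {
    "R1": {"p1", "p2", "p3"},
    "R2": {"p1", "p2", "p3", "p4"},
    "R3": {"p2", "p3", "p4", "p5"},
    "R4": {"p4", "p5", "p6"},
    "R5": {"p6", "p7"},
}


def run(start, roles=ROLES):
    """Steps 101-103 from one starting role: returns the traversal result and the chosen pair."""
    table = similarity_table(roles)
    result = traverse(start, roles, most_similar(roles, table))
    return result, similar_roles(result, table)


if __name__ == "__main__":
    for start in ("R5", "R1"):
        result, pair = run(start)
        print(start, result["kind"], " -> ".join(result["path"]), "similar:", pair)
```

Starting from R5 the walk visits all five roles and ends as a chain whose most similar adjacent pair is R2 and R1; starting from R1 it closes immediately as the twin R1, R2. One caveat worth knowing before relying on the cycle branch: with a symmetric similarity such as Jaccard, a cycle 2 → 3 → 4 → 2 requires J(2,3) ≥ J(2,4) ≥ J(3,4) ≥ J(2,3), so every similarity around the cycle is equal, and a cycle of three or more roles can only arise from ties. With a consistent tie-break the walk therefore ends as a chain or a twin; the cycle branch is kept because the application defines it, and `traverse` accepts any successor function so that it can still be exercised.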
The embodiments of the present application obtain the similarity between roles, perform a role traversal with the similarity between roles as the traversal condition, and, after determining the similar roles that need to be optimized, optimize the similar roles according to the set of common permissions and the set of differing permissions between them, so that the permission sets of the roles are as independent of one another as possible while each still represents a single business meaning. This reduces the cases in which different roles carry identical or overlapping permissions, and in turn reduces the security risk to the system caused by assigning roles to users unreasonably.
Referring to Fig. 2, which shows the flow chart of another embodiment of a role optimization method in an RBAC permission system of the present application, the method may specifically include the following steps:
Step 201, calculate the similarity between any two roles among the designated roles.
Step 202, take one of the designated roles as a starting point and perform a directed-graph traversal over the designated roles, with the similarity between roles as the traversal condition.
Steps 201 and 202 are similar to those of the previous embodiment.
In step 202, for example, role 1 is taken as the starting point, and role 2, the role with the highest similarity to role 1 according to the similarity list, is selected as the role that role 1 points to, giving 1 → 2; then role 3, the role with the highest similarity to role 2, is selected as the next role pointed to, giving 1 → 2 → 3; and so on recursively, so that a directed-graph traversal over the designated roles is performed with the similarity between roles as the traversal condition and a traversal result is obtained. In the present embodiment, each time the role with the highest similarity is obtained, that is, each time a role is appended to the linked list 1 → 2 → 3 → ..., the list is checked for roles that form a cycle, such as 1 → 2 → 3 → 2 → 3 or 1 → 2 → 3 → 4 → 2 → 3 → 4. If such roles exist, the roles of the cycle, for example roles 2 and 3, or roles 2, 3 and 4, are stored in a highest-similarity role list. If no cycling role appears during the whole traversal, the complete linked list produced by the traversal is obtained once the directed-graph traversal has finished.
Step 203, determine similar roles according to the traversal result.
In this step, the way similar roles are determined from a chain result or a twin result is similar to step 103 of the previous embodiment. In the present embodiment, determining similar roles from a cycle result, as shown in Fig. 3, may further include:
Step 301, if the traversal result is a cycle result, determine the roles that point to one another in the cycle, where a cycle result is a result of the directed-graph traversal in which multiple roles point to one another cyclically.
For example, if the traversal result is 1 → 2 → 3 → 4 → 2 → 3 → 4, the roles in the cycle are 2, 3 and 4.
Step 302, determine the two roles with the highest similarity among the roles in the cycle to be the similar roles.
Optimizing three or more roles at the same time is comparatively complex, so in this step two similar roles are first selected from the cycle and optimized, and the remaining roles are optimized afterwards by repeating the optimization steps, which reduces the complexity of role optimization.
For example, if roles 3 and 4 have the highest similarity among the cycling roles 2, 3 and 4, roles 3 and 4 are determined to be the similar roles.
Step 204, judge whether the similarity between the similar roles is greater than or equal to a similarity threshold.
In the present embodiment, after the similar roles have been determined, it is further judged whether the similarity between them is greater than or equal to a preset similarity threshold. If so, the method proceeds to step 205 for optimization; if not, no optimization is performed.
Different kinds of traversal result may correspond to different preset similarity thresholds, and the thresholds may be set and changed as needed.
Step 205, determine the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them.
In this step, the process of determining the optimized roles, as shown in Fig. 4, may further include:
Step 401, calculate the set of common permissions and the set of differing permissions between the similar roles.
For example, if the permission set of similar role 1 is {A, B, C} and the permission set of similar role 2 is {A, B, D, E}, the set of common permissions between similar roles 1 and 2 is {A, B} and the set of differing permissions is {C, D, E}.
Step 402, count the online utilization rate of each permission in the set of differing permissions.
This step may specifically count the online utilization rate of each permission over a predetermined period of time. For example, the online utilization rates of C, D and E in the set of differing permissions over the last month are C: 0, D: 5 and E: 10.
Step 403, delete from the set of differing permissions every permission whose online utilization rate is below a preset utilization-rate threshold, to obtain the final set of differing permissions.
The utilization-rate threshold can be set as needed and changed at any time. For example, if the utilization-rate threshold is 1, permission C can be deleted from the set of differing permissions.
Step 404, determine the set of common permissions between the similar roles and the final set of differing permissions to be the permission sets of the optimized roles.
The set of common permissions and the final set of differing permissions can serve as the permission sets of the optimized roles that replace similar roles 1 and 2. For example, the permission set of optimized role 1' is {A, B}, and it replaces similar role 1; the permission set of optimized role 2' is {D, E}, and it replaces similar role 2.
After the optimized roles have been obtained, the present embodiment may repeat steps 201 to 205, in particular for the other roles of higher similarity among the cycling roles of step 302, until the similarity between the similar roles is less than the similarity threshold and no further optimization is needed.
Repeating the above optimization steps gradually reduces the similarity between roles, so that the permission sets of the roles become as independent of one another as possible.
When a user's former roles are withdrawn and the optimized roles are assigned in their place, the user's permissions must be kept unchanged, apart from any permission deliberately deleted in step 403. In the example above, a user who held similar role 2 is therefore assigned both optimized role 1' and optimized role 2', so as to retain A, B, D and E.
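The following is an added example, not code from the application, carrying steps 204 and 401 to 404 through with the values of the description (role 1 = {A, B, C}, role 2 = {A, B, D, E}, online utilization over the last month C: 0, D: 5, E: 10, utilization-rate threshold 1) and then performing the reassignment of the last paragraph with a check that no user loses a permission that was not deliberately dropped. The similarity threshold of 0.3, the user list and the rule that a permission absent from the usage log counts as 0 are assumptions and are marked as such in the code.

```python
def jaccard(a, b):
    """Jaccard similarity |A ∩ B| / |A ∪ B| (step 201); 0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def optimize_pair(role1, role2, usage, usage_threshold, similarity_threshold):
    """Steps 204 and 401-404 for one pair of similar roles.

    role1, role2: (name, permission set). usage: online utilization rate per permission
    over the counting period; a permission absent from the log is taken as 0 (assumption).
    Returns None when the pair is below the similarity threshold (step 204), otherwise
    (optimized roles, dropped permissions)."""
    name1, perms1 = role1
    name2, perms2 = role2
    if jaccard(perms1, perms2) < similarity_threshold:                   # step 204
        return None
    common = perms1 & perms2                                              # step 401
    diff = perms1 ^ perms2
    dropped = {p for p in diff if usage.get(p, 0) < usage_threshold}     # steps 402-403
    final_diff = diff - dropped
    optimized = {name1 + "'": common, name2 + "'": final_diff}            # step 404
    return optimized, dropped


def reassign(users, old_roles, new_roles, dropped):
    """Withdraw the old roles and grant optimized roles so that every user keeps each
    permission that was not deliberately dropped in step 403.

    Returns (assignment, gaps). An optimized role is granted only if it adds nothing the
    user did not already hold, and gaps lists, per user, any wanted permission the
    optimized roles cannot supply: the check to run before the old roles are removed."""
    assignment, gaps = {}, {}
    for user, held in users.items():
        wanted = set().union(*(old_roles[r] for r in held)) - dropped
        granted = sorted(n for n, perms in new_roles.items() if perms and perms <= wanted)
        covered = set().union(*(new_roles[n] for n in granted)) if granted else set()
        assignment[user] = granted
        if wanted - covered:
            gaps[user] = wanted - covered
    return assignment, gaps


# Worked values from the description.
OLD_ROLES = {"role1": {"A", "B", "C"}, "role2": {"A", "B", "D", "E"}}
USAGE = {"C": 0, "D": 5, "E": 10}
# Constructed users holding the old roles (not in the application).
USERS = {"alice": ["role1"], "bob": ["role2"], "carol": ["role1", "role2"]}


def run_example(similarity_threshold=0.3):
    """Optimize the pair and reassign the constructed users. The similarity threshold is assumed;
    J(role1, role2) = 2/5 = 0.4 for the worked values."""
    outcome = optimize_pair(("role1", OLD_ROLES["role1"]), ("role2", OLD_ROLES["role2"]),
                            USAGE, usage_threshold=1, similarity_threshold=similarity_threshold)
    if outcome is None:
        return None
    new_roles, dropped = outcome
    assignment, gaps = reassign(USERS, OLD_ROLES, new_roles, dropped)
    return new_roles, dropped, assignment, gaps


if __name__ == "__main__":
    print(run_example())
```

With the worked values the result is role1' = {A, B}, role2' = {D, E}, C dropped, alice keeping role1' only and bob and carol receiving both optimized roles with no gaps. Note that step 404 builds the second optimized role from the differing permissions of both roles: had C survived the utilization screen it would have landed in role2', which the `perms <= wanted` guard in `reassign` would then refuse to grant to a former role 2 holder, and the gap report would flag D and E as unsupplied. Running that check before withdrawing the old roles is what makes the "permissions unchanged" requirement verifiable rather than assumed.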
It should be noted that, for simplicity of description, the method embodiments are described as a series of combined actions. Those skilled in the art should understand, however, that the embodiments of the present application are not limited by the described order of actions, since according to the embodiments of the present application some steps may be performed in other orders or simultaneously. Those skilled in the art should also know that the embodiments described in this specification are all preferred embodiments, and that the actions involved are not necessarily required by the embodiments of the present application.
Referring to Fig. 5, which shows the structural block diagram of an embodiment of a role optimization device in an RBAC permission system of the present application, the device may specifically include the following units:
a computing unit 501, configured to calculate the similarity between any two roles among the designated roles;
a traversal unit 502, configured to take one of the designated roles as a starting point and perform a directed-graph traversal over the designated roles with the similarity between roles as the traversal condition;
a role determination unit 503, configured to determine similar roles according to the traversal result;
an optimization unit 504, configured to determine the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them.
Through the above units, the embodiments of the present application obtain the similarity between roles, perform a role traversal with the similarity between roles as the traversal condition, and, after determining the similar roles that need to be optimized, optimize the similar roles according to the set of common permissions and the set of differing permissions between them, so that the permission sets of the roles are as independent of one another as possible while each still represents a single business meaning. This reduces the cases in which different roles carry identical or overlapping permissions, and in turn reduces the security risk to the system caused by assigning roles to users unreasonably.
In another embodiment, the computing unit 501 may be specifically configured to calculate the Jaccard similarity between the permission sets of any two roles among the designated roles and use it as the similarity between the two roles.
In another embodiment of the application, as shown in Fig. 6, the device may also include:
a judging unit 601, configured to judge whether the similarity between the similar roles is greater than or equal to a similarity threshold;
the optimization unit 504 being configured to determine the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them when the judging unit 601 determines that the similarity between the similar roles is greater than or equal to the similarity threshold.
In another embodiment, the role determination unit 503 is specifically configured to: if the traversal result is a chain result, determine that the roles in the first and second positions of the chain are the similar roles, where a chain result is a result of the directed-graph traversal in which the designated roles point to one another in sequence, formed after all of the designated roles have been traversed; if the traversal result is a twin result, determine that the two roles pointing to each other in the twin result are the similar roles, where a twin result is a result of the directed-graph traversal in which two roles point to each other; if the traversal result is a cycle result, determine the roles that point to one another in the cycle, where a cycle result is a result of the directed-graph traversal in which multiple roles point to one another cyclically, and determine the two roles with the highest similarity among the roles in the cycle to be the similar roles.
In another embodiment, as shown in Fig. 7, the optimization unit 504 may further include:
a computation subunit 701, configured to calculate the set of common permissions and the set of differing permissions between the similar roles;
a counting subunit 702, configured to count the online utilization rate of each permission in the set of differing permissions;
a deletion subunit 703, configured to delete from the set of differing permissions every permission whose online utilization rate is below a preset utilization-rate threshold, to obtain the final set of differing permissions;
a determination subunit 704, configured to determine the set of common permissions between the similar roles and the final set of differing permissions to be the permission sets of the optimized roles.
The embodiments of the present application also provide an electronic device, including a memory and a processor.
The processor and the memory are connected to each other by a bus; the bus may be an ISA bus, a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on.
The memory is used to store a program; specifically, the program may include program code, and the program code includes computer operation instructions. The memory may include high-speed RAM and may also include non-volatile memory, for example at least one disk storage.
The processor is used to read the program code in the memory and execute the following steps:
calculating the similarity between any two roles among the designated roles;
taking one of the designated roles as a starting point, performing a directed-graph traversal over the designated roles with the similarity between roles as the traversal condition;
determining similar roles according to the traversal result;
determining the optimized roles of the similar roles according to the set of common permissions and the set of differing permissions between them.
Since the device embodiments are basically similar to the method embodiments, they are described relatively briefly; for related details, refer to the description of the method embodiments.
The embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments can be referred to one another.
Those skilled in the art should understand that the embodiments of the present application may be provided as a method, a device or a computer program product. Therefore, the embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the embodiments of the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage and the like) containing computer-usable program code.
In a typical configuration, the computer device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory. The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium. Computer-readable media include permanent and non-permanent, removable and non-removable media, and may realize information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.
The embodiments of the present application are described with reference to flowcharts and/or block diagrams of the method, terminal device (system) and computer program product according to the embodiments of the present application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and any combination of processes and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, a special-purpose computer, an embedded processor or another programmable data processing terminal device to produce a machine, so that the instructions executed by the processor of the computer or other programmable data processing terminal device produce a device for realizing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or another programmable data processing terminal device to operate in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, the instruction device realizing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or another programmable data processing terminal device, so that a series of operation steps are executed on the computer or other programmable terminal device to produce computer-implemented processing, whereby the instructions executed on the computer or other programmable terminal device provide steps for realizing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Although preferred embodiments of the embodiments of the present application have been described, those skilled in the art, once aware of the basic inventive concept, may make additional changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including the preferred embodiments and all changes and modifications that fall within the scope of the embodiments of the present application.
Finally, it should be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or terminal device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or terminal device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or terminal device that includes the element.
The role optimization method and the role optimization device for an RBAC permission system provided herein have been described in detail above. Specific examples have been used herein to explain the principles and embodiments of the present application, and the description of the above embodiments is only intended to help understand the method of the present application and its core ideas. At the same time, those of ordinary skill in the art may, according to the ideas of the present application, make changes in the specific embodiments and the scope of application. In conclusion, the contents of this specification should not be construed as limiting the present application.