CN107832592B - Authority management method, device and storage medium - Google Patents

Authority management method, device and storage medium

Info

Publication number: CN107832592B
Authority: CN (China)
Prior art keywords: account, management, authorization, user account, authority
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN201711031078.XA
Other languages: Chinese (zh)
Other versions: CN107832592A (en)
Inventor: 金帅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Beijing Xiaomi Mobile Software Co Ltd
Original Assignee: Beijing Xiaomi Mobile Software Co Ltd
Events: application filed by Beijing Xiaomi Mobile Software Co Ltd; priority to CN201711031078.XA; publication of CN107832592A; application granted; publication of CN107832592B; current legal status: Active.

Classifications

    • G: PHYSICS
        • G06: COMPUTING; CALCULATING OR COUNTING
            • G06F: ELECTRIC DIGITAL DATA PROCESSING
                • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F21/31: User authentication
            • G06Q: INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
                • G06Q10/00: Administration; Management
                    • G06Q10/06: Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
                        • G06Q10/063: Operations research, analysis or management

Abstract

The present disclosure provides a permission management method, a permission management device and a storage medium, and belongs to the field of information management. The method comprises the following steps: when detecting that a user account has successfully logged in to a management system, determining the account type of the user account, where the account type is either the management system's own account type or a third-party account type; allocating management authority to the user account based on the account type; and controlling the management operations of the user account based on the allocated management authority. Because authority management is carried out separately according to the type of the user account that logs in to the management system, the authority management of own accounts and that of third-party accounts do not affect each other, which improves the flexibility and accuracy of management.

Description

Authority management method, device and storage medium
Technical Field
The present disclosure relates to the field of information management, and in particular, to a method and an apparatus for managing permissions, and a storage medium.
Background
Many enterprises now operate management systems: enterprise employees log in to the management system with user accounts and manage enterprise services through it. To meet management requirements, different user accounts need different management authorities, so the management authorities of user accounts must be managed effectively.
In the related art, the management system allocates employee user accounts to the enterprise's full-time employees and temporary user accounts to temporary personnel from outside the enterprise, and then manages the management authorities of the employee user accounts and the temporary user accounts in a unified manner.
Disclosure of Invention
In order to solve the problems in the related art, embodiments of the present disclosure provide a rights management method, a rights management apparatus, and a storage medium. The technical scheme is as follows:
According to a first aspect of the embodiments of the present disclosure, there is provided a rights management method applied in a server, the method including:
when detecting that a user account has successfully logged in to a management system, determining the account type of the user account, where the account type is either the management system's own account type or a third-party account type;
allocating management authority to the user account based on the account type;
and controlling the management operations of the user account based on the allocated management authority.
Optionally, the allocating management authority to the user account based on the account type includes:
determining the management authority corresponding to the account type based on a stored type-authority correspondence, where the type-authority correspondence comprises the own account type together with its corresponding management authority, and a plurality of third-party account types together with the management authority corresponding to each third-party account type;
and determining the management authority corresponding to the account type as the management authority of the user account.
Optionally, the management system includes a plurality of function modules, and different function modules are used for executing different management services;
when detecting that the user account has successfully logged in to the management system, the determining the account type of the user account includes:
when detecting that the user account has successfully logged in to the management system and an authority application sent by the user account is received, determining the account type of the user account;
where the authority application comprises a user account identifier and an identifier of the designated function module for which management authority is applied, and the user account identifier is used for indicating the account type of the user account;
accordingly, the allocating management authority to the user account based on the account type includes:
determining a designated authorization audit account based on the account type and the identifier of the designated function module;
sending the authority application to the designated authorization audit account;
and determining the management authority of the user account based on the authorization audit result of the designated authorization audit account.
Optionally, the determining a designated authorization audit account based on the account type and the identifier of the designated function module includes:
determining a plurality of authorization audit accounts corresponding to the designated function module based on the identifier of the designated function module and a stored correspondence between function module identifiers and authorization audit accounts, where the plurality of authorization audit accounts correspond to a plurality of account types;
selecting, from the plurality of authorization audit accounts, an authorization audit account of the same account type as the user account;
and determining the selected authorization audit account as the designated authorization audit account.
Optionally, before sending the authority application to the designated authorization audit account, the method further includes:
receiving a submitted designated member list of the designated function module;
where the designated member list comprises a plurality of member accounts of the same account type as the user account and the designated authorization audit account, and the designated authorization audit account is used for authorizing and de-authorizing the plurality of member accounts with respect to the management authority of the designated function module;
correspondingly, the sending the authority application to the designated authorization audit account includes:
when the user account is the same as any one of the plurality of member accounts, sending the authority application to the designated authorization audit account.
Optionally, after allocating management authority to the user account based on the account type, the method further includes:
when the management authority allocated to the user account is the management authority of a designated function module among the plurality of function modules included in the management system, and an authority release request for the user account sent by the designated authorization audit account of the designated function module is received, releasing the management authority allocated to the user account;
where different function modules among the plurality of function modules are used for executing different management services, and the designated authorization audit account is an authorization audit account of the same account type as the user account.
According to a second aspect of the embodiments of the present disclosure, there is provided a rights management apparatus applied in a server, the apparatus including:
a determining module, configured to determine the account type of a user account when detecting that the user account has successfully logged in to a management system, where the account type is either the management system's own account type or a third-party account type;
an allocation module, configured to allocate management authority to the user account based on the account type;
and a control module, configured to control the management operations of the user account based on the allocated management authority.
Optionally, the allocation module comprises:
a first determining submodule, configured to determine the management authority corresponding to the account type based on a stored type-authority correspondence, where the type-authority correspondence comprises the own account type together with its corresponding management authority, and a plurality of third-party account types together with the management authority corresponding to each third-party account type;
and a second determining submodule, configured to determine the management authority corresponding to the account type as the management authority of the user account.
Optionally, the management system includes a plurality of function modules, and different function modules are used for executing different management services;
the determining module comprises:
a third determining submodule, configured to determine the account type of the user account when detecting that the user account has successfully logged in to the management system and an authority application sent by the user account is received;
where the authority application comprises a user account identifier and an identifier of the designated function module for which management authority is applied, and the user account identifier is used for indicating the account type of the user account;
accordingly, the allocation module comprises:
a fourth determining submodule, configured to determine a designated authorization audit account based on the account type and the identifier of the designated function module;
a sending submodule, configured to send the authority application to the designated authorization audit account;
and a fifth determining submodule, configured to determine the management authority of the user account based on the authorization audit result of the designated authorization audit account.
Optionally, the fourth determining submodule is mainly configured to:
determine a plurality of authorization audit accounts corresponding to the designated function module based on the identifier of the designated function module and a stored correspondence between function module identifiers and authorization audit accounts, where the plurality of authorization audit accounts correspond to a plurality of account types;
select, from the plurality of authorization audit accounts, an authorization audit account of the same account type as the user account;
and determine the selected authorization audit account as the designated authorization audit account.
Optionally, the allocation module further comprises:
a receiving submodule, configured to receive a submitted designated member list of the designated function module;
where the designated member list comprises a plurality of member accounts of the same account type as the user account and the designated authorization audit account, and the designated authorization audit account is used for authorizing and de-authorizing the plurality of member accounts with respect to the management authority of the designated function module;
correspondingly, the sending submodule is mainly configured to:
send the authority application to the designated authorization audit account when the user account is the same as any one of the plurality of member accounts.
Optionally, the apparatus further comprises:
a release module, configured to release the management authority allocated to the user account when the management authority allocated to the user account is the management authority of a designated function module among the plurality of function modules included in the management system and an authority release request for the user account sent by the designated authorization audit account of the designated function module is received;
where different function modules among the plurality of function modules are used for executing different management services, and the designated authorization audit account is an authorization audit account of the same account type as the user account.
According to a third aspect of the embodiments of the present disclosure, there is provided a rights management apparatus, the apparatus including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the steps of any of the methods of the first aspect described above.
According to a fourth aspect of embodiments of the present disclosure, there is provided a computer-readable storage medium having stored thereon instructions which, when executed by a processor, implement the steps of any one of the methods of the first aspect described above.
The technical scheme provided by the embodiments of the present disclosure has the following beneficial effects: when it is detected that a user account has successfully logged in to the management system, the account type of the user account is determined, so that management authority is allocated to the user account according to the type of the account that logged in to the management system, and the management operations of the user account are then controlled based on the allocated management authority.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
In order to illustrate the technical solutions in the embodiments of the present disclosure more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present disclosure, and those skilled in the art can obtain other drawings based on these drawings without creative effort.
FIG. 1 is a flowchart of a rights management method provided by an embodiment of the present disclosure;
FIG. 2 is a flowchart of another rights management method provided by an embodiment of the present disclosure;
FIG. 3 is a schematic structural diagram of a rights management apparatus provided by an embodiment of the present disclosure;
FIG. 4 is a schematic structural diagram of another rights management apparatus provided by an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the present disclosure more apparent, embodiments of the present disclosure will be described in detail with reference to the accompanying drawings.
For convenience of understanding, before explaining the embodiments of the present disclosure in detail, an application scenario related to the embodiments of the present disclosure will be described.
The embodiments of the present disclosure are applied to the management system of an enterprise, which is used for managing enterprise business. The management system may be any type of management system, such as a financial management system or a supply chain management system, or another type of management system.
A supply chain management system uses information system technology to integrate all enterprise activities, from raw material purchase through sale to end users, into one seamless managed process, and connects suppliers, manufacturers, distributors, retailers and end users into an integrated functional network chain. Moreover, the supply chain management system is the most central system of an enterprise, and each link of the enterprise needs to be coordinated and managed through it.
In practical application, the management system can allocate corresponding user accounts to employees according to the actual situation; employees then log in to the management system with the allocated user accounts and apply for the management authority they require, and after the application succeeds they can execute the management operations within that authority in the management system. Furthermore, the management system may also comprise a plurality of function modules, and an employee may apply for the management authority of a particular function module.
For example, in a supply chain management system, when a manufacturer wants to know the sales volume of a product in order to adjust its production volume, the manufacturer needs to log in to the supply chain management system and apply for the information-viewing management authority of the sales module; after authorization succeeds, the manufacturer can access the sales module and view the sales information within that authority.
As another example, in a supply chain management system, when a seller finds that a batch of goods is repeatedly not supplied in time during sales and wants to know whether a problem has occurred in transportation, the seller can log in to the supply chain management system and apply for the information-viewing management authority of the transportation module; after authorization succeeds, the seller can access the transportation module and view the transportation information within that authority.
Of course, the embodiments of the present disclosure may be applied not only to these two application scenarios but also to other application scenarios in practice.
Because a management system faces a complex body of personnel, every management system inevitably faces the problem of authority management. Authority management refers to allocating management authority to different user accounts or releasing the management authority of user accounts, and controlling the management operations of each user account in the management system according to its management authority.
In the related art, the management system generally adopts an authority management mode in which employee user accounts are allocated to the enterprise's full-time employees, temporary user accounts are allocated to temporary personnel from outside the enterprise, and the management authorities of the employee user accounts and the temporary user accounts are then managed in a unified manner; but in that unified management process, the temporary user accounts interfere with the authority management of the employee user accounts. For example, when a system administrator needs to clear the management authority of all temporary user accounts, a mistaken operation by the administrator risks deleting the management authority of employee user accounts as well.
Having introduced the application scenarios related to the embodiments of the present disclosure, the embodiments are explained in detail below. FIG. 1 is a flowchart of a rights management method provided by an embodiment of the present disclosure; referring to FIG. 1, the method includes the following steps:
Step 101: when detecting that a user account has successfully logged in to the management system, determine the account type of the user account, where the account type is either the management system's own account type or a third-party account type.
Step 102: allocate management authority to the user account based on the account type.
Step 103: control the management operations of the user account based on the allocated management authority.
In summary, according to the embodiment of the present disclosure, when it is detected that a user account has successfully logged in to the management system, the account type of the user account is determined, management authority is then allocated to the user account according to the type of the account that logged in to the management system, and the management operations of the user account are then controlled based on the allocated management authority.
Optionally, the management system includes a plurality of function modules, and different function modules are used for executing different management services;
when detecting that the user account has successfully logged in to the management system, determining the account type of the user account includes:
when detecting that the user account has successfully logged in to the management system and an authority application sent by the user account is received, determining the account type of the user account;
where the authority application comprises a user account identifier and an identifier of the designated function module for which management authority is applied, and the user account identifier is used for indicating the account type of the user account;
accordingly, allocating management authority to the user account based on the account type includes:
determining a designated authorization audit account based on the account type and the identifier of the designated function module;
sending the authority application to the designated authorization audit account;
and determining the management authority of the user account based on the authorization audit result of the designated authorization audit account.
Optionally, determining a designated authorization audit account based on the account type and the identifier of the designated function module includes:
determining a plurality of authorization audit accounts corresponding to the designated function module based on the identifier of the designated function module and a stored correspondence between function module identifiers and authorization audit accounts, where the plurality of authorization audit accounts correspond to a plurality of account types;
selecting, from the plurality of authorization audit accounts, an authorization audit account of the same account type as the user account;
and determining the selected authorization audit account as the designated authorization audit account.
Optionally, before sending the authority application to the designated authorization audit account, the method further includes:
receiving a submitted designated member list of the designated function module;
where the designated member list comprises a plurality of member accounts of the same account type as the user account and a designated authorization audit account, and the designated authorization audit account is used for authorizing and de-authorizing the plurality of member accounts with respect to the management authority of the designated function module;
correspondingly, sending the authority application to the designated authorization audit account includes:
when the user account is the same as any one of the plurality of member accounts, sending the authority application to the designated authorization audit account.
Optionally, after allocating management authority to the user account based on the account type, the method further includes:
when the management authority allocated to the user account is the management authority of a designated function module among the plurality of function modules included in the management system, and an authority release request for the user account sent by the designated authorization audit account of the designated function module is received, releasing the management authority allocated to the user account;
where different function modules among the plurality of function modules are used for executing different management services, and the designated authorization audit account is an authorization audit account of the same account type as the user account.
All of the above optional technical solutions can be combined arbitrarily to form optional embodiments of the present disclosure, which are not described in detail again here.
FIG. 2 is a flowchart of a rights management method provided by an embodiment of the present disclosure. The method is applied to a server, which may be the background server of the management system; referring to FIG. 2, the method includes the following steps:
Step 201: when detecting that a user account has successfully logged in to the management system, determine the account type of the user account, where the account type is either the management system's own account type or a third-party account type.
The management system is used for managing enterprise services, and may be any type of management system, such as a financial management system or a supply chain management system, or another management system, which is not limited in this disclosure.
A third-party account is any account other than the own accounts provided by the management system. Third-party accounts may include several types, such as instant messaging application accounts, social application accounts, or other accounts; the embodiments of the present disclosure are not limited in this respect.
Additionally, each type of third-party account may further include user accounts of third-party applications developed by different application developers. For example, the instant messaging application accounts may include a first instant messaging application account and a second instant messaging application account, where the first is a user account provided by a first instant messaging application developed by a first developer and the second is a user account provided by a second instant messaging application developed by a second developer.
Unlike the related art, the management system provided by the embodiments of the present disclosure supports not only login with own accounts but also login with third-party accounts. In practical application, the enterprise's full-time personnel can log in to the management system with own accounts, and temporary personnel from outside the enterprise can log in with their own third-party accounts. This avoids having to allocate temporary user accounts to temporary personnel from outside the enterprise, and thus avoids the interference that temporary user accounts cause to the authority management of employee user accounts during authority management.
When detecting that the user account has successfully logged in to the management system, determining the account type of the user account can be implemented in the following two ways:
In the first implementation, when a login request for the user account is received and the user account successfully logs in based on the login request, the account type of the user account is determined.
The login request may include a user account identifier and a password, and the user account identifier may include a user name and an account type; accordingly, the account type of the user account may be determined from the user account identifier.
That is, in the first implementation, when it is detected that the user account has successfully logged in to the management system, the account type of the logged-in user account may be determined directly.
In the second implementation, if the management system comprises a plurality of function modules, the account type of the user account is determined when it is detected that the user account has successfully logged in to the management system and an authority application sent by the user account is received.
The different function modules are used for executing different management services. The authority application comprises a user account identifier and an identifier of the designated function module for which management authority is applied, and the user account identifier is used for indicating the account type of the user account; accordingly, the account type of the user account can be determined from the user account identifier.
That is, in the second implementation, for a logged-in user account, the account type may also be determined when an authority application sent by any logged-in user account is received.
It should be noted that when a user account logs in, it needs to be authenticated through a server, and different account types need to be authenticated at different servers. For example, when the user account is of the management system's own account type, authentication is performed at the server of the management system; when the user account is of a third-party account type, the management system needs to forward the login information of the user account to the third-party server, and the third-party server performs the verification.
For example, when a third-party user account requests login with a submitted user name and password, the server of the management system, after receiving the submitted user name and password, may forward them to the third-party server corresponding to that third-party account for verification and receive the verification result returned by the third-party server. It should be noted that this login manner for third-party user accounts is only an exemplary one given by the embodiments of the disclosure, and the disclosure is not limited thereto.
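As an added example (not code from the patent), the following Python models the login path just described: the account type is read from the user account identifier, own accounts are verified by the management system's own store, third-party types are forwarded to the server registered for that type, and unknown types fail closed. The identifier format `<type>:<user name>`, the verifier classes and the sample credentials are assumptions constructed here.

```python
"""Added example (not the patent's code): account-type determination at login
and per-type verification routing. Identifier format and verifiers are assumed."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Optional

OWN = "own"                             # the management system's own account type
THIRD_PARTY_TYPES = {"im", "social"}    # third-party account types the system supports


@dataclass(frozen=True)
class Session:
    user_name: str
    account_type: str  # recorded at login so authority can later be allocated by type


def parse_identifier(identifier: str) -> tuple[str, str]:
    """Split an assumed "<type>:<user name>" identifier into (type, user name).

    Malformed identifiers and unknown account types are rejected (fail closed)
    rather than being treated as own accounts.
    """
    account_type, sep, user_name = identifier.partition(":")
    if not sep or not user_name:
        raise ValueError("malformed user account identifier")
    if account_type != OWN and account_type not in THIRD_PARTY_TYPES:
        raise ValueError(f"unsupported account type: {account_type}")
    return account_type, user_name


class OwnAccountStore:
    """Verifier for the management system's own accounts (local password hashes)."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, digest)

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add(self, user_name: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[user_name] = (salt, self._digest(password, salt))

    def verify(self, user_name: str, password: str) -> bool:
        record = self._records.get(user_name)
        if record is None:
            return False
        salt, expected = record
        return hmac.compare_digest(self._digest(password, salt), expected)


class ThirdPartyServer:
    """Stand-in for a third-party server: the management system forwards the
    submitted user name and password and receives the verification result."""

    def __init__(self, accounts: dict[str, str]) -> None:
        self._accounts = accounts  # constructed sample credentials, not a real directory

    def verify(self, user_name: str, password: str) -> bool:
        stored = self._accounts.get(user_name)
        return stored is not None and hmac.compare_digest(stored, password)


class LoginHandler:
    """Routes each login to the verifier that owns the account type."""

    def __init__(self, own: OwnAccountStore,
                 third_party: dict[str, ThirdPartyServer]) -> None:
        self._verifiers: dict[str, Callable[[str, str], bool]] = {OWN: own.verify}
        for account_type, server in third_party.items():
            if account_type not in THIRD_PARTY_TYPES:
                raise ValueError(f"no such third-party account type: {account_type}")
            self._verifiers[account_type] = server.verify

    def login(self, identifier: str, password: str) -> Optional[Session]:
        account_type, user_name = parse_identifier(identifier)
        verifier = self._verifiers.get(account_type)
        if verifier is None:
            return None  # supported type but no server configured for it: deny
        if not verifier(user_name, password):
            return None
        return Session(user_name, account_type)
```

The session carries the account type determined from the identifier, which is what the allocation step in step 202 consumes.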
Step 202: management authority is allocated to the user account based on the account type.
It should be noted that the management authority corresponding to an account type may be management authority over the entire management system or over any one functional module included in the management system.
The management authority may also be divided into a plurality of levels, each level permitting different management operations. For example, the management authority may include a primary management authority that permits access operations and a secondary management authority that permits both access and modification operations. Other grading schemes are possible in practical applications, and the embodiment of the present disclosure is not limited in this respect.
Allocating management authority to the user account based on the account type can be implemented in two ways:
The first implementation manner: when the account type of the user account was determined in the first implementation manner of step 101, the management authority corresponding to the account type is determined from a stored type-authority correspondence, and that management authority is determined as the management authority of the user account. The type-authority correspondence comprises the owned account type with its corresponding management authority, and a plurality of third-party account types each with its corresponding management authority.
The stored type-authority correspondence may be preset; for example, a system administrator may authorize each type of user account as a whole in advance, after which the server allocates management authority to user accounts of each type according to the stored correspondence.
It should be noted that with the first implementation manner the management authority of a given type of user account is authorized as a whole according to the account type, so that the corresponding management authority is allocated to that type as a whole and all user accounts of the same type receive a uniform management authority.
In practical application, the management authority of the whole management system may be authorized as a whole for a certain type of user account, and when the management system comprises a plurality of functional modules, the management authority of a single functional module may likewise be authorized as a whole for a certain type of user account. Different functional modules execute different management services.
For example, in a supply chain management system, if a certain type of user account needs management authority over the entire supply chain management system during a certain period, whole authorization may be used to assign management authority to all user accounts of that type, for example primary or secondary management authority, with the specific level chosen according to the actual situation.
For another example, if a certain type of user account frequently needs management authority over the sales module of the supply chain management system during a certain period, partial whole authorization may be used to authorize the management authority of the sales module for that type as a whole, for example by allocating primary or secondary management authority for the sales module to the user accounts of that type, again with the specific level chosen according to the actual situation.
Further, when the management system comprises a plurality of function modules, the server may also store a member list for each function module. The member list of a function module comprises a plurality of user accounts and indicates that only the user accounts in the list can be granted the management authority of that function module. The member list may be configured for the function module by a system administrator or in other manners, which the disclosure does not limit.
Further, in order to manage owned accounts and third-party accounts separately, the member list of each functional module may itself comprise a member list of the owned account type and a member list of the third-party account type, where every user account in the former is an owned account and every user account in the latter is a third-party account of the corresponding type. The member list of the third-party account type may be further split by third-party account type, for example into a member list of the instant messaging application account type and a member list of the social software application account type.
Accordingly, whole authorization may be performed on all user accounts in the member list of any functional module, or on all user accounts in the member list of a certain account type of any functional module.
It is worth noting that when the members of a certain functional module are authorized as a whole, the management authorities of different functional modules do not affect each other. For example, in the supply chain management system, if the management authority to view order information is allocated as a whole to all members of the sales module, the production module and the transportation module do not thereby gain the authority to view order information; the management authority allocated to the sales module leaves the management authorities of the other modules unchanged.
Correspondingly, when the members of a certain account type in a certain functional module are authorized as a whole, neither the management authorities of different functional modules nor those of different account types within the same functional module affect each other. For example, in the supply chain management system, if the management authority to modify order information is allocated as a whole to the owned accounts of the sales module, and the management authority to view order information is allocated as a whole to the third-party accounts of the sales module, such as social software application accounts, then a social software application account can only view order information and cannot modify it; the management authority of the owned accounts and that of the social software application accounts are independent of each other.
For example, the type-authority correspondence stored in the management system for a certain function module is shown in table 1 below. Assuming the determined account type of the user account is the "first instant messaging application account type", the management authority corresponding to that account type is determined from table 1 as the "first-level (primary) management authority", which is then determined as the management authority of the first instant messaging application account.
TABLE 1
Account type                                      | Management authority
Owned account type                                | Third-level management authority
First instant messaging application account type  | First-level management authority
Second instant messaging application account type | Second-level management authority
Social software application account type          | First-level management authority
……                                                | ……
Note that the embodiment of the present disclosure uses the type-authority correspondence of table 1 only as an example, and table 1 does not limit the embodiment.
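As an added example (not code from the patent), the whole authorization of the first implementation manner can be modelled as a stored type-authority table consulted at login, with a per-module member list gating who may receive a module's authority. The account types, level names, module names, table contents and function names below are assumptions chosen to mirror table 1 and the member-list text. Two further assumptions fill gaps the text leaves open: a whole-system grant is taken to apply to every module, with the higher of the system-wide and module-specific levels winning, and a module that keeps no member list for a type imposes no membership restriction on that type. The example goes slightly beyond the text in combining both grant scopes in a single lookup.

```python
from enum import Enum, IntEnum


class AccountType(Enum):
    OWNED = "owned"          # account issued by the management system itself
    FIRST_IM = "first_im"    # first instant messaging application account type
    SECOND_IM = "second_im"  # second instant messaging application account type
    SOCIAL = "social"        # social software application account type


class Level(IntEnum):
    NONE = 0
    FIRST = 1   # view operations only
    SECOND = 2  # view and modify
    THIRD = 3   # view, modify and delete (assumed meaning of "third-level")


# Operations permitted at each level; higher levels include the lower ones.
OPERATIONS = {
    Level.NONE: frozenset(),
    Level.FIRST: frozenset({"view"}),
    Level.SECOND: frozenset({"view", "modify"}),
    Level.THIRD: frozenset({"view", "modify", "delete"}),
}

SYSTEM = "*"  # pseudo-module: an entry here is whole-system authorization

# Stored type-authority correspondence, keyed by module and then account type.
# Constructed for illustration; table 1 is reused as the "sales" module's table.
TYPE_AUTHORITY = {
    SYSTEM: {AccountType.OWNED: Level.FIRST},
    "sales": {
        AccountType.OWNED: Level.THIRD,
        AccountType.FIRST_IM: Level.FIRST,
        AccountType.SECOND_IM: Level.SECOND,
        AccountType.SOCIAL: Level.FIRST,
    },
    "production": {AccountType.OWNED: Level.SECOND},
}

# Member lists per module and account type (constructed). Only listed accounts
# may receive that module's authority; a type with no list is unrestricted
# (assumption: the text does not say what an absent list means).
MEMBERS = {
    "sales": {AccountType.SOCIAL: {"carol"}, AccountType.FIRST_IM: {"bob"}},
}


def assigned_level(account_type, module, table=TYPE_AUTHORITY):
    """Level a login of `account_type` holds on `module` under whole authorization.

    A whole-system grant applies to every module; a module-specific grant for
    the same type wins if it is higher. Unlisted types get nothing (default
    deny), and a grant on one module never leaks into another.
    """
    system_level = table.get(SYSTEM, {}).get(account_type, Level.NONE)
    module_level = table.get(module, {}).get(account_type, Level.NONE)
    return max(system_level, module_level)


def is_member(name, account_type, module, members=MEMBERS):
    """False only if the module keeps a member list for this type that omits `name`."""
    listed = members.get(module, {}).get(account_type)
    return listed is None or name in listed


def is_allowed(name, account_type, module, operation,
               table=TYPE_AUTHORITY, members=MEMBERS):
    """Step 203 check: the operation must lie inside the level granted on that module."""
    if not is_member(name, account_type, module, members):
        return False
    return operation in OPERATIONS[assigned_level(account_type, module, table)]


if __name__ == "__main__":
    # A social software account may view but not modify sales data, and sees nothing in production.
    print(is_allowed("carol", AccountType.SOCIAL, "sales", "view"))        # True
    print(is_allowed("carol", AccountType.SOCIAL, "sales", "modify"))      # False
    print(is_allowed("carol", AccountType.SOCIAL, "production", "view"))   # False
```

The default-deny lookup is what keeps the sales grant from leaking into the production and transportation modules, and the member-list gate is what turns "all accounts of a type" into "all listed accounts of a type" when a module needs the narrower scope.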
The second implementation manner: when the account type of the user account was determined in the second implementation manner of step 101, a designated authorization audit account is determined based on the account type and the identifier of the designated functional module; the authority application is sent to the designated authorization audit account; and the management authority of the user account is determined based on the authorization audit result of the designated authorization audit account.
Determining the designated authorization audit account based on the account type and the identifier of the designated function module may comprise: determining, from the identifier of the designated function module and a stored correspondence between function module identifiers and authorization audit accounts, the plurality of authorization audit accounts corresponding to the designated function module, these being the authorization audit accounts corresponding to a plurality of account types; selecting from them the authorization audit account whose account type is the same as that of the user account; and determining the selected authorization audit account as the designated authorization audit account.
It should be noted that the designated authorization audit account is of the same account type as the user account, and can only authorize user accounts of that type, never user accounts of other account types. For example, if the designated authorization audit account is of the owned account type, it can only audit and authorize authority applications sent by owned accounts and cannot authorize third-party accounts such as instant messaging application accounts.
In addition, the correspondence between function module identifiers and authorization audit accounts stored in the management system may be preset. For example, this correspondence is shown in table 2 below. Assuming the designated function module is the "production module", the plurality of authorization audit accounts corresponding to the production module are determined from table 2 as "owned account A, instant messaging application account B, social software application account C, ……", and these accounts are determined as the plurality of authorization audit accounts corresponding to the production module.
TABLE 2
Account type of audit account         | Production module                       | Transport module                        | Sales module                            | ……
Owned account                         | Owned account A                         | Owned account 1                         | Owned account a                         | ……
Instant messaging application account | Instant messaging application account B | Instant messaging application account 2 | Instant messaging application account b | ……
Social software application account   | Social software application account C   | Social software application account 3   | Social software application account c   | ……
……                                    | ……                                      | ……                                      | ……                                      | ……
It should be noted that the embodiment of the present disclosure uses the correspondence of table 2 between function module identifiers and authorization audit accounts only as an example, and table 2 does not limit the embodiment.
In the related technology, authorization in a management system is usually performed by a system administrator responsible for the entire management system: authority applications for any functional module are sent to the system administrator account and authorized there in a unified way. Because a system administrator responsible for the whole system cannot fully oversee every business process, such an administrator can only passively accept the applications of user accounts, so a large share of the management authority obtained by user accounts exceeds what is actually required. This over-privilege easily introduces potential security hazards, and after a security incident the responsibility of the authorizing personnel cannot be effectively determined, which leaves a gap in management.
In the embodiment of the disclosure, a dedicated authorization audit account can be set for each functional module and made responsible for auditing and authorizing the authority applications of that module. Because the authorization audit account of a functional module is familiar with the business process of the module it is responsible for, it can audit and authorize management authority according to the actual situation, which improves accuracy and avoids the blind authorization of a system administrator while still allowing centralized management. After a security incident, the responsible person can be determined quickly and accurately through the authorization audit account, which closes the gap of the related technology in which responsible persons could not be effectively identified, strengthens the authority control capability of the system and enhances its security.
Further, before the authority application is sent to the designated authorization audit account, a submitted designated member list of the designated function module may be received, and the authority application is sent to the designated authorization audit account only when the user account matches one of the plurality of member accounts in that list. The designated member list comprises a plurality of member accounts of the same account type as the user account together with the designated authorization audit account, and the designated authorization audit account is used to authorize and de-authorize the plurality of member accounts with respect to the management authority of the designated function module.
It should be noted that the designated member list indicates that only the user accounts in it can apply for the management authority of the designated function module; user accounts outside the list cannot. The designated member list may be set in advance by a system administrator for the designated function module, that is, the system administrator may designate, for each function module of the management system, a member list and the authorization audit account within it.
Step 203: the management operation of the user account is controlled based on the allocated management authority.
Controlling the management operation of the user account based on the allocated management authority means restricting the user account to management operations within the range its management authority permits. For example, when the management authority of the user account is the access authority, the user account is allowed only to perform access operations on the management system, and operations other than access, such as modification and deletion, are refused.
Further, when the management authority allocated to the user account is the management authority of a certain functional module, the user account can only perform management operations within that authority on that functional module.
It should be noted that every user account logged in to the management system operates according to the management authority allocated to it. When the management system allocates management authority to all user accounts, all user accounts can execute the operations within that authority; when the management system allocates management authority to all user accounts of a designated functional module through the designated authorization audit account, all user accounts of that module can execute the operations within that authority; and when the management system allocates management authority to the user accounts of a designated account type of a designated functional module through the designated authorization audit account, only the user accounts of that account type on that module can execute the operations within that authority.
For example, when a user account sends an authority application to the designated authorization audit account requesting to view the information of a designated function module and the authorization succeeds, the user account can view the information of that module but cannot perform other operations such as modifying or deleting information; to perform such operations it must apply for the management authority again and may perform them only after that authorization succeeds.
In addition, after management authority has been allocated to a user account, the management system can release the management authority of the user account at any time in response to an operation request.
Step 204: when an authority release request for the user account is received, the management authority allocated to the user account is released.
Releasing the management authority allocated to the user account when an authority release request for it is received may comprise: when the management authority allocated to the user account is the management authority of a designated function module among the plurality of function modules of the management system, and an authority release request for the user account is received from the designated authorization audit account of that designated function module, releasing the management authority allocated to the user account. Here the designated authorization audit account is the authorization audit account of the same account type as the user account.
In addition to releasing the management authority of a single user account in response to an authority release request for that account, the management system may release the management authority of a plurality of user accounts as a whole. For example, the management authority of all user accounts of a certain account type may be released together, as may the management authorities of all members of a certain functional module, or of the members of a certain account type of a certain functional module.
In practical application, when a request to release the management authority of all user accounts in the management system is received, the management authority of all user accounts can be released as a whole; when a request to release the management authority of a certain account type is received, the management authority of all user accounts of that type can be released as a whole; when a request to release the management authority of a designated functional module is received, the management authority of all user accounts of that module can be released; and when a request to release the management authority of a designated account type of a designated functional module is received, the management authority of all user accounts of that account type on that module can be released.
For example, in supply chain management, when a request to release the management authority of the third-party account type on the sales module is received, the management authority of the third-party accounts on the sales module can be released as a whole. Releasing it leaves the authority management of the third-party accounts on other functional modules, such as the production module and the transportation module, unaffected, which effectively prevents the management authority of other account types, or of the same account type on other functional modules, from being released by mistake.
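As an added example, not the patent's own code, the following Python models the second implementation manner together with the release of step 204: per-module authorization audit accounts keyed by account type as in table 2, a designated member list checked before an application is routed, a decision accepted only from the same-type designated audit account, operation control within the granted level (step 203), single release by that audit account, and whole release of one account type on one module that leaves other modules and types untouched. The account and module names, the AuthorityServer class, the two-level OPERATIONS table, the tuple stored per grant and the log format are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class AccountType(Enum):
    OWNED = "owned"    # account issued by the management system itself
    IM = "im"          # instant messaging application account (third party)
    SOCIAL = "social"  # social software application account (third party)


@dataclass(frozen=True)
class Account:
    name: str
    type: AccountType


# Operations per level (assumed after the page's primary/secondary example).
OPERATIONS = {"first": frozenset({"view"}), "second": frozenset({"view", "modify"})}

# Table 2 style: per function module, one audit account per account type (constructed).
AUDITORS = {
    "production": {AccountType.OWNED: Account("A", AccountType.OWNED),
                   AccountType.IM: Account("B", AccountType.IM),
                   AccountType.SOCIAL: Account("C", AccountType.SOCIAL)},
    "sales": {AccountType.OWNED: Account("a", AccountType.OWNED),
              AccountType.IM: Account("b", AccountType.IM),
              AccountType.SOCIAL: Account("c", AccountType.SOCIAL)},
}

# Designated member lists per module and type: the only accounts allowed to apply (constructed).
MEMBERS = {
    "production": {AccountType.OWNED: {"alice"}, AccountType.IM: {"bob"}},
    "sales": {AccountType.IM: {"bob", "dave"}, AccountType.SOCIAL: {"carol"}},
}


class AuthorityError(Exception):
    """An application, decision or release that the rules do not permit."""


def designated_auditor(module, account_type, auditors=AUDITORS):
    """Take the module's audit accounts and select the one of the applicant's own type."""
    try:
        return auditors[module][account_type]
    except KeyError:
        raise AuthorityError(f"no {account_type.value} audit account for {module!r}") from None


class AuthorityServer:
    def __init__(self, auditors=AUDITORS, members=MEMBERS):
        self.auditors, self.members = auditors, members
        self.pending = {}  # (applicant name, module) -> (applicant, level, auditor)
        self.grants = {}   # (applicant name, module) -> (applicant, level, auditor name)
        self.log = []      # (action, actor, subject, module): who authorized whom

    def apply(self, applicant, module, level):
        """Member-list check, then route the application; returns the designated auditor."""
        if level not in OPERATIONS:
            raise AuthorityError("unknown management authority level")
        if applicant.name not in self.members.get(module, {}).get(applicant.type, ()):
            raise AuthorityError("applicant is not in the module's designated member list")
        auditor = designated_auditor(module, applicant.type, self.auditors)
        self.pending[(applicant.name, module)] = (applicant, level, auditor)
        return auditor

    def decide(self, auditor, applicant, module, approve):
        """Record the audit result; only the designated same-type auditor may decide."""
        key = (applicant.name, module)
        if key not in self.pending:
            raise AuthorityError("no pending application")
        account, level, expected = self.pending[key]
        if auditor != expected:
            raise AuthorityError("only the designated audit account of the same type may authorize")
        del self.pending[key]
        if approve:
            self.grants[key] = (account, level, auditor.name)  # auditor name = accountable party
        self.log.append(("approve" if approve else "deny", auditor.name, applicant.name, module))
        return approve

    def may(self, account, module, operation):
        """Step 203: permit only operations inside the level granted on that module."""
        grant = self.grants.get((account.name, module))
        return grant is not None and operation in OPERATIONS[grant[1]]

    def release(self, auditor, applicant, module):
        """Step 204: single release, accepted only from the module's auditor of the applicant's type."""
        if auditor != designated_auditor(module, applicant.type, self.auditors):
            raise AuthorityError("only the designated audit account of the same type may release")
        removed = self.grants.pop((applicant.name, module), None) is not None
        if removed:
            self.log.append(("release", auditor.name, applicant.name, module))
        return removed

    def release_type_on_module(self, module, account_type, actor):
        """Whole release of one account type on one module; other modules and types are untouched."""
        keys = [k for k, g in self.grants.items() if k[1] == module and g[0].type == account_type]
        for k in keys:
            del self.grants[k]
            self.log.append(("release", actor, k[0], module))
        return len(keys)


def rejected(fn, *args):
    """True if the call is refused under the authority rules (used by the demo and tests)."""
    try:
        fn(*args)
    except AuthorityError:
        return True
    return False
```

The log records which audit account approved or released which applicant on which module; that trail is the accountability the disclosure relies on after a security incident, and the same-type check in decide and release is what stops an owned-type audit account from authorizing or revoking a third-party account.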
In summary, according to the embodiment of the present disclosure, when it is detected that a user account has successfully logged in to a management system, the account type of the user account is determined, management authority is allocated to the user account according to that account type, and the management operation of the user account is then controlled based on the allocated management authority. In addition, when management authority is allocated on the basis of an authority application, a designated authorization audit account is selected for the designated function module and audits and authorizes the application. Because the designated authorization audit account is familiar with the business process of the designated function module, it can audit and authorize management authority according to the actual situation, avoiding the problems of blind authorization by a system administrator while preserving centralized management; after a security incident, the responsible person can be determined quickly and accurately through the authorization audit account, which resolves the gap of the related technology in which responsible persons could not be effectively identified, strengthens the authority control capability of the system and enhances its security.
Fig. 3 is a schematic structural diagram of a rights management device according to an embodiment of the disclosure. Referring to fig. 3, the apparatus includes: a determination module 301, an assignment module 302, and a control module 303.
The determining module 301 is configured to determine an account type of a user account when it is detected that the user account successfully logs in a management system, where the account type is an own account type of the management system or a third-party account type;
an allocation module 302, configured to allocate management permissions to the user account based on the account type;
and a control module 303, configured to control a management operation of the user account based on the assigned management authority.
Optionally, the assignment module 302 includes:
the first determining submodule is used for determining the management authority corresponding to the account type based on the stored type authority corresponding relation, wherein the type authority corresponding relation comprises the owned account type and the corresponding management authority, and the management authority corresponding to a plurality of third party account types and each third party account type respectively;
and the second determining submodule is used for determining the management authority corresponding to the account type as the management authority of the user account.
Optionally, the management system includes a plurality of functional modules, and different functional modules are used for executing different management services;
the determination module 301 includes:
a third determining submodule, configured to determine the account type of the user account when it is detected that the user account has successfully logged in to the management system and an authority application sent by the user account is received;
wherein the authority application comprises a user account identifier and the identifier of a designated function module for which management authority is applied, the user account identifier indicating the type of the user account;
accordingly, the assignment module 302 includes:
a fourth determining sub-module, configured to determine a designated authorized audit account based on the account type and the identifier of the designated functional module;
the sending submodule is used for sending the permission application to the specified authorization checking account;
and the fifth determining submodule is used for determining the management authority of the user account based on the authorization and audit result of the specified authorization and audit account.
Optionally, the fourth determining submodule is configured to:
determining a plurality of authorized auditing accounts corresponding to the appointed function module based on the identification of the appointed function module and the corresponding relation between the stored identification of the function module and the authorized auditing accounts, wherein the authorized auditing accounts are the authorized auditing accounts corresponding to a plurality of account types;
selecting an authorization audit account with the same account type as the user account from the plurality of authorization audit accounts;
and determining the selected authorization audit account as the designated authorization audit account.
Optionally, the allocating module 302 further comprises:
the receiving submodule is used for receiving the submitted appointed member list of the appointed functional module;
the appointed member list comprises a plurality of member accounts of which the account types are the same as those of the user account and an appointed authorization audit account, and the appointed authorization audit account is used for authorizing and de-authorizing the plurality of member accounts aiming at the management authority of the appointed function module;
accordingly, the sending submodule is configured to:
and when the user account is the same as any one of the plurality of member accounts, sending the permission application to the appointed authorization auditing account.
Optionally, the apparatus further comprises:
a release module, configured to release the management authority allocated to the user account when that management authority is the management authority of a designated function module among the plurality of function modules of the management system and an authority release request for the user account sent by the designated authorization audit account of the designated function module is received;
wherein different functional modules among the plurality execute different management services, and the designated authorization audit account is an authorization audit account of the same account type as the user account.
In summary, in the embodiment of the present disclosure, when it is detected that a user account successfully logs in a management system, an account type of the user account is determined, so as to allocate a management right to the user account according to the user account type of the login management system, and then control a management operation of the user account based on the allocated management right.
It should be noted that: in the rights management device provided in the above embodiment, only the division of the functional modules is exemplified when performing the rights management, and in practical applications, the function distribution may be completed by different functional modules according to needs, that is, the internal structure of the server is divided into different functional modules to complete all or part of the functions described above. In addition, the right management apparatus and the right management method provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments and are not described herein again.
Fig. 4 is a schematic structural diagram of a rights management device 400 according to an embodiment of the disclosure. For example, the apparatus 400 may be provided as a server. Referring to fig. 4, the apparatus 400 includes a processor 422, which further includes one or more processors, and memory resources, represented by memory 432, for storing instructions, such as applications, that are executable by the processor 422. The application programs stored in memory 432 may include one or more modules that each correspond to a set of instructions. Further, processor 422 is configured to execute instructions to perform the methods provided by the embodiments illustrated in fig. 1-2 and described above.
The apparatus 400 may also include a power component 426 configured to perform power management of the apparatus 400, a wired or wireless network interface 450 configured to connect the apparatus 400 to a network, and an input/output (I/O) interface 458. The apparatus 400 may operate based on an operating system stored in the memory 432, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, or the like.
In an exemplary embodiment, a non-transitory computer readable storage medium comprising instructions, such as the memory 432 comprising instructions, executable by the processor 422 of the apparatus 400 to perform the above-described method is also provided. For example, the non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (6)

1. A method for managing authority, which is applied to a server, comprises the following steps:
when it is detected that a user account has successfully logged in to a management system and an authority application sent by the user account is received, determining the account type of the user account, wherein the authority application comprises a user account identifier and the identifier of a designated function module for which management authority is applied, the user account identifier is used for indicating the type of the user account, the account type is the owned account type of the management system or a third-party account type, and the third-party account type is any account type other than the owned account type provided by the management system;
determining a designated authorization audit account based on the account type and the identifier of the designated functional module, sending the authority application to the designated authorization audit account, and determining the management authority of the user account based on the authorization audit result of the designated authorization audit account;
controlling the management operation of the user account based on the allocated management authority; and, when an authority release request for the user account sent by the designated authorization audit account of the designated functional module is received, releasing the management authority allocated to the user account, wherein the designated authorization audit account is an authorization audit account of the same account type as the user account;
the management system comprises a plurality of functional modules for executing different management services, wherein each functional module in the plurality of functional modules corresponds to a plurality of authorization checking accounts, the plurality of authorization checking accounts are authorization checking accounts corresponding to a plurality of account types, and each authorization checking account is used for authorization checking of a corresponding user account;
before sending the permission application to the designated authorized audit account, the method further includes:
receiving a submitted appointed member list of the appointed function module, wherein the appointed member list comprises a plurality of member accounts with the same account types as the user account and an appointed authorization auditing account, the appointed authorization auditing account is used for authorizing and de-authorizing the plurality of member accounts aiming at the management authority of the appointed function module, and different function modules correspond to different member lists;
correspondingly, the sending the permission application to the designated authorized audit account includes:
and when the user account is the same as any one of the plurality of member accounts, sending the permission application to the appointed authorization auditing account.
2. The method of claim 1, wherein determining a designated authorization audit account based on the account type and the identifier of the designated function module comprises:
determining a plurality of authorization audit accounts corresponding to the designated function module based on the identifier of the designated function module and a stored correspondence between the identifier of the designated function module and the authorization audit accounts;
selecting, from the plurality of authorization audit accounts, an authorization audit account of the same account type as the user account;
and determining the selected authorization audit account as the designated authorization audit account.
3. An authority management device, applied to a server, the device comprising:
a determining module, configured to determine the account type of a user account when detecting that the user account has successfully logged in to a management system, wherein the account type is either the management system's own account type or a third-party account type, and a third-party account type is any account type other than the own account type provided by the management system;
an allocation module, configured to allocate management authority to the user account based on the account type;
a control module, configured to control the management operations of the user account based on the allocated management authority;
wherein the management system comprises a plurality of function modules that execute different management services, each function module corresponding to a plurality of authorization audit accounts, the plurality of authorization audit accounts corresponding to a plurality of account types, and each authorization audit account being used for the authorization audit of the corresponding user account;
the determining module comprises:
a third determining submodule, configured to determine the account type of the user account when detecting that the user account has successfully logged in to the management system and receiving the authority application sent by the user account;
wherein the authority application comprises a user account identifier and an identifier of a designated function module for which management authority is applied, the user account identifier being used to indicate the type of the user account;
correspondingly, the allocation module comprises:
a fourth determining submodule, configured to determine a designated authorization audit account based on the account type and the identifier of the designated function module;
a sending submodule, configured to send the authority application to the designated authorization audit account;
a fifth determining submodule, configured to determine the management authority of the user account based on the authorization audit result of the designated authorization audit account;
the fourth determining submodule is mainly configured to:
determine a plurality of authorization audit accounts corresponding to the designated function module based on the identifier of the designated function module and a stored correspondence between the identifier of the designated function module and the authorization audit accounts;
select, from the plurality of authorization audit accounts, an authorization audit account of the same account type as the user account;
and determine the selected authorization audit account as the designated authorization audit account;
the allocation module further comprises:
a receiving submodule, configured to receive a submitted designated member list of the designated function module;
wherein the designated member list comprises a plurality of member accounts of the same account type as the user account and the designated authorization audit account, the designated authorization audit account is used for authorizing and de-authorizing the plurality of member accounts with respect to the management authority of the designated function module, and different function modules correspond to different member lists;
correspondingly, the sending submodule is mainly configured to:
send the authority application to the designated authorization audit account when the user account matches any one of the plurality of member accounts;
the device further comprises:
a release module, configured to release the management authority allocated to the user account when receiving an authority release request for the user account sent by the designated authorization audit account of the designated function module, wherein the designated authorization audit account is an authorization audit account of the same account type as the user account.
4. The device of claim 3, wherein the allocation module comprises:
a first determining submodule, configured to determine the management authority corresponding to the account type based on a stored type-authority correspondence, wherein the type-authority correspondence comprises the own account type with its corresponding management authority, and a plurality of third-party account types with the management authority corresponding to each third-party account type;
and a second determining submodule, configured to determine the management authority corresponding to the account type as the management authority of the user account.
5. A rights management apparatus, characterized in that the apparatus comprises:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to perform the steps of the method of any one of claims 1-2.
6. A computer readable storage medium having instructions stored thereon, wherein the instructions, when executed by a processor, implement the steps of the method of any of claims 1-2.
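The workflow of claims 1 to 4 (derive the account type from the account identifier, select the function module's audit account of the same type, admit only accounts on that module's member list, allocate authority on approval, and honour a release request only from that same audit account), worked through as an added Python example. This is illustration code, not the patent's or the applicant's implementation; the derivation of the account type from an `@provider` suffix, the module name `billing`, all account names, the baseline rights table and every function name are constructed assumptions.

```python
"""Authorization-audit workflow of claims 1-4 (added example, not the patent's code).
Constructed assumptions: the account type is read from an '@provider' suffix; the
module 'billing', every account name and the baseline rights table are made up."""
from dataclasses import dataclass
import itertools

OWN = "own"  # the management system's own account type


def account_type(user_id: str) -> str:
    """Claim 1: the identifier indicates the type. Assumption: third-party ids carry '@provider'."""
    return user_id.split("@", 1)[1] if "@" in user_id else OWN


@dataclass
class MemberList:
    auditor: str        # the designated authorization audit account
    members: frozenset  # member accounts of the same type as the auditor


@dataclass
class Application:
    user: str
    module: str
    auditor: str
    decided: bool = False
    approved: bool = False


class PermissionManager:
    def __init__(self, type_rights: dict, audit_accounts: dict):
        self.type_rights = type_rights        # claim 4: account type -> baseline authority
        self.audit_accounts = audit_accounts  # claim 2: module -> {account type -> audit account}
        self.member_lists = {}                # (module, account type) -> MemberList
        self.applications = {}                # application id -> Application
        self.granted = set()                  # (user, module) pairs holding management authority
        self._ids = itertools.count(1)

    def baseline_authority(self, user_id: str) -> frozenset:
        """Claim 4: the stored type-authority correspondence decides the baseline."""
        return self.type_rights.get(account_type(user_id), frozenset())

    def submit_member_list(self, module: str, auditor: str, members) -> None:
        """Claim 1: per-module list naming one audit account and members of its type."""
        t = account_type(auditor)
        if self.audit_accounts.get(module, {}).get(t) != auditor:
            raise PermissionError(f"{auditor} is not the {t!r} audit account of {module!r}")
        if any(account_type(m) != t for m in members):
            raise ValueError("member accounts must share the auditor's account type")
        self.member_lists[(module, t)] = MemberList(auditor, frozenset(members))

    def apply(self, user_id: str, module: str) -> int:
        """Claims 1-2: route to the module's same-type audit account, members only."""
        t = account_type(user_id)
        auditor = self.audit_accounts.get(module, {}).get(t)
        if auditor is None:
            raise LookupError(f"no {t!r} audit account for module {module!r}")
        mlist = self.member_lists.get((module, t))
        if mlist is None or user_id not in mlist.members:
            raise PermissionError(f"{user_id} is not on the member list of {module!r}")
        app_id = next(self._ids)
        self.applications[app_id] = Application(user_id, module, auditor)
        return app_id

    def audit(self, app_id: int, auditor: str, approved: bool) -> bool:
        """Only the designated audit account decides, once; approval allocates authority."""
        app = self.applications[app_id]
        if auditor != app.auditor or app.decided:
            raise PermissionError("decision must come from the designated audit account, once")
        app.decided, app.approved = True, approved
        if approved:
            self.granted.add((app.user, app.module))
        return approved

    def may_operate(self, user_id: str, module: str) -> bool:
        """Control of management operations: allowed only while the grant exists."""
        return (user_id, module) in self.granted

    def release(self, user_id: str, module: str, requester: str) -> None:
        """Claim 1: release only from the module's audit account of the user's type."""
        if self.audit_accounts.get(module, {}).get(account_type(user_id)) != requester:
            raise PermissionError(f"{requester} may not release {user_id}'s authority on {module!r}")
        self.granted.discard((user_id, module))


def demo() -> PermissionManager:
    """Constructed scenario: one module with one audit account per account type."""
    pm = PermissionManager(
        type_rights={OWN: frozenset({"view_dashboard"}), "partner-a": frozenset({"view_reports"})},
        audit_accounts={"billing": {OWN: "audit-own", "partner-a": "audit-a@partner-a"}},
    )
    pm.submit_member_list("billing", "audit-a@partner-a", {"alice@partner-a", "bob@partner-a"})
    app_id = pm.apply("alice@partner-a", "billing")
    pm.audit(app_id, "audit-a@partner-a", approved=True)
    return pm
```

The property worth checking in a review of such a design is that type separation holds on both paths: the audit account is selected by the applicant's type, so the system's own audit account can neither approve nor release a third-party account's authority, and an account absent from a module's member list never reaches an auditor at all.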
CN201711031078.XA 2017-10-30 2017-10-30 Authority management method, device and storage medium Active CN107832592B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711031078.XA CN107832592B (en) 2017-10-30 2017-10-30 Authority management method, device and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711031078.XA CN107832592B (en) 2017-10-30 2017-10-30 Authority management method, device and storage medium

Publications (2)

Publication Number Publication Date
CN107832592A CN107832592A (en) 2018-03-23
CN107832592B true CN107832592B (en) 2020-11-10

Family

ID=61650963

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711031078.XA Active CN107832592B (en) 2017-10-30 2017-10-30 Authority management method, device and storage medium

Country Status (1)

Country Link
CN (1) CN107832592B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109711988A (en) * 2018-12-14 2019-05-03 北京向上一心科技有限公司 Management method, managing device, equipment and the medium of stock account
CN110162946B (en) * 2019-05-30 2022-08-16 奇安信科技集团股份有限公司 Mobile storage management and control method and device
CN110895606B (en) * 2019-11-14 2022-06-07 上海易点时空网络有限公司 Internal system management method and device suitable for newly-built account and storage medium
CN112434333B (en) * 2020-11-23 2022-04-08 中原银行股份有限公司 Event management method, device and system
CN113011616A (en) * 2021-04-23 2021-06-22 贵州兴泰科技有限公司 Permission management system and management method applied to maintenance cloud service platform
CN114637977A (en) * 2022-01-26 2022-06-17 安徽点亮网络技术有限公司 Account authority management method, system and device based on finger vein authentication

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420690B (en) * 2010-09-28 2014-05-21 上海可鲁系统软件有限公司 Fusion and authentication method and system of identity and authority in industrial control system
US9081982B2 (en) * 2011-04-18 2015-07-14 Raytheon Company Authorized data access based on the rights of a user and a location
CN102546770B (en) * 2011-12-26 2015-05-27 中兴通讯股份有限公司 Unified account management method and third-party account management system
CN104065612B (en) * 2013-03-18 2017-11-14 中国移动通信集团公司 A kind of user management method, device and Union user management system
CN104702421B (en) * 2013-12-05 2019-01-18 中国银联股份有限公司 Configuration management system based on Web
US9355235B1 (en) * 2013-12-06 2016-05-31 Emc Corporation Validating a user of a virtual machine for administrator/root access
CN105205580A (en) * 2014-06-30 2015-12-30 青岛日日顺物流有限公司 Authority setting method and system
CN104392299A (en) * 2014-10-29 2015-03-04 中国建设银行股份有限公司 Business information processing method and system
CN106445399A (en) * 2015-08-05 2017-02-22 中兴通讯股份有限公司 Control method of storage system, and storage system
CN105809021A (en) * 2016-03-04 2016-07-27 深圳市茁壮网络股份有限公司 Method and device for distributing user permissions
CN106411837A (en) * 2016-05-30 2017-02-15 深圳市永兴元科技有限公司 Privilege management method and apparatus
CN106445824B (en) * 2016-09-30 2019-06-25 南京途牛科技有限公司 A kind of interface synthesis management system of based role
CN106778345B (en) * 2016-12-19 2019-10-15 网易(杭州)网络有限公司 The treating method and apparatus of data based on operating right

Also Published As

Publication number Publication date
CN107832592A (en) 2018-03-23

Similar Documents

Publication Publication Date Title
CN107832592B (en) Authority management method, device and storage medium
US8572709B2 (en) Method for managing shared accounts in an identity management system
US9692765B2 (en) Event analytics for determining role-based access
CN109474632B (en) Method, apparatus, system, and medium for authenticating and managing rights of user
EP3805961A1 (en) Systems and method for authenticating users of a data processing platform from multiple identity providers
US20190229922A1 (en) Authentication and authorization using tokens with action identification
US9356939B1 (en) System and method for dynamic access control based on individual and community usage patterns
KR20090106541A (en) Time based permissioning
US10178103B2 (en) System and method for accessing a service
US20180351957A1 (en) Centralized Authenticating Abstraction Layer With Adaptive Assembly Line Pathways
US20130144633A1 (en) Enforcement and assignment of usage rights
US10044722B2 (en) Behavioral multi-level adaptive authorization mechanisms
CN109766708B (en) Data resource access method, system, computer system and storage medium
US9026456B2 (en) Business-responsibility-centric identity management
CN105959309A (en) User permission management method and system
CN111062028A (en) Authority management method and device, storage medium and electronic equipment
US9760734B2 (en) Catalog-based user authorization to access to multiple applications
US20240007458A1 (en) Computer user credentialing and verification system
US20130085800A1 (en) System and Method of Business Risk Based Authorization
CN113722725A (en) Resource data acquisition method and system
US20230179591A1 (en) Mechanism of common authentication for both supervisor and guest clusters
US9836711B2 (en) Job execution system, job execution program, and job execution method
KR102108125B1 (en) A method for allocating a service and an apparatus for allocating a service
CN112491848A (en) Method and equipment for supporting extensible secure docking of third-party system
JP6957223B2 (en) Information processing system, control method and its program

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant