CN110348184B - Industrial cloud-based permission resource configuration method, system and storage medium - Google Patents

Info

Publication number: CN110348184B
Authority: CN (China)
Prior art keywords: resource, attribute value, authority, resources, attribute
Legal status: Active
Application number: CN201910451892.XA
Other languages: Chinese (zh)
Other versions: CN110348184A (en)
Inventors: 索寒生, 谌湘临, 谭红星, 刘玉龙, 熊剑峰
Current assignee: Petro CyberWorks Information Technology Co Ltd
Original assignee: Petro CyberWorks Information Technology Co Ltd
Application filed by Petro CyberWorks Information Technology Co Ltd with priority to CN201910451892.XA; published as CN110348184A, then granted and published as CN110348184B.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention relates to a permission resource configuration method, system and storage medium based on an industrial cloud. The method comprises the following steps: abstracting the permission resources into different attributes according to resource type; extracting the ID and the code of each resource item in the permission resources as an attribute value under the attribute corresponding to those resources; for each attribute value, querying whether the corresponding resource item exists, doing nothing if it exists and making the attribute value invalid if it does not; for each resource item, querying by its ID and code whether a corresponding attribute value exists, doing nothing if it exists and, if it does not, taking the ID and code of that resource item as the attribute value under the attribute to which it belongs, so that the resource attribute values are synchronized; and combining each attribute value with an operation to form a permission, granting the permission to a role, and granting the role to a user.

Description

Industrial cloud-based permission resource configuration method, system and storage medium
Technical Field
The invention relates to the technical field of authority management of industrial application, in particular to an authority resource configuration method, an authority resource configuration system and a storage medium based on an industrial cloud.
Background
The industrial internet (industrial cloud) refers to a complete, organically interconnected information system formed by a decision and command system concentrated at the cloud end and the various business production systems distributed across a production enterprise. Industrial internet application systems include, for example, an enterprise information management system (ERP), a production and manufacturing information management system (MES), an equipment health management system, an energy and environmental protection system and a scheduling command system. The business processes of these application systems depend closely on permission services; for example, approval of equipment and the production scheduling command process must be access-controlled, which concerns permission management of each application's business data resources. Permission resource management exists to control user access to application system resources: a user is controlled according to security rules or a security policy and can access only the resources authorized to them.
However, different industrial internet application systems have permission resources of different types and specificities, and the data volume is huge, so the permission resources cannot be stored in the permission resource management system one by one. How to provide unified permission setting and resource management for different industrial internet application systems is a technical problem in the prior art.
Currently, permission resource management mainly uses two access control policies: the ACL (access control list) model and the RBAC (role-based access control) model.
Access control based on the ACL model forms, for each resource, a list of whether it can be accessed, linking users directly to permissions. However, granting becomes more complex, the permission data is huge and hard to maintain, the principle of least privilege is difficult to realize, and ACL-based access control has the characteristic of a complex security policy, so authorization efficiency is seriously affected.
In the RBAC model, roles are associated with permissions, and users obtain the permissions of the appropriate roles by becoming members of those roles. The advantage of this design is that a user only needs to be granted the appropriate role, and a role can hold various permissions and can be inherited. However, the limitation of existing RBAC-based control methods is that the range of controlled resource types is relatively narrow: each resource type needs its own permission data, and different types of permission resources are often difficult to manage together, so the implementation process is complex and cannot be used flexibly.
Therefore, neither prior-art permission resource management method adapts well to unified permission setting and resource management for the permission resources of different industrial internet application systems.
Disclosure of Invention
To solve these technical problems, the invention provides an industrial cloud-based permission system solution based on the RBAC model. It realizes unified management and configuration of different types of permission resources in different industrial internet application systems, is suitable for managing industrial cloud-based permission resources, and makes unified permission setting and resource management for different industrial internet application systems possible.
According to one aspect of the invention, a permission resource configuration method based on an industrial cloud is provided, which comprises the following steps:
abstracting the permission resources into different attributes according to resource type;
extracting the ID and the code of each resource item in the permission resources as an attribute value under the attribute corresponding to those resources;
for each attribute value, querying whether the corresponding resource item exists; if it exists, not processing, and if it does not exist, making the attribute value invalid;
for each resource item, querying by its ID and code whether a corresponding attribute value exists; if so, not processing, and if not, taking the ID and code of that resource item as the attribute value under the attribute to which it belongs, so as to realize synchronization of the resource attribute values; and
combining each attribute value with an operation to form a permission, granting the permission to a role, and granting the role to a user, to implement the permission resource configuration.
Preferably, the method is applied to a business system, the permission resources include static resources and dynamic resources, the static resources include menus, pages, page controls and page elements, and the dynamic resources include business data of the business system using the permission system.
Preferably, the abstracting the privilege resource into different attributes according to resource types includes:
abstracting the static resource into menu page attributes; and
abstracting the dynamic resource into data attributes.
Preferably, combining each attribute value and operation to form a permission comprises:
generating authentication objects by configuring operations on attribute values, such that at least one authentication object is included in each permission.
Preferably, the operation refers to a permission operation that can be performed on the permission resource, and the permission operation can be customized and supports dynamic expansion, including but not limited to: add, delete, modify, query, import, and export.
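The five method steps above, as an added Python illustration that is not code from the patent: resource items are abstracted into the two attributes named in the text (static resources into a menu page attribute, dynamic resources into a data attribute), only their ID and code are kept as attribute values, a resource change is synchronized by the two lookups (value to item, item to value), and permissions are built from authentication objects and granted to roles and users. The class and function names, the sample resource items, the user and role names and the `OPERATIONS` set are assumptions for the example.

```python
from dataclasses import dataclass

# Added illustration: names, sample resources and the OPERATIONS set are assumptions,
# not code from the patent.

# Permission operations that may be combined with an attribute value: the default
# set named in the text; a deployment may extend it dynamically.
OPERATIONS = {"add", "delete", "modify", "query", "import", "export"}

# Step 1: resource types are abstracted into two attributes
# (static resources -> menu_page, dynamic resources -> data).
ATTRIBUTE_OF_TYPE = {"menu": "menu_page", "page": "menu_page", "data": "data"}

@dataclass(frozen=True)
class ResourceItem:
    """A resource item as the business system holds it; only ID, code and type matter here."""
    id: int
    code: str
    resource_type: str

@dataclass
class AttributeValue:
    """The (ID, code) pair extracted from a resource item; `valid` is cleared on desync."""
    id: int
    code: str
    valid: bool = True

@dataclass(frozen=True)
class AuthObject:
    """Authentication object: one attribute value plus one permitted operation."""
    attribute: str
    value_id: int
    value_code: str
    operation: str

def abstract_resources(resources):
    """Steps 1-2: group items by attribute, keeping only (ID, code) as attribute values."""
    attrs = {}
    for r in resources:
        values = attrs.setdefault(ATTRIBUTE_OF_TYPE[r.resource_type], {})
        values[(r.id, r.code)] = AttributeValue(r.id, r.code)
    return attrs

def synchronize(attrs, resources):
    """Steps 3-4 on a resource change: invalidate orphaned values, add values for new items."""
    present = {(r.id, r.code): r for r in resources}
    for values in attrs.values():                 # step 3: value -> item lookup
        for key, value in values.items():
            if key not in present:
                value.valid = False               # item is gone, so the value is invalid
    for key, r in present.items():                # step 4: item -> value lookup
        values = attrs.setdefault(ATTRIBUTE_OF_TYPE[r.resource_type], {})
        if key not in values:                     # existing values are not processed
            values[key] = AttributeValue(r.id, r.code)
    return attrs

class PermissionSystem:
    """Step 5: permission = set of auth objects; permission -> role -> user."""

    def __init__(self, attrs):
        self.attrs = attrs
        self.permissions = {}   # permission name -> frozenset[AuthObject]
        self.roles = {}         # role -> set of permission names
        self.users = {}         # user -> set of roles

    def define_permission(self, name, auth_objects):
        if not auth_objects:
            raise ValueError("a permission needs at least one authentication object")
        for ao in auth_objects:
            if ao.operation not in OPERATIONS:
                raise ValueError(f"unknown operation {ao.operation!r}")
            if (ao.value_id, ao.value_code) not in self.attrs.get(ao.attribute, {}):
                raise ValueError(f"no attribute value {ao.value_code!r} under {ao.attribute!r}")
        self.permissions[name] = frozenset(auth_objects)

    def grant_permission_to_role(self, role, permission):
        self.roles.setdefault(role, set()).add(permission)

    def grant_role_to_user(self, user, role):
        self.users.setdefault(user, set()).add(role)

    def is_allowed(self, user, attribute, code, operation):
        """Authentication check; an invalidated attribute value never grants access."""
        values = self.attrs.get(attribute, {})
        for role in self.users.get(user, ()):
            for name in self.roles.get(role, ()):
                for ao in self.permissions[name]:
                    if (ao.attribute, ao.value_code, ao.operation) != (attribute, code, operation):
                        continue
                    value = values.get((ao.value_id, ao.value_code))
                    if value is not None and value.valid:
                        return True
        return False

def demo():
    """Constructed walk-through: configure, authorize, then change resources and resync."""
    resources = [ResourceItem(1, "EQ_MENU", "menu"), ResourceItem(11, "Demo_Page", "page"),
                 ResourceItem(101, "AREA_A", "data"), ResourceItem(102, "AREA_B", "data")]
    ps = PermissionSystem(abstract_resources(resources))
    ps.define_permission("area_a_operator", [AuthObject("menu_page", 11, "Demo_Page", "query"),
                                             AuthObject("data", 101, "AREA_A", "modify")])
    ps.grant_permission_to_role("operator", "area_a_operator")
    ps.grant_role_to_user("zhangsan", "operator")
    before = (ps.is_allowed("zhangsan", "data", "AREA_A", "modify"),
              ps.is_allowed("zhangsan", "data", "AREA_B", "modify"),
              ps.is_allowed("zhangsan", "data", "AREA_A", "delete"))
    # Business change: AREA_A is decommissioned and AREA_C appears; no table or code changes.
    changed = [r for r in resources if r.code != "AREA_A"] + [ResourceItem(103, "AREA_C", "data")]
    synchronize(ps.attrs, changed)
    after = ps.is_allowed("zhangsan", "data", "AREA_A", "modify")
    return before, after, sorted(k for k, v in ps.attrs["data"].items() if v.valid)
```

`synchronize` mutates the attribute values in place rather than rebuilding tables, which is the point the text makes about business changes not requiring schema or code edits; `is_allowed` reads the `valid` flag at check time, so a permission that still references a decommissioned resource is denied immediately after the sync without having to rewrite the permission itself.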
According to another aspect of the present invention, there is provided an industrial cloud-based right resource configuration system, including:
the abstraction module is used for abstracting the authority resources into different attributes according to the resource types;
the synchronous module is used for processing resource initialization and resource change, and the ID and the code of each resource item in the authority resources are extracted as the attribute value under the attribute corresponding to the authority resources during the resource initialization; when the resource is changed, inquiring whether the resource item corresponding to each attribute value exists or not, if the resource item corresponding to the attribute value exists, not processing, and if the resource item corresponding to the attribute value does not exist, making the attribute value invalid; inquiring whether the attribute value corresponding to each resource item exists according to the ID and the code of each resource item, if so, not processing, and if not, regarding the resource item without the attribute value and corresponding to the attribute value, taking the ID and the code of the resource item as the attribute value under the attribute to which the resource item belongs; and
a configuration module to combine each attribute value and operation to form a permission, to grant the permission to the role, and to grant the role to the user.
Preferably, the permission resources include static resources and dynamic resources, the static resources include menus, pages, page controls and page elements, and the dynamic resources include business data of a business system that uses the permission resource configuration system; and the abstraction module is further configured to:
abstracting the static resource into menu page attributes; and
abstracting the dynamic resource into data attributes.
Preferably, combining each attribute value and operation to form a permission comprises:
generating authentication objects by configuring operations on attribute values, such that at least one authentication object is included in each permission.
Preferably, the operation refers to a permission operation that can be performed on the permission resource, and the permission operation can be customized and supports dynamic expansion, including but not limited to: add, delete, modify, query, import, and export.
According to another aspect of the present invention, there is provided a storage medium having stored thereon executable code, which, when executed by a processor, causes the processor to perform the industrial cloud-based privilege resource configuration method provided by the present invention.
Compared with the prior art, one or more embodiments in the above scheme can have the following advantages or beneficial effects:
According to the industrial cloud-based permission resource configuration method and system provided by embodiments of the invention, for the permission resources of different industrial internet application systems, the ID and the code of each resource item are extracted as attribute values under the attribute corresponding to those resources. This realizes unified configuration and management of different types of permission resources across different industrial internet application systems, and suits the data of a business system that uses the permission resource configuration system, namely data that can be placed under permission control, such as device data and boundary zone data.
In the authorization process, only the corresponding permission needs to be allocated to each attribute value; no resource table or resource-permission association table needs to be established per permission resource type, which greatly shortens permission resource allocation. When business requirements change, synchronization of the permission resources is realized through the system's own querying and processing, with no need to modify back-end code or the resource tables and resource-permission association tables of the different permission resources. The method and system are therefore easy to maintain, flexible and convenient to use, and easy to extend.
The invention abstracts and manages data of different resource types uniformly, reduces the development and maintenance cost of the permission system, and facilitates uniform processing of different industrial internet application systems.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
Fig. 1 schematically shows the RBAC model.
Fig. 2 schematically illustrates a schematic diagram of an existing RBAC model-based right resource configuration.
FIG. 3 shows a flowchart of an industrial cloud-based privilege resource configuration method according to an embodiment of the invention.
Fig. 4 illustrates a UML class diagram of an industrial cloud-based privilege resource configuration method according to an embodiment of the present invention.
FIG. 5 schematically illustrates a block diagram of an industrial cloud-based rights resource configuration system, according to an embodiment of the invention.
Detailed Description
The following detailed description of the embodiments of the present invention will be provided with reference to the drawings and examples, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that, as long as there is no conflict, the embodiments and the features of the embodiments of the present invention may be combined with each other, and the technical solutions formed are within the scope of the present invention.
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details or with a specific implementation described herein.
To better understand the industrial cloud-based permission system solution of the present invention, the principle of the RBAC model is first briefly described.
RBAC supports recognized security principles: the principle of least privilege, the principle of separation of duties and the principle of data abstraction. These three principles are explained in detail in the prior art and are not described here. RBAC contains Users, Roles, Permissions, Objects, Operations, Assignments and Session information, and the RBAC model indicates the relationships between users, roles, access rights and sessions.
Fig. 1 schematically shows the RBAC model. As shown in fig. 1, five basic data elements of a user, a role, an object, an operation, and a permission are contained in the RBAC model. And a session represents a mapping between a user and a set of active roles.
In the RBAC model, a user refers to a person under an organization, and is a specific person. For any user, first, he must belong to a certain department, which is an administrative unit, and a certain department may also contain a plurality of users. For example, if a company has 10 employees in the market department, the market department is a department, and the 10 employees are 10 users, so that the relationship between the department and the users is a one-to-many relationship.
A role is the carrier of a permission, with the aim of isolating the logical relationship between a user and a permission. One role may include multiple users, and one user may also belong to multiple roles, so the relationship between role and user is many-to-many. For example, Zhang San serves as both research and development department manager and deputy general manager of a company, so the user Zhang San has two roles, one being research and development department manager and the other deputy general manager; this shows that a user can belong to multiple roles. For another example, the company's deputy general managers include Li Si and Wang Wu in addition to Zhang San, so the role of deputy general manager has three users, Zhang San, Li Si and Wang Wu; this shows that a role may contain multiple users.
A permission is a collection of a certain number of rights and is the subject of the permission management system; it includes objects and operations. Objects are generally resources, which are summarized simply as static resources (menus, pages, page controls and page elements) and dynamic resources (data), also referred to as object resources and data resources respectively. The operation is customizable, supports dynamic expansion, and includes, but is not limited to, add, delete, modify, query, import and export operations.
In the RBAC model, permissions are assigned directly to roles rather than to users. When a role is assigned to a user, the user holds the permissions the role contains. In most cases the relationship among user, role and permission can be regarded as a container holding multiple users and multiple permissions, where users and permissions are in a many-to-many relationship and a user is associated with a permission through a role.
Fig. 2 schematically illustrates a schematic diagram of an existing RBAC model-based right resource configuration. As shown in fig. 2, the existing resource configuration based on the RBAC model requires a different resource table to be established in the database for each type of resource, for example, a menu table is required to be established for a menu resource, and a page element table is required to be established for a page resource. Moreover, different resource-authority association tables need to be established for different resources to represent the association relationship between the resources and the authorities. Once the service requirement changes, such as adding a certain type of resource or deleting a certain type of resource, the resource table and the resource-authority association table of the corresponding different authority resources in the database must be modified, which will greatly increase the workload of the configuration personnel, and is further not beneficial to the configuration and management of multiple types of resources.
Example one
With the change of business requirements and the change of resource types, the traditional authority resource configuration needs to modify development codes and database table structures to realize the changes, thereby affecting the flexibility and efficiency to a certain extent and being not well suitable for the unified management of the authority resources of different industrial internet application systems. In order to solve the technical problems that configuration and management of authority resources of different industrial internet application systems are difficult, the implementation process is complex and the authority resources cannot be flexibly used during distribution and control in the prior art, an embodiment of the invention provides an authority system solution based on an industrial cloud.
The solution mainly comprises: 1. establishing a permission distribution model based on the traditional RBAC model; 2. a management method based on permission resources, which enables one permission system to manage the permissions of multiple application systems.
The solution is mainly realized by the following three steps:
Step one: establish a permission distribution model based on the traditional RBAC model. Referring to fig. 1, the basic concepts of the RBAC model have been explained above and are not repeated here; in outline, the basic flow grants a user a permission by establishing associations between role and user and between role and permission.
Step two: perform abstraction, synchronization and unified configuration of the permission resources, so as to complete unified management and distribution of the permission resources, conveniently and quickly form reasonable permissions, and complete the establishment of the permission system in combination with the permission distribution model of step one.
Step three: provide authentication services externally through a unified, standardized permission interface. The industrial application system obtains the information of the currently logged-in user through the permission interface (including but not limited to single sign-on and similar functions), and queries the user's permission information through the unified permission interface of the permission system according to that user's information.
In practice, each application system has permission requirements specific to its own system, so two problems must be solved: that application systems do not interfere with or affect each other while configuring and obtaining the permission information they need, and how the permission system adapts to the special permission requirements of each application system.
To solve this, the invention isolates the permission information of the different industrial internet application systems by attaching application system codes to their permission resources and authorization data, so that the permission information of different applications cannot be affected by mutual interference. Authorization data refers to the association relationships between users and permission resources, including for example the relationship between user and role and the relationship between role and permission.
In addition, each application's specific permission requirement is a specialized expression of permission resources, requiring different permissions (sets of permission resources) to be formed; the embodiment of the invention therefore meets each application system's requirement for specific permission resources with a resource method that is flexible in abstraction and can be managed uniformly. Specifically, the ID and code of each resource item are extracted to serve as attribute values under the attribute corresponding to the permission resource, and operation permissions are then distributed to each attribute value, realizing unified management and configuration of different types of permission resources in different industrial internet application systems.
Before describing an embodiment of the present invention in detail, the terms used in this solution are first explained.
1) ID. The ID is a unique number of a resource item that distinguishes it from other resource items; for example, 11 is the ID of a resource item.
2) Code. A code is assigned to a resource item according to a certain rule to separate different resource items, for example Demo_Page is the code of a resource item; it is convenient for searching and management.
3) Application. In one embodiment of the present invention, the different industrial application systems are referred to as applications in the permission system, so as to distinguish the permission information of different systems. Examples of applications are the enterprise information management system ERP, the production and manufacturing information management system MES, the equipment health management system EQ, the energy and environmental protection system EMPM and the dispatching command system DISP.
In the solution, the problem of permission isolation among industrial application systems is solved by setting the application.
4) Role. Roles differ between application systems, different roles have different sets of permission resources, and each role corresponds to a group of personnel under an organization in actual work.
5) User. A user is a person who operates the application system in the actual application environment; associating a role with a user allocates permission resources to that user.
6) Permission. A permission is a set of one or a group of permission resources and operations, that is, a set of authentication objects; associating a permission with a role assigns the permission over those resources and operations to the role.
The permission resources commonly used by industrial applications comprise menus, pages and business data; managing these resources well solves the problem of permission resource management in an application system.
7) Menu. A menu is the navigation of the function pages provided by an application system; this navigation data is usually represented as a tree. All application systems need permission management of menus. If one user can access several application systems, a portal of unified style and a menu entry to the application function pages are provided for them, and the menus need to be managed centrally to facilitate permission distribution and resource adjustment; therefore, in this solution the menu information is managed by the permission system, which processes the configuration of all application menus uniformly. In the solution, the permission configuration users of the various application systems are guided by the menu guide to add, delete, modify, view, import and export menus, among other functions.
8) Pages and page resources. A page is the display page of a specific business function; in an embodiment of the present invention the page refers to the URL of the page's access address. A page resource is a control in a page, such as a button, form or text box. Pages and page resources sit on leaf nodes of the associated menu.
9) Business data. Business data is the data displayed on each business system page. It can be grouped into packets on which the various roles can operate. Business data resources must be defined according to the business's own requirements, so that the business system can display the business data according to the permission information when implementing its own pages.
10) Operation. An operation is a permission operation that may be allowed on a permission resource; the operations defined by default in the permission system include add, delete, modify, query, import and export, and dynamic expansion is supported.
11) Authentication object. An authentication object is an attribute value plus an assigned operation permission. For example, selecting an attribute value from the menu page attribute and assigning it an operation permission forms an authentication object.
12) Authentication class. An authentication class is a set of one or more attributes. Since permissions are assigned by selecting attribute values from a range of attributes, and to facilitate generating permissions, in an embodiment of the present invention the attributes that are commonly used or share an identity are grouped into an authentication class, so that attributes can be screened from the authentication class when configuring a permission.
The industrial cloud-based rights system solution of an embodiment of the present invention is described in detail below. In an embodiment of the present invention, the extraction of the right resource is realized by the following method:
the menu is abstracted into menu page attributes, and the ID and code of the menu are attribute values in the menu page attributes. The name of the menu and the association relationship between the parent and the child are in the information of the object of the menu. It should be understood that an embodiment of the present invention only extracts the ID and code of the menu, and other information is still retained in the original menu.
The page and page resources are abstracted into menu page attributes, the ID and code of the page are used as attribute values in the menu page attributes, and the name and URL of the page are in the object information of the page. It should be understood that an embodiment of the present invention only extracts the ID and code of the page, and other information is still retained in the original page.
Service data is data that a service system configures in the authority system according to its own authority requirements. A service system may create multiple data attributes, and one data attribute corresponds to one authority requirement of one service system. The attribute values of a data attribute are abstractions of concrete service data. For example, boundary-area data refers to a factory divided into a plurality of areas, each containing a plurality of devices, where users holding different roles in the factory may only operate the devices in their own area. The boundary area is then a data attribute, and each area into which the factory is divided is an attribute value of that data attribute. In an embodiment of the present invention, only the ID and code of the area data are saved in the authority system. The service application system maps the ID and code of the area data to its own area information, which makes authority control convenient for the service application system.
By controlling the three right resources, most right requirements of industrial application can be completed, and the functions of viewing different menu pages by users with different rights and operating different pages and service data under the control of the rights can be completed. In an embodiment of the present invention, the right resource is abstracted into a menu page attribute and a data attribute, respectively, where the attribute values in the attributes correspond to a menu item code and ID, a code and ID of a page and page resource, and a code and ID of service data. In an embodiment of the invention, different types of resources are abstracted, only the codes and IDs of resource items are reserved, corresponding attribute values are found through specified attributes, grouping of the resources is carried out, and a permitted configuration process is established uniformly.
The basic processes of extraction and grouping of rights resources, and authorization are described above. After the initial resource management is established, there are also cases where resources are changed in reality. In an embodiment of the present invention, the solution implements a synchronization process after resource change by the following method, and the specific synchronization process is as follows:
Permission synchronization process for menu attributes: while menu information is managed and configured, when a menu item of an application is newly added, the new menu item is synchronized into the menu page attribute: an attribute value storing the ID and code of the menu item is added to the menu page attribute, and the new menu item can then be selected when permissions are configured. When the name or the parent-child structure of a menu item changes, no synchronization is triggered after the management interface updates the information, because the changed information does not include the ID and code of the menu item (which may not be changed after the menu item is created). When a menu item is deleted, the deletion is synchronized into the menu page attribute: the attribute value of the menu item is set to disabled, the deleted menu item is no longer visible in the permission configuration interface, and all attribute values in the disabled state are filtered out in the menu permission interface.
Permission synchronization process for pages and page resources: while page and page resource information is managed and configured, when a page or page resource of an application is newly added, the new page is synchronized into the menu page attribute, the new attribute value contains the ID and code of the new page, and the new configuration item is visible when permissions are configured. When a page resource or page URL changes, no synchronization is triggered, because the changed information does not include the ID and code of the resource item. When a page is deleted, the deletion is synchronized into the menu page attribute: the attribute value of the page is set to disabled, the deleted resource is no longer visible in the permission configuration interface, and all attribute values in the disabled state are filtered out in the page permission interface.
Permission synchronization process for service data: the attribute values of data attributes come from third-party application systems and are created by manual entry (or batch import) or by interface call. When a data attribute value is newly added, its source ID and source code are checked so that the attribute value remains unique within the attribute, and the new configuration item becomes visible in the permission configuration. The ID and code of an attribute value may not be modified. When a data attribute value is deleted, the attribute value is set to disabled, the deleted resource is no longer visible in the permission configuration interface, and all attribute values in the disabled state are filtered out in the service data permission interface.
The above describes how the present solution enables the extraction and update synchronization of rights resources. In addition, the solution also relates to how to allocate and authorize the rights resources to the role and the user, and in an embodiment of the present invention, the configuration process is based on a traditional RBAC rights control model, specifically as follows:
Each attribute value combined with an operation forms part of a license; a license is a collection of operable resources. A license is granted to a role, and licenses and roles are in a many-to-many relationship: a role can be granted multiple licenses, and a license can be granted to multiple roles. The license-role authorization model is therefore a two-dimensional table whose rows are licenses and whose columns are roles. In some cases the association between licenses and roles is complex and large in volume, and it can be maintained by batch import and export.
Roles are granted to users. A user belongs to an organizational unit; an organization contains multiple organizational units, and an organizational unit contains multiple users. For example, a company has several departments, and a department has several employees. A department also has multiple roles, and a role has multiple users: a department has, for instance, several leaders and several ordinary staff, and leaders often hold different roles in different organizational units. Roles and users are in a many-to-many relationship. Once a role is fixed, the users eligible for authorization are filtered from the organization and then selected and assigned to the role's set of authorized users.
The above is the process of allocating rights resources. In addition, querying rights resources is one of the technical problems solved by the solution. In an embodiment of the invention, a unique user code is set for each user; likewise, a unique application code is set for each application and a unique attribute code for each attribute. Rights resources are queried by three parameters: user code, application code and attribute code. The application code isolates the rights resources and authorization data of the different application systems. The attribute code groups the rights resources, so that each application system can obtain exactly the rights resources it needs in different scenarios. The user code pinpoints the rights resources of a single user. The set of rights resources returned by a query on this combination of three parameters suits most permission query scenarios and causes no redundant data transmission or processing.
The query process finds the user's roles under a given application, the permissions from the roles, and the attribute values plus operations from the permissions; these are the basic rights resources. If the attribute is the menu page attribute and the query concerns menus, the menu attribute value is added to the query parameters, and the specific menu item information, including parent-child relationships, is queried by that attribute value; if the query concerns pages, the page attribute value is added to the query parameters, and the page resources within a single page that the user is authorized to operate are queried by that attribute value. If the attribute is a data attribute, the basic rights resources are returned directly, and the third-party application system maps the ID and code of each attribute value in the basic rights resources to its specific service data.
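The authorization chain and the three-parameter query described above (user code, application code, attribute code), as an added example that is not the patent's own code: permissions and roles are keyed by application code so that authorization data of different application systems stays isolated, an authentication object is an attribute value plus one operation, disabled attribute values are filtered out, and the query resolves user, roles, permissions and attribute value plus operation. All class names, codes and sample data are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AttributeValue:
    """A rights resource item reduced to its ID and code under one attribute."""
    attr_code: str        # e.g. "MENU_PAGE", or a data attribute such as "AREA"
    item_id: int
    item_code: str
    enabled: bool = True  # disabled values are hidden from configuration and queries


@dataclass(frozen=True)
class AuthObject:
    """Authentication object: one attribute value plus one permitted operation."""
    value: AttributeValue
    operation: str


@dataclass(frozen=True)
class Role:
    code: str
    org_unit: str
    permission_codes: frozenset


@dataclass(frozen=True)
class User:
    code: str
    org_unit: str
    role_codes: frozenset


class RightsSystem:
    """Permissions and roles are keyed by application code, which isolates the
    authorization data of one application system from every other one."""

    def __init__(self):
        # Default operations; the set is dynamically extensible.
        self.operations = {"add", "delete", "modify", "query", "import", "export"}
        self.permissions = {}   # (app_code, perm_code) -> frozenset[AuthObject]
        self.roles = {}         # (app_code, role_code) -> Role
        self.users = {}         # user_code -> User

    def define_operation(self, operation):
        self.operations.add(operation)

    def create_permission(self, app_code, perm_code, auth_objects):
        """A permission holds at least one authentication object with a known operation."""
        objs = frozenset(auth_objects)
        if not objs:
            raise ValueError("a permission must contain at least one authentication object")
        unknown = {o.operation for o in objs} - self.operations
        if unknown:
            raise ValueError(f"undefined operations: {sorted(unknown)}")
        self.permissions[(app_code, perm_code)] = objs

    def create_role(self, app_code, role_code, org_unit, perm_codes):
        for p in perm_codes:
            if (app_code, p) not in self.permissions:
                raise KeyError(f"permission {p!r} not defined for application {app_code!r}")
        self.roles[(app_code, role_code)] = Role(role_code, org_unit, frozenset(perm_codes))

    def create_user(self, user_code, org_unit, role_codes):
        self.users[user_code] = User(user_code, org_unit, frozenset(role_codes))

    def query(self, user_code, app_code, attr_code):
        """user -> roles (within the application) -> permissions -> (id, code, operation)."""
        user = self.users.get(user_code)
        if user is None:
            return frozenset()
        found = set()
        for role_code in user.role_codes:
            role = self.roles.get((app_code, role_code))
            if role is None:          # role exists only in another application: isolated
                continue
            for perm_code in role.permission_codes:
                for obj in self.permissions[(app_code, perm_code)]:
                    if obj.value.attr_code == attr_code and obj.value.enabled:
                        found.add((obj.value.item_id, obj.value.item_code, obj.operation))
        return frozenset(found)


def build_sample():
    """Constructed sample: application 'EQ' with one menu item and two
    boundary-area data values, one of which has been disabled upstream."""
    rs = RightsSystem()
    menu = AttributeValue("MENU_PAGE", 11, "Demo_Page")
    area_a = AttributeValue("AREA", 201, "AREA_A")
    area_b = AttributeValue("AREA", 202, "AREA_B", enabled=False)  # deleted in source system
    rs.create_permission("EQ", "P_MENU", [AuthObject(menu, "query")])
    rs.create_permission("EQ", "P_AREA", [AuthObject(area_a, "query"),
                                          AuthObject(area_a, "modify"),
                                          AuthObject(area_b, "query")])
    rs.create_role("EQ", "AREA_OPERATOR", "Dept1", ["P_MENU", "P_AREA"])
    # Same role code in a second application "MES": must not leak into EQ queries.
    mes_menu = AttributeValue("MENU_PAGE", 7, "Mes_Home")
    rs.create_permission("MES", "P_MENU", [AuthObject(mes_menu, "query")])
    rs.create_role("MES", "AREA_OPERATOR", "Dept1", ["P_MENU"])
    rs.create_user("u001", "Dept1", ["AREA_OPERATOR"])
    rs.create_user("u002", "Dept2", [])
    return rs


if __name__ == "__main__":
    system = build_sample()
    for attr in ("MENU_PAGE", "AREA"):
        print("u001 / EQ /", attr, sorted(system.query("u001", "EQ", attr)))
```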
Example Two
The permission system solution based on the industrial cloud in the first embodiment can be specifically embodied as a permission resource configuration method based on the industrial cloud. In order that the technical solutions of the present invention will be more clearly understood, the present invention will be described in detail below with reference to the accompanying drawings in conjunction with specific embodiments.
FIG. 3 shows a flowchart of an industrial cloud-based privilege resource configuration method according to an embodiment of the invention. As shown in fig. 3, the method includes:
step S301: abstracting the authority resources into different attributes according to the resource types;
step S302: extracting the ID and the code of each resource item in the authority resources as an attribute value under the attribute corresponding to the authority resources;
step S303: for each attribute value, querying whether the resource item corresponding to the attribute value exists; if it exists, performing no processing, and if it does not exist, invalidating the attribute value; and
querying, according to the ID and code of each resource item, whether the attribute value corresponding to the resource item exists; if so, performing no processing, and if not, for each resource item that has no corresponding attribute value, using the ID and code of the resource item as an attribute value under the attribute to which the resource item belongs, so as to realize the synchronization of resource attribute values;
step S304: each attribute value and operation is combined to form a permission, the permission is granted to a role, and the role is granted to a user to implement a rights resource configuration.
First, in step S301, multiple types of rights resources are abstracted into different attributes according to resource type, so that each type of rights resource has a corresponding attribute. Specifically, to facilitate the configuration of rights resources, rights resources of different types are abstracted into different attributes according to their resource type. More specifically, in an embodiment of the present invention, it is assumed that one service application configures authority data for the energy management system EQ. The rights resources include static resources, namely menus, pages and page controls, and dynamic resources, namely service data of the service system using the rights system, such as device data and boundary-area data. Of course, other types of resources or data may be included; as long as a resource or data item has an ID and a code, it can be used as a rights resource to be configured according to an embodiment of the present invention, and the invention is not limited in this respect. Here, boundary areas are device areas defined to distinguish different series or different production runs within an industrial production plant, and device data is the data of all devices within these boundary areas.
Further, in step S301, the static resource is abstracted to the menu page attribute, and the dynamic resource is abstracted to the data attribute. That is, all menu, page and page resources are abstracted to menu page attributes, and business data (e.g., all border area data and device data) are abstracted to data attributes.
Next, step S302 is performed: the ID and code of each resource item in each type of rights resource are extracted as an attribute value under the attribute corresponding to that rights resource. In an embodiment of the present invention, the rights resources may include a plurality of menus, pages, boundary-area data items and device data items; each menu, page, boundary-area data item or device data item is one resource item. For any resource item, its ID and code are unique within the attribute. The code is an identifier assigned to the resource item according to a certain rule in order to distinguish resource items and to ease searching and management; for example, Demo_Page is the code of a resource item. The ID is the number of the resource item that distinguishes it from other resource items; for example, 11 is the ID of a resource item.
Preferably, in one embodiment of the invention, each resource item is stored in the database with its ID and code at the time it is submitted. Therefore, in step S302, the ID and code of each resource item are preferably extracted from the database as the attribute value under the attribute corresponding to the rights resource. For a resource item of a static resource, such as a menu, the ID and code of the menu are extracted as an attribute value under the menu page attribute; for a page, the ID and code of the page are extracted as an attribute value under the menu page attribute. For a resource item of a dynamic resource, such as a boundary-area data item, the ID and code of the boundary-area data item are extracted as an attribute value under the data attribute; for a device data item, the ID and code of the device data item are extracted as an attribute value under the data attribute.
For each resource item, because its ID and encoding are unique within the attribute, all information associated with the resource item can be inferred by its ID and encoding. In step S302, the ID and code of each resource item are extracted as the attribute value under the attribute corresponding to the right resource, so that the right configuration of the right resource can be realized only by assigning a right to each attribute value.
As business needs change, resources change: as service requirements evolve, users may add, modify or delete resource items in the application at any time. When a user adds, modifies or deletes a resource item, however, the attribute value corresponding to that resource item does not change automatically with it, so the rights resources fall out of synchronization.
To avoid this situation, the rights resources must be synchronized, and the method of this embodiment therefore includes a query and feedback step.
Aiming at the condition that some resource items are modified or deleted by a user but the attribute values of the resource items still exist, the method for configuring the authority resources based on the industrial cloud comprises the following steps:
step S303: inquiring whether the resource item corresponding to each attribute value exists or not according to each attribute value;
if the resource item corresponding to the attribute value exists, the attribute value is an effective attribute value, and no processing is performed; if the resource item corresponding to the attribute value does not exist, the attribute value is invalidated, e.g., set to disabled.
Specifically, for each attribute value it is first traced back whether the corresponding resource item exists; attribute values that cannot be traced back to a resource item are set to disabled. Attribute values that correspond to an existing resource item are left unchanged.
Through the above processing, the redundant attribute value which is not matched to the resource item is invalidated.
In addition, the method is used for the case that some resource items are added by the user, but the attribute values of the resource items are not extracted. In an embodiment of the present invention, step S303 further includes:
inquiring whether the attribute value corresponding to each resource item exists according to the ID and the code of each resource item; if yes, no processing is carried out; if not, regarding the resource item without attribute value, the ID and code are used as the attribute value under the attribute to which the resource item belongs.
More specifically, the ID and code of each resource item stored in the database are utilized to inquire whether the attribute value corresponding to the resource item exists.
If each resource item and its corresponding attribute value are present, then no processing is done.
If all or part of the resource items do not have the attribute values corresponding to the resource items, the ID and the code of the resource items without the attribute values are used as the attribute values under the attribute to which the resource items belong.
Therefore, through step S303, it is ensured that when resource items in the application are newly added, modified or deleted, the attribute values corresponding to those resource items change automatically with them, thereby implementing the synchronization of rights resources.
Compared with the prior art, the method can realize the synchronization of the authority resources through the step S303, and does not need to modify the resource tables and the resource-authority association tables of different authority resources in the database, thereby better meeting the requirement of service requirement change.
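The two-direction check of step S303, together with the per-resource synchronization processes described earlier for menus, pages and service data, as an added example that is not the patent's own code: attribute values whose resource item has disappeared are set to disabled rather than deleted, resource items without an attribute value get one from their ID and code, a name change that leaves ID and code untouched triggers nothing, and ID and code stay unique within an attribute. All names and sample data are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceItem:
    """What the source application stores; only attr_code, id and code enter the rights system."""
    attr_code: str
    item_id: int
    item_code: str
    name: str = ""   # names, URLs and parent-child links stay in the source application


@dataclass
class AttributeValue:
    attr_code: str
    item_id: int
    item_code: str
    enabled: bool = True


class AttributeStore:
    """Attribute values keyed by (attr_code, item_id, item_code)."""

    def __init__(self):
        self.values = {}

    def add(self, attr_code, item_id, item_code):
        """Add a value; ID and code must each be unique within the attribute."""
        key = (attr_code, item_id, item_code)
        for (a, i, c) in self.values:
            if a == attr_code and (i == item_id or c == item_code):
                raise ValueError(f"ID or code of {key} already used under {attr_code!r}")
        self.values[key] = AttributeValue(attr_code, item_id, item_code)
        return self.values[key]

    def enabled_values(self, attr_code):
        """What a permission configuration interface would list: disabled values are filtered out."""
        return sorted((v.item_id, v.item_code) for v in self.values.values()
                      if v.attr_code == attr_code and v.enabled)


def synchronize(store, resources):
    """Step S303 in both directions. Returns (disabled_keys, added_keys); running it
    again on unchanged input returns two empty lists."""
    present = {(r.attr_code, r.item_id, r.item_code) for r in resources}
    disabled = []
    # Direction 1: for each attribute value, does its resource item still exist?
    for key, value in store.values.items():
        if key not in present and value.enabled:
            value.enabled = False            # invalidate, do not delete
            disabled.append(key)
    added = []
    # Direction 2: for each resource item, does an attribute value with its ID and code exist?
    for key in sorted(present):
        if key not in store.values:
            store.add(*key)                  # ID and code become the new attribute value
            added.append(key)
    return disabled, added


def demo():
    """Constructed scenario: initialization, then a rename, a deletion and an addition."""
    store = AttributeStore()
    resources = [
        ResourceItem("MENU_PAGE", 11, "Demo_Page", "Demo"),
        ResourceItem("MENU_PAGE", 12, "Report_Page", "Reports"),
        ResourceItem("AREA", 201, "AREA_A", "Area A"),
    ]
    first = synchronize(store, resources)    # initialization: every item is new
    # Renaming a menu item changes neither ID nor code, so it triggers nothing.
    resources[0] = ResourceItem("MENU_PAGE", 11, "Demo_Page", "Demo (renamed)")
    del resources[1]                         # Report_Page deleted in the application
    resources.append(ResourceItem("AREA", 202, "AREA_B", "Area B"))  # new boundary area
    second = synchronize(store, resources)
    third = synchronize(store, resources)    # nothing left to do
    return first, second, third, store


if __name__ == "__main__":
    first, second, third, store = demo()
    print("init:", first)
    print("after change:", second)
    print("re-run:", third)
    print("visible menu values:", store.enabled_values("MENU_PAGE"))
```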
Next, step S304 is performed: each attribute value is combined with an operation to form a permission, the permission is granted to a role, and the role is granted to a user, implementing the rights resource configuration. Specifically, different operations, such as an add, delete, query, import or export operation, may be configured for each attribute value. According to the configuration requirements, configuring an operation on an attribute value generates an authentication object: one attribute value with its configured operation is one authentication object. A license is a set of such authentication objects; it stands in a one-to-many relationship with them and contains at least one authentication object. The license is then granted to a role, and the role is granted to a user, which completes the authorization flow of the rights resource configuration.
Furthermore, there are often many rights resources to be configured and managed for users, including static resources and dynamic resources (third-party data). To distinguish clearly which resources are static and which are dynamic, and to let users configure and manage a large number of attribute values conveniently, the invention first abstracts rights resources of different resource types into different attributes, and then extracts the ID and code of each resource item as an attribute value under the attribute corresponding to its resource type. The attribute values are thereby classified systematically, which makes configuring and managing attribute values of different resource types easier for users.
Fig. 4 illustrates a UML (Unified Modeling Language) class diagram of the industrial cloud-based rights resource configuration method according to an embodiment of the present invention. As shown in fig. 4, the class diagram illustrates the relationships between the rights elements of the method. The rights elements of an embodiment of the present invention include: application, menu page attribute, data attribute, menu page attribute value, data attribute value, authentication object, operation, permission, role, and user. In the UML class diagram, "→" indicates a one-way association, where element A → element B means that element A directly references the contents of element B; the aggregation symbol between element A and element B indicates that a set of element A is aggregated into element B; and "-" indicates a bidirectional association.
For example, there is a two-way relationship between permissions and roles, it being understood that one permission can be granted to multiple roles, and one role can own multiple permissions. For example, the authentication object is in a one-way association relationship with the menu page attribute value, the data attribute value and the operation, and the authentication object is generated by directly referencing the contents in the menu page attribute value, the data attribute value and the operation element. For example, the menu page attribute value and the menu page attribute are in an aggregation relationship, there are many attribute values in the menu page attribute value, and these attribute values all belong to the menu page attribute, that is, there are multiple menu page attribute values under one menu page attribute.
Example Three
The permission system solution based on the industrial cloud in the first embodiment can be specifically embodied as a permission resource configuration system based on the industrial cloud. FIG. 5 schematically illustrates a block diagram of an industrial cloud-based rights resource configuration system, according to an embodiment of the invention. As shown in fig. 5, the system includes:
the abstraction module is used for abstracting the authority resources into different attributes according to the resource types;
the synchronization module is used for handling resource initialization and resource change: during resource initialization, the ID and code of each resource item in the rights resources are extracted as an attribute value under the attribute corresponding to the rights resource; when a resource changes, for each attribute value, whether the corresponding resource item exists is queried, and if it exists no processing is performed, while if it does not exist the attribute value is invalidated; and, according to the ID and code of each resource item, whether the corresponding attribute value exists is queried, and if so no processing is performed, while if not, for each resource item that has no corresponding attribute value, the ID and code of the resource item are taken as an attribute value under the attribute to which the resource item belongs; and
a configuration module to combine each attribute value and operation to form a permission, to grant the permission to the role, and to grant the role to the user.
In an embodiment of the present invention, the authority resources include static resources and dynamic resources, the static resources include menus, pages, page controls, and page elements, and the dynamic resources include service data of a service system using the authority system.
In an embodiment of the present invention, abstracting the right resource into different attributes according to the resource type includes: the abstraction module is used for abstracting the static resource into the attribute of the menu page; the abstraction module is used for abstracting the dynamic resources into data attributes.
In one embodiment of the invention, combining each attribute value and operation to form a permit comprises: generating authentication objects by configuring operations on attribute values such that at least one of said authentication objects is included in each license.
In an embodiment of the present invention, the operation refers to a permission operation that can be performed on the permission resource, and the permission operation can be customized and supports dynamic expansion, including but not limited to: add, delete, modify, query, import, and export.
For detailed details of the operations in the modules, reference may be made to the description of the method of the present invention in conjunction with fig. 3 and 4, and details are not repeated here.
It should be noted that, for dynamic data (such as device data and boundary-area data), the ID and code of each resource item may be extracted by the synchronization module of the system provided in an embodiment of the present invention as the attribute value under the attribute corresponding to the rights resource, or the ID and code of each resource item may be entered by the user as the attribute value under that attribute; the invention is not limited in this respect.
Accordingly, an embodiment of the present invention further provides a storage medium having executable code stored thereon; when the executable code is executed by a processor, the processor performs the industrial cloud-based rights resource configuration method according to an embodiment of the present invention.
In summary, the method and system for configuring rights resources based on an industrial cloud according to the present invention extract, for the rights resources of different industrial internet application systems, the ID and code of each resource item as an attribute value under the attribute corresponding to the rights resource. This implements unified configuration and management of different types of rights resources across different industrial internet application systems, and applies equally to the data of a service system using the rights system, that is, to data placed under rights control, such as device data and boundary-area data.
In the authorization process, only the corresponding rights need to be assigned to each attribute value; no resource table or resource-rights association table needs to be created for the different rights resources, which greatly shortens the process of allocating rights resources. When service requirements change, the synchronization of rights resources is achieved through the system's own querying and processing, without modifying back-end code or the resource tables and resource-rights association tables of the different rights resources. The method and system are therefore easy to maintain, flexible and convenient to use, and easy to extend.
The invention abstracts and manages the data of different resource types uniformly, reduces the development and maintenance cost of the authority system and facilitates the uniform processing of different industrial internet application systems.
It is to be understood that the disclosed embodiments of the invention are not limited to the particular process steps or materials disclosed herein, but rather, are extended to equivalents thereof as would be understood by those of ordinary skill in the relevant art. It is also to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be limiting.
Reference in the specification to "an embodiment" means that a particular feature, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Thus, the appearances of the phrase "an embodiment" appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
It will be appreciated by those of skill in the art that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described in a functional general in the foregoing description for the purpose of illustrating clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Although the embodiments of the present invention have been described above, the above description is only for the convenience of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (3)

1. An authority resource configuration method based on an industrial cloud is applied to a business system and comprises the following steps:
abstracting authority resources into different attributes according to resource types, wherein the authority resources comprise static resources and dynamic resources, and abstracting the authority resources into the different attributes according to the resource types comprises abstracting the static resources into menu page attributes; and abstracting the dynamic resource into data attributes; the static resources comprise menus, pages, page controls and page elements, and the dynamic resources comprise service data of the service system;
extracting the ID and the code of each resource item in the authority resources as an attribute value under the attribute corresponding to the authority resources;
inquiring whether the resource item corresponding to each attribute value exists or not, if the resource item corresponding to the attribute value exists, not processing, if the resource item corresponding to the attribute value does not exist, making the attribute value invalid,
querying, according to the ID and the code of each resource item, whether the attribute value corresponding to the resource item exists; if so, performing no processing, and if not, for each resource item that has no corresponding attribute value, using the ID and the code of the resource item as the attribute value under the attribute to which the resource item belongs, so as to realize the synchronization of the resource attribute values; and
combining each attribute value and operation to form a permission, granting the permission to a role, and granting the role to a user to implement a rights resource configuration;
said combining each attribute value and operation to form a permit comprises:
generating authentication objects by configuring operations on attribute values such that each license includes at least one of the authentication objects;
the operation refers to permission operation which can be carried out on the permission resource and supports dynamic expansion.
2. An industrial cloud-based authority resource configuration system, comprising:
an abstraction module for abstracting authority resources into different attributes according to resource type, wherein the authority resources comprise static resources and dynamic resources, and the abstracting comprises abstracting the static resources into menu-page attributes and abstracting the dynamic resources into data attributes; the static resources comprise menus, pages, page controls and page elements, and the dynamic resources comprise business data of a business system using the authority resource configuration system;
a synchronization module for handling resource initialization and resource change, wherein on resource initialization the ID and the code of each resource item in the authority resources are extracted as an attribute value under the attribute corresponding to that authority resource; and on resource change, for each attribute value it is queried whether the corresponding resource item exists, no action being taken if it exists and the attribute value being invalidated if it does not; and, according to the ID and the code of each resource item, it is queried whether a corresponding attribute value exists, no action being taken if it exists and, if it does not, the ID and the code of that resource item being taken as an attribute value under the attribute to which the resource item belongs; and
a configuration module for combining each attribute value with an operation to form a permission, granting the permission to a role, and granting the role to a user, wherein combining each attribute value with an operation to form a permission comprises generating authentication objects by configuring operations on attribute values, such that each permission includes at least one of the authentication objects; and the operation refers to a permission operation that can be performed on the authority resource and that supports dynamic extension.
3. A storage medium having stored thereon executable code which, when executed by a processor, causes the processor to perform the method of claim 1.
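Claims 1 and 2 describe two mechanisms: synchronizing attribute values with the resource items they stand for (invalidate values whose item is gone, create values for items that have none) and the chain attribute value plus operation, then permission, then role, then user. The Python below is an added illustration, not code from the patent or its assignee; the names Resource, AttributeValue, sync_attribute_values and authorize, the attribute names, and the sample data are assumptions of this example.

```python
# Added example of the claims' attribute-value sync and RBAC chain; not the patent's code.
from dataclasses import dataclass

# Static resources (menus, pages, controls, elements) map to the menu-page attribute,
# dynamic resources (business data) to the data attribute (attribute names assumed here).
ATTRIBUTE_OF = {"static": "menu_page", "dynamic": "data"}

@dataclass(frozen=True)
class Resource:
    rid: str    # resource item ID
    code: str   # resource item code
    kind: str   # "static" or "dynamic"

@dataclass
class AttributeValue:
    rid: str
    code: str
    attribute: str
    valid: bool = True

def sync_attribute_values(resources, values):
    """Resource-change step: invalidate attribute values whose resource item no longer
    exists, add values for resource items that have none, leave existing matches alone."""
    live = {(r.rid, r.code) for r in resources}
    for v in values:
        if (v.rid, v.code) not in live:
            v.valid = False
    known = {(v.rid, v.code) for v in values}
    for r in resources:
        if (r.rid, r.code) not in known:
            values.append(AttributeValue(r.rid, r.code, ATTRIBUTE_OF[r.kind]))
    return values

def authorize(values, permissions, role_permissions, user_roles, user, rid, code, op):
    """An authentication object is (attribute value, operation); a permission is a set of
    them; roles hold permissions and users hold roles. Operations are plain strings, so a
    new operation needs no model change. A value that sync has invalidated grants nothing
    even if a stale permission still names it."""
    value = next((v for v in values if (v.rid, v.code) == (rid, code)), None)
    if value is None or not value.valid:
        return False
    return any((rid, code, op) in permissions[p]
               for role in user_roles.get(user, ())
               for p in role_permissions.get(role, ()))
```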

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910451892.XA CN110348184B (en) 2019-05-28 2019-05-28 Industrial cloud-based permission resource configuration method, system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910451892.XA CN110348184B (en) 2019-05-28 2019-05-28 Industrial cloud-based permission resource configuration method, system and storage medium

Publications (2)

Publication Number Publication Date
CN110348184A CN110348184A (en) 2019-10-18
CN110348184B true CN110348184B (en) 2021-04-06

Family

ID=68174122

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910451892.XA Active CN110348184B (en) 2019-05-28 2019-05-28 Industrial cloud-based permission resource configuration method, system and storage medium

Country Status (1)

Country Link
CN (1) CN110348184B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7065784B2 (en) * 1999-07-26 2006-06-20 Microsoft Corporation Systems and methods for integrating access control with a namespace
CN102932369A (en) * 2012-11-19 2013-02-13 西北大学 Fine-grain resource authorization method aiming at user characteristics
CN103049684A (en) * 2012-12-21 2013-04-17 大唐软件技术股份有限公司 Data authority control method and data authority control system based on RBAC (role-based access control) model extension
CN103488706A (en) * 2013-09-06 2014-01-01 北京东方艾迪普科技发展有限公司 Processing method and device for mass data base
CN105930741A (en) * 2016-04-14 2016-09-07 国网浙江省电力公司电力科学研究院 Power system resource permission management system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103377336B (en) * 2013-01-21 2016-12-28 航天数联信息技术(深圳)有限公司 The control method of a kind of computer system user authority and system
CN108229206B (en) * 2018-01-09 2021-08-24 上海中畅数据技术有限公司 Authority management method and system based on label library

Also Published As

Publication number Publication date
CN110348184A (en) 2019-10-18

Similar Documents

Publication Publication Date Title
CN109688120B (en) Dynamic authority management system based on improved RBAC model and Spring Security framework
US10367821B2 (en) Data driven role based security
CN104573478B (en) A kind of user authority management system of Web applications
CN111935131A (en) SaaS resource access control method based on resource authority tree
CN108475288B (en) System, method and equipment for unified access control of combined database
CN110363012B (en) Method for configuring authority of authority resource, authority system and storage medium
US8931055B2 (en) Enterprise entitlement framework
CN110443010A (en) One kind permission visual configuration control method, device, terminal and storage medium in information system
US20230370471A1 (en) Systems and methods for deploying and managing secure limited-administration server systems
CN109522707B (en) Role and resource-based user data read-write security authority control method and system
EP3084590B1 (en) Controlling access to a software application
CN110472388B (en) Equipment management and control system and user permission control method thereof
CN112182619A (en) Service processing method and system based on user permission, electronic device and medium
CN113297550A (en) Authority control method, device, equipment, storage medium and program product
CN110348183B (en) RBAC-based rapidly configurable permission configuration system, method and storage medium
US8180894B2 (en) System and method for policy-based registration of client devices
EP3185507B1 (en) Access control method and apparatus
Jin et al. Role and attribute based collaborative administration of intra-tenant cloud iaas
CN103778364B (en) Management is set applied to the license of application
CN113282896A (en) Authority management method and system
CN114143069B (en) Authority management system and method applied to microservice
CN107566375A (en) Access control method and device
CN114398603A (en) Product data document management system and authority control method thereof
US20240007458A1 (en) Computer user credentialing and verification system
CN110348184B (en) Industrial cloud-based permission resource configuration method, system and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant