CN110569667B - Access control method and device, computer equipment and storage medium - Google Patents


Info

Publication number: CN110569667B
Application number: CN201910854940.XA
Authority: CN (China)
Prior art keywords: function, role, field, target, authority
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN110569667A
Inventor: 郑海波
Current assignee: Beijing ByteDance Network Technology Co Ltd
Original assignee: Beijing ByteDance Network Technology Co Ltd
Events: application filed by Beijing ByteDance Network Technology Co Ltd; priority to CN201910854940.XA; published as CN110569667A; application granted and published as CN110569667B; legal status active.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Abstract

The embodiments of the disclosure describe an access control method, an access control device, computer equipment and a storage medium. The access control method comprises the following steps: determining at least one role to which a target user belongs, the target user being a user initiating a target function access request; determining a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized; and if the second function code comprises the first function code, displaying a target function page corresponding to the target function. The technical scheme of the embodiments overcomes the defects of the prior role-based access control model, in which authorizing roles by URI makes fine-grained authorization of system resources difficult and easily causes authorization confusion, and achieves finer-grained authorization of system resources in a complex information system without causing authorization confusion.

Description

Access control method and device, computer equipment and storage medium
Technical Field
The embodiments of the disclosure relate to the technical field of information security management, and in particular to an access control method and apparatus, a computer device, and a storage medium.
Background
In the enterprise information system, the access of users to system functions and resources is controlled by access authority according to the requirements of enterprise management, and the users are only allowed to access the system within an authorized range.
An existing permission model is the Role-Based Access Control (RBAC) model. This model generally authorizes a role using the Uniform Resource Identifiers (URIs) corresponding to system resources, so that a person holding the role is in effect authorized for those functions and resources.
However, in the existing RBAC model, authorizing a role by URI is a coarse-grained way of authorizing. Although URIs themselves can be divided very finely, a URI cannot clearly describe the function itself; and because each URI is absolutely unique, URIs have no concept of grouping and cannot describe how functions are aggregated in the system. If authorization is divided along a fine-grained dimension, serious authorization confusion results, and fine-grained URI authorization is especially hard to maintain when the grouping of functions changes. Authorizing roles by URI is therefore difficult to reconcile with the authority requirements of a complex enterprise information system.
Disclosure of Invention
The present disclosure provides an access control method, an access control apparatus, a computer device, and a storage medium, which can more finely authorize system resources in a complex information system without causing authorization confusion.
In a first aspect, an embodiment of the present disclosure provides an access control method, including:
determining at least one role to which a target user belongs, wherein the target user is a user initiating a target function access request;
determining a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized;
and if the second function code comprises the first function code, displaying a target function page corresponding to the target function.
In a second aspect, an embodiment of the present disclosure further provides an access control apparatus, including:
the role determination module is used for determining at least one role to which a target user belongs, wherein the target user is a user initiating a target function access request;
a function code determining module, configured to determine a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized;
and the function page display module is used for displaying the target function page corresponding to the target function if the second function code comprises the first function code.
In a third aspect, an embodiment of the present disclosure further provides a computer device, including:
one or more processing devices;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processing devices, the one or more processing devices are caused to implement the access control method according to any embodiment of the present disclosure.
In a fourth aspect, the embodiments of the present disclosure further provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the access control method according to any embodiment of the present disclosure.
The method determines at least one role to which a target user belongs, where the target user is the user initiating a target function access request; determines a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized; and, if the second function code comprises the first function code, displays the target function page corresponding to the target function. This overcomes the defects of the conventional role-based access control model, in which authorizing roles by URI makes fine-grained authorization of system resources difficult and easily causes authorization confusion, and achieves finer-grained authorization of system resources in a complex information system without causing authorization confusion.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and features are not necessarily drawn to scale.
Fig. 1 is a flowchart of an access control method according to a first embodiment of the present disclosure;
Fig. 2 is a flowchart of an access control method according to a second embodiment of the present disclosure;
Fig. 3 is a flowchart of an access control method according to a third embodiment of the present disclosure;
Fig. 4 is a schematic structural diagram of an access control apparatus according to a fourth embodiment of the present disclosure;
Fig. 5 is a schematic structural diagram of a computer device according to a fifth embodiment of the present disclosure.
Detailed Description
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present disclosure are shown in the drawings, it is to be understood that the present disclosure may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the disclosure are for illustration purposes only and are not intended to limit the scope of the disclosure.
It should be understood that the various steps recited in the method embodiments of the present disclosure may be performed in a different order, and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the present disclosure is not limited in this respect.
The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.
It should be noted that the terms "first", "second", and the like in the present disclosure are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.
It is noted that the modifiers "a", "an" and "the" in this disclosure are intended to be illustrative rather than limiting, and those skilled in the art will understand them as "one or more" unless the context clearly dictates otherwise.
The names of messages or information exchanged between devices in the embodiments of the present disclosure are for illustrative purposes only, and are not intended to limit the scope of the messages or information.
Example one
Fig. 1 is a flowchart of an access control method according to an embodiment of the present disclosure. The disclosed embodiments can be applied to the situation that in a complex information system, system resources need to be carefully authorized without causing authorization confusion, and the method can be executed by an access control device, which can be implemented in a software and/or hardware manner, and can be configured in a computer device. As shown in fig. 1, the method may include the steps of:
S110, determining at least one role to which the target user belongs, wherein the target user is a user initiating the target function access request.
Illustratively, the target function may be at least one of an add, delete, modify, find, import, and export operation.
Preferably, different roles may be set in the system in advance according to actual needs, and corresponding system resource (for example, each function in the system, or a part of functions in the system) access permissions are set for each role, and each user is assigned to the role having the corresponding system resource access permission according to the specific responsibility of each user in the system and the system resource access permission corresponding to each role. The number of roles corresponding to each user may be one or multiple.
In the embodiment of the disclosure, all roles to which a target user belongs are determined; there is at least one such role. Preferably, whether each role contains the target user can be determined by traversing the users contained in each role: if a role is found to contain the target user, the target user is determined to belong to that role, and all roles to which the target user belongs are determined in this manner.
Preferably, after the target user initiates the target function access request, at least one role to which the target user belongs may be determined, where the target user may initiate the target function access request by clicking a target function option or pressing a target function key. Or determining at least one role to which the target user belongs after the target user logs in the system, wherein the target user can log in the system by inputting an account and a password, fingerprint verification, face recognition or the like.
Taking the application scenario as an enterprise information system as an example, the attribute of each user may include an enterprise ID, a user name, and the like, and the attribute of each role may include an enterprise ID, a role name, a role code (one role code corresponds to each role), and the like. After the target user is determined, for each role, a corresponding role can be determined through at least one attribute of a role ID, a role name and a role code, a user name or a user ID contained in the role is traversed to determine whether the user name or the user ID of the target user is contained in the role, and finally, each role containing the user name or the user ID of the target user is taken as at least one role to which the target user belongs.
S120, determining a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized.
Because a custom function code is flexible and has a definite meaning, a group of associated functions can be identified by a fixed prefix or a fixed number of digits, and custom codes have the advantages of being easy to sort, convenient for batch authorization, convenient for authority management, and the like.
For example, the attribute of each function in the system may include an enterprise ID, a function name, a function serial number, a superior function ID, a function type, a function code, and the like, and preferably, the first function code corresponding to the target function may be determined by the attribute of the function ID or the function name of the target function. After determining all roles to which the target user belongs, the role ID and the function ID can be utilized to determine at least one function to which each role is authorized, the at least one function being a function accessible to the target user. It is understood that the second function code corresponding to each function can also be determined by the attribute such as the function ID or the function name of each function.
Preferably, each function in the system may be encoded in advance. Specifically, before the second function code corresponding to the at least one function for which each role is authorized is determined, each function is encoded to obtain its function code. Here a function is a function subject to authority control; this may be all functions in the system or only a part of them, as determined by actual conditions. Since each role is provided with corresponding function access rights, preferably, after each function is encoded, its function code is authorized to the corresponding role, so that the role corresponds to the corresponding second function code.
S130, if the second function code comprises the first function code, displaying a target function page corresponding to the target function.
And traversing the second function code, determining whether the second function code comprises the first function code, and if the second function code comprises the first function code, indicating that the target user has the authority to access the target function corresponding to the first function code, so that the target function page corresponding to the target function can be displayed to the target user.
In the access control method provided by this embodiment, at least one role to which a target user belongs is determined, where the target user is the user initiating a target function access request; a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized are determined; and if the second function code comprises the first function code, the target function page corresponding to the target function is displayed. This overcomes the defects of the conventional role-based access control model, in which authorizing roles by URI makes fine-grained authorization of system resources difficult and easily causes authorization confusion, and achieves finer-grained authorization of system resources in a complex information system without causing authorization confusion.
On the basis of the foregoing embodiments, after determining a first function code corresponding to a target function and a second function code corresponding to a function for which a role is authorized, the method further includes:
and if the second function code does not comprise the first function code, returning a prompt page indicating that there is no access authority.
The second function code is traversed to determine whether it comprises the first function code. If it does not, the target user does not have the authority to access the target function corresponding to the first function code, so a prompt page indicating no access authority is returned. In addition, when the prompt page is returned, the user can also be notified by voice broadcast that they have no access authority.
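One way to implement steps S110 to S130 together with the no-access branch, as an added Python example that is not the patent's code; the users, roles, function codes and the prefix-based batch grant are all constructed, and plain dicts stand in for the system's user, role and function tables.

```python
"""Function-code RBAC check of steps S110 to S130, with the no-access branch.

Added example, not the patent's code. All tables below are constructed:
function codes carry a fixed prefix per functional group ("ORD" for order
functions, "CUS" for customer functions, "SYS" for platform functions),
which is what makes prefix-based batch authorization possible.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Function:
    function_id: int
    name: str
    code: str          # the "function code" of the patent


@dataclass
class Role:
    code: str          # the "role code" of the patent
    name: str
    members: Set[int] = field(default_factory=set)          # user IDs
    function_codes: Set[str] = field(default_factory=set)   # authorized codes


# Constructed system tables.
FUNCTIONS: Dict[int, Function] = {
    101: Function(101, "order-add", "ORD-01"),
    102: Function(102, "order-delete", "ORD-02"),
    103: Function(103, "order-modify", "ORD-03"),
    104: Function(104, "order-find", "ORD-04"),
    201: Function(201, "customer-export", "CUS-01"),
    301: Function(301, "role-management", "SYS-01"),
}
ROLES: Dict[str, Role] = {
    "R-SALES": Role("R-SALES", "sales clerk", {1001, 1002}, {"ORD-01", "ORD-04"}),
    "R-AUDIT": Role("R-AUDIT", "auditor", {1002}, {"ORD-04", "CUS-01"}),
    "R-ADMIN": Role("R-ADMIN", "system administrator", {9000}, {"SYS-01"}),
}


def roles_of_user(user_id: int) -> List[str]:
    """S110: traverse the members of every role; keep the roles containing the user."""
    return [r.code for r in ROLES.values() if user_id in r.members]


def first_function_code(function_id: int) -> str:
    """S120: the code of the target function, looked up by function ID."""
    return FUNCTIONS[function_id].code


def second_function_codes(role_codes: List[str]) -> Set[str]:
    """S120: the union of the function codes authorized to each of the user's roles."""
    codes: Set[str] = set()
    for rc in role_codes:
        codes |= ROLES[rc].function_codes
    return codes


def check_access(user_id: int, function_id: int) -> Tuple[str, str]:
    """S130 and the no-access branch.

    Returns ("page", <function name>) when the second function codes contain
    the first function code, otherwise ("denied", <prompt text>). A user that
    belongs to no role has an empty second code set and is denied as well.
    """
    if function_id not in FUNCTIONS:
        return ("denied", "unknown target function")
    target = first_function_code(function_id)
    if target in second_function_codes(roles_of_user(user_id)):
        return ("page", FUNCTIONS[function_id].name)
    return ("denied", "no access authority")


def authorize_group(role_code: str, prefix: str) -> Set[str]:
    """Batch authorization through the fixed code prefix: grant the role every
    function whose code starts with the prefix, and return the role's codes."""
    role = ROLES[role_code]
    role.function_codes |= {
        f.code for f in FUNCTIONS.values() if f.code.startswith(prefix + "-")
    }
    return set(role.function_codes)


if __name__ == "__main__":
    print(check_access(1001, 101))   # sales clerk may add orders
    print(check_access(1001, 102))   # but may not delete them
    print(check_access(1002, 201))   # second role (auditor) grants customer export
    print(check_access(5555, 104))   # user in no role
    authorize_group("R-SALES", "ORD")
    print(check_access(1001, 102))   # now permitted through the ORD group
```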
Example two
Fig. 2 is a flowchart of an access control method according to a second embodiment of the present disclosure. This embodiment may be combined with the alternatives in one or more of the above embodiments. In this embodiment, before determining the at least one role to which the target user belongs, the method further includes: allocating at least one role to each user, where the role function types of all roles of a user are the same, and the role function type is the type to which the functions authorized to the corresponding role belong.
As shown in fig. 2, the method may include the steps of:
S210, allocating at least one role to each user, where the role function types of all roles of a user are the same, and the role function type is the type to which the functions authorized to the corresponding role belong.
As each function in the system is refined, the types to which the different functions belong may be the same. Therefore, although the authorized functions of different roles are different, the roles have the same function types because the functions belong to the same type. In the embodiment of the present disclosure, in order to separate system responsibilities, preferably, when at least one role is allocated to each user, the role function types corresponding to all roles to which each user belongs may be set to be the same, so that each user may only process services of one function type.
Still taking an application scenario as an example of an enterprise information system, roles in the system can be divided into a management role and a service role, wherein the management role can only access a system management background, and the service role can only access a service function module. Therefore, when the function is authorized, the management role can only authorize the platform functions, such as the platform functions of system parameter configuration, role management, function authorization and the like, to perform system background management; the service type role can only authorize service functions, such as addition, deletion, modification and check of the service functions, only operate a service module and cannot access a system management background. The system does not allow one role to authorize both the platform function and the service function, the mode separates system responsibilities, personnel managing the system cannot operate the service, personnel operating the service cannot manage the system, special roles such as a super manager are avoided, authorization of the authority is more flexible, and the system is safer.
The system provides a system administrator role (that is, a management role) by default, which can only access the system management background; when the system is initialized, a user with the system administrator role is generated automatically. A common user role (that is, a service role) can also be provided by default, and all newly added users in the system are given the common user role by default. In actual use, the common user role can be revoked from a user, who can then be given the system administrator role. As system default roles, the system administrator role and the common user role cannot be deleted. When a custom function is newly built in the system, a corresponding function code can be generated automatically for it and assigned to the system administrator role or to the default common user role.
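The role allocation rule of step S210 and the default roles just described, as an added Python example that is not the patent's code; the two type names (platform, service), the role and function codes and the revoke-then-assign sequence are constructed assumptions.

```python
"""Role allocation constraint of step S210: all roles of one user share one
role function type, and a role is only authorized functions of its own type,
so no user holds platform and service authority at the same time.

Added example, not the patent's code. The type names, role codes, function
codes and default roles are constructed.
"""
from typing import Dict, List, Set

PLATFORM = "platform"   # system management background (management roles)
SERVICE = "service"     # business function modules (service roles)

# Constructed: function code -> function type.
FUNCTION_TYPES: Dict[str, str] = {
    "SYS-01": PLATFORM,   # system parameter configuration
    "SYS-02": PLATFORM,   # role management
    "SYS-03": PLATFORM,   # function authorization
    "ORD-01": SERVICE,    # add
    "ORD-02": SERVICE,    # delete
    "ORD-03": SERVICE,    # modify
    "ORD-04": SERVICE,    # check
}


class Role:
    def __init__(self, code: str, role_type: str, default: bool = False) -> None:
        self.code, self.role_type, self.default = code, role_type, default
        self.function_codes: Set[str] = set()   # default roles cannot be deleted

    def can_authorize(self, function_code: str) -> bool:
        """A role may only be authorized functions of its own role function type."""
        return FUNCTION_TYPES[function_code] == self.role_type

    def authorize(self, function_code: str) -> Set[str]:
        if not self.can_authorize(function_code):
            raise PermissionError(f"{self.code} ({self.role_type}) cannot be "
                                  f"authorized {function_code}")
        self.function_codes.add(function_code)
        return set(self.function_codes)


# Default roles existing from initialisation: system administrator and common user.
ROLES: Dict[str, Role] = {
    "R-ADMIN": Role("R-ADMIN", PLATFORM, default=True),
    "R-USER": Role("R-USER", SERVICE, default=True),
}
for _code, _ftype in FUNCTION_TYPES.items():
    ROLES["R-ADMIN" if _ftype == PLATFORM else "R-USER"].authorize(_code)

USER_ROLES: Dict[int, List[str]] = {}   # user ID -> codes of the roles held


def add_user(user_id: int) -> List[str]:
    """Every newly added user receives the common user role by default."""
    USER_ROLES[user_id] = ["R-USER"]
    return list(USER_ROLES[user_id])


def can_assign(user_id: int, role_code: str) -> bool:
    """S210: assignable only if every role the user already holds has the same type."""
    wanted = ROLES[role_code].role_type
    return all(ROLES[rc].role_type == wanted for rc in USER_ROLES.get(user_id, []))


def assign_role(user_id: int, role_code: str) -> List[str]:
    if not can_assign(user_id, role_code):
        raise PermissionError(f"user {user_id} holds roles of another type; revoke first")
    held = USER_ROLES.setdefault(user_id, [])
    if role_code not in held:
        held.append(role_code)
    return list(held)


def revoke_role(user_id: int, role_code: str) -> List[str]:
    held = USER_ROLES.get(user_id, [])
    if role_code in held:
        held.remove(role_code)
    return list(held)


def make_admin(user_id: int) -> List[str]:
    """The sequence described above: revoke the common user role, then grant admin."""
    revoke_role(user_id, "R-USER")
    return assign_role(user_id, "R-ADMIN")


def delete_role(role_code: str) -> bool:
    """System default roles cannot be deleted; returns whether a deletion happened."""
    if ROLES[role_code].default:
        return False
    del ROLES[role_code]
    return True


def register_function(function_code: str, ftype: str) -> str:
    """A newly built custom function is typed and its code is automatically
    authorized to the default role of that type; returns that role's code."""
    FUNCTION_TYPES[function_code] = ftype
    owner = "R-ADMIN" if ftype == PLATFORM else "R-USER"
    ROLES[owner].authorize(function_code)
    return owner
```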
S220, determining at least one role to which the target user belongs, wherein the target user is a user initiating the target function access request.
S230, determining a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized.
And S240, if the second function code comprises the first function code, displaying a target function page corresponding to the target function.
In the access control method provided by this embodiment, at least one role is allocated to each user, where the role function types of all roles of a user are the same and the role function type is the type to which the functions authorized to the role belong; at least one role to which a target user belongs is determined, where the target user is the user initiating a target function access request; a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized are determined; and if the second function code comprises the first function code, the target function page corresponding to the target function is displayed. This overcomes the defects of the existing role-based access control model, in which authorizing roles by URI (Uniform Resource Identifier) makes fine-grained authorization of system resources difficult and easily causes authorization confusion; it achieves finer-grained authorization of system resources in a complex information system without causing authorization confusion, separates system responsibilities so that each role performs its own duties, and avoids the potential safety hazard of an over-privileged super administrator.
Example three
Fig. 3 is a flowchart of an access control method according to a third embodiment of the present disclosure. In this embodiment, after displaying the target function page corresponding to the target function when the second function code includes the first function code, the method may further include: for each field on the target function page, determining the field authority corresponding to each role; and taking, among those field authorities, the one with the highest priority as the target user's authority for the corresponding field.
As shown in fig. 3, the method may include the steps of:
S310, determining at least one role to which the target user belongs, wherein the target user is a user initiating the target function access request.
S320, determining a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized.
S330, if the second function code comprises the first function code, displaying a target function page corresponding to the target function.
S340, aiming at each field on the target function page, determining each field authority corresponding to each role.
And S350, taking the field authority with the highest priority as the authority of the target user to the corresponding field in each field authority.
Preferably, the field authority includes invisible, read-only and read-write, and the priority of the field authority is from high to low, read-write, read-only and invisible.
The application scenario is still taken as an example of the enterprise information system for explanation. A business object on the target function page will usually have a plurality of fields, in which some sensitive fields may exist, such as customer name, amount of transaction, and mobile phone number, and these sensitive fields are only allowed to be visible to some users, so that the authority setting can be performed on the fields on the target page.
Illustratively, if a field in the target function page is the customer name, the target user belongs to one role, and the field authority corresponding to that role is invisible, the customer name field is not displayed in the target function page. If the field in the target function page is the transaction amount, the target user belongs to three roles, and the field authority corresponding to the first role is invisible, that of the second role is read-only, and that of the third role is read-write, the field authority read-write, which has the highest priority, is taken as the target user's authority on the transaction amount field; that is, the transaction amount field is displayed in the target function page and the user has the right to read and write it.
It should be noted here that before determining the field authority, the function authority may be preferably determined, and if the target user does not have the authority of the target function, the field authority does not have to be determined. The field authority is an optional configuration, and if the user does not use the field authority, all fields are considered to be open to all users. The system may provide a setting of whether to turn on the field permissions, which is turned on by default. When the field authority is opened, the system checks the field authority. When the user closes the field authority, although the system has field authority data, the system does not check the field authority until the administrator opens the field-level authority again.
For invisible fields, the data can be hidden on the page (the form is displayed normally, but the data is not shown); for read-only fields, the fields may be greyed out on the page. It should be noted that for a read-write field the user may still be unable to edit the field: whether the user can edit the field can be determined from the user's data authority, that is, whether the user has the right to edit the data.
In the access control method provided by this embodiment, at least one role to which a target user belongs is determined, where the target user is the user initiating a target function access request; a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized are determined; if the second function code comprises the first function code, the target function page corresponding to the target function is displayed; for each field on the target function page, the field authority corresponding to each role is determined; and among those field authorities, the one with the highest priority is taken as the target user's authority for the corresponding field. This overcomes the defects of the conventional role-based access control model, in which authorizing roles by URI makes fine-grained authorization of system resources difficult and easily causes authorization confusion, and achieves both finer-grained authorization of system resources and finer-grained field authority control in a complex information system without causing authorization confusion.
On the basis of the above embodiments, further, the field authority corresponds to a digital identifier, and the larger the digital identifier is, the higher the priority of the field authority is;
correspondingly, in each field permission, the field permission with the highest priority is taken as the permission of the target user to the corresponding field, and the method comprises the following steps:
in each field authority, the field authority with the largest digital identification is taken as the authority of the target user to the corresponding field.
Illustratively, the numeric identifier for the field authority invisible is 0, for read-only is 1 and for read-write is 2. Taking again the transaction amount field in the target function page and a target user belonging to three roles as an example: the field authority of the first role is invisible (numeric identifier 0), that of the second role is read-only (numeric identifier 1) and that of the third role is read-write (numeric identifier 2). The field authority read-write, with numeric identifier 2, is taken as the target user's authority on the transaction amount field; that is, the transaction amount field is displayed in the target function page and the user has the right to read and write it.
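Steps S340 and S350 with the numeric identifiers above, as an added Python example that is not the patent's code; the role codes, field names and authority table are constructed, and treating a role with no entry for a field as invisible is an assumption of the example rather than a rule from the text.

```python
"""Field authority resolution of steps S340 and S350 using the numeric
identifiers invisible = 0, read-only = 1, read-write = 2: the largest
identifier among the user's roles wins.

Added example, not the patent's code. Role codes, field names and the
authority table are constructed; a role with no entry for a field is
treated as invisible here, an assumption of this example.
"""
from typing import Dict, Iterable, List, Optional, Tuple

INVISIBLE, READ_ONLY, READ_WRITE = 0, 1, 2

# Constructed: (role code, field name) -> numeric identifier of the field authority.
FIELD_AUTHORITY: Dict[Tuple[str, str], int] = {
    ("R-SALES", "customer_name"): INVISIBLE,
    ("R-SALES", "transaction_amount"): INVISIBLE,
    ("R-SALES", "mobile_phone"): READ_ONLY,
    ("R-AUDIT", "customer_name"): READ_ONLY,
    ("R-AUDIT", "transaction_amount"): READ_ONLY,
    ("R-FINANCE", "customer_name"): READ_ONLY,
    ("R-FINANCE", "transaction_amount"): READ_WRITE,
}

# The field-authority switch described in the text: on by default; when off, the
# field authority data is kept but not checked, and every field is open.
FIELD_AUTHORITY_ENABLED = True


def resolve_field_authority(role_codes: Iterable[str], field: str,
                            enabled: Optional[bool] = None) -> int:
    """S340/S350: collect the field authority of each role, keep the largest identifier."""
    if enabled is None:
        enabled = FIELD_AUTHORITY_ENABLED
    if not enabled:
        return READ_WRITE
    return max((FIELD_AUTHORITY.get((rc, field), INVISIBLE) for rc in role_codes),
               default=INVISIBLE)


def render_fields(role_codes: List[str], fields: Iterable[str],
                  enabled: Optional[bool] = None, data_editable: bool = True) -> Dict[str, str]:
    """Page state per field: "hidden" (invisible), "greyed" (read-only) or "editable".
    A read-write field is editable only if the user's data authority also allows
    editing (the caveat in the text); otherwise it is shown greyed."""
    state: Dict[str, str] = {}
    for f in fields:
        authority = resolve_field_authority(role_codes, f, enabled)
        if authority == INVISIBLE:
            state[f] = "hidden"
        elif authority == READ_ONLY or not data_editable:
            state[f] = "greyed"
        else:
            state[f] = "editable"
    return state


def target_page(function_allowed: bool, role_codes: List[str], fields: Iterable[str],
                enabled: Optional[bool] = None) -> Optional[Dict[str, str]]:
    """Field authority is evaluated only after the function authority check of S330
    has passed; without function authority there is no page to render."""
    if not function_allowed:
        return None
    return render_fields(role_codes, fields, enabled)
```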
Example four
Fig. 4 is a schematic structural diagram of an access control apparatus according to a fourth embodiment of the present disclosure. The embodiment of the disclosure is applicable to the situation that in a complex information system, system resources need to be carefully authorized on the premise of not causing authorization confusion. The apparatus may be implemented in software and/or hardware, and may be configured in a computer device. As shown in fig. 4, the apparatus may include:
a role determination module 410, configured to determine at least one role to which a target user belongs, where the target user is a user initiating a target function access request;
a function code determining module 420, configured to determine a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized;
a function page display module 430, configured to display a target function page corresponding to the target function if the second function code includes the first function code.
In the access control apparatus provided by this embodiment of the disclosure, the role determination module determines at least one role to which a target user belongs, the target user being the user who initiated the target function access request; the function code determining module determines a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized; and if the second function code includes the first function code, the function page display module displays the target function page corresponding to the target function. This overcomes the shortcomings of existing role-based access control models that authorize roles by URI, in which fine-grained authorization of system resources is hard to achieve and authorization confusion is easily caused, so that in a complex information system the system resources can be authorized more finely without causing authorization confusion.
Based on the foregoing technical solution, optionally, the access control apparatus may further include a role assignment module, configured to assign at least one role to each user before determining at least one role to which the target user belongs, where the role function types of the roles assigned to one user are the same, and the role function type is the type to which the functions for which the corresponding role is authorized belong.
On the basis of the foregoing technical solution, optionally, the access control apparatus may further include a field authority determining module, configured to determine, for each field on the target function page, each field authority corresponding to each role after the target function page corresponding to the target function is displayed if the second function code includes the first function code;
and in each field permission, taking the field permission with the highest priority as the permission of the target user to the corresponding field.
Based on the foregoing technical solution, optionally, the field permissions include invisible, read-only and read-write, where the priority of the field permissions from high to low is read-write, read-only, invisible.
Based on the foregoing technical solution, optionally, each field permission corresponds to a numeric identifier, and the larger the numeric identifier, the higher the priority of the field permission;
correspondingly, the field authority determination module may be specifically configured to: take, among the field permissions, the field permission with the largest numeric identifier as the target user's permission for the corresponding field.
On the basis of the above technical solution, optionally, the access control device may further include a function encoding module, configured to encode each function to obtain a function code corresponding to each function before determining a second function code corresponding to at least one function to which each role is authorized, where the function is a function to be subjected to authority control;
and authorizing each function code to a corresponding role so that the role corresponds to a corresponding second function code.
Based on the foregoing technical solution, optionally, the access control apparatus may further include a prompt page returning module, configured to return a prompt page indicating no access authority if the second function code does not include the first function code, after the first function code corresponding to the target function and the second function code corresponding to the functions for which the roles are authorized have been determined.
The access control apparatus provided by this embodiment of the disclosure can execute the access control method provided by the embodiments of the disclosure, and has the functional modules corresponding to that method and its beneficial effects.
Example five
Referring now to FIG. 5, shown is a block diagram of a computer device 500 suitable for use in implementing the fifth embodiment of the present disclosure. The computer device in the embodiments of the present disclosure may include, but is not limited to, devices such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (personal digital assistant), a PAD (tablet), a PMP (portable multimedia player), a vehicle terminal (e.g., a car navigation terminal), and the like. The computer device shown in fig. 5 is only an example and should not bring any limitation to the function and scope of use of the embodiments of the present disclosure.
As shown in fig. 5, computer device 500 may include a processing means (e.g., central processing unit, graphics processor, etc.) 501 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)502 or a program loaded from a storage means 506 into a Random Access Memory (RAM) 503. In the RAM 503, various programs and data necessary for the operation of the computer apparatus 500 are also stored. The processing device 501, the ROM 502, and the RAM 503 are connected to each other through a bus 504. An input/output (I/O) interface 505 is also connected to bus 504.
Generally, the following devices may be connected to the I/O interface 505: input devices 506 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 507 including, for example, a Liquid Crystal Display (LCD), speakers, vibrators, and the like; storage devices 506 including, for example, magnetic tape, hard disk, etc.; and a communication device 509. The communication means 509 may allow the computer device 500 to communicate with other devices wirelessly or by wire to exchange data. While fig. 5 illustrates a computer device 500 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to an embodiment of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication means 509, or installed from the storage means 506, or installed from the ROM 502. The computer program performs the above-described functions defined in the methods of the embodiments of the present disclosure when executed by the processing device 501.
It should be noted that the computer readable medium in the present disclosure can be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In contrast, in the present disclosure, a computer readable signal medium may comprise a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, the clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected with any form or medium of digital data communication (e.g., a communications network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the computer device; or may exist separately and not be incorporated into the computer device.
The computer readable medium carries one or more programs which, when executed by the computing device, cause the computing device to: determining at least one role to which a target user belongs, wherein the target user is a user initiating a target function access request; determining a first function code corresponding to a target function and a second function code corresponding to at least one function for which each role is authorized; and if the second function code comprises the first function code, displaying a target function page corresponding to the target function.
Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including but not limited to an object-oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods, apparatus, computer devices, and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules, units and sub-units described in the embodiments of the present disclosure may be implemented by software, or may be implemented by hardware. The name of a module, a unit or a sub-unit does not in some cases form a limitation of the module, the unit or the sub-unit, for example, the function code determining module may be further described as a module for determining a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized.
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), systems on a chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
According to one or more embodiments of the present disclosure, example one provides an access control method, including:
determining at least one role to which a target user belongs, wherein the target user is a user initiating a target function access request;
determining a first function code corresponding to a target function and a second function code corresponding to at least one function for which each role is authorized;
and if the second function code comprises the first function code, displaying a target function page corresponding to the target function.
According to one or more embodiments of the present disclosure, example two provides an access control method, and on the basis of the access control method of example one, before determining at least one role to which a target user belongs, the method further includes:
allocating at least one role to each user, where the role function types of the roles allocated to one user are the same, and the role function type is the type to which the functions for which the corresponding role is authorized belong.
According to one or more embodiments of the present disclosure, example three provides an access control method, and on the basis of the access control method of example one or example two, after displaying the target function page corresponding to the target function if the second function code includes the first function code, the method further includes:
determining each field authority corresponding to each role aiming at each field on the target function page;
and in each field permission, taking the field permission with the highest priority as the permission of the target user to the corresponding field.
According to one or more embodiments of the present disclosure, example four provides an access control method, and on the basis of the access control method of example three, the field permissions include invisible, read-only and read-write, where the priority of the field permissions from high to low is read-write, read-only, invisible.
According to one or more embodiments of the present disclosure, example five provides an access control method, and on the basis of the access control method of example four, each field permission corresponds to a numeric identifier, and the larger the numeric identifier, the higher the priority of the field permission;
correspondingly, taking the field permission with the highest priority among the field permissions as the target user's permission for the corresponding field includes the following step:
taking, among the field permissions, the field permission with the largest numeric identifier as the target user's permission for the corresponding field.
According to one or more embodiments of the present disclosure, example six provides an access control method, and on the basis of the access control method of example one or example two, before determining the second function code corresponding to at least one function for which each role is authorized, the method further includes:
coding each function to obtain a function code corresponding to each function, wherein the function is a function to be subjected to authority control;
and authorizing each function code to a corresponding role so that the role corresponds to a corresponding second function code.
According to one or more embodiments of the present disclosure, example seven provides an access control method, and on the basis of the access control method of example one or example two, after determining a first function code corresponding to a target function and a second function code corresponding to a function for which a role is authorized, the method further includes:
and if the second function code does not include the first function code, returning a prompt page indicating no access authority.
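Examples one, two, six and seven together describe one procedure: encode each permission-controlled function, authorize the codes to roles, assign roles of a single function type to each user, and on a request compare the target function's first code against the union of the roles' second codes, showing the page on a match and a no-access prompt page otherwise. The following added Python example implements that procedure end to end. It is not code from the patent or from the applicant; the function names, the function types "finance" and "logistics", the code format `<TYPE>-<NNN>`, the prompt page name, and the rule that a role may only be authorized for functions of its own type are assumptions of the example. Unknown functions and unknown users are denied, which the patent does not spell out but a fail-closed implementation should do.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed name of the prompt page returned when the target function is not authorized.
NO_ACCESS_PAGE = "no_access_prompt"


@dataclass
class Role:
    name: str
    function_type: str                                   # assumed type labels, e.g. "finance"
    function_codes: Set[str] = field(default_factory=set)  # the role's "second function codes"


class FunctionRegistry:
    """Step one of the patent's example six: encode each permission-controlled function.

    `functions` maps a function name to its function type. The code format
    "<TYPE>-<NNN>" is an assumption; the patent only requires that each function has a code.
    """

    def __init__(self, functions: Dict[str, str]) -> None:
        self.code_of: Dict[str, str] = {}        # function name -> function code
        self.type_of_code: Dict[str, str] = {}   # function code -> function type
        counters: Dict[str, int] = {}
        for name, ftype in sorted(functions.items()):
            counters[ftype] = counters.get(ftype, 0) + 1
            code = f"{ftype.upper()}-{counters[ftype]:03d}"
            self.code_of[name] = code
            self.type_of_code[code] = ftype


def authorize_role(role: Role, function_name: str, registry: FunctionRegistry) -> None:
    """Step two of example six: grant a function code to a role.

    Assumption: a role may only hold codes of its own function type, so that the
    'role function type' used when assigning roles stays well defined.
    """
    code = registry.code_of[function_name]
    if registry.type_of_code[code] != role.function_type:
        raise ValueError(f"{function_name} is not of type {role.function_type}")
    role.function_codes.add(code)


def assign_roles(user_roles: Dict[str, List[Role]], user: str, roles: List[Role]) -> None:
    """Example two: allocate roles to a user; all of them must share one function type."""
    if len({r.function_type for r in roles}) != 1:
        raise ValueError("a user's roles must all have the same function type")
    user_roles[user] = list(roles)


def assignment_accepted(user_roles: Dict[str, List[Role]], user: str, roles: List[Role]) -> bool:
    """True if assign_roles accepted the roles, False if it rejected mixed function types."""
    try:
        assign_roles(user_roles, user, roles)
        return True
    except ValueError:
        return False


def check_access(user: str, target_function: str, user_roles: Dict[str, List[Role]],
                 registry: FunctionRegistry) -> Tuple[bool, str]:
    """Examples one and seven: decide a target function access request.

    Returns (granted, page): the target function page on a match, otherwise the prompt page.
    """
    roles = user_roles.get(user, [])                       # unknown user -> no roles
    first_code = registry.code_of.get(target_function)
    if first_code is None:
        return False, NO_ACCESS_PAGE                       # unknown function: fail closed
    second_codes = set().union(*(r.function_codes for r in roles))
    if first_code in second_codes:
        return True, f"{target_function}_page"
    return False, NO_ACCESS_PAGE


def build_sample() -> Tuple[FunctionRegistry, Dict[str, List[Role]]]:
    """Constructed sample data: three functions, three roles, two users."""
    registry = FunctionRegistry({"order_query": "finance",
                                 "refund_approve": "finance",
                                 "shipment_track": "logistics"})
    clerk = Role("clerk", "finance")
    auditor = Role("auditor", "finance")
    dispatcher = Role("dispatcher", "logistics")
    authorize_role(clerk, "order_query", registry)
    authorize_role(auditor, "order_query", registry)
    authorize_role(auditor, "refund_approve", registry)
    authorize_role(dispatcher, "shipment_track", registry)
    user_roles: Dict[str, List[Role]] = {}
    assign_roles(user_roles, "alice", [clerk, auditor])
    assign_roles(user_roles, "bob", [dispatcher])
    return registry, user_roles


if __name__ == "__main__":
    reg, users = build_sample()
    for who, fn in [("alice", "refund_approve"), ("bob", "refund_approve"), ("carol", "order_query")]:
        print(who, fn, check_access(who, fn, users, reg))
```

Because the decision compares codes rather than URIs, the same check applies regardless of how a function is reached (page route, API endpoint, batch job), which is the point the patent makes against URI-based authorization; the corresponding obligation on the implementer is that every entry point to a function resolves to the same code before calling `check_access`.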
Example eight provides, in accordance with one or more embodiments of the present disclosure, an access control apparatus comprising:
the role determining module is used for determining at least one role to which a target user belongs, wherein the target user is a user initiating a target function access request;
the function code determining module is used for determining a first function code corresponding to a target function and a second function code corresponding to at least one function for which each role is authorized;
and the function page display module is used for displaying the target function page corresponding to the target function if the second function code comprises the first function code.
Example nine provides, in accordance with one or more embodiments of the present disclosure, a computer device comprising:
one or more processing devices;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processing devices, the one or more processing devices are caused to implement the access control method according to any one of examples one to seven.
Example ten provides, according to one or more embodiments of the present disclosure, a computer-readable storage medium having stored thereon a computer program that, when executed by a processor, implements an access control method as recited in any of examples one to seven.
The foregoing description is only exemplary of the preferred embodiments of the disclosure and illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the disclosure is not limited to the particular combination of features described above, but also encompasses other embodiments formed by any combination of the above features or their equivalents without departing from the spirit of the disclosure; for example, technical solutions formed by replacing the above features with (but not limited to) features disclosed in this disclosure that have similar functions.
Further, while operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order. Under certain circumstances, multitasking and parallel processing may be advantageous. Likewise, while several specific implementation details are included in the above discussion, these should not be construed as limitations on the scope of the disclosure. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (7)

1. An access control method, comprising:
determining at least one role to which a target user belongs, wherein the target user is a user initiating a target function access request;
determining a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized;
if the second function code comprises the first function code, displaying a target function page corresponding to the target function;
before determining at least one role to which the target user belongs, the method further includes:
allocating at least one role to each user, wherein the role function types corresponding to the roles of each user are the same, each user only processes services of one function type, and the role function type is the type to which the functions for which the corresponding role is authorized belong;
after the displaying the target function page corresponding to the target function if the second function code includes the first function code, the method further includes:
determining each field authority corresponding to each role aiming at each field on the target function page;
in each field authority, taking the field authority with the highest priority as the authority of the target user to the corresponding field;
the field authority corresponds to a numeric identifier, and the larger the numeric identifier is, the higher the priority of the field authority is;
correspondingly, taking the field permission with the highest priority among the field permissions as the permission of the target user for the corresponding field includes:
taking, among the field permissions, the field permission with the largest numeric identifier as the permission of the target user for the corresponding field.
2. The method of claim 1, wherein the field permissions include invisible, read-only, and read-write, and wherein the priority of the field permissions is from high to low for read-write, read-only, and invisible.
3. The method of claim 1, further comprising, before determining the second function code corresponding to the at least one function for which each role is authorized, the steps of:
coding each function to obtain a function code corresponding to each function, wherein the function is a function to be subjected to authority control;
and authorizing each function code to a corresponding role so that the role corresponds to a corresponding second function code.
4. The method of claim 1, wherein after the determining the first function code corresponding to the target function and the second function code corresponding to the authorized function, the method further comprises:
and if the second function code does not comprise the first function code, returning a prompt page without access authority.
5. An access control apparatus, comprising:
the role determination module is used for determining at least one role to which a target user belongs, wherein the target user is a user initiating a target function access request;
a function code determining module, configured to determine a first function code corresponding to the target function and a second function code corresponding to at least one function for which each role is authorized;
a function page display module, configured to display a target function page corresponding to the target function if the second function code includes the first function code;
a role assignment module, configured to assign at least one role to each user before determining at least one role to which the target user belongs, wherein the role function types corresponding to the roles of each user are the same, each user only processes services of one function type, and the role function type is the type to which the functions for which the corresponding role is authorized belong;
the field permission determining module is used for determining each field permission corresponding to each role aiming at each field on the target function page after the target function page corresponding to the target function is displayed if the second function code comprises the first function code;
in each field authority, taking the field authority with the highest priority as the authority of a target user to a corresponding field;
the field authority corresponds to a numeric identifier, and the larger the numeric identifier is, the higher the priority of the field authority is;
correspondingly, the field authority determination module may be specifically configured to: take, among the field permissions, the field permission with the largest numeric identifier as the permission of the target user for the corresponding field.
6. A computer device, characterized in that the computer device comprises:
one or more processing devices;
storage means for storing one or more programs;
wherein the one or more programs, when executed by the one or more processing devices, cause the one or more processing devices to implement the access control method of any of claims 1-4.
7. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the access control method according to any one of claims 1 to 4.
CN201910854940.XA 2019-09-10 2019-09-10 Access control method and device, computer equipment and storage medium Active CN110569667B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910854940.XA CN110569667B (en) 2019-09-10 2019-09-10 Access control method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN110569667A CN110569667A (en) 2019-12-13
CN110569667B true CN110569667B (en) 2022-03-15

Family

ID=68779080

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant