CN111680310B - Authority control method and device, electronic equipment and storage medium - Google Patents

Publication number
CN111680310B
Authority
CN
China
Prior art keywords
role
authority
authority information
identifier
user
Prior art date
Legal status
Active
Application number
CN202010457011.8A
Other languages
Chinese (zh)
Other versions
CN111680310A
Inventor
孟燃
Current Assignee
Taikang Asset Management Co ltd
Taikang Insurance Group Co Ltd
Original Assignee
Taikang Asset Management Co ltd
Taikang Insurance Group Co Ltd
Application filed by Taikang Asset Management Co ltd and Taikang Insurance Group Co Ltd
Priority to CN202010457011.8A
Publication of CN111680310A
Application granted
Publication of CN111680310B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The embodiments of the application provide a method and apparatus for controlling authority, an electronic device and a storage medium. The method comprises the following steps: when a service request aimed at a target service system is received, determining the service authority information required to process the service request, wherein the service request includes a target user identifier; determining the authority character string corresponding to the target user identifier; splitting the authority character string to obtain one or more role identifier sets; determining the role authority information set corresponding to each of the one or more role identifier sets; generating a user authority information set corresponding to the target user identifier from the role authority information sets of all the role identifier sets; and when the user authority information set is detected to match the service authority information, invoking the target service system to process the service request. The embodiments of the application realize authority control among a plurality of service systems in an integrated management information system, simplify the authority control process and improve authority control efficiency.

Description

Authority control method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method and apparatus for controlling rights, an electronic device, and a storage medium.
Background
ERP (Enterprise Resource Planning) is a management platform that is based on information technology, integrates information technology with advanced management ideas, and uses systematic management ideas to provide decision-making means for enterprise staff and decision-makers.
At present, ERP systems are used by many enterprises to realize integrated management of production, supply, marketing and finance, and the daily business processing of the personnel of each department is also carried out in the ERP system.
However, in an enterprise's ERP application, as the number of service systems and users grows, managing rights across the service systems becomes very complex and challenges the management of user rights. In the prior art, role-based rights control only defines various roles and the rights corresponding to them and then distributes roles to each user. This is difficult to apply where the service systems are complex, the users are numerous and the same user plays different roles in different systems, resulting in low management efficiency and a high error rate.
Disclosure of Invention
In view of the foregoing, a method and apparatus for controlling rights, an electronic device, a storage medium, and a computer program product are provided to overcome or at least partially solve the foregoing, including:
A method of rights control, the method being applied to an integrated management information system integrated with a plurality of business systems, the method comprising:
when a service request aimed at a target service system is received, determining the service authority information required to process the service request; wherein the service request includes a target user identifier;
determining the authority character string corresponding to the target user identifier; wherein the authority character string consists of one or more role identifier sets, and each role identifier set corresponds to a service system;
splitting the authority character string to obtain the one or more role identifier sets;
determining the role authority information set corresponding to each of the one or more role identifier sets;
generating a user authority information set corresponding to the target user identifier from the role authority information sets corresponding to all the role identifier sets;
and when the user authority information set is detected to match the service authority information, calling the target service system to process the service request.
Optionally, the step of splitting the authority character string to obtain one or more role identifier sets includes:
determining the separation character in the authority character string;
and splitting the authority character string according to the separation character to obtain the one or more role identifier sets.
Optionally, each role identifier set includes a plurality of role identifiers, and the step of determining the role authority information set corresponding to each of the one or more role identifier sets includes:
for each role identifier set, determining the first authority group identifiers corresponding to the plurality of role identifiers;
determining the authority information corresponding to the first authority group identifiers;
and generating the role authority information set corresponding to the role identifier set from the authority information corresponding to the first authority group identifiers.
Optionally, the step of determining the role authority information set corresponding to each of the one or more role identifier sets further includes:
judging, for each role identifier set, whether it contains role identifiers with a parent-child relationship;
if role identifiers with a parent-child relationship exist, determining the authority information corresponding to the child role identifier from the authority information corresponding to the parent role identifier; wherein the authority information corresponding to the child role identifier is a subset of the authority information corresponding to the parent role identifier;
and generating the role authority information set corresponding to the role identifier set from the authority information corresponding to the child role identifier.
Optionally, the step of determining the authority information corresponding to the child role identifier from the authority information corresponding to the parent role identifier includes:
determining the second authority group identifier corresponding to the parent role identifier;
determining the authority information corresponding to the second authority group identifier;
and determining the authority information corresponding to the child role identifier from the authority information corresponding to the second authority group identifier.
Optionally, the step of calling the target service system to process the service request when the user authority information set is detected to match the service authority information includes:
when the user authority information set is detected to match the service authority information, obtaining the user attribute information corresponding to the target user identifier;
and calling the target service system to process the service request according to the user attribute information.
Optionally, the step of calling the target service system to process the service request according to the user attribute information includes:
acquiring first data corresponding to the user authority information set from the target service system;
determining second data corresponding to the user attribute information from the first data;
and displaying the second data.
An apparatus for rights control, the apparatus being applied to an integrated management information system integrated with a plurality of business systems, the apparatus comprising:
a service authority information determining module, used for determining the service authority information required to process a service request aimed at a target service system when the service request is received; wherein the service request includes a target user identifier;
an authority character string determining module, used for determining the authority character string corresponding to the target user identifier; wherein the authority character string consists of one or more role identifier sets, and each role identifier set corresponds to a service system;
a role identifier set obtaining module, used for splitting the authority character string to obtain the one or more role identifier sets;
a role authority information set determining module, used for determining the role authority information set corresponding to each of the one or more role identifier sets;
a user authority information set generating module, used for generating a user authority information set corresponding to the target user identifier from the role authority information sets corresponding to all the role identifier sets;
and a service request processing module, used for calling the target service system to process the service request when the user authority information set is detected to match the service authority information.
An electronic device comprising a processor, a memory and a computer program stored on the memory and capable of running on the processor, which computer program, when executed by the processor, carries out the steps of the method of rights control as described above.
A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, which computer program, when being executed by a processor, implements the steps of the method of rights control as described above.
The embodiment of the application has the following advantages:
In the embodiments of the application, when a service request aimed at a target service system is received, the service authority information required to process the service request is determined; the service request includes a target user identifier, and the authority character string corresponding to the target user identifier is determined. The authority character string is composed of one or more role identifier sets, each corresponding to a service system; it is split to obtain the one or more role identifier sets, the role authority information set corresponding to each of them is determined, and the role authority information sets of all the role identifier sets are used to generate the user authority information set corresponding to the target user identifier. When the user authority information set is detected to match the service authority information, the target service system is called to process the service request. In this way, authority control among a plurality of service systems in an integrated management information system is realized, loose coupling among users, roles and authorities is kept, the authority control process is simplified, authority control efficiency is improved, and the error rate is reduced.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings that are needed in the description of the present application will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
FIG. 1 is a flow chart of steps of a method for controlling rights provided by an embodiment of the application;
FIG. 2 is a flow chart of steps of another method for controlling rights provided by an embodiment of the application;
FIG. 3 is a flow chart of steps of another method for controlling rights provided by an embodiment of the application;
FIG. 4 is a schematic structural diagram of an apparatus for controlling authority according to an embodiment of the present application.
Detailed Description
In order that the above-recited objects, features and advantages of the present application will become more readily apparent, a more particular description of the application will be rendered by reference to the appended drawings and appended detailed description. It will be apparent that the described embodiments are some, but not all, embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
In the technical field of data processing, ERP (Enterprise Resource Planning) applications suffer from low management efficiency and are prone to careless mistakes in situations where the business systems are complex, the users are numerous and users play different roles in different systems.
In an enterprise ERP application, a user in a given post may have different roles in different business systems, and thus the corresponding rights may also differ. For example, a product manager may have a local observer role in the personnel management system, with the right to query all data except payroll; no role at all in the financial management system, and therefore no authority there; and a local administrator role in fixed asset management, i.e. add, delete and query functions for the product and development department, and so forth. Allocating different role authorities to users in different posts across different business systems, and updating the user authorities as posts change, is complex work for ERP system administrators.
An ERP system can also set group authorities by group: ERP users are added to the corresponding groups and inherit the group authorities, so when the positions of enterprise personnel change, the user authorities do not need to be reset as long as the users are added to the corresponding groups. However, the granularity of this authority management is coarse, complete group authorities have to be set, and it is difficult to allocate different authorities to different users in detail.
To reduce the difficulty of expansion and modification, a user-role mapping table and a rights item information list are generated when the user rights are set; when an access request is received, the role name corresponding to the user name is obtained by querying the mapping table with the user name, and the content displayed to the user is then determined according to the rights item information list corresponding to that role name.
To improve authorization stability, the role type is used as an intermediary: resources are authorized to the role type and users are then added to the roles, avoiding direct authorization and revocation between users and resources; the human resource multi-level manager is used for hierarchical authorization of the role type, which reduces the workload of a single system manager and makes management easier.
To solve the problems of low management efficiency and frequent careless mistakes where the business systems are complex, the users are numerous and users play different roles in different systems, the application provides a method for controlling authority, which comprises the following specific steps:
referring to fig. 1, a flowchart illustrating steps of a method for controlling authority provided by an embodiment of the present application may be applied to an integrated management information system, where the integrated management information system is integrated with a plurality of service systems, such as an asset management system, and may specifically include the following steps:
Step 101, when a service request aiming at a target service system is received, determining service authority information required by processing the service request; wherein the service request includes a target user identifier;
as an example, the business request may include an asset management product viewing request and the business rights information may include asset management product viewing rights.
When a user needs to check related business of the target business system, the user can firstly send a business request to the integrated management information system, for example, when the user checks a product sales report in the asset management system, the user can firstly send an asset management product check request to the integrated management information system.
After receiving the service request, the integrated management information system may first determine service authority information required for processing the service request, e.g., after receiving an asset management product viewing request sent by a user, the integrated management information system may first obtain asset management product viewing authority required for processing the asset management product viewing request.
In an embodiment of the present application, before step 101, the method may further include the steps of:
receiving a login request; wherein the login request includes user login information; when the user login information passes the verification, returning a service system list; wherein the service system list includes a plurality of service system identifications.
Wherein the login information may be a character string or a character string combination indicating the identity of the user, for example, "asset management director" or "asset||human power";
the business system identification may include text or icons corresponding to business systems, which may be information corresponding to different business systems;
when the user needs to check the related business of the target business system, the user can log in the integrated management information system first, and specifically, log-in information, such as account information, and password information corresponding to the account information, can be sent to the integrated management information system first.
After receiving the login information sent by the user, the integrated management information system can check the login information, for example, when receiving the login information sent by the user, the integrated management information system searches whether the login information is prestored in the system, if the login information is prestored in the integrated management information system, the check is successful, and if the prestored login information cannot be found in the integrated management information system, the check fails.
After the integrated management information system checks the login information successfully, the network used by the user side can be checked, after the network used by the user side is checked successfully, a service system list can be returned to the user, the service system list comprises a plurality of service system identifiers, and the user can send service requests for different service systems by clicking the service system identifiers.
In the embodiment of the application, the user identity information and the information security in the integrated management information system can be ensured by verifying the login information of the user and the network used during login.
Step 102, determining the authority character string corresponding to the target user identifier; wherein the authority character string consists of one or more role identifier sets, and each role identifier set corresponds to a service system;
wherein the target user identifier may be character information associated with the user, such as "funding".
After determining the service authority information required to process the service request, the target user identifier can be extracted from the service request, so as to determine the authority character string corresponding to that target user identifier.
In an embodiment of the present application, before step 102, the method may further include the steps of:
and decrypting the authority character string.
After determining the authority character string corresponding to the target user identifier, it can be judged whether the authority character string is encrypted; if it is, the authority character string is decrypted. Specifically, the prestored certificate information and the encrypted authority character string can be sent to a computing unit, and the computing unit decrypts the authority character string according to the digital certificate sent to it to obtain the decrypted authority character string.
Step 103, splitting the authority character string to obtain one or more role identifier sets;
the role identifier sets may be identifier sets corresponding to different service systems. In the integrated management information system, users in different positions have different roles in the plurality of different service systems, and the resources or operations available to them also differ, so the corresponding rights differ as well. Therefore, the mapping relation between each post of the enterprise and the role identifier set of each service system can be predefined, and when a user is assigned rights, the roles corresponding to the user can be determined by querying the table storing the mapping relation with the user's post.
To increase efficiency, the mapping between a user and its corresponding one or more roles may be accomplished by setting a role identifier set, without requiring the user to be manually configured or assigned roles one by one. For example, a certain user's post may participate in asset management or customer service management, and the user's role name set may then be, for example, "asset_customer service". That is, each role corresponding to the user is concatenated into a character string, and the role names are separated by specific characters.
After determining the authority character string corresponding to the target user identifier, the authority character string may be split to obtain one or more role identifier sets, where each role identifier set corresponds to a service system; for example, "asset management__annuity||manpower" is split into "asset management__annuity" and "manpower", where "asset management__annuity" corresponds to the asset management service system and "manpower" corresponds to the manpower service system.
In an embodiment of the present application, step 103 may include the following sub-steps:
determining the separation character in the authority character string; and splitting the authority character string according to the separation character to obtain the one or more role identifier sets.
The separation character may be "||", a comma, or any predetermined character.
In a specific implementation, a preset separation character may be searched for in the authority character string, for example the preset separation character "||".
After determining the separation character, the authority character string is split at the positions of the separation character to obtain the one or more role identifier sets; for example, the separation character "||" is determined, the authority character string "asset management__annuity||manpower" is split, and the role identifier sets "asset management__annuity" and "manpower" are finally obtained.
Step 104, determining the role authority information set corresponding to each of the one or more role identifier sets;
after obtaining the one or more role identifier sets from the split, the role authority information set corresponding to each of them may be determined. For example, after obtaining the role identifier sets "asset management__annuity" and "manpower", the role authority information set corresponding to "asset management__annuity" is obtained as the asset management product authority information of the annuity channel, and the role authority information set corresponding to "manpower" is obtained as the manpower resource authority information.
Step 105, generating the user authority information set corresponding to the target user identifier from the role authority information sets corresponding to all the role identifier sets;
the user authority information set may be character information associated with authority, for example "asset management viewing authority".
After the role authority information sets corresponding to all the role identifier sets are acquired, they are merged together to generate the user authority information set corresponding to the target user identifier. For example, for a user whose role identifier sets are "asset management__annuity" and "manpower", the role authority information set corresponding to "asset management__annuity" is the authority information for asset management products sold through the annuity channel, and the role authority information set corresponding to "manpower" is the manpower resource authority information; the user authority information set for this user is therefore the authority information for asset management products sold through the annuity channel together with the manpower resource authority information.
Step 106, when the user authority information set is detected to match the service authority information, calling the target service system to process the service request.
After the user authority information set corresponding to the target user identifier is determined, it can be matched against the acquired service authority information. In practical application, it can be judged whether the user authority information set contains the service authority information; if it does, the match succeeds, and after a successful match the integrated management information system invokes the target service system to process the service request.
In an embodiment of the present application, step 106 may include the following sub-steps:
when the user authority information set is detected to be matched with the service authority information, user attribute information corresponding to the target user identifier is obtained; and calling the target service system to process the service request according to the user attribute information.
In the integrated management information system, a rights content management interface may be provided to configure specific rights content for specific personnel. Specifically, rights can be issued to individuals, and a general method is used in rights management, for example, the roles of the fund manager A and the role of the fund manager B are both fund managers, but the seen funds are different, so that more flexible configuration and display of contents are realized.
Specifically, when the user authority information set is detected to be matched with the service authority information, namely after authentication, user attribute information corresponding to the target user identifier, such as fund information which can be operated by a user, is acquired, and then the target service system can be called to process the service request according to the difference of the user attribute information, so that personalized processing for different users is realized.
In an embodiment of the present application, the step of calling the target service system to process the service request according to the user attribute information includes:
acquiring first data corresponding to the user authority information set from the target service system; determining second data corresponding to the user attribute information from the first data; and displaying the second data.
In a specific implementation, first data corresponding to the user authority information set can be obtained from the target service system, namely, first data of an authority group can be obtained, and then second data matched with the user can be screened out from the first data of the authority group according to different user attribute information of each user, so that the second data can be displayed for operation of the user.
In the embodiments of the application, when a service request aimed at a target service system is received, the service authority information required to process the service request is determined; the service request includes a target user identifier, and the authority character string corresponding to the target user identifier is determined. The authority character string is composed of one or more role identifier sets, each corresponding to a service system; it is split to obtain the one or more role identifier sets, the role authority information set corresponding to each of them is determined, and the role authority information sets of all the role identifier sets are used to generate the user authority information set corresponding to the target user identifier. When the user authority information set is detected to match the service authority information, the target service system is called to process the service request. In this way, authority control among a plurality of service systems in an integrated management information system is realized, loose coupling among users, roles and authorities is kept, the authority control process is simplified, authority control efficiency is improved, and the error rate is reduced.
Referring to fig. 2, a flowchart illustrating steps of another method for controlling authority according to an embodiment of the present application may specifically include the following steps:
Step 201, when a service request for a target service system is received, determining service authority information required for processing the service request; wherein the service request includes a target user identifier;
step 202, determining a permission character string corresponding to the target user identifier; the authority character string consists of one or more character identification sets, and each character identification set corresponds to a service system;
step 203, splitting the authority character string to obtain one or more character identification sets; wherein each character identification set comprises a plurality of character identifications;
step 204, for each role identification set, determining first authority group identifications corresponding to the plurality of role identifications respectively;
Since a user can belong to a plurality of authority groups and each authority group has a unique authority group identifier, for each role identifier set the plurality of role identifiers it contains can be determined, and then the authority group corresponding to each role identifier can be determined, thereby obtaining the first authority group identifiers.
Step 205, determining authority information corresponding to the first authority group identifier;
for each authority group, different authority information can be set, and after the first authority group identifier is determined, the authority information corresponding to the first authority group identifier can be determined.
Step 206, adopting the authority information corresponding to the first authority group identifier to generate a role authority information set corresponding to the role identifier set;
After the authority information corresponding to the first authority group identifier is determined, it may be used to generate the role authority information set corresponding to the role identifier set; that role authority information set may include the authority information corresponding to the first authority group identifier.
Step 207, using the role authority information sets corresponding to all the role identifier sets to generate a user authority information set corresponding to the target user identifier;
Step 208, when it is detected that the user authority information set matches the service authority information, calling the target service system to process the service request.
In the embodiment of the application, for each role identifier set the first authority group identifiers corresponding to the plurality of role identifiers are respectively determined, the authority information corresponding to the first authority group identifiers is determined, and that authority information is used to generate the role authority information set corresponding to the role identifier set. The same user can thus be assigned to a plurality of authority groups, and these authority groups can span systems, which improves the efficiency of authority management.
Referring to fig. 3, which shows a flowchart of the steps of another authority control method according to an embodiment of the present application, the method may specifically include the following steps:
Step 301, when a service request for a target service system is received, determining the service authority information required to process the service request; wherein the service request includes a target user identifier;
Step 302, determining an authority character string corresponding to the target user identifier; the authority character string consists of one or more role identifier sets, and each role identifier set corresponds to a service system;
Step 303, splitting the authority character string to obtain the one or more role identifier sets;
Step 304, for each role identifier set, judging whether role identifiers with a parent-child relationship exist;
When determining the role authority information set corresponding to a role identifier set, it can first be judged whether a parent-child relationship exists among the role identifiers in the set. The parent-child relationship can be judged through a preset relationship mapping: for example, if the role identifier set is 'resource management __ annuity' and a mapping between 'resource management' and 'annuity' is stored in the pre-stored parent-child relationship mapping table, then within the set 'resource management __ annuity' the role identifier 'resource management' is the parent of the role identifier 'annuity', i.e. the two have a parent-child relationship.
The set of role identifiers can include a basic role identifier and an authority group identifier. The authority group identifier can be the name of an authority group formed from a plurality of common authority identifiers, and a user who joins the authority group inherits the plurality of authority information items corresponding to it.
For example, the common authorities for asset management may be set as an authority group; when a user's post allows asset management, the identifier of the 'resource management' authority group is added to the user's role name, which establishes the mapping between the user and the plurality of authorities in the 'resource management' authority group.
In a specific implementation, a basic role identifier can be the parent class of all the child roles belonging to a service system, and different basic roles represent different sub-service systems. Basic roles are generally not directly related to each other: for example, role A is the basic role of a human resource system and role B is the basic role of an investment management system, all basic roles are in a parallel relation, one user can have a plurality of basic roles, and a basic role is generally designed to comprise all the rights of its subsystem.
Each basic role can be inherited by child roles. A child role is a refinement of its parent basic role, that is, the rights defined by the child role are a subset of the parent role's rights, and where rights information conflicts, the rights information corresponding to the child role prevails.
In the application, basic roles can be defined at each layer of each business system, for example, in a human resource management system basic role C is the page viewing authority, basic role D is the operation authority and role E is the report generation authority, and these basic roles can be combined according to business needs.
Step 305, if role identifiers with a parent-child relationship exist, determining the authority information corresponding to the child role identifier from the authority information corresponding to the parent role identifier; wherein the authority information corresponding to the child role identifier is a subset of the authority information corresponding to the parent role identifier;
When role identifiers with a parent-child relationship exist, the child role identifier and the parent role identifier in that relationship are determined. For example, if the role identifier set is "asset management __ annuity" and the pre-stored parent-child relationship mapping table records "asset management" as the parent of "annuity", then within the set "asset management __ annuity" the role identifier "asset management" is the parent role identifier of "annuity".
After the parent role identifier and the child role identifier are determined, the authority information corresponding to the parent role identifier can be determined, and the authority information corresponding to the child role identifier can then be determined within it, thereby realizing inheritance of authorities.
In an embodiment of the present application, step 305 may include the following sub-steps:
determining a second permission group identifier corresponding to the parent role identifier; determining authority information corresponding to the second authority group identifier; and determining the authority information corresponding to the sub-role identifier from the authority information corresponding to the second authority group identifier.
In a specific implementation, the second authority group identifier corresponding to the parent role identifier may be determined first, then the authority information corresponding to the second authority group identifier may be determined, and further the authority information corresponding to the child role identifier may be determined from the authority information corresponding to the second authority group identifier.
Step 306, using the authority information corresponding to the child role identifier to generate the role authority information set corresponding to the role identifier set;
Step 307, using the role authority information sets corresponding to all the role identifier sets to generate a user authority information set corresponding to the target user identifier;
Step 308, when it is detected that the user authority information set matches the service authority information, calling the target service system to process the service request.
In the embodiment of the application, for each role identifier set it is judged whether role identifiers with a parent-child relationship exist; if so, the authority information corresponding to the child role identifier is determined from the authority information corresponding to the parent role identifier and is used to generate the role authority information set corresponding to the role identifier set. Inheritance of authorities is thus realized, a user can acquire part of the authorities of a certain authority group, and the flexibility of authority control is improved.
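To make the flows of figs. 2 and 3 (and the attribute-based data filtering of the sub-steps above) concrete, the following is an added Python model, not code from the patent: it splits an authority character string into role identifier sets, resolves each role identifier to its authority group, applies the parent-child subset rule, unions the results into the user authority information set, checks that set against the service authority information and finally filters the target system's data by user attribute. The separator characters, the mapping tables, the permission names and the sample records are all constructed assumptions.

```python
# Added example modelling the patent's authority-control flow. Everything
# below (separators, tables, permission names, records) is constructed.

SET_SEPARATOR = ";"    # assumed separator between role identifier sets (one per service system)
ROLE_SEPARATOR = "__"  # taken from the page's "asset management __ annuity" example

# Constructed stand-ins for the pre-stored mappings the description refers to.
ROLE_TO_GROUP = {                       # role identifier -> authority group identifier
    "human resources": "grp_hr_base",
    "report": "grp_hr_report",
    "asset management": "grp_asset_base",
}
GROUP_PERMISSIONS = {                   # authority group identifier -> authority information
    "grp_hr_base": {"hr:view_page", "hr:operate"},
    "grp_hr_report": {"hr:generate_report"},
    "grp_asset_base": {"asset:view", "asset:trade", "asset:approve"},
}
PARENT_OF = {"annuity": "asset management"}   # parent-child relationship mapping: child -> parent
# Which of the parent's authorities each child role keeps. "asset:delete" is NOT
# held by the parent group, so the subset rule must drop it.
CHILD_SELECTION = {"annuity": {"asset:view", "asset:trade", "asset:delete"}}


def split_authority_string(authority_string):
    """Step 203 / claim 2: split on the separator into role identifier sets."""
    return [
        [role.strip() for role in part.split(ROLE_SEPARATOR) if role.strip()]
        for part in authority_string.split(SET_SEPARATOR)
        if part.strip()
    ]


def group_permissions(role_identifier):
    """Steps 204-205: role identifier -> authority group -> authority information.
    Unknown identifiers yield no authority at all (fail closed)."""
    group_id = ROLE_TO_GROUP.get(role_identifier)
    return set(GROUP_PERMISSIONS.get(group_id, set()))


def role_set_permissions(role_set):
    """Steps 304-306: if a parent-child pair is present, the set's authority is
    the child's selection restricted to the parent's group (a subset of the
    parent); otherwise each role contributes its own group's authority."""
    permissions = set()
    handled = set()
    for child in role_set:
        parent = PARENT_OF.get(child)
        if parent is not None and parent in role_set:
            parent_permissions = group_permissions(parent)  # "second authority group"
            permissions |= CHILD_SELECTION.get(child, set()) & parent_permissions
            handled.update((child, parent))
    for role in role_set:
        if role not in handled:
            permissions |= group_permissions(role)
    return permissions


def user_permissions(authority_string):
    """Step 207: union of every role identifier set's authority information."""
    permissions = set()
    for role_set in split_authority_string(authority_string):
        permissions |= role_set_permissions(role_set)
    return permissions


def is_authorized(authority_string, required_permissions):
    """Step 208: the user set matches when it covers every required authority."""
    return set(required_permissions) <= user_permissions(authority_string)


def filter_by_attributes(first_data, user_attributes):
    """Claim 6: keep only the records whose fields equal the user's attributes."""
    return [
        record for record in first_data
        if all(record.get(key) == value for key, value in user_attributes.items())
    ]


def handle_request(authority_string, required_permissions, first_data, user_attributes):
    """Deny (None) before touching the target system; otherwise return the second data."""
    if not is_authorized(authority_string, required_permissions):
        return None
    return filter_by_attributes(first_data, user_attributes)


# Constructed sample input: two role identifier sets, the second with a parent-child pair.
SAMPLE_AUTHORITY_STRING = "human resources__report;asset management __ annuity"
SAMPLE_RECORDS = [                      # constructed "first data" from the target system
    {"id": 1, "department": "annuity", "amount": 100},
    {"id": 2, "department": "equity", "amount": 250},
]

if __name__ == "__main__":
    print(sorted(user_permissions(SAMPLE_AUTHORITY_STRING)))
    print(handle_request(SAMPLE_AUTHORITY_STRING, {"asset:view"}, SAMPLE_RECORDS, {"department": "annuity"}))
```

The check worth noticing is the intersection in `role_set_permissions`: a child role can never be granted an authority its parent group lacks, which is the subset property the description relies on.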
It should be noted that, for simplicity of description, the method embodiments are shown as a series of acts, but it should be understood by those skilled in the art that the embodiments are not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the embodiments. Further, those skilled in the art will appreciate that the embodiments described in the specification are presently preferred embodiments, and that the acts are not necessarily required by the embodiments of the application.
Referring to fig. 4, there is shown a block diagram of an apparatus for controlling authority, which includes an integrated management information system integrated with a plurality of service systems, and includes the following modules:
a service authority information determining module 401, configured to determine, when a service request for a target service system is received, service authority information required for processing the service request; wherein the service request includes a target user identifier;
an authority character string determining module 402, configured to determine an authority character string corresponding to the target user identifier; the authority character string consists of one or more role identifier sets, and each role identifier set corresponds to a service system;
a role identifier set obtaining module 403, configured to split the authority character string to obtain the one or more role identifier sets;
a role authority information set determining module 404, configured to determine role authority information sets corresponding to the one or more role identification sets respectively;
a user authority information set generating module 405, configured to generate a user authority information set corresponding to the target user identifier by using the role authority information sets corresponding to all the role identifier sets;
and a service request processing module 406, configured to invoke the target service system to process the service request when it is detected that the set of user right information matches the service right information.
In an embodiment of the present application, the role identification set obtaining module 403 includes:
a separation character determining submodule, configured to determine separation characters in the authority character string;
and an authority character string splitting sub-module, configured to split the authority character string according to the separation characters to obtain the one or more role identifier sets.
In an embodiment of the present application, each role identifier set includes a plurality of role identifiers, and the role authority information set determining module 404 includes:
a first authority group identifier determining submodule, configured to determine, for each role identifier set, the first authority group identifiers corresponding to the plurality of role identifiers respectively;
the first permission group identification permission determination submodule is used for determining permission information corresponding to the first permission group identification;
and the permission generation sub-module is used for generating a role permission information set corresponding to the role identification set by adopting the permission information corresponding to the first permission group identification.
In an embodiment of the present application, the role authority information set determining module 404 further includes:
the father-son relationship judging submodule is used for judging whether the role identifier with the father-son relationship exists for each role identifier set;
the child role identification authority determination submodule is used for determining authority information corresponding to the child role identification from authority information corresponding to the parent role identification if the role identification with the parent-child relationship exists; wherein, the authority information corresponding to the child role identifier is a subset of the authority information corresponding to the parent role identifier;
and the sub-role identification permission generation sub-module is used for generating a role permission information set corresponding to the role identification set by adopting permission information corresponding to the sub-role identification.
In an embodiment of the present application, the sub-role identification authority determining sub-module includes:
the second permission group identification determining unit is used for determining a second permission group identification corresponding to the father role identification;
the second authority group identification authority determining unit is used for determining authority information corresponding to the second authority group identification;
and an authority determining unit, configured to determine the authority information corresponding to the sub-role identifier from the authority information corresponding to the second authority group identifier.
In one embodiment of the present application, the service request processing module 406 includes:
the user attribute information acquisition sub-module is used for acquiring user attribute information corresponding to the target user identifier when the user authority information set is detected to be matched with the service authority information;
and the processing sub-module is used for calling the target service system to process the service request according to the user attribute information.
In one embodiment of the present application, the processing sub-module includes:
a first data acquisition unit, configured to acquire first data corresponding to the user authority information set from the target service system;
a second data determining unit, configured to determine second data corresponding to the user attribute information from the first data;
and the second data display unit is used for displaying the second data.
In the embodiment of the application, when a service request for a target service system is received, the service authority information required to process the service request is determined, the service request including a target user identifier; an authority character string corresponding to the target user identifier is determined, the authority character string being composed of one or more role identifier sets, each role identifier set corresponding to a service system; the authority character string is split to obtain the one or more role identifier sets; the role authority information sets corresponding to the one or more role identifier sets are respectively determined; the role authority information sets corresponding to all the role identifier sets are used to generate a user authority information set corresponding to the target user identifier; and when it is detected that the user authority information set matches the service authority information, the target service system is called to process the service request. In this way, authority control across a plurality of service systems in an integrated management information system is realized, loose coupling among users, roles and authorities is kept, the authority control process is simplified, authority control efficiency is improved and the error rate is reduced.
An embodiment of the present application also provides an electronic device, which may include a processor, a memory, and a computer program stored on the memory and capable of running on the processor, the computer program implementing the steps of the method of rights control as described above when executed by the processor.
An embodiment of the application also provides a computer-readable storage medium on which a computer program is stored which, when executed by a processor, implements the steps of the method of rights control as described above.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described by differences from other embodiments, and identical and similar parts between the embodiments are all enough to be referred to each other.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the application.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or terminal device comprising the element.
The above detailed description of a method and apparatus for controlling authority, electronic device, and storage medium applies specific examples to illustrate the principles and embodiments of the present application, where the above examples are only used to help understand the method and core idea of the present application; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (9)

1. A method of rights control, the method being applied to an integrated management information system integrated with a plurality of business systems, the method comprising:
when a service request aiming at a target service system is received, determining service authority information required by processing the service request; wherein the service request includes a target user identifier;
determining an authority character string corresponding to the target user identifier; the authority character string consists of one or more role identifier sets, and each role identifier set corresponds to a service system;
splitting the authority character string to obtain the one or more role identifier sets;
respectively determining role authority information sets corresponding to the one or more role identifier sets;
generating a user authority information set corresponding to the target user identifier by using the role authority information sets corresponding to all the role identifier sets;
when the user authority information set is detected to be matched with the service authority information, the target service system is called to process the service request;
and the step of calling the target service system to process the service request when the user authority information set is detected to match the service authority information comprises:
when the user authority information set is detected to be matched with the service authority information, user attribute information corresponding to the target user identifier is obtained;
and calling the target service system to process the service request according to the user attribute information.
2. The method of claim 1, wherein the step of splitting the authority character string to obtain one or more role identifier sets comprises:
determining separation characters in the authority character string;
and splitting the authority character string according to the separation characters to obtain the one or more role identifier sets.
3. The method of claim 2, wherein each set of role identifications includes a plurality of role identifications, and wherein the step of separately determining the sets of role authority information corresponding to the one or more sets of role identifications includes:
for each role identification set, respectively determining first authority group identifications corresponding to a plurality of role identifications;
determining authority information corresponding to the first authority group identifier;
and generating a role authority information set corresponding to the role identification set by adopting the authority information corresponding to the first authority group identification.
4. A method according to claim 2 or 3, wherein the step of determining the sets of role authority information corresponding to the one or more sets of role identities, respectively, further comprises:
for each role identifier set, judging whether role identifiers with a parent-child relationship exist;
if role identifiers with a parent-child relationship exist, determining the authority information corresponding to the child role identifier from the authority information corresponding to the parent role identifier; wherein the authority information corresponding to the child role identifier is a subset of the authority information corresponding to the parent role identifier;
and generating a role authority information set corresponding to the role identifier set by using the authority information corresponding to the child role identifier.
5. The method of claim 4, wherein the step of determining the authority information corresponding to the child role identifier from the authority information corresponding to the parent role identifier comprises:
determining a second permission group identifier corresponding to the parent role identifier;
determining authority information corresponding to the second authority group identifier;
and determining the authority information corresponding to the sub-role identifier from the authority information corresponding to the second authority group identifier.
6. The method of claim 5, wherein the step of invoking the target service system to process the service request based on the user attribute information comprises:
acquiring first data corresponding to the user right information set from the target service system;
determining second data corresponding to the user attribute information from the first data;
and displaying the second data.
7. An apparatus for rights control, the apparatus comprising an integrated management information system integrated with a plurality of business systems, the apparatus comprising:
a service authority information determining module, configured to determine, when a service request for a target service system is received, the service authority information required to process the service request; wherein the service request includes a target user identifier;
an authority character string determining module, configured to determine an authority character string corresponding to the target user identifier; the authority character string consists of one or more role identifier sets, and each role identifier set corresponds to a service system;
the role identification set obtaining module is used for splitting the authority character string to obtain one or more role identification sets;
the role authority information set determining module is used for respectively determining role authority information sets corresponding to the one or more role identification sets;
the user authority information set generation module is used for generating a user authority information set corresponding to the target user identifier by adopting the role authority information sets corresponding to all the role identifier sets;
the service request processing module is used for calling the target service system to process the service request when the user authority information set is detected to be matched with the service authority information;
the service request processing module comprises:
a user attribute information acquisition sub-module, configured to acquire user attribute information corresponding to the target user identifier when the user authority information set is detected to match the service authority information;
and the user attribute information processing sub-module is used for calling the target service system to process the service request according to the user attribute information.
8. An electronic device comprising a processor, a memory and a computer program stored on the memory and capable of running on the processor, which when executed by the processor performs the steps of the method of rights control according to any of claims 1 to 6.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program which, when executed by a processor, implements the steps of the method of rights control according to any of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010457011.8A CN111680310B (en) 2020-05-26 2020-05-26 Authority control method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010457011.8A CN111680310B (en) 2020-05-26 2020-05-26 Authority control method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN111680310A CN111680310A (en) 2020-09-18
CN111680310B true CN111680310B (en) 2023-08-25

Family

ID=72453900

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010457011.8A Active CN111680310B (en) 2020-05-26 2020-05-26 Authority control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN111680310B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN112615872B (en) * | 2020-12-22 | 2022-02-22 | 广州技象科技有限公司 | Internet of things node security management method, device, equipment and storage medium
CN112635034A (en) * | 2020-12-30 | 2021-04-09 | 微医云(杭州)控股有限公司 | Service authority system, authority distribution method, electronic device and storage medium
CN115640605A (en) * | 2022-10-19 | 2023-01-24 | 中电金信软件有限公司 | Authority management method for financial institution
CN117056885A (en) * | 2023-07-21 | 2023-11-14 | 广州盈风网络科技有限公司 | User permission determination method, device, equipment and storage medium

Citations (11)

Publication number | Priority date | Publication date | Assignee | Title
KR20100053402A (en) * | 2008-11-11 | 2010-05-20 | (주)티아이스퀘어 | Method and apparatus for structuralize keyword string and searching keyword string
CN104519072A (en) * | 2015-01-14 | 2015-04-15 | 浪潮(北京)电子信息产业有限公司 | Authority control method and device
CN105303084A (en) * | 2015-09-24 | 2016-02-03 | 北京奇虎科技有限公司 | Privilege management system and method
CN109670768A (en) * | 2018-09-27 | 2019-04-23 | 深圳壹账通智能科技有限公司 | Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain
CN110457629A (en) * | 2019-07-19 | 2019-11-15 | 口碑(上海)信息技术有限公司 | Permission processing, authority control method and device
CN110472111A (en) * | 2019-08-08 | 2019-11-19 | 广州城市信息研究所有限公司 | Rights management, user right inquiry and resource information authorization method
CN110516452A (en) * | 2019-08-07 | 2019-11-29 | 浙江大搜车软件技术有限公司 | RBAC access authorization for resource distribution method, device, electronic equipment and storage medium
CN110727929A (en) * | 2019-10-12 | 2020-01-24 | 北京明略软件系统有限公司 | AOP-based line-level authority control method, device and client
CN110750780A (en) * | 2019-10-16 | 2020-02-04 | 北京微星优财网络科技有限公司 | User role permission fusion method, device and equipment based on multi-service system
CN110909373A (en) * | 2018-09-18 | 2020-03-24 | 阿里巴巴集团控股有限公司 | Access control method, device, system and storage medium
CN111104652A (en) * | 2019-10-17 | 2020-05-05 | 贝壳技术有限公司 | Authority management method and device, computer readable storage medium and electronic equipment

Family Cites Families (1)

Publication number | Priority date | Publication date | Assignee | Title
US20140172849A1 (en) * | 2012-12-13 | 2014-06-19 | Microsoft Corporation | Facilitating personas in communication exchange environments

Non-Patent Citations (1)

Title
Design and Implementation of the RBAC Model in a Management System; Lan Yang; You Lei; Journal of Xinyang Agricultural College (Issue 4); full text *

Also Published As

Publication number Publication date
CN111680310A (en) 2020-09-18

Similar Documents

Publication Publication Date Title
CN111680310B (en) Authority control method and device, electronic equipment and storage medium
US7827598B2 (en) Grouped access control list actions
KR101486613B1 (en) Transferable restricted security tokens
US9805209B2 (en) Systems and methodologies for managing document access permissions
CN108351771B (en) Maintaining control over restricted data during deployment to a cloud computing environment
US8204949B1 (en) Email enabled project management applications
US11914687B2 (en) Controlling access to computer resources
WO2001082092A1 (en) Secure system access
US9769159B2 (en) Cookie optimization
US20230306138A1 (en) Charter-based access controls for managing computer resources
WO2021164459A1 (en) Identity verification method and apparatus, computer device, and readable storage medium
US8522323B1 (en) System and method for obtaining identities
CN112100585A (en) Authority management method, device and storage medium
US8763158B2 (en) Directory service distributed product activation
CN111062028A (en) Authority management method and device, storage medium and electronic equipment
US20030195759A1 (en) Computer assisted contracting of application services
CN116438778A (en) Persistent source value of assumed alternate identity
US20230077995A1 (en) Application Programming Interface (API) Automation Framework
Huawei Technologies Co., Ltd. Database Security Fundamentals
Ambika Fortifying Cloud Storage Using Hash Code
Guerrero et al. Security model in XSA
Wegelin et al. SAP Interface Programming
Buecker et al. Integrating ibm security and sap solutions
CN117708223A (en) Visual management method for super-fusion of big data
Lee et al. Development of a User Management Module for Internet TV Systems

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant