CN111984936B - Authorization distribution method, device, server and storage medium - Google Patents


Info

Publication number
CN111984936B
Authority
CN
China
Prior art keywords
organization
authorization
authorized user
user number
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910435895.4A
Other languages
Chinese (zh)
Other versions
CN111984936A (en)
Inventor
欧岳
王远
陈丽玲
万林佳
王俊山
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN201910435895.4A
Publication of CN111984936A
Application granted
Publication of CN111984936B

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/105: Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • G06F21/101: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities
    • G06F21/1015: Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities to users
    • G06F21/12: Protecting executable software
    • G06F21/121: Restricting unauthorised execution of programs

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The embodiment of the invention discloses an authorization distribution method, an authorization distribution device, a server and a storage medium, and belongs to the technical field of Internet. The method comprises the following steps: receiving a second creation instruction in a network service environment of the first organization; creating a network service environment of a second organization in the target operating environment; and according to the authorized user number configuration instruction, configuring a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorized information of the first organization. A part of authorized users of the first organization can be configured to the second organization, so that flexible allocation or transfer of the authorized users is realized, and software services provided by application software are more diversified.

Description

Authorization distribution method, device, server and storage medium
Technical Field
The present invention relates to the field of internet technologies, and in particular, to an authorization allocation method, an authorization allocation device, a server, and a storage medium.
Background
Private deployment means that the server side, the management background and the database of the application software are packaged into a complete system and delivered to a user for use. The privately deployed system can be installed on a server designated by the user, so that the enterprise keeps control of its own data.
Currently, after purchasing a software service of application software, a user receives an authorization file, and when using the software service, the authorization file is imported into a server designated by the user to obtain authorization information. The authorization information may include an authorized user identifier, an authorized user number, etc., and the user terminal may use the software service based on the authorization information after acquiring the authorization information.
When an enterprise user purchases a software service of application software, the enterprise user may purchase a certain number of authorized users. Since the authorization information is bound to the enterprise identity, only employees of that enterprise can use the application software. If the enterprise has multiple sub-enterprises, employees of the sub-enterprises cannot use the application software, and each sub-enterprise has to purchase separately. The service provided by this authorization mode is limited to a single form and does not meet the requirements of current enterprises.
Disclosure of Invention
The embodiment of the invention provides an authorization distribution method, an authorization distribution device, a server and a storage medium, which solve the problem in the related art that the authorization service is limited to a single form. The technical scheme is as follows:
in one aspect, there is provided an authorization allocation method, the method comprising:
receiving a second creation instruction in a network service environment of the first organization;
creating a network service environment of a second organization in the target operating environment;
and according to the authorized user number configuration instruction, configuring a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorized information of the first organization.
In yet another aspect, there is provided an authorization distribution device, the device comprising:
the receiving module is used for receiving a second creation instruction in the network service environment of the first organization;
the creation module is used for creating a network service environment of the second organization in the target running environment;
the configuration module is used for configuring a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorization information of the first organization according to the authorized user number configuration instruction.
In one possible implementation, the configuration module includes:
the receiving unit is used for receiving the configuration instruction of the authorized user number, wherein the configuration instruction carries the second authorized user number;
the configuration unit is configured to configure the second authorized user number for the network service environment of the second organization when the second authorized user number is not greater than the available authorized user number of the first organization, where the available authorized user number is a difference between the first authorized user number and the used authorized user number of the first organization.
In one possible implementation, the apparatus further includes:
the first acquisition module is used for acquiring the organization identification of the second organization to be created;
the sending module is used for sending an association relationship verification request to the target server, wherein the association relationship verification request carries the organization identifier of the second organization, and the association relationship verification request is used for verifying whether the second organization is associated with the first organization;
and the execution module is used for executing the step of creating the network service environment of the second organization in the target running environment when receiving the verification passing message.
In one possible implementation, the apparatus further includes:
the creation module is further configured to create, in a first operating environment, a network service environment of the first organization according to the received first creation instruction;
the second acquisition module is used for acquiring the authorization information of the first organization from the target server according to the received activation instruction, wherein the authorization information at least comprises the first authorized user number.
In one possible implementation manner, the second obtaining module includes:
the decryption unit is used for decrypting the authorization file according to the received import instruction to obtain a decrypted authorization file;
the sending unit is used for sending an authorization file verification request to the target server according to the received sending instruction, wherein the authorization file verification request carries the decrypted authorization file;
and the receiving unit is used for receiving the authorization information returned by the target server when the verification passes.
In one possible implementation, the apparatus further includes:
the generation module is used for generating ordering information based on the content of the current ordering page according to the received ordering command;
the sending module is further configured to send the subscription information to the target server, where the subscription information at least includes architecture information of the first organization and the first authorized user number.
In one possible implementation, the apparatus further includes:
the first obtaining module is further configured to obtain, when an organization information entry instruction is received, organization information of at least one organization, where the organization information at least includes an organization identifier of the at least one organization.
In one possible implementation manner, the configuration module is further configured to configure, according to a valid duration configuration instruction, a second valid duration for the network service environment of the second organization based on a first valid duration in the authorization information of the first organization;
the configuration module is further configured to configure, according to an authorization function configuration instruction, a second authorization function for the network service environment of the second organization based on the first authorization function in the authorization information of the first organization.
In yet another aspect, a server is provided, the server including a processor and a memory having at least one instruction stored therein, the instruction being loaded and executed by the processor to perform the operations performed in the authorization allocation method.
In yet another aspect, a computer-readable storage medium is provided, having stored therein at least one instruction that is loaded and executed by one or more processors to implement the operations performed in the authorization allocation method.
The technical scheme provided by the embodiment of the invention has the beneficial effects that at least:
By creating the second organization in the target operating environment, the authorization distribution method, device, server and storage medium provided by the embodiment of the invention make it possible to manage a plurality of organizations, such as the first organization and the second organization, simultaneously within one system operating environment, which better fits the management mode of current enterprises or government departments. In addition, a part of the authorized users of the first organization can be configured to the second organization, so that flexible allocation or transfer of the authorized users is realized, and the software services provided by the application software are more diversified.
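The check performed by the configuration unit described above (the second authorized user number must not exceed the first organization's available authorized user number) is sketched below in Go as an added example; it is not code from the patent or from its assignee. The type, function and error names are hypothetical, and the example assumes that seats already configured for other second organizations count against the available number, which the text does not spell out.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Error names are illustrative; the patent only describes the conditions.
var (
	ErrInvalidCount  = errors.New("authorized user number must be positive")
	ErrNotAssociated = errors.New("second organization not associated with first organization")
	ErrExceedsQuota  = errors.New("exceeds available authorized user number")
)

// Ledger holds the first organization's authorization state.
type Ledger struct {
	mu         sync.Mutex
	first      int             // first authorized user number (from the authorization information)
	used       int             // seats used by the first organization's own members
	allocated  map[string]int  // second authorized user number per second organization
	associated map[string]bool // organizations that passed association verification
}

func NewLedger(first, used int, associatedOrgs []string) *Ledger {
	l := &Ledger{first: first, used: used,
		allocated: map[string]int{}, associated: map[string]bool{}}
	for _, id := range associatedOrgs {
		l.associated[id] = true
	}
	return l
}

// availableLocked = first - used - seats already configured for second
// organizations (assumption: configured seats count as used). Caller holds mu.
func (l *Ledger) availableLocked() int {
	n := l.first - l.used
	for _, s := range l.allocated {
		n -= s
	}
	return n
}

// Available returns the available authorized user number.
func (l *Ledger) Available() int {
	l.mu.Lock()
	defer l.mu.Unlock()
	return l.availableLocked()
}

// Allocate configures n seats for orgID. The comparison and the update happen
// under one lock, so two concurrent requests cannot both pass the check.
func (l *Ledger) Allocate(orgID string, n int) error {
	if n <= 0 { // a negative value would otherwise enlarge the parent's pool
		return ErrInvalidCount
	}
	l.mu.Lock()
	defer l.mu.Unlock()
	if !l.associated[orgID] {
		return ErrNotAssociated
	}
	// Re-configuring an organization replaces its earlier value.
	budget := l.availableLocked() + l.allocated[orgID]
	if n > budget {
		return ErrExceedsQuota
	}
	l.allocated[orgID] = n
	return nil
}

// AllocateConcurrently sends one request per organization at the same time
// and returns how many were granted.
func AllocateConcurrently(l *Ledger, orgIDs []string, n int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	granted := 0
	for _, id := range orgIDs {
		wg.Add(1)
		go func(id string) {
			defer wg.Done()
			if l.Allocate(id, n) == nil {
				mu.Lock()
				granted++
				mu.Unlock()
			}
		}(id)
	}
	wg.Wait()
	return granted
}

func main() {
	l := NewLedger(100, 40, []string{"sub-a", "sub-b"}) // constructed sample values
	fmt.Println(l.Allocate("sub-a", 50), l.Available())
	fmt.Println(l.Allocate("sub-b", 20)) // only 10 seats remain
	fmt.Println(l.Allocate("sub-x", 5))  // never verified as associated
}
```

Holding one lock across the comparison and the write is what keeps simultaneous configuration instructions from over-allocating the first organization's seats.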
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic illustration of an implementation environment provided by an embodiment of the present invention;
FIG. 2 is a flowchart of a method for obtaining authorization information according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for generating an authorization file according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an interface for importing an authorization document according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of an interface for sending an authorization sequence number according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of an activation completion interface provided by an embodiment of the present invention;
FIG. 7 is a flowchart of a method for obtaining authorization information according to an embodiment of the present invention;
FIG. 8 is a flowchart of an authorization allocation method according to an embodiment of the present invention;
FIG. 9 is a flowchart of an authorization allocation method according to an embodiment of the present invention;
FIG. 10 is a flowchart of another authorization allocation method provided by an embodiment of the present invention;
FIG. 11 is a schematic diagram of an authorization assignment failure interface provided by an embodiment of the present invention;
FIG. 12 is a schematic diagram of a batch modification authorized user interface provided by an embodiment of the present invention;
FIG. 13 is a flowchart of an authorization allocation method according to an embodiment of the present invention;
FIG. 14 is a flowchart of an authorization allocation method according to an embodiment of the present invention;
FIG. 15 is a schematic structural diagram of an authorization distribution device according to an embodiment of the present invention;
FIG. 16 is a schematic diagram of another authorization distribution device according to an embodiment of the present invention;
FIG. 17 is a schematic structural diagram of a server according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the embodiments of the present invention will be described in further detail with reference to the accompanying drawings.
Fig. 1 is a schematic diagram of an implementation environment provided by an embodiment of the present invention, and referring to fig. 1, the implementation environment includes a plurality of computer devices 101, a server 102, and a target server 103.
The server 102 may be a local server deployed within an enterprise or a server deployed outside the enterprise. The server 102 may provide a network service environment for the plurality of computer devices 101, through which functions such as user login, data entry, data management and data interaction are provided. Different authorization rights may also be set for users in the network service environment, so that each user can use the network services covered by his or her authorization rights.
The target server 103 may be a server having a verification function, and the target server 103 may verify an authorization file of the enterprise, verify whether the authorization of the enterprise is legal, and send authorization information to the server 102 of the enterprise when the authorization of the enterprise is legal.
The plurality of computer devices 101 may log in to the server through web access, so as to perform operations within their corresponding authority in the network service environment.
It should be noted that, the above network service environment may be in the form of a domain name, that is, a domain name space is allocated to a certain enterprise, so that when a user uses the network service environment, the user may access the domain name through a browser to enter the network service environment. The network service environment may also take the form of an application program, i.e., an application program may be installed on a computer device through which the network service environment is accessed.
Based on different demands of clients, deployment modes adopted by the operation environments corresponding to the network service environments can also be different, and the following description describes several deployment modes:
Private deployment: similar to the traditional on-premises software deployment mode, the database, the files and the management background are all installed on the user's own server, and the user maintains the server. Through private deployment, the user can obtain all data generated by the application and keeps that data in his or her own hands, which makes it more convenient for the user to compile statistics.
SaaS (Software-as-a-Service) deployment: the software is provided over the Internet. The manufacturer uniformly deploys the application software on its own servers, so that SaaS mainly provides management and data of the application program. The user can purchase the required software service from the manufacturer through the Internet according to actual demand, and obtain the service provided by the manufacturer through the Internet. The SaaS deployment also provides a management background for the user, where the user manages the application.
Hybrid deployment: the user can privately deploy the relatively core or important systems and perform cloud deployment for other systems, wherein SaaS deployment is a form of cloud deployment. For example, an enterprise may privately deploy its own core systems, such as financial systems, and cloud-deploy other systems, such as logistics systems, customer service systems, and the like.
It should be noted that, in any deployment mode, the solution provided by the embodiment of the present invention is applicable. In addition to the above scenario, the method provided by the embodiment of the present invention may also be applied to other deployment scenarios, which is not limited by the embodiment of the present invention.
FIG. 2 is a flowchart of a method for obtaining authorization information according to an embodiment of the present invention, which illustrates the process by which the server obtains authorization information through interaction with the target server. Referring to FIG. 2, the method includes:
201. The target server obtains subscription information.
Wherein the subscription information may include at least one of an authorized user number, an authorized type, or an authorized function.
A producer of application software may provide various types of software services for the user to choose from when selling the software services. The types of software services can be distinguished by authorization type, authorization function and the like. The authorization types can include monthly lease, quarterly lease, annual lease, buyout and the like; the authorization functions can include each function of the application software, and a user can select one or more functions to purchase. When the subscription information includes the authorization type, the authorization type may be represented by a specific type such as monthly lease or quarterly lease, or by a specific duration such as 30 days or 90 days.
The user may purchase the software service of the application software online or offline, wherein the user may be a manager of the first organization or any member of the first organization. The embodiment of the disclosure does not limit the specific purchasing mode of the user. The user can select the authorization type and the authorization function which meet the requirement of the user, and the user can select the corresponding authorized user number based on the number of the members of the first organization. The number of authorized users indicates the number of users capable of using the software service, and the number of authorized users selected by the user can be any number customized by the user or one of a plurality of numbers provided by a producer of the application software. The authorization type indicates a term during which the software service can be used, and the authorization function indicates a software function that can be used.
In addition, the subscription information is used to generate the authorization information of the first organization, so the subscription information may further include information related to the first organization. In one possible implementation, the subscription information may further include at least one of first organization information or user information. The first organization information may be an organization identifier of the first organization, that is, an identifier capable of uniquely determining the organization, such as the organization name or the ID (Identity) of the first organization. The first organization information may also be architecture information of the first organization, which may include at least one of an organization identifier of another organization related to the first organization or an association relationship between the first organization and the other organization; the association relationship may indicate a hierarchical relationship or a cooperative relationship between the organizations. The user information may be contact information of the user, which is used to obtain the corresponding authorization file. The contact information may include at least one of a telephone number or a mailbox address of the user, so that after generating the authorization file the target server sends it to the user based on that contact information.
After obtaining the subscription information, the subscription information may be sent to the target server. In one possible implementation, on any device, the device generates subscription information based on the content of the current subscription page according to the received subscription instruction, and sends the subscription information to the target server. Any one of the devices may be a device used by the user to make a purchase when the user purchases in an online manner, and may be a device used by a producer of the application software when the user purchases in an offline manner.
202. The target server verifies the subscription information.
The target server can be provided with an audit condition, and the subscription information passes the audit only when it meets the audit condition. Accordingly, in one possible implementation, the method may further include: the CRM (Customer Relationship Management) system of the target server acquires the subscription information of the user and checks the user IP (Internet Protocol) in the subscription information to determine whether the user IP is abnormal; when the user IP is a normal IP, the subscription information is confirmed to pass the check. In this implementation, verifying the IP of the user avoids attacks from some malicious IPs and enhances network security.
In another possible implementation, the method may further include: the CRM system audits the user information filled in by the user, determines whether the user information is fake information, and determines that the subscription information passes the audit when the user information is not fake information. For example, the user information filled in by the user is the name of the organization, the location of the organization, etc.; the CRM system retrieves the corresponding information from the database and verifies whether the user information is identical to the retrieved information, and when it is identical, the user information is determined not to be fake information. Auditing the user information prevents the user from filling in false information, and also prevents the problem that the subsequent authorization file cannot be used because the user entered wrong information by mistake.
It should be noted that the embodiment of the present invention only illustrates several audit conditions for auditing the subscription information. The subscription information may also be audited based on other conditions, such as whether the subscription information is complete, and the audit conditions are not limited in the embodiment of the present invention. In addition, the audit conditions shown in the embodiments of the present invention may be combined arbitrarily. In addition, when the subscription information is audited in the customer relationship management system, it can also be audited manually by the corresponding staff, so that audit errors caused by problems such as untimely data updates can be avoided.
203. When the subscription information is verified, the target server generates an authorization file and authorization information, and allocates a first operating environment.
The authorization file may include an encrypted authorization serial number, and the authorization information may include at least one of an authorized user number, an effective duration, or an authorization function.
The specific process of generating the authorization information by the target server may be: the target server generates authorization information through an authorization (license) management system. In one possible implementation, the CRM system of the target server sends an application authorization request to the authorization management system of the target server, where the application authorization request carries subscription information, and the authorization management system obtains corresponding authorization information based on the received subscription information, and stores the authorization information locally. The subscription information sent by the CRM system to the authorization management system may be subscription information acquired by the CRM system, or may be a part of subscription information acquired by the CRM system.
The specific process by which the target server generates the authorization file may be: the target server generates the authorization file through the authorization management system. In one possible implementation, as shown in FIG. 3, the authorization management system randomly generates an authorization sequence number, stores the authorization sequence number locally, symmetrically encrypts the authorization sequence number with AES (Advanced Encryption Standard) to generate a sequence number E1, and encrypts the AES key with RSA (asymmetric encryption) to generate a signature data segment A1. The sequence number E1 and the signature data segment A1 are concatenated end to end to obtain an encrypted authorization serial number, and the encrypted authorization serial number is added to the authorization file.
In one possible implementation, the authorization management system generates an authorization sequence number by AES symmetric encryption of the subscription information or a portion of the subscription information, and stores the authorization sequence number locally. The authorization sequence number is symmetrically encrypted with AES to generate a sequence number E2, and the AES key is encrypted with RSA (asymmetric encryption) to generate a signature data segment A2. The sequence number E2 and the signature data segment A2 are concatenated end to end to obtain an encrypted authorization serial number, and the encrypted authorization serial number is added to the authorization file.
In addition, the target server allocates, in the server, hardware resources for supporting the software service for the computer device, where the hardware resources may include processing resources, storage resources, and the like. These hardware resources support the operation of the software service, that is, they provide an operating environment for the enterprise management software. In the embodiment of the present invention, the operating environment provided for the first organization is referred to as the first operating environment.
The specific process by which the target server allocates the first operating environment may be: the subscription information includes information of a server, and the target server obtains the information of the server and sets it as the information of the first operating environment, wherein the information of the server may be information of a server specified by the user or information of a server specified by the manufacturer of the application software, and may be any information capable of uniquely identifying the server, such as an IP address. Alternatively, the subscription information does not include the information of the first operating environment, and the target server allocates the first operating environment and stores the information of the first operating environment locally. The specific process may be: the target server determines the size of the hardware resources needed to run the application software based on the subscription information, and allocates hardware resources of the corresponding size for the computer device from the server cluster. The identification information of the hardware resources is stored in the target server.
In addition, the target server may establish binding relationships among the locally stored authorization sequence number, the authorization information, and the first operating environment. For example, the target server establishes a binding relationship between the authorization sequence number and the authorization information, a binding relationship between the authorization sequence number and the first operating environment, and a binding relationship between the authorization information and the first operating environment; or the target server establishes a binding relationship among the authorization sequence number, the authorization information and the first operating environment together, and the like.
It should be noted that, regarding the generation of the authorization file, the generation of the authorization information, and the determination of the timing of the first operating environment, the 3 steps may be sequentially executed according to a certain sequence, or the 3 steps may be executed in parallel, or the 3 steps may be executed according to other timings, which is not limited in this embodiment.
It should be noted that, in this embodiment, only the authorization file is taken as an example of the encrypted character string, and in some embodiments, the authorization file may also be an authorization certificate or other forms, and the specific form of the authorization file is not limited in this embodiment of the present invention.
It should be noted that, step 202 is an optional execution step, and if step 202 is executed, authorization information may be obtained based on the authorization file later to improve security. If step 202 is not performed, the authorization information may be acquired based on the identifier of the sender, so that the whole authorization generating process is more convenient and quicker.
204. The target server sends the authorization file to the computer device.
The specific process of the target server sending the authorization file to the computer device may be: transmitting the authorization file to the computer device based on the contact information of the user in the subscription information. When the subscription information includes at least one of a mobile phone number or a mailbox address of the user, the target server can send the authorization file to the computer device by short message or mail, or the target server can send the authorization file to the user's mailbox by mail and remind the user by short message to check the mailbox. In addition, an HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer) encrypted channel may be used when sending the authorization file to the computer device.
205. When the computer equipment detects the first creation operation, a first creation instruction is sent to the server, and the first creation instruction carries the organization identification of the first organization.
The user can perform a first creation operation on the computer equipment, and send a first creation instruction to the server; in addition, the server may also be configured with a device having a display function, on which a first creation operation is performed to trigger the first creation instruction so that the server receives the first creation instruction. The present embodiment is described taking as an example the user operating on a computer device.
206. The server creates a network service environment of the first organization in the first running environment according to the received first creation instruction.
Prior to creating the network server of the first organization, organization information for at least one organization may be entered in the server, the organization information including at least an organization identification. In one possible implementation, the organization information for at least one organization is obtained when an organization information entry order is received. In the implementation mode, the organization information of a plurality of organization mechanisms is input at one time, and when the network service environment of the organization mechanism is subsequently created, the organization information of the organization mechanism does not need to be input every time, so that the operation flow of a user is simplified.
In addition, before the network server of the first organization is created, only the organization information of the first organization and the organization information of other organizations can be input in the server, and the resource waste caused by unused organization information input in advance is avoided.
In the first running environment, the server may install a corresponding program, so that the server can provide a network service environment for the first organization, where the network service environment may provide functions of user login, data entry, data management, data interaction, and the like, and different authorization rights may be set for the user in the network service environment, so that the user can use the corresponding network service within the authorization rights.
It should be noted that, the server stores an RSA asymmetric decryption key, and the decryption key may be generated by the server and stored locally when the first organization is registered, or may be set by the user.
207. When the computer device detects the import operation, it sends an import instruction to the server, wherein the import instruction carries the authorization file.
Because the target server sends the authorization file to the user's computer device based on the user's contact information, the user also needs to import the authorization file into the server, and the user can perform an import operation on the computer device and send an import instruction to the server. In addition, before the user performs the import operation, the activation operation can be performed on the computer equipment, the activation instruction is triggered, and the computer equipment displays the import authorization file interface according to the activation instruction, so that the subsequent server can acquire the authorization information of the first organization from the target server.
208. The server decrypts the authorization file according to the received import instruction, and sends an authorization file verification request to the target server, wherein the authorization file verification request carries the decrypted authorization file.
The specific implementation process of step 208 may be: when the server receives the import instruction, decrypting the authorization file to obtain a decrypted authorization file; according to the received sending instruction, sending an authorization file verification request to the target server, wherein the authorization file verification request carries the decrypted authorization file; and receiving the authorization information returned by the target server when verification passes. The decrypted authorization file obtained by decrypting the authorization file is the authorization serial number generated by the target server.
Fig. 4 shows an interface for importing an authorization file, in which the authorization file is imported through the "upload authorization file" option. When a triggering operation of the user on the verification option is detected, the interface jumps to the one shown in fig. 5, where the decrypted authorization file is a serial number. When a triggering operation of the user on the sending option is detected, the decrypted authorization file is sent to the target server to be verified by the target server. When verification by the target server passes, the authorization information is sent to the computer device. After acquiring the authorization information, the computer device stores it locally and jumps to the interface shown in fig. 6, which shows that activation is complete.
The specific process of decrypting the authorization file by the computer device may be: decrypting the asymmetrically encrypted part of the authorization file with the locally stored RSA asymmetric decryption key to obtain the AES symmetric encryption key, and then decrypting the AES symmetrically encrypted part with that key to obtain the decrypted authorization file, which is the authorization serial number generated by the target server. The computer device sends the activation request to the target server over an HTTPS encrypted channel.
When the server is deployed outside the first organization, the user may perform an activation operation through the management background.
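The encryption of the authorization serial number into E2 and A2 and its decryption on import can be sketched as follows. This is an added example, not code from the patent; the cipher mode (AES-256-GCM with the nonce at the front of E2), the RSA-OAEP key wrap, the 2048-bit key size and the sample serial number are assumptions, since the description only names AES and RSA.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// NewServerKey generates the key pair whose private half the server stores as
// its RSA asymmetric decryption key. The 2048-bit size is an assumption.
func NewServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// newGCM builds the AES-GCM primitive used in both directions.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealSerial plays the authorization management system: the serial number is
// encrypted under a fresh AES key (E2), the AES key is encrypted under the
// server's RSA public key (A2), and the result is E2 || A2.
func SealSerial(pub *rsa.PublicKey, serial []byte) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e2 := gcm.Seal(nonce, nonce, serial, nil) // E2 = nonce || ciphertext || tag
	a2, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return append(e2, a2...), nil
}

// OpenSerial plays the importing server. A2 is always exactly one RSA modulus
// long, so it is split off the tail of the file, unwrapped to the AES key, and
// that key decrypts E2. Any modification of E2 fails the GCM tag check.
func OpenSerial(priv *rsa.PrivateKey, file []byte) ([]byte, error) {
	k := priv.Size()
	if len(file) <= k {
		return nil, errors.New("authorization file too short")
	}
	e2, a2 := file[:len(file)-k], file[len(file)-k:]
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, a2, nil)
	if err != nil {
		return nil, errors.New("A2 does not unwrap with this private key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(e2) < gcm.NonceSize() {
		return nil, errors.New("E2 too short")
	}
	nonce, ct := e2[:gcm.NonceSize()], e2[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	priv, err := NewServerKey()
	if err != nil {
		panic(err)
	}
	// "SN-CONSTRUCTED-0001" is a constructed sample serial number.
	file, _ := SealSerial(&priv.PublicKey, []byte("SN-CONSTRUCTED-0001"))
	serial, err := OpenSerial(priv, file)
	fmt.Printf("%d-byte file -> %q (err=%v)\n", len(file), serial, err)
	file[0] ^= 0x01 // flip one bit of E2
	_, err = OpenSerial(priv, file)
	fmt.Println("tampered file:", err)
}
```

Because only the holder of the RSA private key can recover the AES key, an authorization file copied to a server with a different key pair does not decrypt there.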
209. When the target server receives the authorization file verification request, the target server verifies the decrypted authorization file.
The target server verifies the decrypted authorization file based on the received authorization file verification request, and the specific process may be: the target server determines whether the authorization sequence number is received for the first time, and when the decrypted authorization file is determined to be received for the first time, the decrypted authorization file passes verification. The target server may store the received decrypted authorization file, and when a new decrypted authorization file is received, determine whether the new decrypted authorization file is identical to any one of the stored decrypted authorization files. By means of the verification mode, the fact that the authorization serial number is used for the first time is ensured, and the authorized serial number is prevented from being reused, so that legal rights and interests of manufacturers of application software are prevented from being damaged.
The specific process of verifying the decrypted authorization file by the target server may also be: the target server receives the authorization sequence number and the organization identifier of the first organization, queries the binding relationship between the authorization sequence number stored in the target server and the organization, and determines that the decrypted authorization file passes verification when determining that the binding relationship exists between the received authorization sequence number and the organization identifier of the first organization. By the verification mode, some users are prevented from stealing the authorization serial numbers of others, and legal rights and interests of other users are guaranteed.
It should be noted that, in the embodiment of the present invention, two verification methods are only shown by way of example, in some embodiments, the two verification methods may be combined, and verification may be performed by other methods such as verifying whether the authorization serial number is within the validity period, and the embodiment of the present invention does not limit the verification process of the decrypted authorization file.
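The two verification methods and the validity-period check mentioned above can be combined in one atomic operation on the target server, as in the following added example (not the patent's own code). The record layout, the error names, the used flag in place of a list of received serial numbers, and the sample serial numbers and dates are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

var (
	ErrUnknownSerial = errors.New("unknown authorization serial number")
	ErrWrongOrg      = errors.New("serial number is not bound to this organization")
	ErrExpired       = errors.New("serial number is outside its validity period")
	ErrAlreadyUsed   = errors.New("serial number was already used")
)

// grant is what the target server stored when it issued a serial number.
type grant struct {
	orgID    string    // organization the serial number is bound to
	notAfter time.Time // end of the validity period
	authInfo string    // stands in for the authorization information
	used     bool
}

type Verifier struct {
	mu     sync.Mutex
	grants map[string]*grant
}

func NewVerifier() *Verifier { return &Verifier{grants: map[string]*grant{}} }

// Issue records a serial number together with its bindings.
func (v *Verifier) Issue(serial, orgID, authInfo string, notAfter time.Time) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.grants[serial] = &grant{orgID: orgID, notAfter: notAfter, authInfo: authInfo}
}

// Verify runs the binding check, the validity check and the first-use check
// under one lock, so two concurrent requests cannot both pass. The serial is
// marked used only after every other check passed, so a request carrying the
// wrong organization identifier does not consume the rightful owner's serial.
func (v *Verifier) Verify(serial, orgID string, now time.Time) (string, error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	g, ok := v.grants[serial]
	switch {
	case !ok:
		return "", ErrUnknownSerial
	case g.orgID != orgID:
		return "", ErrWrongOrg
	case now.After(g.notAfter):
		return "", ErrExpired
	case g.used:
		return "", ErrAlreadyUsed
	}
	g.used = true
	return g.authInfo, nil
}

// CountSuccesses sends n concurrent verification requests for one serial
// number and reports how many of them passed.
func CountSuccesses(v *Verifier, serial, orgID string, now time.Time, n int) int {
	var wg sync.WaitGroup
	var mu sync.Mutex
	passed := 0
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			if _, err := v.Verify(serial, orgID, now); err == nil {
				mu.Lock()
				passed++
				mu.Unlock()
			}
		}()
	}
	wg.Wait()
	return passed
}

// demoNow and the grants below are constructed sample values.
var demoNow = time.Date(2024, 1, 15, 0, 0, 0, 0, time.UTC)

func DemoVerifier() *Verifier {
	v := NewVerifier()
	v.Issue("SN-A", "org-1", "users=100", demoNow.AddDate(1, 0, 0))
	v.Issue("SN-B", "org-1", "users=50", demoNow.AddDate(0, 0, -1)) // already expired
	return v
}

func main() {
	v := DemoVerifier()
	_, err := v.Verify("SN-A", "org-2", demoNow)
	fmt.Println("wrong organization:", err)
	_, err = v.Verify("SN-B", "org-1", demoNow)
	fmt.Println("expired:", err)
	fmt.Println("passes out of 50 concurrent requests:",
		CountSuccesses(v, "SN-A", "org-1", demoNow, 50))
}
```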
210. When the target server passes the verification, the target server transmits the authorization information of the first organization to the server.
The target server may acquire corresponding authorization information based on the binding relationship between the authorization sequence number and the authorization information, and send the authorization information to the server.
After verification by the target server passes, corresponding user identity information (Token) can be generated based on the organization identification of the first organization, and the user identity information and the authorization information are sent to the computer device together. The user identity information can be carried in the subsequent interaction between the computer device and the target server. The target server may verify the organization identification based on the user identity information, and may encrypt data requested by the computer device based on the user identity information.
211. The server activates a network service environment of the first organization based on the authorization information.
Activating the network service environment of the first organization based on the authorization information means that the network service environment is configured according to at least one of the number of authorized users, the limited time length or the authorized function included in the authorization information, so that the user can use the corresponding network service within the authorized authority.
The computer device may store the authorization information locally after obtaining the authorization information of the first organization from the target server. In one possible implementation, after obtaining the authorization information, the computer device stores the authorization information into information corresponding to the first organization. In another possible implementation, the computer device modifies the attribute information of the first organization based on the authorization information after the authorization information is obtained. The attribute information of the first organization corresponds to the authorization information. For example, the attribute information includes at least one of the number of authorized users, the validity duration, or the authorized function.
FIG. 7 illustrates the interaction of a CRM (customer relationship management) system, an authorization management system, and a server when the target server includes the CRM system and the authorization management system. As shown in FIG. 7, after the CRM system obtains the subscription information, it sends an application authorization request to the authorization management system to obtain authorization based on the subscription information. After receiving the application authorization request, the authorization management system creates a corresponding authorization, generates an authorization file, and returns the authorization file to the CRM system, which sends the authorization file to the user. The user imports the authorization file into the server. After acquiring the authorization file, the server decrypts it and sends an authorization file verification request, carrying the decrypted authorization file, to the authorization management system. The authorization management system verifies the decrypted authorization file and returns verification information to the server when the verification passes. The server receives the authorization information, stores it locally, and configures the network service environment of the first organization according to the content indicated in the authorization information, so that the user can use the corresponding network service within the authorized authority, thereby completing the activation of the network service environment. The server may also send a notification message to the authorization management system that activation is complete. After acquiring the notification message, the authorization management system confirms that the activation of the server is completed and informs the CRM system.
The creation process of the network service environment provided in this embodiment enables the first organization to use the purchased software service, and the authorization serial number is bound to the first running environment, so that the network service environment created in the first running environment can use the authorization.
Fig. 8 is a flowchart of an authorization allocation method provided by an embodiment of the present invention, where a process of allocating authorization to a network service environment of a second organization is described, and an execution body is a server, and referring to fig. 8, the method includes:
801. The server receives a second creation instruction in the network service environment of the first organization and creates the network service environment of the second organization in the target running environment.
The target operating environment is located in the first operating environment and is a part of the first operating environment. Since the first operating environment is a hardware resource allocated by the target server, the target operating environment is a part of that hardware resource.
The second organization may be any organization other than the first organization, and a plurality of network service environments of the second organization may be created in the server. It should be noted that in this embodiment the authorization serial number is bound to the first operating environment, so it is only necessary to ensure that a network service environment is created in the first operating environment for a corresponding authorization to be configurable for that network service environment.
In addition, the first organization and the second organization may have an association relationship. For example, the second organization is a subordinate organization of the first organization, the first organization has a cooperative relationship with the second organization, and so on.
It should be noted that, the embodiment of the present invention does not limit the time for creating the second organization, and only needs to ensure that the time for creating the first organization is before the time for creating the second organization.
802. The server configures a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorization information of the first organization according to the authorized user number configuration instruction.
The second authorized user number can be input by a user on a display screen provided by the server, can also be input through computer equipment, and can be sent to the server through the computer equipment.
The specific process of the server configuring the second authorized user number for the network service environment of the second organization based on the first authorized user number may be as follows. In one possible implementation, the server receives an authorized user number configuration instruction, where the configuration instruction carries a second authorized user number, and when the second authorized user number is not greater than the first authorized user number of the first organization, the server configures the second authorized user number for the network service environment of the second organization. Because the authorized user number of the first organization can be transferred to other organizations, the authorized user number can be freely distributed among organizations in the first running environment, the authorized service is more diversified, and the requirements of users are met as much as possible.
In another possible implementation manner, the server receives an authorized user number configuration instruction, where the configuration instruction carries a second authorized user number, and when the second authorized user number is not greater than an available authorized user number of the first organization, the second authorized user number is configured for a network service environment of the second organization, where the available authorized user number is a difference between the first authorized user number and the used authorized user number of the first organization. By distributing the number of authorized users which are not used by the first organization to the second organization, the free transfer of the number of authorized users among the organizations is realized, and the normal use of software services by members of the first organization is not influenced.
In addition, the manner of configuring the authorized user number for the network service environment of the organization may be: in the server, the attributes corresponding to the organization identification of the organization are modified. In one possible implementation manner, in the server, the user may register the organization, and after the registration is successful, the attribute corresponding to the organization identifier of the organization is null or is set by default. When an authorized user number configuration instruction is received, the target authorized user number carried in the configuration instruction is obtained, and the attribute corresponding to the organization identifier is set as the target authorized user number.
After the server distributes the target authorized user number of one organization to other organizations, the attribute corresponding to the organization identifier of the organization can be set as the difference value between the original authorized user number and the target authorized user number; the attribute corresponding to the organization identification of the organization can be kept unchanged, namely the total authorized user number of the organization is unchanged, and the used authorized user number of the organization is set to be the sum value of the original used authorized user number and the target authorized user number.
When a user registers a plurality of organizations on a server and the organizations have a hierarchical relationship, the server may allocate the authorized user number of the network service environment of the uppermost organization to the network service environment of each organization when allocating the authorized user number to the network service environment of each organization, or the computer device may determine the subordinate organization of the organization according to the hierarchical relationship of the organization, and allocate the authorized user number of the network service environment of the organization to the network service environment of the subordinate organization. Fig. 9 and 10 show the two different allocation schemes described above, respectively.
As shown in fig. 9, the first organization is the uppermost organization, the second organization is a subordinate organization of the first organization, and the third organization and the fourth organization are subordinate organizations of the second organization. The first authorized user number of the first organization is M, the first organization distributes the second authorized user number N to the second organization, the first organization distributes the third authorized user number A to the third organization, the first organization distributes the fourth authorized user number B to the fourth organization, and the authorized user number of the first organization is changed into M-N-A-B.
As shown in fig. 10, the first organization is the uppermost organization, the second organization is a subordinate organization of the first organization, and the third organization and the fourth organization are subordinate organizations of the second organization. The first authorized user number of the first organization is M, the first organization distributes the second authorized user number N to the second organization, the second organization distributes the third authorized user number A to the third organization, the second organization distributes the fourth authorized user number B to the fourth organization, the authorized user number of the first organization becomes M-N, and the authorized user number of the second organization becomes N-A-B.
In addition, when the server configures the authorized user number for the network service environment of the organization, a configuration failure may occur, and in one possible implementation, if the configuration fails, the server displays a reason for the configuration failure. For example, as shown in fig. 11, the display screen of the server displays three reasons: the number of unused authorized users is insufficient and cannot be allocated; the authorized user number is in use and cannot be allocated, so please contact the administrator to delete the address book; and the current network condition is poor, so please retry.
The organization can distribute the authorized user number, and also can reclaim the distributed authorized user number. When the authorized user number is to be retrieved, all the authorized user numbers allocated to the second organization may be retrieved, or a part of the authorized user numbers may be retrieved. Regarding the method for reclaiming the authorized user number, this embodiment will be described taking as an example that the authorized user number of the second organization is configured as the second authorized user number based on the first authorized user number of the first organization.
When the authorized user number is recovered, the user can operate the authorized user number of the first organization displayed in the computer equipment, and also can operate the authorized user number of the second organization displayed in the computer equipment.
In one possible implementation, a user operates an authorized user number of a first organization displayed in a computer device. And when the computer equipment receives an authorized user number display instruction of the first organization, displaying the first authorized user number of the first organization and the used authorized user number. When the number of used authorized users is displayed, the number of authorized users occupied by members of the first organization and the number of authorized users allocated to each other organization can be displayed based on the use type of the number of used authorized users, and when an authorized user number modification instruction corresponding to the second organization is received, a target authorized user number carried in the modification instruction is obtained, and the number of authorized users occupied by the second organization is modified into the target authorized user number. The target authorized user number is smaller than the second authorized user number. The number of authorized users configured by the network service environment of the second organization is changed from the second authorized user number to the target authorized user number, and the available authorized user number of the first organization correspondingly increases the difference between the second authorized user number and the target authorized user number.
In another possible implementation, the user operates the authorized user number of the second organization displayed in the computer device, and when the computer device receives the authorized user number display instruction of the second organization, the second authorized user number of the second organization is displayed. When an authorized user number modification instruction corresponding to the second organization is received, a target authorized user number carried in the modification instruction is obtained, and the second authorized user number of the second organization is modified to the target authorized user number, wherein the target authorized user number is smaller than the second authorized user number. The available authorized user number of the first organization can correspondingly increase by the difference between the second authorized user number and the target authorized user number.
In addition, when the authorized user number is recovered, the number of authorized users unused by the second organization can be taken into account, and when the target authorized user number is not smaller than the number of authorized users unused by the second organization, prompt information asking whether to continue the operation can be sent to the user. When a confirmation instruction triggered by the user is received, the recovery operation of the authorized user number continues.
In addition, when the authorized user number of the organization is modified, the organization can be modified one by one, or a plurality of organizations can be selected to be modified together. As shown in FIG. 12, FIG. 12 illustrates an interface for selecting a plurality of organizations, which may be modified simultaneously when a batch modification option is selected. When the modification fails, an interface as shown in fig. 11 may be displayed.
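The allocation and recovery rules of step 802, including the two schemes of fig. 9 and fig. 10, can be sketched as a small ledger. This is an added example, not the patent's own code: the type and function names and the sample numbers are assumptions, it keeps each organization's total unchanged and counts allocated users as used (the second bookkeeping option described above), and it refuses a recovery that would cut into users already in use instead of prompting for confirmation.

```go
package main

import (
	"errors"
	"fmt"
)

// Failure reasons, worded after those the description lists for fig. 11.
var (
	ErrInsufficient = errors.New("number of unused authorized users is insufficient")
	ErrInUse        = errors.New("authorized users are in use and cannot be reclaimed")
	ErrBadRequest   = errors.New("unknown organization or invalid user number")
)

// org tracks one organization: its authorized user number, the users occupied
// by its own members, and the users it has allocated to other organizations.
type org struct {
	total   int
	members int
	granted map[string]int
}

func (o *org) used() int {
	u := o.members
	for _, n := range o.granted {
		u += n
	}
	return u
}

type Ledger map[string]*org

// NewLedger gives the uppermost organization m authorized users and registers
// the other organizations with none.
func NewLedger(rootID string, m int, others ...string) Ledger {
	l := Ledger{rootID: &org{total: m, granted: map[string]int{}}}
	for _, id := range others {
		l[id] = &org{granted: map[string]int{}}
	}
	return l
}

// Available is the authorized user number minus the used authorized user number.
func (l Ledger) Available(id string) int {
	if o := l[id]; o != nil {
		return o.total - o.used()
	}
	return 0
}

// AddMembers occupies n authorized users with the organization's own members.
func (l Ledger) AddMembers(id string, n int) error {
	o := l[id]
	if o == nil || n <= 0 {
		return ErrBadRequest
	}
	if n > l.Available(id) {
		return ErrInsufficient
	}
	o.members += n
	return nil
}

// Allocate configures n more authorized users for organization to, taken from
// the available authorized users of organization from.
func (l Ledger) Allocate(from, to string, n int) error {
	src, dst := l[from], l[to]
	if src == nil || dst == nil || from == to || n <= 0 {
		return ErrBadRequest
	}
	if n > l.Available(from) {
		return ErrInsufficient
	}
	src.granted[to] += n
	dst.total += n
	return nil
}

// Reclaim lowers what from has allocated to organization to down to target,
// which must be smaller than the current allocation.
func (l Ledger) Reclaim(from, to string, target int) error {
	src, dst := l[from], l[to]
	if src == nil || dst == nil || target < 0 || target >= src.granted[to] {
		return ErrBadRequest
	}
	back := src.granted[to] - target
	if dst.total-back < dst.used() {
		return ErrInUse
	}
	dst.total -= back
	src.granted[to] = target
	return nil
}

func main() {
	// Fig. 10 with constructed values M=100, N=40, A=10, B=5.
	l := NewLedger("org1", 100, "org2", "org3", "org4")
	l.Allocate("org1", "org2", 40)
	l.Allocate("org2", "org3", 10)
	l.Allocate("org2", "org4", 5)
	fmt.Println(l.Available("org1"), l.Available("org2")) // M-N and N-A-B
	l.AddMembers("org3", 8)
	fmt.Println(l.Reclaim("org2", "org3", 4), l.Reclaim("org2", "org3", 8))
}
```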
It should be noted that, when the authorization information includes at least one of the effective duration and the authorization function in addition to the first number of authorized users, in one possible implementation manner, the network service environments of the plurality of organizations may share the effective duration and the authorization function.
803. The server configures a second effective duration for the network service environment of the second organization based on the first effective duration in the authorization information of the first organization according to the effective duration configuration instruction.
When the computer device configures the second effective duration for the network service environment of the second organization, whether the target condition is met may be determined first, and in one possible implementation manner, the computer device determines whether the second effective duration is within the first effective duration range, and when the second effective duration is within the first effective duration range, configures the second effective duration for the network service environment of the second organization.
In addition, the first organization and the second organization may share an effective duration, and the first effective duration may be correspondingly reduced after the first organization configures the second effective duration to the second organization.
804. The server configures a second authorization function for the network service environment of the second organization based on the first authorization function in the authorization information of the first organization according to the authorization function configuration instruction.
The configuration process of step 803 and step 804 is similar to that of step 802, and the embodiments of the present invention are not described herein again.
According to the authorization distribution method provided by the embodiment of the invention, the second organization is created in the target operation environment, so that a plurality of organizations, namely the first organization and the second organization, are managed at the same time in one set of system operation environment, which better matches the management mode of current enterprises or government departments. In addition, a part of the authorized users of the first organization can be configured to the second organization, so that flexible allocation or transfer of the authorized users is realized, and software services provided by application software are more diversified.
In addition, the authorized user number can realize transfer and recovery, so that the distribution mode of the authorized user number is more flexible, and different requirements of the user at different stages are met as much as possible.
In addition, in the embodiment of the invention, not only the authorized user number can be allocated, but also other authorized information can be allocated, so that the distribution mode is more diversified, and a more flexible configuration mode is provided for the user.
The embodiments shown in fig. 8 to 12 above describe directly creating a network service environment of a second organization based on the organization identifier of the second organization. In one possible embodiment, after the organization identifier of the second organization is obtained, the organization identifier is verified by the target server, and when the verification passes, the network service environment of the second organization is created, which is further described below based on the embodiment shown in fig. 13. Fig. 13 is a flowchart of an authorization allocation method according to an embodiment of the present invention, where the method is illustrated by using interaction between a server and a target server as an example. Referring to fig. 13, the method includes:
1301. The server receives a second creation instruction in the network service environment of the first organization, acquires the organization identification of the second organization to be created, and sends an association verification request to the target server, wherein the association verification request carries the organization identification of the second organization.
When the target server verifies whether the first organization and the second organization have an association relationship, if the subscription information stored in the target server includes the architecture information of the first organization, the target server can determine from the architecture information whether the association relationship exists. The target server can also determine whether the first organization and the second organization have an association relationship by querying the social credit code. The social credit code is a unique, invariant code that identifies the subject of social credit information, and includes a citizen credit code and an organization credit code. Whether the first organization is associated with the second organization may be determined based on the organization credit code.
When an association relationship exists between the first organization and the second organization, the association relationship verification request passes.
It should be noted that this embodiment describes only the target server's verification of the association relationship between the first organization and the second organization. In some embodiments, the association relationship verification request further carries a user identity, and the target server may also verify whether the user identity has expired, whether the authorization bound to the first operating environment has expired, and so on. The verification conditions of the target server are not limited in this embodiment of the present invention.
1302. When the server receives the verification pass message, the server creates a network service environment of the second organization in the target operating environment.
1303. The server configures a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorization information of the first organization according to the authorized user number configuration instruction.
1304. The server configures a second effective duration for the network service environment of the second organization based on the first effective duration in the authorization information of the first organization according to the effective duration configuration instruction.
1305. The server configures a second authorization function for the network service environment of the second organization based on the first authorization function in the authorization information of the first organization according to the authorization function configuration instruction.
Steps 1302 to 1305 are similar to steps 801 to 804, and are not described herein.
In the authorization distribution method provided by the embodiment of the invention, the second organization is created in the target operating environment, so that a plurality of organizations, here the first organization and the second organization, are managed at the same time within one set of system operating environment, which better matches the management model of current enterprises and government departments. In addition, a part of the authorized users of the first organization can be configured to the second organization, which realizes flexible allocation or transfer of authorized users and makes the software services provided by the application software more diversified.
In addition, in the embodiment of the invention, when the network service environment of the second organization is created, the association between the first organization and the second organization is verified, and the creation is performed only when the association relationship exists between the first organization and the second organization, so that enterprise management is more standardized.
In addition, in the embodiment of the invention, not only the authorized user number but also other authorization information can be allocated, so that the distribution mode is more diversified and a more flexible configuration mode is provided for the user.
The organization may be an administrative organization or an enterprise organization. In this embodiment, taking an enterprise organization as an example, the process of allocating authorization may be as shown in fig. 14. A network service environment of enterprise 0 is created on a server, and an authorization file is imported into the server, so that the server obtains authorization information from an authorization management system. The authorization information includes an authorized user number A, an effective duration T, and an authorization function R, and the network service environment of enterprise 0 is configured based on the authorization information, so that A users in enterprise 0 may use the authorization function R within the effective duration T. A network service environment of enterprise 1 can also be created in the server, where enterprise 1 is a sub-enterprise of enterprise 0, and enterprise 0 can distribute a part of its usage rights to enterprise 1. For example, enterprise 0 configures the authorized user number N for the network service environment of enterprise 1, so that the sub-enterprise is allocated a part of the authorized user number of enterprise 0. Sub-enterprises of the sub-enterprise can also be created in the server: as shown in fig. 14, enterprise 2 and enterprise 3 are sub-enterprises of enterprise 1. Enterprise 1 may assign the obtained authorized user number N to enterprise 2 and enterprise 3, but the authorized user number assigned by enterprise 1 cannot be greater than its own authorized user number. Enterprise 1 may assign authorized user number S1 to enterprise 2, where S1 is less than N. When enterprise 1 allocates authorized user number S2 to enterprise 3, the sum of S1 and S2 must not be greater than N for the allocation to succeed.
Fig. 15 is a schematic structural diagram of an authorization distribution device according to an embodiment of the present invention. Referring to fig. 15, the apparatus includes:
a receiving module 1501, configured to receive a second creation instruction in a network service environment of the first organization;
a creating module 1502, configured to create a network service environment of the second organization in the target operating environment;
a configuration module 1503, configured to configure a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorization information of the first organization according to the authorized user number configuration instruction.
By creating the second organization in the target operating environment, the authorization distribution device provided by the embodiment of the invention allows a plurality of organizations, here the first organization and the second organization, to be managed at the same time within one set of system operating environment, which better matches the management model of current enterprises and government departments. In addition, a part of the authorized users of the first organization can be configured to the second organization, which realizes flexible allocation or transfer of authorized users and makes the software services provided by the application software more diversified.
In one possible implementation, as shown in fig. 16, the configuration module 1503 includes:
a receiving unit 15031, configured to receive the authorized user number configuration instruction, where the configuration instruction carries the second authorized user number;
a configuration unit 15032, configured to configure the second authorized user number for the network service environment of the second organization when the second authorized user number is not greater than the available authorized user number of the first organization, where the available authorized user number is a difference between the first authorized user number and the used authorized user number of the first organization.
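The allocation rule described above (a sub-organization's authorized user number may not exceed the parent's available number, which is the granted number minus the used number, as in the enterprise 0 to enterprise 3 tree of fig. 14) can be sketched as follows. This is an added example, not code from the patent: the class and function names, the association table standing in for the target server, the numbers A=100, N=40, S1=25, and the rule that a grant cannot be lowered below what the child already uses are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# Constructed sample data: parent/child pairs the "target server" would confirm.
ASSOCIATED = {("enterprise0", "enterprise1"),
              ("enterprise1", "enterprise2"),
              ("enterprise1", "enterprise3")}


class AllocationError(Exception):
    """A creation or authorized-user-number request that must be refused."""


@dataclass
class Org:
    org_id: str
    granted: int = 0                  # authorized user number held by this organization
    own_users: int = 0                # seats taken by the organization's own users
    parent: Optional["Org"] = None
    children: Dict[str, "Org"] = field(default_factory=dict)

    @property
    def used(self) -> int:
        # Used number = own users plus everything already handed to sub-organizations.
        return self.own_users + sum(c.granted for c in self.children.values())

    @property
    def available(self) -> int:
        # Available number = authorized user number minus used number.
        return self.granted - self.used


def verify_association(parent_id: str, child_id: str) -> bool:
    """Hypothetical stand-in for the association verification request."""
    return (parent_id, child_id) in ASSOCIATED


def create_child(parent: Org, child_id: str,
                 verifier: Callable[[str, str], bool] = verify_association) -> Org:
    """Create the sub-organization only after verification passes (steps 1301-1302)."""
    if child_id in parent.children:
        raise AllocationError(f"{child_id} already exists under {parent.org_id}")
    if not verifier(parent.org_id, child_id):
        raise AllocationError(f"{child_id} is not associated with {parent.org_id}")
    child = Org(org_id=child_id, parent=parent)
    parent.children[child_id] = child
    return child


def configure_seats(child: Org, requested: int) -> None:
    """Set the child's authorized user number (step 1303); lowering it recovers seats."""
    parent = child.parent
    if parent is None:
        raise AllocationError("the root organization is configured from the authorization file")
    # Reject non-integers and negatives: a negative grant would inflate the parent's pool.
    if isinstance(requested, bool) or not isinstance(requested, int) or requested < 0:
        raise AllocationError("authorized user number must be a non-negative integer")
    # Assumption: a child cannot be cut below what it and its own children already use.
    if requested < child.used:
        raise AllocationError(f"{child.org_id} already uses {child.used} seats")
    # The child's current grant goes back into the pool before the comparison.
    headroom = parent.available + child.granted
    if requested > headroom:
        raise AllocationError(f"requested {requested}, only {headroom} available")
    child.granted = requested


def run_fig14_scenario() -> dict:
    """Replay the enterprise 0-3 tree with constructed numbers A=100, N=40, S1=25."""
    e0 = Org("enterprise0", granted=100)
    e1 = create_child(e0, "enterprise1")
    configure_seats(e1, 40)                       # N
    e2 = create_child(e1, "enterprise2")
    e3 = create_child(e1, "enterprise3")
    configure_seats(e2, 25)                       # S1 < N
    refused = []
    for label, action in [
        ("S1+S2 > N", lambda: configure_seats(e3, 20)),
        ("negative", lambda: configure_seats(e3, -5)),
        ("unassociated", lambda: create_child(e0, "enterprise9")),
    ]:
        try:
            action()
        except AllocationError:
            refused.append(label)
    configure_seats(e3, 15)                       # S2 with S1 + S2 == N
    full = e1.available
    configure_seats(e2, 10)                       # recovery: 15 seats return to enterprise 1
    return {"refused": refused, "e0_available": e0.available,
            "e1_available_when_full": full, "e1_available_after_recovery": e1.available,
            "e3_granted": e3.granted}


if __name__ == "__main__":
    print(run_fig14_scenario())
```

In a real server the comparison and the write in `configure_seats` would have to run in one transaction, otherwise two concurrent requests could each pass the check and together exceed the parent's number.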
In one possible implementation, as shown in fig. 16, the apparatus further includes:
a first obtaining module 1504, configured to obtain an organization identifier of a second organization to be created;
a sending module 1505, configured to send an association verification request to a target server, where the association verification request carries an organization identifier of the second organization, and the association verification request is used to verify whether the second organization is associated with the first organization;
an execution module 1506, configured to execute, when the verification pass message is received, the step of creating a network service environment of the second organization in the target operating environment.
In one possible implementation, as shown in fig. 16, the apparatus further includes:
the creating module 1502 is further configured to create, in the first operating environment, a network service environment of the first organization according to the received first creation instruction;
the second obtaining module 1507 is configured to obtain, according to the received activation instruction, authorization information of the first organization from the target server, where the authorization information includes at least the first authorized user number.
In one possible implementation, as shown in fig. 16, the second obtaining module 1507 includes:
a decryption unit 15071, configured to decrypt the authorization file according to the received import instruction, to obtain a decrypted authorization file;
a sending unit 15072, configured to send an authorization file verification request to the target server according to the received sending instruction, where the authorization file verification request carries the decrypted authorization file;
a receiving unit 15073 for receiving the authorization information returned by the target server when the verification passes.
In one possible implementation, as shown in fig. 16, the apparatus further includes:
a generating module 1508, configured to generate, according to the received subscription instruction, subscription information based on the content of the current subscription page;
the sending module 1505 is further configured to send the subscription information to the target server, where the subscription information includes at least architecture information of the first organization and the first authorized user number.
In one possible implementation, as shown in fig. 16, the apparatus further includes:
the first obtaining module 1504 is further configured to obtain, when an organization information entry instruction is received, organization information of at least one organization, where the organization information includes at least an organization identifier of the at least one organization.
In one possible implementation, as shown in fig. 16, the configuration module 1503 is further configured to configure, according to the effective duration configuration instruction, a second effective duration for the network service environment of the second organization based on the first effective duration in the authorization information of the first organization;
the configuration module 1503 is further configured to configure a second authorization function for the network service environment of the second organization based on the first authorization function in the authorization information of the first organization according to the authorization function configuration instruction.
Fig. 17 is a schematic diagram of a server according to an embodiment of the present invention, where the server 1700 may include one or more processors (central processing units, CPU) 1701 and one or more memories 1702, where at least one instruction is stored in the memories 1702, and the at least one instruction is loaded and executed by the processors 1701 to implement the methods according to the foregoing embodiments of the present invention. Of course, the server may also have a wired or wireless network interface, a keyboard, an input/output interface, and other components for implementing the functions of the device, which are not described herein.
Server 1700 may be configured to perform the steps performed by the server in the authorization allocation method described above.
The embodiment of the present invention also provides a computer readable storage medium having at least one instruction stored therein, the instruction being loaded and executed by a processor to implement the operations performed in the authorization allocation method of the above embodiment.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and scope of the invention are intended to be included within the scope of the invention.

Claims (15)

1. An authorization distribution method, the method comprising:
receiving a second creation instruction in a network service environment of a first organization, wherein the network service environment of the first organization is created in a first running environment, and the first running environment and authorization information of the first organization are in binding relation;
creating a network service environment of a second organization in a target operating environment, wherein the target operating environment is part of the operating environment in the first operating environment;
and according to the authorized user number configuration instruction, configuring a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorization information of the first organization.
2. The method of claim 1, wherein configuring a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorization information of the first organization according to the authorized user number configuration instruction comprises:
receiving the configuration instruction of the authorized user number, wherein the configuration instruction carries the second authorized user number;
and when the second authorized user number is not greater than the available authorized user number of the first organization, configuring the second authorized user number for the network service environment of the second organization, wherein the available authorized user number is the difference between the first authorized user number and the used authorized user number of the first organization.
3. The method of claim 1, wherein after the receiving the second creation instruction, the method further comprises:
obtaining an organization identifier of a second organization to be created;
sending an association relationship verification request to a target server, wherein the association relationship verification request carries the organization identifier of the second organization, and the association relationship verification request is used for verifying whether the second organization is associated with the first organization;
when a verification pass message is received, performing the step of creating a network service environment of the second organization in the target operating environment.
4. The method of claim 1, wherein prior to creating the network service environment of the second organization in the target operating environment, the method further comprises:
according to the received first creation instruction, creating a network service environment of the first organization in the first running environment;
and acquiring authorization information of the first organization from a target server according to the received activation instruction, wherein the authorization information at least comprises the first authorized user number.
5. The method of claim 4, wherein the obtaining authorization information for the first organization from the target server comprises:
decrypting the authorization file according to the received import instruction to obtain a decrypted authorization file;
according to the received sending instruction, sending an authorization file verification request to the target server, wherein the authorization file verification request carries the decrypted authorization file;
and receiving the authorization information returned by the target server when verification passes.
6. The method of claim 4, wherein prior to creating a network service environment for a first organization in the first operating environment, the method further comprises:
generating order information based on the content of the current order page according to the received order instruction;
and sending the order information to the target server, wherein the order information at least comprises architecture information of the first organization and the first authorized user number.
7. The method of claim 1, wherein prior to creating the network service environment of the first organization, the method further comprises:
and when an organization information input instruction is received, obtaining organization information of at least one organization, wherein the organization information at least comprises organization identification of the at least one organization.
8. The method of any of claims 1-7, wherein the authorization information for the first organization further comprises at least one of a first validity duration or a first authorization function for the first organization, the method further comprising:
according to the effective duration configuration instruction, configuring a second effective duration for the network service environment of the second organization based on the first effective duration in the authorization information of the first organization;
and according to the authorization function configuration instruction, configuring a second authorization function for the network service environment of the second organization based on the first authorization function in the authorization information of the first organization.
9. An authorization distribution device, the device comprising:
the receiving module is used for receiving a second creation instruction in a network service environment of a first organization, wherein the network service environment of the first organization is created in a first operation environment, and the first operation environment and authorization information of the first organization are in binding relation;
a creation module for creating a network service environment of a second organization in a target operating environment, the target operating environment being part of the operating environment in the first operating environment;
the configuration module is used for configuring a second authorized user number for the network service environment of the second organization based on the first authorized user number in the authorization information of the first organization according to the authorized user number configuration instruction.
10. The apparatus of claim 9, wherein the configuration module comprises:
the receiving unit is used for receiving the configuration instruction of the authorized user number, wherein the configuration instruction carries the second authorized user number;
the configuration unit is configured to configure the second authorized user number for the network service environment of the second organization when the second authorized user number is not greater than the available authorized user number of the first organization, where the available authorized user number is a difference between the first authorized user number and the used authorized user number of the first organization.
11. The apparatus of claim 9, wherein the apparatus further comprises:
the first acquisition module is used for acquiring the organization identification of the second organization to be created;
the sending module is used for sending an association relationship verification request to the target server, wherein the association relationship verification request carries an organization identifier of the second organization, and the association relationship verification request is used for verifying whether the second organization is associated with the first organization;
and the execution module is used for executing the step of creating the network service environment of the second organization in the target running environment when receiving the verification passing message.
12. The apparatus of claim 9, wherein the apparatus further comprises:
the creation module is further configured to create, in a first operating environment, a network service environment of the first organization according to the received first creation instruction;
the second acquisition module is used for acquiring the authorization information of the first organization from the target server according to the received activation instruction, wherein the authorization information at least comprises the first authorized user number.
13. The apparatus of claim 12, wherein the second acquisition module further comprises:
the decryption unit is used for decrypting the authorization file according to the received import instruction to obtain a decrypted authorization file;
the sending unit is used for sending an authorization file verification request to the target server according to the received sending instruction, wherein the authorization file verification request carries the decrypted authorization file;
and the receiving unit is used for receiving the authorization information returned by the target server when the verification passes.
14. A server comprising a processor and a memory having stored therein at least one instruction that is loaded and executed by the processor to perform the operations performed in the authorization allocation method of any one of claims 1 to 8.
15. A computer readable storage medium having stored therein at least one instruction that is loaded and executed by a processor to implement the operations performed in the authorization allocation method of any one of claims 1 to 8.
CN201910435895.4A 2019-05-23 2019-05-23 Authorization distribution method, device, server and storage medium Active CN111984936B (en)


Publications (2)

Publication Number Publication Date
CN111984936A (en) 2020-11-24
CN111984936B (en) 2023-06-30
