CN112100585A - Authority management method, device and storage medium - Google Patents

Authority management method, device and storage medium

Info

Publication number
CN112100585A
Authority
CN
China
Prior art keywords
information
authority
resource
identification information
user
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010838932.9A
Other languages
Chinese (zh)
Inventor
赵丽忠
张睿
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Xiaomi Mobile Software Co Ltd
Original Assignee
Beijing Xiaomi Mobile Software Co Ltd
Application filed by Beijing Xiaomi Mobile Software Co Ltd
Priority to CN202010838932.9A
Publication of CN112100585A
Legal status: pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/24 Querying
    • G06F 16/245 Query processing
    • G06F 16/2455 Query execution

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computational Linguistics (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure relates to a rights management method, device and storage medium. According to target user identification information and resource identification information, the method obtains, through a pre-established service rights correspondence, first access right information for the target user's access to the target resource. The service rights correspondence maps resource identification information to user rights information, and the user rights information maps the user identification information of each designated user to that user's access right information. Because rights are recorded per user and per resource, the granularity of rights management is raised, the added complexity that role-based rights management brings when roles have few members is avoided, rights management becomes more efficient, and the later maintenance cost of the rights management system is reduced.

Description

Authority management method, device and storage medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a method and an apparatus for rights management and a storage medium.
Background
Most current rights management methods are based on Role-Based Access Control (RBAC): an association between rights and a role is established, and a user obtains the rights of a role by becoming a member of that role.
However, when role membership is dispersed (few members per role and many roles), the role adds little. Creating roles then no longer simplifies rights management; on the contrary, it increases the complexity of rights management and raises the maintenance cost of the rights management system.
Disclosure of Invention
In order to overcome the above problems, the present disclosure provides a rights management method, apparatus, and storage medium.
According to a first aspect of the embodiments of the present disclosure, there is provided a rights management method applied to a rights server, the method including:
receiving a rights query request message sent by a service server, the rights query request message including target user identification information of a target user and resource identification information corresponding to a target resource that the target user requests to access;
according to the target user identification information and the resource identification information, obtaining, through a pre-established service rights correspondence, first access right information of the target user for accessing the target resource, where the service rights correspondence includes a correspondence between the resource identification information and user rights information, the user rights information includes access right information corresponding to the user identification information of a designated user, and the designated user is a preset user who is permitted to access the target resource;
and sending the first access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the first access right information.
Optionally, obtaining the first access right information of the target user for accessing the target resource through the pre-established service rights correspondence, according to the target user identification information and the resource identification information, includes:
determining the user rights information corresponding to the resource identification information according to the service rights correspondence;
and obtaining, from the user rights information, the first access right information corresponding to the target user identification information.
Optionally, when the target resource is a data-type resource, the data-type resource includes at least one of row data, column data and field data;
when the data-type resource includes row data, the resource identification information includes row data identification information, and the service rights correspondence includes a correspondence between the row data identification information and row-level rights information; or,
when the data-type resource includes column data, the service rights correspondence includes a correspondence between column data identification information and column-level rights information; or,
when the data-type resource includes field data, the service rights correspondence includes a correspondence between field data identification information and field rights information.
Optionally, before obtaining the first access right information of the target user for accessing the target resource through the pre-established service rights correspondence according to the target user identification information and the resource identification information, the method further includes:
determining whether role information corresponding to the target user identification information exists;
and obtaining the first access right information of the target user for accessing the target resource through the pre-established service rights correspondence according to the target user identification information and the resource identification information includes:
when no role information corresponding to the target user identification information exists, obtaining, through the pre-established service rights correspondence and according to the target user identification information and the resource identification information, the first access right information of the target user for accessing the target resource.
Optionally, the method further includes:
when it is determined that role information corresponding to the target user identification information exists, obtaining second access right information corresponding to the role information through a pre-established role rights correspondence, the role rights correspondence including a correspondence between the role information and the second access right information;
and sending the second access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the second access right information.
Optionally, the service rights correspondence is pre-established in the following manner:
receiving resource registration request information sent by the service server, the resource registration request information including the resource identification information of the target resource and the user rights information;
and establishing a correspondence between the resource identification information and the user rights information to obtain the service rights correspondence.
According to a second aspect of the embodiments of the present disclosure, there is provided a rights management apparatus applied to a rights server, the apparatus including:
a receiving module configured to receive a rights query request message sent by a service server, the rights query request message including target user identification information of a target user and resource identification information corresponding to a target resource that the target user requests to access;
a first obtaining module configured to obtain, according to the target user identification information and the resource identification information, first access right information of the target user for accessing the target resource through a pre-established service rights correspondence, where the service rights correspondence includes a correspondence between the resource identification information and user rights information, the user rights information includes access right information corresponding to the user identification information of a designated user, and the designated user is a preset user who is permitted to access the target resource;
and a first sending module configured to send the first access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the first access right information.
Optionally, the first obtaining module includes:
a determining submodule configured to determine the user rights information corresponding to the resource identification information through the service rights correspondence;
and an obtaining submodule configured to obtain, from the user rights information, the first access right information corresponding to the target user identification information.
Optionally, when the target resource is a data-type resource, the data-type resource includes at least one of row data, column data and field data;
when the data-type resource includes row data, the resource identification information includes row data identification information, and the service rights correspondence includes a correspondence between the row data identification information and row-level rights information; or,
when the data-type resource includes column data, the service rights correspondence includes a correspondence between column data identification information and column-level rights information; or,
when the data-type resource includes field data, the service rights correspondence includes a correspondence between field data identification information and field rights information.
Optionally, the apparatus further includes:
a determining module configured to determine whether role information corresponding to the target user identification information exists;
and the first obtaining module is configured to obtain the first access right information of the target user for accessing the target resource through the pre-established service rights correspondence, according to the target user identification information and the resource identification information, when it is determined that no role information corresponding to the target user identification information exists.
Optionally, the apparatus further includes:
a second obtaining module configured to obtain, when it is determined that role information corresponding to the target user identification information exists, second access right information corresponding to the role information through a pre-established role rights correspondence, the role rights correspondence including a correspondence between the role information and the second access right information;
and a second sending module configured to send the second access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the second access right information.
Optionally, the service rights correspondence is pre-established in the following manner:
receiving resource registration request information sent by the service server, the resource registration request information including the resource identification information of the target resource and the user rights information;
and establishing a correspondence between the resource identification information and the user rights information to obtain the service rights correspondence.
According to a third aspect of the embodiments of the present disclosure, there is provided a rights management apparatus including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
receive a rights query request message sent by a service server, the rights query request message including target user identification information of a target user and resource identification information corresponding to a target resource that the target user requests to access;
obtain, according to the target user identification information and the resource identification information, first access right information of the target user for accessing the target resource through a pre-established service rights correspondence, where the service rights correspondence includes a correspondence between the resource identification information and user rights information, the user rights information includes access right information corresponding to the user identification information of a designated user, and the designated user is a preset user who is permitted to access the target resource;
and send the first access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the first access right information.
According to a fourth aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the method of the first aspect above.
The technical solution provided by the embodiments of the present disclosure can have the following beneficial effects. According to the target user identification information and the resource identification information, the first access right information of the target user for accessing the target resource is obtained through the pre-established service rights correspondence; the service rights correspondence maps the resource identification information to the user rights information, and the user rights information maps the user identification information of each designated user to that user's access right information. Rights are therefore recorded per user and per resource, which raises the granularity of rights management, avoids the added complexity that role-based rights management brings, improves the efficiency of rights management and reduces the later maintenance cost of the rights management system.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
FIG. 1 is a flow chart illustrating a method of rights management in accordance with an exemplary embodiment of the present disclosure;
FIG. 2 is a flow chart illustrating a method of rights management according to another exemplary embodiment of the present disclosure;
FIG. 3 is a block diagram illustrating a rights management apparatus according to still another exemplary embodiment of the present disclosure;
FIG. 4 is a block diagram of a rights management apparatus according to the embodiment shown in FIG. 3;
FIG. 5 is a block diagram illustrating an apparatus for rights management according to an exemplary embodiment.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
Before the specific embodiments are described in detail, the application scenario for which the inventors developed the present disclosure is introduced. The disclosure may be applied to a process in which a rights server returns, to a service server, the rights information of a specified resource in a service system run by that service server. An XM community system is taken as the example. The XM community system is a platform on which users of products made by XM Corporation exchange their experience of using those products; such exchanges often concern the strengths and weaknesses of XM products, which generally include product A, product B and product C, and the community users may include product developer users and development organisation manager users. To manage the user community of the XM community system well, corresponding rights need to be set for each community user: for example, product developer user A sees only the discussion about product A, product developer user B sees only the discussion about product B, product developer user C sees only the discussion about product C, and a development organisation manager sees the discussion about all products. For this purpose the service server running the XM community system is connected to the rights server. Whenever a community user accesses a target resource in the XM community system, the rights server provides the access right corresponding to that community user to the XM community system, and the XM community system configures the corresponding resources for the community user according to the access right it receives from the rights server.
In the related art, community users are generally divided into a number of roles (for example product developer users and development organisation manager users), an association between rights and a role is established, and the rights of a role are configured for a community user by making that user a member of the role. However, as the functions of the XM community system expand, functions such as staff attendance and wage detail distribution are added. These functions often involve data-type resources (for example sales reports and wage lists) for which only one or two community users have an access right to each row (or column) of data. If the rights management method of the related art is still used, each such community user has to be made a member of a role and the access right to the row (or column) of data then has to be configured for that role. This does not simplify rights management: creating the roles increases its complexity and further raises the later maintenance cost of the rights management system.
To solve the technical problems of the related art, the present disclosure provides a rights management method, apparatus and storage medium. According to the target user identification information and the resource identification information, the method obtains, through a pre-established service rights correspondence, first access right information for the target user's access to the target resource; the service rights correspondence maps the resource identification information to user rights information, and the user rights information maps the user identification information of each designated user to that user's access right information. Rights are therefore recorded per user and per resource, which raises the granularity of rights management, avoids the added complexity that role-based rights management brings, improves the efficiency of rights management and reduces the later maintenance cost of the rights management system.
FIG. 1 is a flow chart illustrating a method of rights management in accordance with an exemplary embodiment of the present disclosure. Referring to FIG. 1, the method, applied to the rights server, may include the following steps:
Step 101, receiving a rights query request message sent by a service server.
The rights query request message includes target user identification information of a target user and resource identification information corresponding to a target resource that the target user requests to access.
It should be noted that a service system runs on the service server, the target user is one of the users of the service system, the target user identification information may be the ID account, the name or the avatar icon of the target user, and the target resource may be a web page or a tag, button, form, field, database or similar element within a page.
Step 102, obtaining, according to the target user identification information and the resource identification information, first access right information of the target user for accessing the target resource through a pre-established service rights correspondence.
The service rights correspondence includes a correspondence between the resource identification information and user rights information; the user rights information includes access right information corresponding to the user identification information of a designated user; and the designated user is a preset user who is permitted to access the target resource.
One possible implementation of this step is: determining the user rights information corresponding to the resource identification information according to the service rights correspondence, and then obtaining, from that user rights information, the first access right information corresponding to the target user identification information.
In the above embodiment, the service rights correspondence may be pre-established in the following manner:
receiving resource registration request information sent by the service server, the resource registration request information including the resource identification information of the target resource and the user rights information; and establishing a correspondence between the resource identification information and the user rights information to obtain the service rights correspondence.
For example, after the authoring module, the community product circle module, the data management module and the index module have been created in the XM community system, the user rights information of each of these modules can be stored in advance in the rights server connected to the XM community system, and a correspondence between the identifier of each module and that module's user rights information is generated in the rights server. In other words, the service rights correspondence of the XM community system is pre-stored in the rights server. It includes the correspondence between the identifier of the authoring module and the user rights information of the authoring module, between the identifier of the community product circle module and the user rights information of the community product circle module, between the identifier of the data management module and the user rights information of the data management module, and between the identifier of the index module and the user rights information of the index module. The user rights information of each module is the correspondence between the user identification information of the users who may access that module and their access right information, and the access right information may indicate that the resource is readable, editable, forwardable, and so on.
Step 103, sending the first access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the first access right information.
Continuing the example of step 102: when user M of the XM community system accesses the authoring module, the XM community system sends a rights query request message to the rights server that contains the user identifier M of user M and the identifier of the authoring module. On receiving the request, the rights server obtains the access right information corresponding to user identifier M from the correspondence between the identifier of the authoring module and the user rights information of the authoring module, and sends that access right information to the XM community system. The XM community system then configures user M's access right to the authoring module according to the access right information corresponding to user identifier M.
With this technical solution, the first access right information of the target user for accessing the target resource is obtained through the pre-established service rights correspondence according to the target user identification information and the resource identification information; the service rights correspondence maps the resource identification information to the user rights information, and the user rights information maps the user identification information of each designated user to that user's access right information. Rights are therefore recorded per user and per resource, which raises the granularity of rights management, avoids the added complexity that role-based rights management brings, improves the efficiency of rights management and reduces the later maintenance cost of the rights management system.
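The following is an added example and not code from the patent or from Xiaomi. It puts steps 101 to 103, the registration flow that pre-establishes the service rights correspondence, and the role-first check from the disclosure (if role information exists for the user, the role rights correspondence answers; otherwise the service rights correspondence does) into one small rights server. Everything about the data shapes is assumed rather than taken from the page: identifiers are strings, access right information is a set of strings such as "read", "edit" and "forward", a role's rights are stored per resource, the messages are plain dicts, and a user with no matching entry receives an empty set (default deny). The sample users and resources are constructed after the XM community example in the text.

```python
"""Added example: a minimal rights server for the query and registration flows
described in the text. Not the patent's own code; identifier formats, message
shapes and the per-resource storage of role rights are assumptions."""


class RightsServer:
    """Rights server holding the two correspondences the text describes."""

    def __init__(self):
        # Service rights correspondence:
        #   resource_id -> user rights information, i.e. {user_id -> permissions}
        self.service_rights = {}
        # Role rights correspondence (assumed to be kept per resource):
        #   role -> {resource_id -> permissions}   ("second access right information")
        self.role_rights = {}
        # Role information per user; a user absent from this dict has no role.
        self.user_roles = {}

    def register_resource(self, registration):
        """Steps 201-202: handle a resource registration request from the service server."""
        resource_id = registration["resource_id"]
        entry = self.service_rights.setdefault(resource_id, {})
        for user_id, perms in registration["user_permissions"].items():
            entry[user_id] = frozenset(perms)

    def define_role(self, role, resource_permissions):
        """Pre-establish the role rights correspondence for one role."""
        self.role_rights[role] = {
            resource_id: frozenset(perms) for resource_id, perms in resource_permissions.items()
        }

    def assign_role(self, user_id, role):
        """Record role information for a user; only defined roles are accepted."""
        if role not in self.role_rights:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles[user_id] = role

    def query(self, request):
        """Steps 101-103: answer a rights query request message.

        Returns the access right information the service server then uses to
        configure the target user's access to the target resource.
        """
        user_id = request["user_id"]
        resource_id = request["resource_id"]
        role = self.user_roles.get(user_id)
        if role is not None:
            # Role information exists: the role rights correspondence answers and
            # the service rights correspondence is not consulted at all.
            perms = self.role_rights[role].get(resource_id, frozenset())
            source = "role"
        else:
            # Step 102: user rights information for the resource, then the entry
            # for this user within it. A missing entry means no access.
            user_rights = self.service_rights.get(resource_id, {})
            perms = user_rights.get(user_id, frozenset())
            source = "resource"
        return {
            "user_id": user_id,
            "resource_id": resource_id,
            "source": source,
            "permissions": sorted(perms),
        }


def build_example_server():
    """Constructed sample data modelled on the XM community example (assumed ids)."""
    srv = RightsServer()
    # Product developer A may read the product A circle only; B likewise for product B.
    srv.register_resource({"resource_id": "circle/product_A",
                           "user_permissions": {"dev_A": ["read"]}})
    srv.register_resource({"resource_id": "circle/product_B",
                           "user_permissions": {"dev_B": ["read"]}})
    # A wage-list row that exactly one employee may read: the case where a role adds nothing.
    srv.register_resource({"resource_id": "wage_list/row/emp-1007",
                           "user_permissions": {"emp-1007": ["read"]}})
    # The development organisation manager is handled through a role covering every circle.
    srv.define_role("dev_org_manager", {"circle/product_A": ["read", "forward"],
                                        "circle/product_B": ["read", "forward"]})
    srv.assign_role("manager_1", "dev_org_manager")
    return srv


if __name__ == "__main__":
    server = build_example_server()
    for user, resource in [("dev_A", "circle/product_A"), ("dev_A", "circle/product_B"),
                           ("manager_1", "circle/product_B"),
                           ("manager_1", "wage_list/row/emp-1007")]:
        print(server.query({"user_id": user, "resource_id": resource}))
```

Two points a practitioner should take from running it. First, the rights server decides solely on the user identifier that the service server places in the request, so the service server must have authenticated that user, and the link between the two servers needs its own authentication; otherwise anyone who can reach the rights server can ask on behalf of any user. Second, because the text has the role check take precedence, a user who holds a role gets nothing from a direct per-resource entry (manager_1 on the wage-list row above returns an empty set); an implementation that wants both kinds of grant to coexist would have to consult both correspondences, which is a design choice the page does not make.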
FIG. 2 is a flow chart illustrating a method of rights management according to another exemplary embodiment of the present disclosure; referring to fig. 2, the method may include the steps of:
step 201, receiving the resource registration request information sent by the service server.
The resource registration request information includes the resource identification information of the target resource and the user permission information, the user permission information includes access permission information corresponding to the user identification information of the designated user, and the designated user includes a user which is preset and can access the target resource.
It should be noted that the target resource may be a web page, a tag in a page, a key, a table, a field, a database, etc. The access right information can be readable, editable, forwardable, duplicable and the like.
Step 202, establishing a corresponding relationship between the resource identification information and the user permission information to obtain the service permission corresponding relationship.
One possible implementation of this step is as follows. In the case that the target resource is a data-type resource, the data-type resource includes at least one of row data, column data and field data. When the data-type resource includes row data, the resource identification information includes row data identification information, and the service permission correspondence includes the correspondence between the row data identification information and row-level permission information; or, when the data-type resource includes column data, the service permission correspondence includes the correspondence between column data identification information and column-level permission information; or, when the data-type resource includes field data, the service permission correspondence includes the correspondence between field data identification information and field permission information.
The row-level permission information includes the correspondence between the user identification information of the designated users who can access the row data and their access permission information; the column-level permission information includes the correspondence between the user identification information of the designated users who can access the column data and their access permission information; and the field permission information includes the correspondence between the user identification information of the designated users who can access the field data and their access permission information.
It should be noted that whether the target resource is a data-type resource may be determined from the resource type recorded for the target resource; for example, when the resource type of the target resource is determined to be int, the target resource may be determined to be a data-type resource. Row data is the data stored in one row of a data table, and the row data identification information may be a row number or row name in the target resource; column data is the data stored in one column of a data table, and the column data identification information may be a column number or column name in the target resource; field data is a data resource made up of fields, and the field data identification information may be a code or symbol of the target field in the target resource.
For example, suppose the target resource is a payroll report in which each row records the payroll details of one employee; each employee has read permission for his or her own payroll details, while the finance staff and the company leadership have read and edit permission for the entire report. The service permission correspondence for each row of the payroll report may then include the correspondence between the row number of that row and the row-level permission information of that row. If a given row holds the payroll details of employee A, its row-level permission information includes a correspondence between the name of employee A and read permission, and a correspondence between the name of finance employee B and read-and-edit permission. Because the correspondence between the resource identification information and the user permission information is established directly for the data-type resource, permissions on data-type resources can be managed at a finer granularity, and the complication of permission management caused by role assignment is avoided, which simplifies later maintenance of the permission management system and saves data maintenance cost.
Step 203, receiving the authority inquiry request message sent by the service server.
The permission query request message includes target user identification information of a target user and resource identification information corresponding to a target resource which the target user requests to access.
It should be noted that the target user is one of the users who can access the target resource, the target user identification information may be an ID account, a name or an icon of the target user, and the target resource may be a web page, a tag in a page, a key, a table, a field, a database, and the like.
Step 204, determining whether role information corresponding to the target user identification information exists;
The role information may be an organization structure (for example, a company made up of a sales department, a human resources department, a production department and a logistics department) or a custom role (for example, gold member, silver member, super gold member, and so on).
It should be noted that if a correspondence exists between the target user identification information and some organization in the organization structure, or between the target user identification information and a custom role, it may be determined that role information corresponding to the target user identification information exists; if no such correspondence exists with any organization in the organization structure or with any custom role, it may be determined that no role information corresponding to the target user identification information exists.
In this step, when it is determined that the role information corresponding to the target user identification information does not exist, step 205 to step 207 are executed, and when it is determined that the role information corresponding to the target user identification information exists, step 208 to step 209 are executed.
Step 205, determining the user right information corresponding to the resource identification information according to the service right corresponding relationship.
Step 206, obtaining the first access right information corresponding to the target user identification information from the user right information.
For example, to obtain from the permission server the first access permission of user M of the XM community system on the authoring module, the permission server first selects, from among the stored correspondences (the identifier of the authoring module with the user permission information of the authoring module, the identifier of the community product circle module with its user permission information, the identifier of the data management module with its user permission information, and the identifier of the indicator module with its user permission information), the correspondence whose resource identifier is that of the authoring module, which yields the user permission information of the authoring module. The access permission information corresponding to user identifier M is then obtained from that user permission information according to the target user identifier.
Step 207, sending the first access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the first access right information.
In steps 203 to 207, the first access permission information of the target user for the target resource is obtained, according to the target user identification information and the resource identification information, through the pre-established service permission correspondence. Because that correspondence maps resource identification information to user permission information, and the user permission information maps the user identification information of each designated user to its access permission information, permissions can be managed at a finer granularity and the growth in complexity that comes with role-based permission management is avoided, which helps improve the efficiency of permission management and reduce the later maintenance cost of the permission management system.
And step 208, acquiring second access right information corresponding to the role information through the pre-established role right corresponding relation.
The role permission correspondence includes the correspondence between the role information and the second access permission information. The second access permission information may be an identifier of a permission such as readable, editable, copyable or forwardable.
Illustratively, when the target user identifier of the target user has a corresponding relationship with the gold member, the access authority information corresponding to the gold member is acquired, and the access authority information corresponding to the gold member is used as the second access authority information of the target user.
Step 209, sending the second access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the second access right information.
In steps 208 to 209, when role information corresponding to the target user identification information is determined to exist, the second access permission information corresponding to that role information is obtained through the pre-established role permission correspondence, so that when the number of members corresponding to each role is large, permission management is greatly simplified and its efficiency improved.
In this technical scheme, when role information corresponding to the target user identification information is determined to exist, the second access permission information corresponding to that role information is obtained through the pre-established role permission correspondence; when no such role information exists, the first access permission information of the target user for the target resource is obtained through the pre-established service permission correspondence. Permissions can thus be managed at a finer granularity, the efficiency of the permission management system is improved, and its later maintenance cost is reduced.
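The following is an added example, not code from the patent or from the applicant, that implements the query flow of steps 201 to 209 as a single in-memory permission server, covering both the row-level payroll registration of step 202 and the role branch of steps 204 and 208. The class and function names, the "table#row:n" format used to qualify a row identifier by its table, the constructed user and role names, and the deny-by-default result (an empty permission set when neither correspondence has an entry) are assumptions made for this illustration; the patent specifies none of them.

```python
# Added example, not code from the patent: a minimal permission server that
# implements the query flow of steps 201 to 209.  The class and function
# names, the "table#row:n" resource-identifier format and the deny-by-default
# return value are assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Optional

Perm = FrozenSet[str]           # e.g. frozenset({"read", "edit"})
NO_ACCESS: Perm = frozenset()   # assumption: no entry means no permission at all


@dataclass
class PermissionServer:
    # service permission correspondence (step 202):
    #   resource identification -> {user identification -> access permissions}
    service_perms: Dict[str, Dict[str, Perm]] = field(default_factory=dict)
    # role permission correspondence (step 208): role information -> permissions
    role_perms: Dict[str, Perm] = field(default_factory=dict)
    # role information (step 204): user identification -> organization unit or custom role
    user_roles: Dict[str, str] = field(default_factory=dict)

    def register_resource(self, resource_id: str,
                          user_perms: Dict[str, Iterable[str]]) -> None:
        """Steps 201-202: store the resource registration sent by the service server."""
        self.service_perms[resource_id] = {
            user: frozenset(perms) for user, perms in user_perms.items()
        }

    def register_row(self, table_id: str, row_id: str,
                     user_perms: Dict[str, Iterable[str]]) -> None:
        """Row-level registration for a data-type resource.  The row identification
        is qualified by its table so that rows of different tables cannot collide."""
        self.register_resource(f"{table_id}#row:{row_id}", user_perms)

    def role_of(self, user_id: str) -> Optional[str]:
        """Step 204: the role information corresponding to the user, if any."""
        return self.user_roles.get(user_id)

    def query(self, user_id: str, resource_id: str) -> Perm:
        """Steps 203-209.  As in the flow above, existing role information is
        answered from the role permission correspondence (second access permission
        information); the per-user entry is consulted only when the user has no
        role (first access permission information)."""
        role = self.role_of(user_id)
        if role is not None:                              # steps 208-209
            return self.role_perms.get(role, NO_ACCESS)
        user_perms = self.service_perms.get(resource_id)  # step 205
        if user_perms is None:
            return NO_ACCESS
        return user_perms.get(user_id, NO_ACCESS)         # step 206


def is_allowed(server: PermissionServer, user_id: str,
               resource_id: str, action: str) -> bool:
    """What the service server does with the returned information in step 207
    or 209: permit the requested action only if it is in the returned set."""
    return action in server.query(user_id, resource_id)


def build_payroll_example() -> PermissionServer:
    """Constructed sample data following the payroll and gold-member illustrations
    in the text; all names and values are made up for this example."""
    srv = PermissionServer()
    # custom role from the community example: gold members may read and forward
    srv.role_perms["gold_member"] = frozenset({"read", "forward"})
    srv.user_roles["user_m"] = "gold_member"
    # payroll report: one row per employee, registered row by row
    srv.register_row("payroll_2020_08", "1",
                     {"employee_a": {"read"}, "finance_b": {"read", "edit"}})
    srv.register_row("payroll_2020_08", "2",
                     {"employee_c": {"read"}, "finance_b": {"read", "edit"}})
    return srv


if __name__ == "__main__":
    srv = build_payroll_example()
    print(sorted(srv.query("employee_a", "payroll_2020_08#row:1")))   # ['read']
    print(sorted(srv.query("employee_a", "payroll_2020_08#row:2")))   # []
    print(is_allowed(srv, "finance_b", "payroll_2020_08#row:2", "edit"))  # True
    print(sorted(srv.query("user_m", "payroll_2020_08#row:1")))       # ['forward', 'read']
```

Note the consequence of the branch at step 204, which the example preserves: a user for whom any role information exists is answered from the role permission correspondence, so a per-row entry registered for that user in step 202 is never consulted. A deployment that assigns every employee to an organization unit would therefore see the role permissions, not the row-level payroll permissions, returned for those employees; the page leaves the interaction between the two correspondences at that, and the example adds only the deny-by-default result for users found in neither.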
Fig. 3 is a block diagram illustrating a rights management apparatus according to still another exemplary embodiment of the present disclosure; referring to fig. 3, the apparatus, applied to the rights server, may include:
a receiving module 301, configured to receive an authority query request message sent by a service server, where the authority query request message includes target user identification information of a target user and resource identification information corresponding to a target resource that the target user requests to access;
a first obtaining module 302, configured to obtain, according to the target user identification information and the resource identification information, first access right information of the target user when accessing the target resource through a pre-established service right corresponding relationship, where the service right corresponding relationship includes a corresponding relationship between the resource identification information and user right information, the user right information includes access right information corresponding to user identification information of an appointed user, and the appointed user includes a pre-set user capable of accessing the target resource;
a first sending module 303, configured to send the first access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the first access right information.
In this technical scheme, the first obtaining module 302 obtains the first access permission information of the target user for the target resource, according to the target user identification information and the resource identification information, through the pre-established service permission correspondence. Because that correspondence maps resource identification information to user permission information, and the user permission information maps the user identification information of each designated user to its access permission information, permissions can be managed at a finer granularity and the growth in complexity that comes with role-based permission management is avoided, which helps improve the efficiency of permission management and reduce the later maintenance cost of the permission management system.
FIG. 4 is a block diagram of a rights management device according to the embodiment shown in FIG. 3; referring to fig. 4, the first obtaining module 302 includes:
a determining submodule 3021 configured to determine, through the service right correspondence, user right information corresponding to the resource identification information;
the obtaining sub-module 3022 is configured to obtain the first access right information corresponding to the target user identification information from the user right information.
Optionally, in a case that the target resource is a data-type resource, the data-type resource includes at least one of row data, column data, and field data;
under the condition that the data type resource comprises row data, the resource identification information comprises the row data identification information, and the service authority corresponding relation comprises the row data identification information and the row-level authority information; or,
under the condition that the data type resource comprises column data, the service authority corresponding relation comprises the corresponding relation between the column data identification information and column-level authority information; or,
and under the condition that the data type resource comprises field data, the service authority corresponding relation comprises the corresponding relation between the field data identification information and the field authority information.
Optionally, the apparatus further comprises:
a determining module 304 configured to determine whether role information corresponding to the target user identification information exists;
the first obtaining module 302 is configured to, when it is determined that there is no role information corresponding to the target user identification information, obtain, according to the target user identification information and the resource identification information, first access right information of the target user when accessing the target resource through a pre-established service right correspondence relationship.
Optionally, the apparatus further comprises:
a second obtaining module 305, configured to, in a case where it is determined that role information corresponding to the target user identification information exists, obtain second access right information corresponding to the role information through a role right correspondence relationship established in advance; the role authority corresponding relation comprises a corresponding relation between the role information and the second access authority information;
a second sending module 306, configured to send the second access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the second access right information.
Optionally, the service right corresponding relationship is pre-established in the following manner:
receiving resource registration request information sent by the service server, wherein the resource registration request information comprises the resource identification information of the target resource and the user permission information;
and establishing a corresponding relation between the resource identification information and the user authority information to obtain the service authority corresponding relation.
In this technical scheme, when role information corresponding to the target user identification information is determined to exist, the second access permission information corresponding to that role information is obtained through the pre-established role permission correspondence; when no such role information exists, the first access permission information of the target user for the target resource is obtained through the pre-established service permission correspondence. Permissions can thus be managed at a finer granularity, the efficiency of the permission management system is improved, and its later maintenance cost is reduced.
An exemplary embodiment of the present disclosure also provides a rights management apparatus, including:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
receiving an authority query request message sent by a service server, wherein the authority query request message comprises target user identification information of a target user and resource identification information corresponding to a target resource which the target user requests to access;
according to the target user identification information and the resource identification information, acquiring first access authority information of a target user when the target user accesses the target resource through a pre-established service authority corresponding relation, wherein the service authority corresponding relation comprises the corresponding relation of the resource identification information and user authority information, the user authority information comprises access authority information corresponding to user identification information of an appointed user, and the appointed user comprises a user which is pre-set and can access the target resource;
and sending the first access right information to the service server so that the service server configures the access right of the target user to the target resource according to the first access right information.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
The present disclosure also provides a computer readable storage medium having stored thereon computer program instructions which, when executed by a processor, implement the steps of the rights management method provided by the present disclosure.
Fig. 5 is a block diagram illustrating an apparatus for rights management according to an example embodiment. For example, the apparatus 500 may be provided as a server. Referring to fig. 5, the apparatus 500 includes a processing component 522 that further includes one or more processors and memory resources, represented by memory 532, for storing instructions, such as applications, that are executable by the processing component 522. The application programs stored in memory 532 may include one or more modules that each correspond to a set of instructions. Further, the processing component 522 is configured to execute instructions to perform the rights management method described above.
The apparatus 500 may also include a power component 526 configured to perform power management of the apparatus 500, a wired or wireless network interface 550 configured to connect the apparatus 500 to a network, and an input/output (I/O) interface 558. The apparatus 500 may operate based on an operating system stored in the memory 532, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™ or the like.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (14)

1. A method for managing authority, which is applied to an authority server, the method comprises the following steps:
receiving an authority query request message sent by a service server, wherein the authority query request message comprises target user identification information of a target user and resource identification information corresponding to a target resource which the target user requests to access;
according to the target user identification information and the resource identification information, acquiring first access authority information of a target user when the target user accesses the target resource through a pre-established service authority corresponding relation, wherein the service authority corresponding relation comprises the corresponding relation of the resource identification information and user authority information, the user authority information comprises access authority information corresponding to user identification information of an appointed user, and the appointed user comprises a user which is pre-set and can access the target resource;
and sending the first access right information to the service server so that the service server configures the access right of the target user to the target resource according to the first access right information.
2. The method of claim 1, wherein the obtaining, according to the target user identification information and the resource identification information, first access right information of the target user when accessing the target resource through a pre-established service right correspondence relationship comprises:
determining user authority information corresponding to the resource identification information according to the service authority corresponding relation;
and acquiring the first access authority information corresponding to the target user identification information from the user authority information.
3. The method of claim 1, wherein in the case where the target resource is a data-type resource, the data-type resource includes at least one of row data, column data, and field data;
under the condition that the data type resource comprises row data, the resource identification information comprises the row data identification information, and the service authority corresponding relation comprises the row data identification information and the row level authority information; or,
under the condition that the data type resource comprises column data, the service authority corresponding relation comprises the corresponding relation between the column data identification information and column-level authority information; or,
and under the condition that the data type resource comprises field data, the service permission corresponding relation comprises the corresponding relation between field data identification information and field permission information.
4. The method according to claim 1, wherein before obtaining first access right information of the target user when accessing the target resource through a pre-established service right corresponding relationship according to the target user identification information and the resource identification information, the method further comprises:
determining whether role information corresponding to the target user identification information exists;
the obtaining of the first access right information of the target user when accessing the target resource through the pre-established service right corresponding relation according to the target user identification information and the resource identification information includes:
and under the condition that the role information corresponding to the target user identification information does not exist, acquiring first access authority information of the target user when the target user accesses the target resource through a pre-established service authority corresponding relation according to the target user identification information and the resource identification information.
5. The method of claim 4, further comprising:
under the condition that the role information corresponding to the target user identification information is determined to exist, second access authority information corresponding to the role information is obtained through a pre-established role authority corresponding relation; the role authority corresponding relation comprises a corresponding relation between the role information and the second access authority information;
and sending the second access right information to the service server so that the service server configures the access right of the target user to the target resource according to the second access right information.
6. The method according to any one of claims 1 to 5, wherein the service right correspondence is pre-established by:
receiving resource registration request information sent by the service server, wherein the resource registration request information comprises the resource identification information of the target resource and the user permission information;
and establishing a corresponding relation between the resource identification information and the user authority information to obtain the service authority corresponding relation.
7. A rights management apparatus applied to a rights server, the apparatus comprising:
the system comprises a receiving module, a service server and a service processing module, wherein the receiving module is configured to receive an authority query request message sent by the service server, and the authority query request message comprises target user identification information of a target user and resource identification information corresponding to a target resource which the target user requests to access;
a first obtaining module, configured to obtain, according to the target user identification information and the resource identification information, first access permission information of the target user when accessing the target resource through a pre-established service permission correspondence relationship, where the service permission correspondence relationship includes a correspondence relationship between the resource identification information and user permission information, the user permission information includes access permission information corresponding to user identification information of an appointed user, and the appointed user includes a pre-set user capable of accessing the target resource;
the first sending module is configured to send the first access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the first access right information.
8. The apparatus of claim 7, wherein the first obtaining module comprises:
the determining submodule is configured to determine user permission information corresponding to the resource identification information through the service permission corresponding relation;
and the obtaining sub-module is configured to obtain the first access right information corresponding to the target user identification information from the user right information.
9. The apparatus of claim 7, wherein in the case that the target resource is a data-type resource, the data-type resource includes at least one of row data, column data, and field data;
under the condition that the data type resource comprises row data, the resource identification information comprises the row data identification information, and the service authority corresponding relation comprises the row data identification information and the row level authority information; or,
under the condition that the data type resource comprises column data, the service authority corresponding relation comprises the corresponding relation between the column data identification information and column-level authority information; or,
and under the condition that the data type resource comprises field data, the service permission corresponding relation comprises the corresponding relation between field data identification information and field permission information.
10. The apparatus of claim 7, further comprising:
a determining module configured to determine whether role information corresponding to the target user identification information exists;
the first obtaining module is configured to, under the condition that it is determined that there is no role information corresponding to the target user identification information, obtain, according to the target user identification information and the resource identification information, first access right information of the target user when accessing the target resource through a pre-established service right correspondence.
11. The apparatus of claim 10, further comprising:
the second acquisition module is configured to acquire second access authority information corresponding to the role information through a role authority corresponding relationship established in advance under the condition that the role information corresponding to the target user identification information is determined to exist; the role authority corresponding relation comprises a corresponding relation between the role information and the second access authority information;
and the second sending module is configured to send the second access right information to the service server, so that the service server configures the access right of the target user to the target resource according to the second access right information.
12. The apparatus according to any one of claims 7 to 10, wherein the service right correspondence is pre-established by:
receiving resource registration request information sent by the service server, wherein the resource registration request information comprises the resource identification information of the target resource and the user permission information;
and establishing a corresponding relation between the resource identification information and the user authority information to obtain the service authority corresponding relation.
13. A rights management device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor is configured to:
receiving an authority query request message sent by a service server, wherein the authority query request message comprises target user identification information of a target user and resource identification information corresponding to a target resource that the target user requests to access;
obtaining, according to the target user identification information and the resource identification information, first access right information of the target user when accessing the target resource through a pre-established service right correspondence, wherein the service right correspondence comprises a correspondence between the resource identification information and user right information, the user right information comprises access right information corresponding to user identification information of a designated user, and the designated user comprises a user that is pre-set as permitted to access the target resource;
and sending the first access right information to the service server so that the service server configures the access right of the target user to the target resource according to the first access right information.
14. A computer-readable storage medium, on which computer program instructions are stored, which program instructions, when executed by a processor, carry out the steps of the method according to any one of claims 1 to 6.
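A minimal Python model of the query flow in claims 10 to 13, written here as an added example (not code from the patent or its assignee): the service server registers a resource together with its designated users, and the rights server answers a permission query from role information first, falling back to the per-user service right correspondence, with anything unknown denied. All class names, identifiers and sample users are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class RightsServer:
    """Holds the two correspondences the claims describe (constructed example)."""
    service_rights: dict = field(default_factory=dict)  # resource_id -> {user_id: rights}
    role_rights: dict = field(default_factory=dict)     # role -> rights (claim 11)
    user_roles: dict = field(default_factory=dict)      # user_id -> role, if any

    def register_resource(self, resource_id: str, user_rights: dict) -> None:
        """Registration request (claim 12): store designated users' rights as immutable sets."""
        self.service_rights[resource_id] = {u: frozenset(r) for u, r in user_rights.items()}

    def query(self, user_id: str, resource_id: str) -> tuple:
        """Permission query (claim 13): (source, rights). Role info wins; unknown is denied."""
        role = self.user_roles.get(user_id)
        if role is not None:
            return "role", frozenset(self.role_rights.get(role, ()))
        designated = self.service_rights.get(resource_id, {})
        return "user", designated.get(user_id, frozenset())

class ServiceServer:
    """Caches the rights the rights server returns and enforces them locally."""
    def __init__(self, rights_server: RightsServer) -> None:
        self.rights_server, self.granted = rights_server, {}

    def configure_access(self, user_id: str, resource_id: str) -> frozenset:
        _, rights = self.rights_server.query(user_id, resource_id)
        self.granted[(user_id, resource_id)] = rights
        return rights

    def is_allowed(self, user_id: str, resource_id: str, operation: str) -> bool:
        return operation in self.granted.get((user_id, resource_id), frozenset())

def demo() -> dict:
    """Exercise both lookup paths and the default-deny cases."""
    rs = RightsServer()
    rs.register_resource("report-42", {"alice": {"read", "write"}, "bob": {"read"}})
    rs.role_rights["auditor"] = {"read"}
    rs.user_roles["carol"] = "auditor"
    svc = ServiceServer(rs)
    for user in ("alice", "bob", "carol", "mallory"):
        svc.configure_access(user, "report-42")
    return {
        "alice_write": svc.is_allowed("alice", "report-42", "write"),
        "bob_write": svc.is_allowed("bob", "report-42", "write"),        # not granted
        "carol": rs.query("carol", "report-42"),                        # role path
        "mallory_read": svc.is_allowed("mallory", "report-42", "read"),  # not designated
        "unknown_resource": svc.configure_access("alice", "no-such-resource"),
    }
```

Note that a user with a role is answered from the role table even for resources that never named them, so role assignment is the more powerful of the two configuration paths and deserves the tighter change control.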
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010838932.9A CN112100585A (en) 2020-08-19 2020-08-19 Authority management method, device and storage medium

Publications (1)

Publication Number Publication Date
CN112100585A (en) 2020-12-18

Family

ID=73753009

Country Status (1)

Country Link
CN (1) CN112100585A (en)

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546664A (en) * 2012-02-27 2012-07-04 中国科学院计算技术研究所 User and authority management method and system for distributed file system
CN103078859A (en) * 2012-12-31 2013-05-01 普天新能源有限责任公司 Service system authority management method, equipment and system
CN106302492A (en) * 2016-08-23 2017-01-04 唐山新质点科技有限公司 A kind of access control method and system
WO2017076212A1 (en) * 2015-11-05 2017-05-11 阿里巴巴集团控股有限公司 Data sheet query method and device
CN107204964A (en) * 2016-03-16 2017-09-26 腾讯科技(深圳)有限公司 A kind of methods, devices and systems of rights management
CN108763960A (en) * 2018-06-04 2018-11-06 北京奇虎科技有限公司 Access authorization for resource management method and device
CN109598117A (en) * 2018-10-24 2019-04-09 平安科技(深圳)有限公司 Right management method, device, electronic equipment and storage medium
CN109818935A (en) * 2018-05-04 2019-05-28 360企业安全技术(珠海)有限公司 User authority control method and device, storage medium, computer equipment
CN110727929A (en) * 2019-10-12 2020-01-24 北京明略软件系统有限公司 AOP-based line-level authority control method, device and client
CN111191221A (en) * 2019-12-30 2020-05-22 腾讯科技(深圳)有限公司 Method and device for configuring authority resources and computer readable storage medium
CN111488595A (en) * 2020-03-27 2020-08-04 腾讯科技(深圳)有限公司 Method for realizing authority control and related equipment
CN111552936A (en) * 2020-04-26 2020-08-18 国电南瑞科技股份有限公司 Cross-system access right control method and system based on scheduling mechanism level

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
颜平超; 牛熠; 吴燕玲: "Design and Implementation of RBAC-Based Permission Management" (基于RBAC的权限管理的设计与实现), 硅谷 (Silicon Valley), no. 07 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112615925A (en) * 2020-12-22 2021-04-06 北京金山云网络技术有限公司 Configuration and management method and device of service resources and electronic equipment
CN112615925B (en) * 2020-12-22 2022-11-01 北京金山云网络技术有限公司 Configuration and management method and device of service resources and electronic equipment
CN112668051A (en) * 2020-12-31 2021-04-16 北京聚云科技有限公司 Data acquisition method and device
WO2022237255A1 (en) * 2021-05-14 2022-11-17 华为技术有限公司 Management method and system for computing node
CN113282890A (en) * 2021-05-25 2021-08-20 挂号网(杭州)科技有限公司 Resource authorization method, device, electronic equipment and storage medium
CN113407916A (en) * 2021-06-15 2021-09-17 北京字跳网络技术有限公司 Information processing method, device, terminal and storage medium
CN114172727A (en) * 2021-12-07 2022-03-11 中国建设银行股份有限公司 Information processing method, information processing apparatus, electronic device, and storage medium
CN114172727B (en) * 2021-12-07 2024-04-26 中国建设银行股份有限公司 Information processing method, information processing apparatus, electronic device, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination