CN113505996A - Authority management method and device - Google Patents

Info

Publication number
CN113505996A
Authority
CN
China
Prior art keywords
tree
user
node
resource
role
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110788261.4A
Other languages
Chinese (zh)
Inventor
王峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Shuhe Information Technology Co Ltd
Original Assignee
Shanghai Shuhe Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Shuhe Information Technology Co Ltd filed Critical Shanghai Shuhe Information Technology Co Ltd
Priority to CN202110788261.4A priority Critical patent/CN113505996A/en
Publication of CN113505996A publication Critical patent/CN113505996A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/06 Resources, workflows, human or project management; Enterprise or organisation planning; Enterprise or organisation modelling
    • G06Q10/063 Operations research, analysis or management
    • G06Q10/0637 Strategic management or analysis, e.g. setting a goal or target of an organisation; Planning actions based on goals; Analysis or evaluation of effectiveness of goals
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/25 Integrating or interfacing systems involving database management systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0629 Configuration or reconfiguration of storage systems
    • G06F3/0637 Permissions

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Business, Economics & Management (AREA)
  • Human Resources & Organizations (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Databases & Information Systems (AREA)
  • Strategic Management (AREA)
  • General Engineering & Computer Science (AREA)
  • Educational Administration (AREA)
  • Economics (AREA)
  • Development Economics (AREA)
  • Game Theory and Decision Science (AREA)
  • Data Mining & Analysis (AREA)
  • Marketing (AREA)
  • Operations Research (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • General Business, Economics & Management (AREA)
  • Human Computer Interaction (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure discloses a method and a device for managing authority, wherein the method comprises the following steps: after defining at least one role, configuring corresponding roles for all users; establishing a permission tree based on the permission category to associate each role to a corresponding permission tree, wherein each permission tree comprises a root node and at least one child node; after the resources of at least one category are obtained, establishing a resource tree for each category of resources, wherein each resource tree comprises at least one node, and each node is mounted with resources; and associating preset nodes in the resource tree nodes to preset users. The concept of 'resources' and 'resource trees' is introduced on the traditional authority control method, the advantages of an RBAC model and the ABAC are combined, authority configuration is carried out on the basis of the resources, and the resources are established one by one according to the corresponding hierarchical relation under the authority model, so that accurate authority control is achieved. The defects of the RBAC model and the ABAC model are overcome.

Description

Authority management method and device
Technical Field
The present disclosure relates to the field of data processing technologies, and in particular, to a method and an apparatus for managing permissions.
Background
In the actual production environment of an enterprise, each employee has different responsibilities, meaning different scope of authority. A system is required to uniformly manage the authority of all employees. Most companies now employ either role-based RBAC or attribute-based ABAC.
The RBAC model falls short in scenarios that require flexible and complex rights control, such as when people who need to be given the same role must automatically receive different rights according to their position or other attributes.
The RBAC model also suffers from role bloat: when more than ninety percent of the permissions of one class of users coincide with those of another class, the ten percent difference still requires separate roles to be established for the two classes. In the day-to-day operation of a company, the number of roles grows geometrically, which greatly increases the maintenance cost for administrators, and users applying for rights cannot tell roles apart because the roles differ only slightly.
The permissions of the ABAC model are too flexible and complex; once the number of users and permissions grows, the complexity of permission management increases greatly. For example, Kubernetes used the ABAC rights management mode in its early days but later had to switch to the RBAC mode because of the complexity of rights management.
Disclosure of Invention
The main purpose of the present disclosure is to provide a rights management method.
In order to achieve the above object, according to a first aspect of the present disclosure, there is provided a rights management method including: after defining at least one role, configuring corresponding roles for all users; establishing a permission tree based on the permission category to associate each role to a corresponding permission tree, wherein each permission tree comprises a root node and at least one child node; after the resources of at least one category are obtained, establishing a resource tree for each category of resources, wherein each resource tree comprises at least one node, and each node is mounted with resources; and associating preset nodes in the resource tree nodes to preset users.
Optionally, the method further comprises: in response to receiving an operation request of a user, after a target role corresponding to the user is determined, whether a target permission tree corresponding to the target role contains a permission corresponding to the operation is determined.
Optionally, the method further comprises: if the authority corresponding to the operation is contained, determining whether the node in the resource tree associated with the user contains the requested operation; and feeding back the target resource mounted by the target node to the user.
Optionally, associating each role to a corresponding authority tree includes: associating each role to a root node of a corresponding authority tree; or, each role is associated to a part of the child nodes of the corresponding authority tree.
Optionally, the method further comprises: in response to receiving a change pre-configured role request for a user, a new role is configured for the user.
Optionally, the method further comprises: and responding to a received request for changing the pre-associated preset node in the resource tree for the user, and changing the association relation for the user.
Optionally, the establishing a resource tree for each type of resource includes: and establishing the resource tree from top to bottom based on a preset control logic specification.
According to a second aspect of the present disclosure, there is provided a rights management device including: the configuration unit is configured to configure corresponding roles for all users after at least one role is defined; the generating unit is configured to establish a permission tree based on the permission category so as to associate each role to a corresponding permission tree, wherein each permission tree comprises a root node and at least one child node; the second generation unit is configured to establish a resource tree for each type of resources after the resources of at least one type are acquired, wherein each resource tree comprises at least one node, and each node is mounted with resources; an associating unit configured to associate a preset node in the resource tree nodes to a preset user.
According to a third aspect of the present disclosure, there is provided a computer-readable storage medium storing computer instructions for causing the computer to perform the method of rights management of any one of claims 1-7.
According to a fourth aspect of the present disclosure, there is provided an electronic device comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to cause the at least one processor to perform the method of rights management as set forth in any one of the embodiments of the first aspect.
In the embodiment of the disclosure, the concepts of "resources" and "resource trees" are introduced on the traditional authority control method, the advantages of the RBAC model and the ABAC are combined, the authority configuration is performed on the basis of the resources, and the resources are established one by one according to the corresponding hierarchical relationship under the authority model, so that the accurate authority control is achieved. The defects of the RBAC model and the ABAC model are overcome.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present disclosure, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of a method of rights management according to an embodiment of the present disclosure;
FIG. 2 is a diagram of an application scenario of a rights management method according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of a structure of a rights management device according to an embodiment of the disclosure;
FIG. 4 is a schematic diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
In order to make the technical solutions of the present disclosure better understood by those skilled in the art, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the drawings in the embodiments of the present disclosure, and it is obvious that the described embodiments are only some embodiments of the present disclosure, not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments disclosed herein without making any creative effort, shall fall within the protection scope of the present disclosure.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It should be understood that the data so used may be interchanged under appropriate circumstances such that embodiments of the present disclosure may be described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
It should be noted that, in the present disclosure, the embodiments and features of the embodiments may be combined with each other without conflict. The present disclosure will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
At present, data authority management under RBAC is generally handled by hard coding in the client program. As a result, the rights cannot be configured dynamically, and the rights depend on the client, which presents a security risk.
Another problem with the ABAC model is that due to its complexity, it has a poor experience in terms of rights verification, problem tracking, rights integrity checks, and corporate level rights audits.
According to an embodiment of the present disclosure, there is provided a rights management method, as shown in fig. 1, the method including the following steps 101 to 104:
Step 101: after defining at least one role, configuring corresponding roles for all users.
In this embodiment, roles may be defined according to preset specifications, so that different roles have different permissions, for example, for the financial industry, roles may be defined to include, but not limited to, administrators, managers, auditors, and the like, and the types of roles that may be defined according to different business specifications are various.
Step 102: establishing a permission tree based on the permission category to associate each role to the corresponding permission tree, wherein each permission tree comprises a root node and at least one child node.
In this embodiment, the structure (hierarchy) of the authority tree may be determined based on business logic, the authority tree may be an authority tree for representing operation authority, the root node may be "operation authority", and the child nodes composing the tree structure may include, but are not limited to, "query", "edit", "download", "create, clear, import, export", and so on, which are merely illustrative. The hierarchy of each child node is determined based on the business hierarchy, for example, "operation authority" as a root node, the first level of its child node is "query" or the like, and the child node as "query" may be "download" or the like, and the logical structure is implemented based on the business logic.
Specifically, each role can be associated to a corresponding rights tree after the rights tree is established.
More specifically, the rights tree may be constructed from a series of components that need to be rights controlled, such as APIs, menus, buttons, page elements, and the like.
As an optional implementation manner of this embodiment, associating each role to a corresponding authority tree includes: associating each role to a root node of a corresponding authority tree; or, each role is associated to a part of the child nodes of the corresponding authority tree.
In this optional implementation, if the role is associated to the authority tree, the role may be associated to all child nodes after being associated to the root node; or selectively associating partial child nodes of the authority tree based on the configuration of the user terminal.
Step 103: after the resources of at least one category are obtained, a resource tree is established for each category of resources, wherein each resource tree comprises at least one node, and each node is mounted with resources.
In this embodiment, the resource category includes various categories, such as a service resource, a set of interrelated data, an application, a database, a menu of an operation platform, and the like. A resource tree may be established for each class of resources. And mounting resources needing to be controlled, such as file resources, database resources and the like, on the nodes of the resource tree.
As an optional implementation manner of this embodiment, the establishing a resource tree for each type of resource includes: and establishing the resource tree from top to bottom based on a preset control logic specification.
In this optional implementation, when the resource tree is established, the tree structure may be established from top to bottom according to the control logic granularity, for example, established according to an enterprise architecture, established according to a folder hierarchy, established according to a regional division, or established in a user-defined manner. There is no limitation on the control logic nor on its granularity, such as the granularity of regional differentiation under the report resource.
Step 104: associating preset nodes in the resource tree nodes to preset users.
In this embodiment, the preset node on the resource tree may be associated to the preset user, or the preset node on the resource tree may be associated to the preset user based on the configuration of the user side. For example, taking the report resource as an example, the child nodes of the report resource include a south China report and a north China report, and then any one of the child nodes or all of the child nodes may be associated with a preset user. It will be appreciated that each user is associated with which nodes are configurable. The nodes in the established resource tree are associated to the users, and the purpose of defining the range of the data authority is realized.
In this embodiment, the concepts of "resource" and "resource tree" are added: all managed data are collectively referred to as resources, and the resources are divided according to the data authority management hierarchy to form the resource tree. The resource tree manages resources in a tree structure and defines the authority range of the user through a resource path, which gives genuinely flexible control over user authority.
As an optional implementation manner of this embodiment, the method further includes: in response to receiving an operation request of a user, after a target role corresponding to the user is determined, whether a target permission tree corresponding to the target role contains a permission corresponding to the operation is determined.
In this optional implementation, the purpose of the operation request is to operate on a resource. By intercepting the request, the user's permission tree and resource tree can be analyzed to decide whether the user is permitted to perform it. After the structure of the authority model is established based on steps 101 to 104, authority management can be carried out as follows: after an operation request sent by a user through the user side is received, the role corresponding to the user can be determined because user information is associated with roles in advance; each role has a pre-associated permission tree, from which it can be determined whether the user holds the requested permission.
As an optional implementation manner of this embodiment, the method further includes: if the authority corresponding to the operation is contained, determining a target node in the resource tree associated with the user; and feeding back the target resource mounted by the target node to the user.
In this optional implementation, whether the user has the operation authority is determined according to the operation the user requests. If so, the resource tree nodes pre-associated with the user are examined to obtain the user's data authority; if the requested data falls within that data authority, the resources under the node are fed back to the user. If the user has the operation authority but the requested data includes resource tree nodes (data) that are not associated with the user, the requested data resources are not fed back to the user.
For example, FIG. 2 shows an application scenario of the rights management model. User 1 and user 2 both belong to role 1, an administrator, so the roles of user 1 and user 2 may correspond to the same permission tree; for example, both users are associated with the "view file" and "view report" permissions under the operation authority. User 1 is pre-associated with the "credit standing file" child node of "file resource" in the resource tree and with the "South China report" child node of "report resource". User 2 is pre-associated with the "risk file" child node of "file resource" and with the "Central China report" child node. Therefore, given the "view report" permission, user 1 can view only the resources mounted on the South China report node; given the "view file" permission, user 1 can view only the "credit standing file".
Therefore, if user 1 sends, through the user side, a request to view the Central China report resources or the risk file resources, the server determines that user 1 does not have the data authority, and the corresponding Central China report or risk file resources are not fed back to user 1.
As an optional implementation manner of this embodiment, the method further includes: in response to receiving a change pre-configured role request for a user, a new role is configured for the user.
In this optional implementation manner, if a request sent by the user side for changing the role for the user is received, the role pre-configured by the user is changed to a new role, so that the operation permission of the user is changed. At this time, child nodes in the resource tree associated with the user, namely, data permissions, can also be changed in a customized manner. After the role of the user is changed, the operation authority of the user is correspondingly changed, and the data authority can be changed or not.
As an optional implementation manner of this embodiment, the method further includes: and responding to a received request for changing the pre-associated preset node in the resource tree for the user, and changing the association relation for the user.
In this optional implementation manner, after receiving a request sent by a user side to change a node in a pre-associated resource tree for a user, the association relationship between the user and the resource tree node is changed, that is, the data permission is changed. After the incidence relation between the user and the resource tree node is changed, if the role of the user is not changed, the operation authority of the user is not changed, namely after the data authority is changed, the operation authority can be changed or not.
The embodiment judges the user authority, which is divided into two parts, wherein one part is to judge whether the operation authority is satisfied. And the other part is to judge whether the data authority is satisfied, and obtain the data authority range of the user by analyzing the resource tree path of the user.
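The two-part check described above (operation authority from the role's permission tree, then data authority from the user's resource tree nodes), as an added Python example that is not code from the patent. Class, function and file names are assumptions, the data follows the FIG. 2 scenario, and the two checks are evaluated independently with deny as the default.

```python
from dataclasses import dataclass, field
from typing import NamedTuple

# Constructed node paths following the FIG. 2 scenario (root first).
ROOT = ("operation authority",)
VIEW_FILE, VIEW_REPORT, EDIT = ROOT + ("view file",), ROOT + ("view report",), ROOT + ("edit",)
CREDIT = ("file resource", "credit standing file")
RISK = ("file resource", "risk file")
SOUTH = ("report resource", "South China report")
CENTRAL = ("report resource", "Central China report")


class Decision(NamedTuple):
    allowed: bool
    reason: str
    resources: list


def covers(grant: tuple, target: tuple) -> bool:
    """True when `grant` is `target` itself or one of its ancestors.

    Paths are compared segment by segment, so a grant on ("reports", "South")
    never matches ("reports", "South-East") the way a string-prefix test would.
    """
    return len(grant) <= len(target) and target[: len(grant)] == grant


@dataclass
class AccessModel:
    perm_nodes: set = field(default_factory=set)    # permission tree (step 102)
    res_nodes: set = field(default_factory=set)     # resource trees (step 103)
    mounted: dict = field(default_factory=dict)     # resource node -> mounted resources
    user_role: dict = field(default_factory=dict)   # user -> role (step 101)
    role_perms: dict = field(default_factory=dict)  # role -> granted permission nodes
    user_nodes: dict = field(default_factory=dict)  # user -> associated nodes (step 104)

    @staticmethod
    def _add(tree: set, path: tuple) -> tuple:
        # Trees are built top-down: adding a node also registers its ancestors.
        for depth in range(1, len(path) + 1):
            tree.add(path[:depth])
        return path

    def add_permission(self, path: tuple) -> tuple:
        return self._add(self.perm_nodes, path)

    def add_resource(self, path: tuple, resources=()) -> tuple:
        self.mounted.setdefault(self._add(self.res_nodes, path), []).extend(resources)
        return path

    def grant_role(self, role: str, perm_node: tuple) -> None:
        # A grant on the root covers every child; a grant on a child covers its subtree.
        if perm_node not in self.perm_nodes:
            raise KeyError(f"unknown permission node: {perm_node}")
        self.role_perms.setdefault(role, set()).add(perm_node)

    def associate(self, user: str, res_node: tuple) -> None:
        if res_node not in self.res_nodes:
            raise KeyError(f"unknown resource node: {res_node}")
        self.user_nodes.setdefault(user, set()).add(res_node)

    def authorize(self, user: str, operation: tuple, target: tuple) -> Decision:
        """Deny by default; both checks run server-side on every request."""
        role = self.user_role.get(user)
        if role is None:
            return Decision(False, "no-role", [])
        # Part 1: operation authority, from the role's permission tree.
        grants = self.role_perms.get(role, ())
        if operation not in self.perm_nodes or not any(covers(g, operation) for g in grants):
            return Decision(False, "operation-denied", [])
        # Part 2: data authority, from the user's resource tree nodes. A request for
        # a parent of an associated node would include unassociated data: denied.
        nodes = self.user_nodes.get(user, ())
        if target not in self.res_nodes or not any(covers(n, target) for n in nodes):
            return Decision(False, "data-denied", [])
        found = [r for node in sorted(self.mounted) if covers(target, node)
                 for r in self.mounted[node]]
        return Decision(True, "allowed", found)


def build_fig2_model() -> AccessModel:
    """Users, role and trees from the FIG. 2 scenario; file names are constructed."""
    m = AccessModel()
    for perm in (VIEW_FILE, VIEW_REPORT, EDIT):
        m.add_permission(perm)
    m.add_resource(CREDIT, ["credit-2021.pdf"])
    m.add_resource(RISK, ["risk-2021.pdf"])
    m.add_resource(SOUTH, ["south-q1.xlsx"])
    m.add_resource(CENTRAL, ["central-q1.xlsx"])
    m.grant_role("administrator", VIEW_FILE)
    m.grant_role("administrator", VIEW_REPORT)
    for user, nodes in {"user1": (CREDIT, SOUTH), "user2": (RISK, CENTRAL)}.items():
        m.user_role[user] = "administrator"
        for node in nodes:
            m.associate(user, node)
    return m


if __name__ == "__main__":
    model = build_fig2_model()
    for request in [("user1", VIEW_REPORT, SOUTH), ("user1", VIEW_REPORT, CENTRAL),
                    ("user1", VIEW_FILE, RISK), ("user1", EDIT, SOUTH)]:
        print(request[0], request[1][-1], request[2][-1], "->", model.authorize(*request))
```

The example does not bind an operation to a resource category (for instance "view report" to report resources only), because the page does not describe such a binding.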
In this embodiment, the concepts of "resource" and "resource tree" are introduced to the conventional rights control method, the advantages of the RBAC model and the ABAC are combined, rights are configured based on the resource, and the resources are established one by one according to the corresponding hierarchical relationship under the rights model, so as to achieve accurate rights control. Meanwhile, the operation authority and the data authority are distinguished, so that the authority management is more flexible, and the management complexity is greatly reduced.
The method and the device meet the requirement of flexible and complex authority control and support a fine-grained data authority mode. The operation authority and the data authority are distinguished, so onboarding a simple scenario is very simple. The hard-coded client approach is abandoned, and dynamic permission configuration and hot plug are supported. The role bloat problem is solved: each distributed system is effectively kept to ten to fifteen roles. Authority audit at the platform system level and even the company level can be met.
It should be noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system such as a set of computer-executable instructions and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order different than presented herein.
According to an embodiment of the present disclosure, there is also provided an apparatus for implementing the above rights management method, as shown in fig. 3, the apparatus includes:
a configuration unit 301 configured to configure corresponding roles for all users after defining at least one role; a generating unit 302 configured to establish a permission tree based on the category of the permission, so as to associate each role to a corresponding permission tree, wherein each permission tree includes a root node and at least one child node; a second generating unit 303, configured to, after acquiring at least one category of resources, establish a resource tree for each category of resources, where each resource tree includes at least one node, and each node has a resource mounted thereon; an associating unit 302 configured to associate a preset node in the resource tree nodes to a preset user.
The device further comprises a first determining unit, wherein the first determining unit is used for responding to the received operation request of the user, and determining whether the target authority tree corresponding to the target role contains the authority corresponding to the operation or not after determining the target role corresponding to the user.
The device further includes: a second determining unit, configured to determine whether a node in the resource tree associated with the user includes the requested operation if the node includes the authority corresponding to the operation; and feeding back the target resource mounted by the target node to the user.
Associating each of the roles with a corresponding authority tree includes: associating each role to a root node of a corresponding authority tree; or, each role is associated to a part of the child nodes of the corresponding authority tree.
The apparatus also includes a configuration unit to configure a new role for a user in response to receiving a change of a pre-configured role request for the user.
The device also comprises a changing unit which responds to the received request for changing the pre-associated preset nodes in the resource tree for the user and changes the association relation for the user.
Establishing a resource tree for each type of resource comprises: and establishing the resource tree from top to bottom based on a preset control logic specification.
The embodiment of the present disclosure provides an electronic device, as shown in fig. 4, the electronic device includes one or more processors 41 and a memory 42, where one processor 41 is taken as an example in fig. 4.
The controller may further include: an input device 43 and an output device 44.
The processor 41, the memory 42, the input device 43 and the output device 44 may be connected by a bus or other means, and fig. 4 illustrates the connection by a bus as an example.
The processor 41 may be a Central Processing Unit (CPU). The processor 41 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or combinations thereof. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 42, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as program instructions/modules corresponding to the control methods in the embodiments of the present disclosure. The processor 41 executes various functional applications of the server and data processing by running non-transitory software programs, instructions and modules stored in the memory 42, namely, implements the rights management method of the above-described method embodiment.
The memory 42 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to use of a processing device operated by the server, and the like. Further, the memory 42 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, memory 42 may optionally include memory located remotely from processor 41, which may be connected to a network connection device via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 43 may receive input numeric or character information and generate key signal inputs related to user settings and function control of the processing device of the server. The output device 44 may include a display device such as a display screen.
One or more modules are stored in the memory 42, which when executed by the one or more processors 41, perform the method as shown in fig. 1.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program to instruct related hardware, and the program can be stored in a computer readable storage medium, and when executed, the program can include the processes of the embodiments of the motor control methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-only memory (ROM), a Random Access Memory (RAM), a flash memory (FlashMemory), a hard disk (hard disk drive, abbreviated as HDD) or a Solid State Drive (SSD), etc.; the storage medium may also comprise a combination of memories of the kind described above.
Although the embodiments of the present disclosure have been described in conjunction with the accompanying drawings, those skilled in the art may make various modifications and variations without departing from the spirit and scope of the present disclosure, and such modifications and variations fall within the scope defined by the appended claims.

Claims (10)

1. A method of rights management, comprising:
after defining at least one role, configuring corresponding roles for all users;
establishing a permission tree based on the permission category to associate each role to a corresponding permission tree, wherein each permission tree comprises a root node and at least one child node;
after the resources of at least one category are obtained, establishing a resource tree for each category of resources, wherein each resource tree comprises at least one node, and each node is mounted with resources;
and associating preset nodes among the nodes of the resource tree with preset users.
2. The rights management method of claim 1, further comprising:
in response to receiving an operation request from a user, determining a target role corresponding to the user, and then determining whether a target permission tree corresponding to the target role contains a permission corresponding to the operation.
3. The rights management method of claim 2, further comprising:
if the permission corresponding to the operation is contained, determining whether the node in the resource tree associated with the user contains the requested operation;
and feeding back the target resource mounted by the target node to the user.
4. The rights management method of claim 1, wherein associating each of the roles with a corresponding rights tree comprises:
associating each role with the root node of the corresponding permission tree;
or associating each role with some of the child nodes of the corresponding permission tree.
5. The rights management method of claim 1, further comprising:
in response to receiving a request to change the role pre-configured for a user, configuring a new role for the user.
6. The rights management method of claim 1, further comprising:
in response to receiving a request to change the preset node in the resource tree pre-associated with a user, changing the association for the user.
7. The rights management method of claim 1, wherein the building a resource tree for each type of resource comprises:
establishing the resource tree from top to bottom based on a preset control logic specification.
8. A rights management device, comprising:
a configuration unit configured to configure corresponding roles for all users after at least one role is defined;
a generating unit configured to establish a permission tree based on the permission category so as to associate each role with a corresponding permission tree, wherein each permission tree comprises a root node and at least one child node;
a second generating unit configured to establish a resource tree for each category of resources after resources of at least one category are acquired, wherein each resource tree comprises at least one node, and each node is mounted with resources;
an associating unit configured to associate preset nodes among the nodes of the resource tree with preset users.
9. A computer-readable storage medium storing computer instructions for causing a computer to perform the method of rights management of any of claims 1-7.
10. An electronic device, comprising: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to cause the at least one processor to perform the method of rights management of any of claims 1-7.
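The two-stage check described in claims 1 to 4 (role to permission tree, then user to resource-tree node) can be sketched as follows. This is an added example, not code from the patent or its applicant; the class and function names, the use of node names as permission identifiers, the rule that an association with a node also covers its descendants, and the deny-by-default result are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    resources: set = field(default_factory=set)   # resources mounted on this node
    children: list = field(default_factory=list)

    def add(self, child):
        self.children.append(child)
        return child

    def subtree(self):
        """Yield this node and all descendants (assumed inheritance rule)."""
        yield self
        for child in self.children:
            yield from child.subtree()

class Authorizer:
    def __init__(self):
        self.user_role = {}    # user -> role
        self.role_perms = {}   # role -> permission-tree nodes (root, or some children)
        self.user_nodes = {}   # user -> associated resource-tree nodes

    def has_permission(self, user, operation):
        role = self.user_role.get(user)            # unknown user -> no role
        anchors = self.role_perms.get(role, [])    # no role -> no permissions
        return any(n.name == operation for a in anchors for n in a.subtree())

    def fetch(self, user, operation, resource):
        """Stage 1: permission tree. Stage 2: resource tree. Deny by default."""
        if not self.has_permission(user, operation):
            return None
        for anchor in self.user_nodes.get(user, []):
            for node in anchor.subtree():
                if resource in node.resources:
                    return resource
        return None

def build_demo():
    # Constructed sample data: one permission tree, one resource tree.
    perms = Node("report")
    view = perms.add(Node("report:view"))
    perms.add(Node("report:export"))
    res = Node("company")
    east = res.add(Node("east", {"east-summary"}))
    east.add(Node("shanghai", {"shanghai-sales"}))
    res.add(Node("west", {"west-summary"}))
    az = Authorizer()
    az.user_role = {"alice": "admin", "bob": "analyst"}
    az.role_perms = {"admin": [perms], "analyst": [view]}   # root vs. one child
    az.user_nodes = {"alice": [res], "bob": [east]}
    return az
```

Because the two trees are evaluated independently, changing a user's role (claim 5) or resource-node association (claim 6) is a single dictionary update and does not touch either tree.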
CN202110788261.4A 2021-07-13 2021-07-13 Authority management method and device Pending CN113505996A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110788261.4A CN113505996A (en) 2021-07-13 2021-07-13 Authority management method and device

Publications (1)

Publication Number Publication Date
CN113505996A true CN113505996A (en) 2021-10-15

Family

ID=78012852

Country Status (1)

Country Link
CN (1) CN113505996A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination