CN113642032B - Resource authorization method and resource authorization system based on set operation - Google Patents


Info

Publication number: CN113642032B
Authority: CN (China)
Prior art keywords: authority, user, positive, negative, hash table
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Application number: CN202111207338.0A
Other languages: Chinese (zh)
Other versions: CN113642032A (en)
Inventors: 王洪哲, 丁兆俊, 蒙菊花, 曲金凤
Current assignee: Beijing Yousheng Boda Software Co ltd
Original assignee: Beijing Yousheng Boda Software Co ltd
Events: application filed by Beijing Yousheng Boda Software Co ltd; priority to CN202111207338.0A; publication of CN113642032A; application granted; publication of CN113642032B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/901 Indexing; Data structures therefor; Storage structures
    • G06F16/9014 Indexing; Data structures therefor; Storage structures: hash tables
    • G06F16/9024 Graphs; Linked lists
    • G06F16/903 Querying
    • G06F16/906 Clustering; Classification
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Computational Linguistics (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention discloses a resource authorization method based on set operations. The method identifies the hierarchical classification number, within the organization structure, of the service role corresponding to the user ID in an authorization change request; establishes a positive authority hash table and a negative authority linked list according to that hierarchical classification number; stores in the positive authority hash table every user ID that contains the hierarchical classification number; stores the selected user IDs in the negative authority linked list; deletes the user IDs held in the negative authority linked list from the positive authority hash table; and persists the modified positive authority hash table to a database. The invention grants positive authority to all personnel related to the selected user, grants negative authority to individual users, and resolves authority adjustment centrally through the combination of positive and negative authority, thereby achieving rapid authorization for multi-person units and multi-level architectures while saving hardware storage resources and network transmission resources.

Description

Resource authorization method and resource authorization system based on set operation
Technical Field
The embodiment of the invention relates to the technical field of set operations, and in particular to a resource authorization method and a resource authorization system based on set operations.
Background
In recent years, with the continuous progress of computer technology and the development of internet technology, internet applications and internet management platforms have penetrated every field of life and production, and their scale keeps growing. As these applications and platforms grow in scope and scale, the number of users and the scale of system resources grow with them, and in practice a given resource may only be accessed by specific users.
A user's ability to access a resource is described as the user holding a certain right. The rights of the users in a system naturally differ: there are administrators, ordinary users and other user types, and these do not all hold the same rights, so the system administrator has to allocate rights to every user. As the number of users and the scale of resources grow, the workload of assigning rights grows exponentially until a single system administrator can no longer keep up, which is why existing internet application systems use a dedicated rights management module to manage user rights. Some such modules have no concept of roles and are cumbersome to operate; others have fixed rights that cannot be modified. These approaches work for small-scope authorization scenarios but are hard to apply to increasingly complex authorization management.
In a large-scale authorization scenario, operation and maintenance personnel face authorization adjustments across multiple departments (levels), multiple user groups or different kinds of posts in the organization structure. If traditional one-by-one authorization is used, completing a large-scale or wide-area authorization operation consumes a great deal of personnel and time, the efficiency is very low, and errors are easy to make.
Disclosure of Invention
Therefore, the embodiment of the invention provides a resource authorization method and a resource authorization system based on set operations, so as to solve the problems of cumbersome authorization management operations and low efficiency caused by the simplistic and rigid authorization flows of the prior art.
In order to achieve the above object, an embodiment of the present invention provides the following:
A resource authorization method based on set operations is characterized in that: the hierarchical classification number, within the organization structure, of the service role corresponding to the user ID in an authorization change request is identified; a positive authority hash table and a negative authority linked list are established according to that hierarchical classification number; all user IDs that contain the hierarchical classification number are stored in the positive authority hash table; the selected user IDs are stored in the negative authority linked list; the user IDs stored in the negative authority linked list are deleted from the positive authority hash table; and the modified positive authority hash table is persisted to a database.
Furthermore, the organization architecture is a multi-level tree organization architecture, each level in the organization architecture is configured with a unique level classification number, and the level classification numbers of two different positions of the same level are different; the user configured in the organization structure can bind a user position number, and the user position number is a hierarchical classification number combination obtained by superposing hierarchical classification numbers from the top hierarchy of the organization structure to the hierarchy where the user is located.
Further, establishing the positive authority hash table according to the hierarchical classification number includes iterating over and splitting all users holding positive authority with the individual user as the minimum unit, and adding every user ID whose hierarchical classification number includes that of the identified business role into the positive authority hash table for temporary storage.
Further, establishing the negative authority linked list according to the hierarchical classification number includes iterating over and splitting all negative authority users with the individual person as the minimum unit. The negative authority users are the selected users whose association with the service role is to be severed; the user IDs of all negative authority users are placed in the negative authority one-way linked list for temporary storage, and subscript pointers are established for them.
Further, deleting the user IDs stored in the negative authority linked list from the positive authority hash table includes extracting the user IDs from the negative authority linked list one by one in subscript-pointer order, performing a key lookup and deletion in the positive authority hash table, configuring the modified positive authority hash table as the positive/negative authority control interface data to be returned, and persisting the positive authority hash table to the underlying database after configuration.
A resource authorization system using a resource authorization method based on set operation comprises the following modules:
the organization architecture module is used for establishing an organization architecture, adding a hierarchical classification number and a service role to an architecture node of the organization architecture, and generating a user position number according to the service role of a user;
the user management module is used for generating an initial service role according to the registration information of the user and configuring a user ID for the user;
the authority management module is used for respectively establishing a positive authority hash table and a negative authority linked list according to the user information of the selected user and deleting the user ID stored in the negative authority linked list from the positive authority hash table;
the positive authority hash table is used for adding all user IDs including hierarchical classification numbers of the identified service roles into the positive authority hash table for temporary storage by the user according to the service roles of the selected user;
and the negative authority linked list is used for placing the user ID of the selected user into the negative authority one-way linked list for temporary storage according to the service role of the selected user and establishing a subscript pointer for the negative authority user.
The embodiment of the invention provides the following advantages:
The resource authorization method and resource authorization system based on set operations of the embodiment grant positive authority to all personnel associated with the selected user, grant negative authority to individual users, and resolve authority adjustment centrally through the combination of positive and negative authority, thereby achieving fast authorization for multi-person units and multi-level architectures while saving hardware storage resources and network transmission resources.
The resource authorization method based on set operations of the embodiment can rapidly complete a variety of flexible authorization configurations by applying the various operations between sets on top of efficient, complex data structures.
In terms of the interface, when operation and maintenance personnel face wide-area authorization, the method only requires them to frame a large range and then eliminate negative permissions one by one; when they face dispersed, multi-block authorization, several positively authorized user groups can be merged directly; when they face authorization changes, the positive/negative relationship lets large numbers of people be admitted or removed quickly, while a single-point authority can be blocked quickly.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, ratios, sizes and the like shown in this specification serve only to match the content disclosed in the specification so that those skilled in the art can understand and read it; they do not limit the conditions under which the present invention can be implemented and therefore carry no technical significance. Any structural modification, change in ratio relationship or adjustment of size that does not affect the effects the present invention can achieve shall still fall within the range that the technical content disclosed herein can cover.
Fig. 1 is a flowchart of a resource authorization method based on set operations according to an embodiment of the present invention;
Fig. 2 is a diagram of the organization structure tree interface of a resource authorization method based on set operations according to an embodiment of the present invention;
Fig. 3 is a role and resource association interface diagram of a resource authorization method and resource authorization system based on set operations according to an embodiment of the present invention;
Fig. 4 is a flowchart of a resource authorization method based on set operations according to an embodiment of the present invention;
Fig. 5 is a view personnel permission interface diagram of a resource authorization method and resource authorization system based on set operations according to an embodiment of the present invention;
Fig. 6 is a popup interface diagram, in which a selected user is given added permissions, of a resource authorization method and resource authorization system based on set operations according to an embodiment of the present invention;
Fig. 7 is a system structure diagram of a resource authorization system based on set operations according to an embodiment of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments, other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure, and it is to be understood that the described embodiments are merely exemplary of the invention and that it is not intended to limit the invention to the particular embodiments disclosed. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the present specification, the terms "upper", "lower", "left", "right", "middle", and the like are used for clarity of description, and are not intended to limit the scope of the present invention, and changes or modifications in the relative relationship may be made without substantial changes in the technical content.
Name interpretation:
Hash table
A hash table is a data structure that is accessed directly by key value: a record is located by mapping its key to a position in the table, which speeds up lookup. If the key is k, its value is stored at storage location f(k), so the record can be fetched directly without comparisons. The mapping f is called the hash function, and a table built on this idea is a hash table.
Linked list
A linked list is a non-contiguous, non-sequential storage structure on physical storage units; the logical order of the data elements is realized by the order of the pointer links in the list. A linked list consists of a series of nodes (each element in the list is called a node), which can be generated dynamically at run time. Each node has two parts: a data field that stores the data element and a pointer field that stores the address of the next node. Compared with the sequential structure of a linear list, its operations are more complex. Because elements need not be stored in order, a linked list supports insertion in O(1), much faster than the other linear list form, the sequential list; but finding a node or accessing the node with a given index takes O(n), whereas for the sequential list these take O(log n) and O(1) respectively.
Application program
An application is a systematic, programmable module covering code logic; it may include multiple types of resources, and an application itself may also be referred to as a resource. In this patent, an application owner refers to the accessible address of an application.
Resource
A resource is a broad concept: buttons, menus, applications and logos can all be referred to as resources. Its core purpose is similar to that of an abstract class in programming, letting operation and maintenance personnel and users visualize an entity under the abstract concept of a resource. To cover as many cases as possible conceptually, the various entities that are modeled as objects in the interface and in the program are collectively categorized as resources.
As shown in Fig. 1, a resource authorization method based on set operations is characterized by the following:
1. System configuration:
1-1, designing the organization architecture: the organization structure is a multi-level tree. Each level is configured with a unique hierarchical classification number, and two positions on the same level have different hierarchical classification numbers. The hierarchical classification numbers are distributed to the corresponding level positions according to the users' positions, and user position numbers are configured: a user position number is the combination of hierarchical classification numbers obtained by superposing the numbers from the top level of the organization structure down to the level where the user is located. Dividing the organization architecture from top to bottom into organization, department, sub-department, user group, post (service role) and user is only one embodiment and not the only one; the architecture has to be designed for the actual composition of the organization.
As shown in Fig. 2, the top layer of the diagram has 3 levels with hierarchical classification numbers "1", "2" and "3" and user position numbers "1", "2" and "3". The second layer has 5 second-level positions: 3 of them sit below the first top-level position, have hierarchical classification numbers "1", "2", "3" and user position numbers "1-1", "1-2", "1-3"; the other two sit below the second top-level position, have hierarchical classification numbers "1", "2" and user position numbers "2-1", "2-2"; and so on, so that each position in each hierarchy has a unique user position number. Normally only the hierarchical classification numbers are stored, and a user position number is generated only when a position number changes; this reduces the amount of data stored and improves the operating speed of the system. Each position in the organization structure thus has an independent mark, and a user position number is a combination of several independent marks; the combination is unique, so the system can identify the context in the organization structure where the user is located, which is convenient for subsequent operations.
1-2, designing a business role: the business roles are designed according to actual requirements, for example, positions such as an operator, a counter person, a hall manager and the like need to be set in a bank organization, so that the business roles corresponding to the positions such as the operator, the counter person, the hall manager and the like need to be designed. To reduce complexity, business roles cannot be nested, i.e., one business role cannot contain another. In addition, corresponding applications and resources are respectively associated according to the use, the hierarchy and the responsibility of the service roles, the authority of the resources and the resource groups is allocated to the service roles, and the user can be authorized to the resource authority or the resource group authority contained in the service roles only after the user is allocated to one or more service roles. As shown in fig. 3, in the role and resource association interface, an organization structure tree is set in the interface for a manager to select an edited role, associate the role with the resource, record authorizers and authorization time, and edit a positive authority role and a negative authority role, so that the resource authorization module can be edited from positive and negative directions, and various complex organization structure authorization requirements can be met.
1-3, initial authorized user: inputting user information, setting the position of a user in an organization structure according to the user information, and configuring a user position number. And generating a user ID with a user position number to realize the initial authorization of the user, wherein the hierarchical classification number of the user ID comprises the hierarchical classification number of the business role because the business role is at the next lower layer in the organization structure.
2. Change authorization
2-1, identifying an authorized change request:
As shown in Fig. 4, when an authorization change request occurs, the system identifies the hierarchical classification number of the service role contained in the user ID of the selected user and generates a positive authority hash table and a negative authority linked list; there is no required order between generating the two.
2-2, generating a positive authority hash table:
the system circulates and splits all users with positive authority by taking the user as the minimum unit, so that the system can conveniently obtain the users with the same positive authority from an organization structure, for example, in a large organization, part of users in the department A have the positive authority, for the users with the management authority, the operation only needs to check the corresponding business role on an operation interface, and the system needs to enter the department A and traverse all personnel in the department A to screen out the users with the positive authority. As shown in the view personnel authority interface diagram of fig. 5, the selected users are quickly selected by the organization structure tree, all users with positive authority are circulated and split by taking the users as the minimum unit, information such as role types, affiliated departments, authority types and the like of the users are displayed, an editor can quickly know the authorization condition of the users, functions of adding positive authority, adding negative authority, inquiring and the like are arranged in the interface, and authority authorization editing is realized. As shown in fig. 6, if the function of adding positive authority or adding negative authority is selected, a popup interface for personnel to select and add authority pops up, and the selected user is selected from the organizational structure tree.
And (3) adding all user IDs of the hierarchical classification numbers containing the service roles identified in the step (2-1) into a positive authority hash table for temporary storage, wherein the user IDs are keys, the values are not null, and the values can record authority code identifications. The positive authority hash table stores the user ID, so that occupied resources can be reduced on the basis of system identification of the user, the working efficiency is improved, and personnel name information or login names can be stored, so that the service readability is improved. The authority code identification has many purposes, and is a dictionary table, namely, similar to 010 stands for Beijing, 011 stands for Shanghai, and the storage space is saved by using the dictionary table, such as 010 stands for the access authority of the A system, 020 stands for the access authority of the B system, 021 stands for the management authority of the B system, and the like.
2-3, generating a negative authority linked list
The system iterates over and splits all negative authority users with the individual person as the minimum unit, so that it can conveniently obtain the users holding the same negative authority from the organization structure. The negative authority users are the selected users whose association with the business role is to be severed; the system places all negative authority users into a negative authority one-way linked list for temporary storage and establishes subscript pointers for them. The negative authority linked list stores user IDs so that the information exchanged with the positive authority hash table is uniform, identifiable and unique.
2-4, deleting the negative authority user from the positive authority hash table
The system extracts the user IDs from the negative authority linked list one by one in subscript-pointer order and performs a key lookup and deletion in the positive authority hash table. The modified positive authority hash table is configured as the positive/negative authority control interface data to be returned, is persisted to the underlying database after configuration, and user behaviour is then filtered using it as part of the authority attributes. The negative authority linked list can also be displayed to the user for convenient checking and adjustment.
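The following is an added worked example, not code from the patent or its assignee, that implements steps 1-1 and 2-1 to 2-4 as described above: an organization tree whose nodes carry hierarchical classification numbers and derive user position numbers by superposition, a positive authority hash table keyed by user ID, a negative authority one-way linked list with subscript pointers, and the key lookup and deletion that removes the negative users. The tree, the user IDs, the authority code "010" and the simplification that a user is bound directly to a post node are all constructed assumptions; the real system also persists the result to a database, which is omitted here.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class OrgNode:
    """Node of the multi-level organization tree (constructed model).

    level_no is the hierarchical classification number, unique among the
    children of one parent. The user position number is the chain of level
    numbers from the top layer down to this node joined with '-', e.g. '1-2'.
    """
    level_no: str
    name: str
    parent: Optional["OrgNode"] = None
    children: List["OrgNode"] = field(default_factory=list)

    def add(self, level_no: str, name: str) -> "OrgNode":
        # Two positions on the same level under one parent must differ.
        if any(c.level_no == level_no for c in self.children):
            raise ValueError(f"duplicate level number {level_no!r} under {self.name!r}")
        child = OrgNode(level_no, name, parent=self)
        self.children.append(child)
        return child

    def position_number(self) -> str:
        """Superpose the level numbers from the top layer down to this node."""
        parts: List[str] = []
        node: Optional[OrgNode] = self
        while node is not None and node.parent is not None:  # unnamed root carries no number
            parts.append(node.level_no)
            node = node.parent
        return "-".join(reversed(parts))


@dataclass
class User:
    user_id: str
    name: str
    post: OrgNode  # assumption: the user is bound directly to a post (business role) node

    def contains_role(self, role: OrgNode) -> bool:
        """True when the user's position number includes the role's classification chain."""
        mine, theirs = self.post.position_number(), role.position_number()
        return mine == theirs or mine.startswith(theirs + "-")


class _Node:
    __slots__ = ("user_id", "next")

    def __init__(self, user_id: str) -> None:
        self.user_id, self.next = user_id, None


class NegativeList:
    """One-way linked list of negative-authority user IDs with subscript pointers."""

    def __init__(self) -> None:
        self.head: Optional[_Node] = None
        self.pointers: List[_Node] = []  # subscript i -> i-th node, in insertion order

    def append(self, user_id: str) -> None:
        node = _Node(user_id)
        if self.pointers:
            self.pointers[-1].next = node
        else:
            self.head = node
        self.pointers.append(node)

    def __iter__(self):
        # Extract the IDs one by one in subscript-pointer order (step 2-4).
        for node in self.pointers:
            yield node.user_id


def change_authorization(users: Iterable[User], roles: Iterable[OrgNode],
                         negative_ids: Iterable[str], authority_code: str
                         ) -> Tuple[Dict[str, str], NegativeList]:
    """Steps 2-1 to 2-4: positive hash table minus negative linked list."""
    roles = list(roles)
    # 2-2: positive authority hash table, user ID -> authority code identification.
    positive: Dict[str, str] = {u.user_id: authority_code for u in users
                                if any(u.contains_role(r) for r in roles)}
    # 2-3: negative authority linked list of the selected users.
    negative = NegativeList()
    for uid in negative_ids:
        negative.append(uid)
    # 2-4: key lookup and deletion; an ID absent from the table is simply skipped.
    for uid in negative:
        positive.pop(uid, None)
    return positive, negative  # positive is the interface data to return and persist


def build_demo() -> Tuple[List[User], OrgNode, OrgNode]:
    """Constructed sample tree: bank > retail department > {counter staff, operator}."""
    root = OrgNode("", "root")
    dept = root.add("1", "bank").add("1", "retail department")
    teller, operator = dept.add("1", "counter staff"), dept.add("2", "operator")
    users = [User("u001", "Li", teller), User("u002", "Wang", teller),
             User("u003", "Zhao", teller), User("u004", "Sun", operator),
             User("u005", "Zhou", operator)]
    return users, teller, operator


if __name__ == "__main__":
    users, teller, operator = build_demo()
    pos, neg = change_authorization(users, [teller, operator], ["u002", "u004"], "010")
    print(sorted(pos), list(neg))
```

The positive set is built by prefix matching on position numbers, which is what "the user ID contains the hierarchical classification number of the service role" amounts to once position numbers are superposed; passing several roles at once covers application scenario two (several posts) with the same code as scenario one. The deletion uses `pop(uid, None)` so that a negative ID that was never in the positive table does not raise, and only the dictionary that survives the subtraction is what a real implementation would persist.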
Application scenario one: deleting selected users from a single post's business role
If the bank has personnel change and needs to modify the authorization condition of part of the service personnel, the administrator issues user authorization modification corresponding to the selected service personnel, after the system receives the requirement, the system identifies the selected service role corresponding to the user ID of the selected user, namely the selected service role is the service personnel, and establishes a positive authority hash table and a negative authority linked list.
The user information of all the salesmen is temporarily stored in a positive authority hash table, wherein the user ID is a key. And simultaneously establishing a one-way linked list to temporarily store the user information of the selected user one by one, and establishing a subscript pointer. And then extracting the content of the negative authority node according to the subscript pointer, performing key lookup and deletion by using the positive authority hash table, and persisting the modified positive authority hash table to a bottom database to delete the selected user from the service role of a single post.
Application scenario two: deleting several selected users from the business roles of different posts
If the bank has personnel change and needs to modify the authorization conditions of part of the service personnel and part of the counter personnel, the administrator issues user authorization modification corresponding to the selected service personnel and the selected counter personnel, after the system receives the requirement, the system identifies the selected service role corresponding to the user ID of the selected user, namely the selected service role is the service personnel and the counter personnel, and establishes a positive authority hash table and a negative authority linked list.
The method comprises the steps that user information of all salesmen and counter personnel is temporarily stored in a positive authority hash table, the storage sequence of the salesmen and the counter personnel is according to the default arrangement sequence of an organization architecture, and user IDs are keys. And simultaneously establishing a one-way linked list to temporarily store the user information of the selected user one by one, establishing a subscript pointer, extracting the content of the negative authority node according to the subscript pointer, performing key lookup and deletion by using the positive authority hash table, and persisting the modified positive authority hash table to a bottom database to delete the selected user from the service role of a single post.
Application scenario three: several administrators issuing authorization requests at the same time
When administrator A is modifying user permissions and has not yet finished, and administrator B, a peer or superior of A, also modifies user permissions at that moment, B's modification may conflict with A's. The situation is resolved on a first-come, first-served basis:
1. Timing of the modification
a. Optimistic strategy: the system assumes by default that administrator A is only viewing and not modifying while operating, so B is not refused when A begins operating; the system likewise assumes that B will not modify. Only when the system detects that one party has actually begun to modify does it lock and refuse the later modification by the other party.
Modification modes under the optimistic strategy:
All rejection: when administrator B operates while administrator A is operating, the system refuses B's operation.
Partial rejection: when administrators A and B operate at the same time and one of them finishes, the system checks whether the user IDs selected by A and the user IDs selected by B overlap. If they do not, B's operation is unaffected and B continues normally; if the same selected user ID appears in both, B is told that the permissions of that user have already been changed and is asked to refresh or log in again before operating on that user.
b. Pessimistic strategy: once administrator A has entered the operation function, administrator B, who enters later, is not allowed in. Compared with the optimistic strategy, the advantage of the pessimistic strategy is that as soon as the system detects that administrator A has selected an editing focus, it reports this to the backend, which locks the database and records the operation track; administrator B is then prompted at the moment of selecting a focus, instead of only when finishing the edit and submitting.
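The three conflict-handling modes of application scenario three, as an added Python example that is not part of the patent. The coordinator, the session and outcome records, the commit version counter and the strategy names are this example's assumptions; in particular, "all rejection" is modelled here as refusing any submission made after another administrator has committed since the submitting session was opened, and the operation track is a plain in-memory list.

```python
# Added example, not the patent's own code: first-come, first-served arbitration
# between administrators editing user permissions concurrently, in the three
# modes of application scenario three. Names and data shapes are assumptions.
from dataclasses import dataclass

OPTIMISTIC_ALL = "optimistic/all-rejection"
OPTIMISTIC_PARTIAL = "optimistic/partial-rejection"
PESSIMISTIC = "pessimistic"


@dataclass(frozen=True)
class Session:
    admin: str
    selected: frozenset        # user IDs chosen as the editing focus
    opened_at: int             # commit version current when the session opened


@dataclass(frozen=True)
class Outcome:
    ok: bool
    message: str


class AuthorizationEditCoordinator:
    """Arbitrates concurrent permission edits under one of the three strategies."""

    def __init__(self, strategy: str):
        if strategy not in (OPTIMISTIC_ALL, OPTIMISTIC_PARTIAL, PESSIMISTIC):
            raise ValueError(f"unknown strategy {strategy!r}")
        self.strategy = strategy
        self.lock_holder = None      # admin holding the edit lock (pessimistic mode)
        self.version = 0             # bumped on every committed change
        self.commits = []            # (version, admin, frozenset of user IDs)
        self.track = []              # operation track: what each admin did

    def open(self, admin: str, user_ids) -> tuple:
        """Administrator selects the editing focus. Returns (session, outcome)."""
        selected = frozenset(user_ids)
        if self.strategy == PESSIMISTIC:
            if self.lock_holder not in (None, admin):
                # the lock was taken the moment the first admin chose a focus,
                # so the second admin is prompted now, not at submit time
                self.track.append(("open-refused", admin, self.lock_holder))
                return None, Outcome(False, f"{self.lock_holder} is editing; try later")
            self.lock_holder = admin
        self.track.append(("open", admin, sorted(selected)))
        return Session(admin, selected, self.version), Outcome(True, "editing")

    def submit(self, session: Session) -> Outcome:
        """Administrator finishes editing and submits the change."""
        if self.strategy == PESSIMISTIC:
            if self.lock_holder != session.admin:
                return Outcome(False, "submit refused: not the lock holder")
        elif self.strategy == OPTIMISTIC_ALL:
            # whoever committed first wins; a later submission from any other
            # open session is refused regardless of which users it touches
            if self.version != session.opened_at:
                return Outcome(False, "submit refused: another administrator "
                                      "modified first")
        else:  # OPTIMISTIC_PARTIAL: refuse only on overlapping user IDs
            clash = set()
            for version, _admin, ids in self.commits:
                if version > session.opened_at:
                    clash |= ids & session.selected
            if clash:
                return Outcome(False, f"users {sorted(clash)} were changed by "
                                      "another administrator; refresh or log in "
                                      "again before editing them")
        self.version += 1
        self.commits.append((self.version, session.admin, session.selected))
        self.track.append(("commit", session.admin, sorted(session.selected)))
        self.release(session)
        return Outcome(True, f"committed as version {self.version}")

    def release(self, session: Session) -> None:
        """Drop the lock on submit, cancel or logout; without an explicit
        release a pessimistic lock outlives an abandoned session."""
        if self.lock_holder == session.admin:
            self.lock_holder = None
            self.track.append(("unlock", session.admin))


if __name__ == "__main__":
    c = AuthorizationEditCoordinator(OPTIMISTIC_PARTIAL)
    a, _ = c.open("A", ["u1002", "u1003"])
    b, _ = c.open("B", ["u1003", "u2001"])
    print(c.submit(a))    # committed
    print(c.submit(b))    # refused: u1003 was changed by A
```

The partial-rejection check is the interesting one: it compares the sets of selected user IDs, so two administrators editing disjoint users never block each other, while an overlap forces the later administrator to re-read the changed state before acting on it. The pessimistic mode needs the explicit `release` path (cancel, logout, session timeout) or a single abandoned session locks everyone out.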
As shown in FIG. 7, a resource authorization system using the resource authorization method based on set operations comprises the following modules:
The organization structure module 1, used to establish the organization structure, attach a hierarchical classification number and a business role to each node of the structure, and generate a user position number from the user's business role.
The user management module 2, used to generate an initial business role from the user's registration information and assign the user a user ID.
The authority management module 3, used to build a positive authority hash table and a negative authority linked list from the user information of the selected users, and to delete the user IDs stored in the negative authority linked list from the positive authority hash table.
The positive authority hash table 4, used to temporarily store, according to the business roles of the selected users, all user IDs that carry the hierarchical classification numbers of the identified business roles.
The negative authority linked list 5, used to place the user IDs of the selected users into the negative authority singly linked list for temporary storage according to their business roles, and to establish a subscript pointer for the negative authority users.
Although the invention has been described in detail above with reference to a general description and specific embodiments, it will be apparent to those skilled in the art that modifications or improvements may be made on the basis of the invention. Such modifications and improvements are therefore intended to fall within the scope of the invention as claimed.

Claims (3)

1. A resource authorization method based on set operations, characterized in that: the hierarchical classification number is identified, within the organization structure, of the user ID corresponding to the business role named in an authorization change request, and a positive authority hash table and a negative authority linked list are respectively established according to that hierarchical classification number;
all positive authority users are iterated over and split down to the individual user as the smallest unit, and all user IDs carrying the hierarchical classification numbers of the identified business roles are added to the positive authority hash table for temporary storage;
all negative authority users are iterated over and split down to the individual person as the smallest unit, a negative authority user being a selected user whose association with the business role is to be severed; the user IDs of all negative authority users are placed into a negative authority singly linked list for temporary storage, and a subscript pointer is established for the negative authority users;
and the user IDs in the negative authority linked list are extracted one by one in subscript-pointer order, looked up by key in the positive authority hash table and deleted from it; the modified positive authority hash table is configured as the interface data for positive and negative authority control that is to be returned, and after configuration the positive authority hash table is persisted to the underlying database.
2. The resource authorization method based on set operations according to claim 1, characterized in that: the organization structure is a multi-level tree, each level of the organization structure is configured with a unique hierarchical classification number, and two different positions at the same level have different hierarchical classification numbers;
a user configured in the organization structure can be bound to a user position number, which is the combination of hierarchical classification numbers obtained by concatenating the hierarchical classification numbers from the top level of the organization structure down to the level at which the user is located.
3. A resource authorization system using the resource authorization method based on set operations according to claim 1, characterized by comprising the following modules:
an organization structure module, used to establish the organization structure, attach a hierarchical classification number and a business role to each node of the structure, and generate a user position number from the user's business role;
a user management module, used to generate an initial business role from the user's registration information and assign the user a user ID;
an authority management module, used to build a positive authority hash table and a negative authority linked list from the user information of the selected users, and to delete the user IDs stored in the negative authority linked list from the positive authority hash table;
the positive authority hash table, used to temporarily store, according to the business roles of the selected users, all user IDs that carry the hierarchical classification numbers of the identified business roles;
and the negative authority linked list, used to place the user IDs of the selected users into the negative authority singly linked list for temporary storage according to their business roles, and to establish a subscript pointer for the negative authority users.
CN202111207338.0A 2021-10-18 2021-10-18 Resource authorization method and resource authorization system based on set operation Active CN113642032B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111207338.0A CN113642032B (en) 2021-10-18 2021-10-18 Resource authorization method and resource authorization system based on set operation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111207338.0A CN113642032B (en) 2021-10-18 2021-10-18 Resource authorization method and resource authorization system based on set operation

Publications (2)

Publication Number Publication Date
CN113642032A CN113642032A (en) 2021-11-12
CN113642032B true CN113642032B (en) 2022-01-25

Family

ID=78427226

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111207338.0A Active CN113642032B (en) 2021-10-18 2021-10-18 Resource authorization method and resource authorization system based on set operation

Country Status (1)

Country Link
CN (1) CN113642032B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2001043344A1 (en) * 1999-12-13 2001-06-14 Rsa Security Inc. System and method for generating and managing attribute certificates
CN104333553A (en) * 2014-11-11 2015-02-04 安徽四创电子股份有限公司 Mass data authority control strategy based on combination of blacklist and whitelist
CN106571863A (en) * 2016-10-26 2017-04-19 中央军委装备发展部第六十三研究所 Hybrid switching satellite multi-service wireless resource management method based on fast indexing

Also Published As

Publication number Publication date
CN113642032A (en) 2021-11-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant