CN113672974A - Authority management method, device, equipment and storage medium - Google Patents



Publication number
CN113672974A
Authority
CN
China
Prior art keywords
permission
authority
target
application program
role
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110876430.XA
Other languages
Chinese (zh)
Inventor
尼见
李金伟
刘希超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing QIYI Century Science and Technology Co Ltd
Original Assignee
Beijing QIYI Century Science and Technology Co Ltd
Application filed by Beijing QIYI Century Science and Technology Co Ltd
Priority to CN202110876430.XA
Publication of CN113672974A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6281 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database at program execution time, where the protection is within the operating system

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The embodiment of the invention provides a permission management method, apparatus, device and storage medium. The method comprises the following steps: after detecting that a target application requests a target sensitive permission, determining the permission set the target application requires to implement its functions; judging whether the target sensitive permission is in the permission set to obtain a judgment result; and generating a permission setting suggestion for the target sensitive permission according to the judgment result and displaying the permission setting suggestion. In this way, reasonable permission setting suggestions can be provided to the user, the security of the user's private information is protected while normal use of the application is ensured, and the effect of permission management is improved.

Description

Authority management method, device, equipment and storage medium
Technical Field
The present invention relates to the field of terminal technologies, and in particular to a permission management method, apparatus, device and storage medium.
Background
Currently, various applications can be installed on a mobile terminal, and the operating system of the mobile terminal typically manages the permissions of the installed applications. After an application is granted a permission, it can obtain the related information, in particular where the permission is one that may reveal the user's private information, namely a sensitive permission.
In the related art, some operating systems, such as Android, manage sensitive permissions by asking the user in real time whenever an application requests a sensitive permission, and grant the permission for use only if the user agrees.
In this scheme, although the operating system asks the user in real time whether to grant a requested sensitive permission, it only prompts, one permission at a time, whether the user allows the application to obtain that permission. Because the operating system has a large number of permissions, it is difficult for an ordinary user to fully understand the sensitive permission an application is requesting at that moment, and in many cases the user cannot accurately judge whether the permission should be granted to the application. As a result, a normal permission request may be rejected by the user, or a malicious permission request may be approved by the user. If the user grants a malicious application access to private information, the user's personal privacy may be compromised; if the user rejects the permission request of a normal application, normal use of that application may be affected. The permission management method in the related art therefore has the problem of a poor management effect.
Disclosure of Invention
The embodiments of the invention aim to provide a permission management method, apparatus, device and storage medium so as to improve the effect of permission management. The specific technical solutions are as follows:
In a first aspect of the present invention, there is provided a permission management method, including:
after detecting that a target application requests a target sensitive permission, determining the permission set the target application requires to implement its functions;
judging whether the target sensitive permission is in the permission set to obtain a judgment result;
and generating a permission setting suggestion for the target sensitive permission according to the judgment result and displaying the permission setting suggestion.
In one embodiment, the permission set is the minimum permission set the target application requires to implement its functions.
In one embodiment, determining the permission set the target application requires to implement its functions comprises:
determining, from a plurality of roles, the role to which the target application belongs, wherein the roles are obtained based on the functions implemented by applications;
and determining the permission set corresponding to the role to which the target application belongs.
In one embodiment, determining the role to which the target application belongs comprises:
determining the role to which the target application belongs based on a preset correspondence between applications and roles.
In one embodiment, determining the permission set corresponding to the role to which the target application belongs includes:
determining the permission set corresponding to the role to which the target application belongs based on a preset correspondence between roles and permission sets.
In one embodiment, generating a permission setting suggestion for the target sensitive permission according to the judgment result includes:
if the target sensitive permission is in the permission set, generating a permission setting suggestion to grant the permission;
and if the target sensitive permission is not in the permission set, generating a permission setting suggestion to refuse to grant the permission.
In one embodiment, displaying the permission setting suggestion includes:
displaying a permission setting page, and displaying the permission setting suggestion in the permission setting page.
In one embodiment, after the permission setting suggestion is displayed, the method further comprises:
receiving a permission setting operation performed by the user based on the permission setting suggestion;
and, in response to the permission setting operation, performing permission management on the target sensitive permission.
In a second aspect of the present invention, there is also provided a permission management apparatus, including:
a determining module, used for determining the permission set the target application requires to implement its functions after detecting that the target application requests a target sensitive permission;
a judging module, used for judging whether the target sensitive permission is in the permission set to obtain a judgment result;
and a suggestion module, used for generating a permission setting suggestion for the target sensitive permission according to the judgment result and displaying the permission setting suggestion.
In one embodiment, the permission set is the minimum permission set the target application requires to implement its functions.
In one embodiment, the determining module is specifically configured to:
determine, from a plurality of roles, the role to which the target application belongs, wherein the roles are obtained based on the functions implemented by applications;
and determine the permission set corresponding to the role to which the target application belongs.
In one embodiment, the determining module is specifically configured to:
determine the role to which the target application belongs based on a preset correspondence between applications and roles.
In one embodiment, the determining module is specifically configured to:
determine the permission set corresponding to the role to which the target application belongs based on a preset correspondence between roles and permission sets.
In one embodiment, the suggestion module is specifically configured to:
if the target sensitive permission is in the permission set, generate a permission setting suggestion to grant the permission;
and if the target sensitive permission is not in the permission set, generate a permission setting suggestion to refuse to grant the permission.
In one embodiment, the suggestion module is specifically configured to:
display a permission setting page, and display the permission setting suggestion in the permission setting page.
In one embodiment, the apparatus further comprises:
a receiving module, used for receiving, after the permission setting suggestion is displayed, a permission setting operation performed by the user based on the permission setting suggestion;
and a management module, used for performing permission management on the target sensitive permission in response to the permission setting operation.
In another aspect of the present invention, there is also provided an electronic device including a processor, a communication interface, a memory and a communication bus, where the processor, the communication interface and the memory communicate with one another through the communication bus;
the memory is used for storing a computer program;
and the processor is used for implementing the steps of any one of the permission management methods above when executing the program stored in the memory.
In yet another aspect of the present invention, there is also provided a computer-readable storage medium having instructions stored therein which, when run on a computer, cause the computer to perform any of the permission management methods described above.
In yet another aspect of the present invention, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the permission management methods described above.
With the permission management method, apparatus, device and storage medium provided by the embodiments of the invention, after a request by the target application for a target sensitive permission is detected, the permission set the target application requires to implement its functions is determined first, and it is then judged whether the target sensitive permission is in that set. This makes it possible to judge whether the target application's request for the target sensitive permission is an excessive request. A permission setting suggestion is generated from the judgment result and displayed to the user, so that a user who does not understand the target sensitive permission can refer to the suggestion and make a reasonable permission setting. This avoids the situation in which a normal permission request is rejected by the user or a malicious permission request is approved by the user, so normal use of the application is ensured, the security of the user's private information is protected, and the effect of permission management is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below.
Fig. 1 is a system architecture diagram according to an embodiment of the present invention.
Fig. 2 is a flowchart of a rights management method in an embodiment of the invention.
Fig. 3a is a schematic diagram of a permission setting page in the embodiment of the present invention.
Fig. 3b is a schematic diagram illustrating a permission setting suggestion in the embodiment of the present invention.
Fig. 3c is a schematic diagram illustrating a permission setting suggestion in the embodiment of the present invention.
Fig. 4 is a flowchart of a rights management method in an embodiment of the invention.
Fig. 5 is a schematic structural diagram of a rights management device in an embodiment of the invention.
Fig. 6 is a schematic structural diagram of a rights management device in an embodiment of the invention.
Fig. 7 is a schematic structural diagram of an electronic device for implementing a rights management method in an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention.
Fig. 1 is a system architecture diagram according to an embodiment of the present invention. The system architecture shown in Fig. 1 includes an operating system and applications installed in the mobile terminal. The operating system here may be, but is not limited to, Android. The operating system of the mobile terminal manages the permissions of the applications, and an application can obtain the related information after a permission is granted to it. Permissions generally include normal permissions, which do not involve the user's private information, and sensitive permissions, which may reveal the user's private information. Normal permissions can be granted directly and automatically by the operating system. Sensitive permissions require special management by the operating system in order to protect the security of the user's private information. On this basis, the embodiment of the present invention provides a permission management method to improve the operating system's management of sensitive permissions. The permission management method provided by an embodiment of the present invention is described in detail below.
Fig. 2 is a flowchart of a permission management method according to an embodiment of the present invention. As shown in Fig. 2, the permission management method provided in this embodiment includes at least the following steps:
Step 201: after detecting that the target application requests a target sensitive permission, determine the permission set the target application requires to implement its functions.
Step 202: judge whether the target sensitive permission is in the permission set to obtain a judgment result.
Step 203: generate a permission setting suggestion for the target sensitive permission according to the judgment result and display the permission setting suggestion.
Here, the target application is the application currently making the permission request.
The target sensitive permission is the sensitive permission currently requested by the target application.
Accordingly, the permission set above may be the set of sensitive permissions the target application needs to implement its functions.
In this scheme, after a request by the target application for a target sensitive permission is detected, the permission set the target application requires to implement its functions is determined first, and it is then judged whether the target sensitive permission is in that set, so that it can be judged whether the request is an excessive request. A permission setting suggestion is generated from the judgment result and displayed to the user, so that a user who does not understand the target sensitive permission can refer to the suggestion and make a reasonable permission setting. This avoids the situation in which a normal permission request is rejected by the user or a malicious permission request is approved by the user, so normal use of the application is ensured, the security of the user's private information is protected, and the effect of permission management is improved.
In practice, the permissions in the permission set can be granted once requested: the fewer permissions the set contains, the fewer are granted, and the more permissions it contains, the more are granted. As the number of granted permissions increases, the risk of revealing the user's private information becomes higher. To protect the security of the user's private information to the greatest extent, the number of granted permissions can be reduced to the minimum. Accordingly, in one embodiment, the permission set is the minimum permission set the target application requires to implement its functions, that is, the set containing the smallest number of permissions. Because the determined permission set is the minimum permission set, only the minimum permissions are granted while the target application can still implement its functions, which avoids excessive permission requests and protects the security of the user's private information to the greatest extent.
Based on the embodiments above, in one implementation, determining the permission set the target application requires to implement its functions may include: determining, from a plurality of roles, the role to which the target application belongs, wherein the roles are obtained based on the functions implemented by applications; and determining the permission set corresponding to the role to which the target application belongs.
In practice, a plurality of roles may be defined in advance according to the functions of the various applications, that is, the roles are obtained based on the functions implemented by applications.
For example, applications that mainly implement video and audio playback are assigned the video and audio playback role, applications that mainly implement map functions the map role, applications that mainly implement communication functions the communication role, applications that mainly implement game functions the game role, applications that mainly implement shopping functions the shopping role, applications that mainly implement payment functions the payment role, and applications that implement other functions the "other" role, which covers applications with special functions.
Each role has a corresponding permission set. Because the number of roles is much smaller than the number of applications, managing permissions through roles greatly reduces the number of permission sets that have to be managed, making permission management more convenient and more efficient.
In implementation, each role can be given the minimum permission set with which its function can be implemented. The inventors drew this idea from Role-Based Access Control (RBAC).
The traditional RBAC model consists mainly of three parts: users, roles and permissions. Roles are set up to accomplish various tasks. In implementation, a user may be assigned a role according to the user's responsibilities and qualifications. Users can easily be reassigned from one role to another. A user gains the permissions of a role by becoming a member of that role. Roles can be given new permissions as needed, and permissions can also be revoked from a role as needed.
The minimum permission principle is a security principle of RBAC, namely that each role is configured with the minimum set of permissions required for the role to complete its task.
In the embodiment of the invention, the application is treated as the user: roles are assigned to applications, and each role is configured with the minimum permission set required for the applications in it to implement their functions. The permission set can be updated as actual needs change. The permission set the target application requires to implement its functions may therefore specifically be a permission set determined on the basis of RBAC. For this reason, the scheme of this embodiment is also called an RBAC-based minimum authorization recommendation method. The scheme greatly simplifies permission management for applications.
In one embodiment, determining the role to which the target application belongs may be implemented as follows: determining the role to which the target application belongs based on a preset correspondence between applications and roles.
In practice, the functions of commonly used applications can be surveyed in advance and a role assigned to each application; the resulting preset correspondence between applications and roles is then stored.
In this embodiment, the preset correspondence between applications and roles allows the role of the target application to be determined quickly and accurately, which lays the foundation for generating an accurate permission setting suggestion later.
The role to which the target application belongs may also be determined in other ways. For example, the function description of the target application is obtained, the functions of the target application are analyzed from that description, and the role is determined from the analyzed functions.
In one embodiment, determining the permission set corresponding to the role to which the target application belongs may include: determining that permission set based on a preset correspondence between roles and permission sets.
In practice, the permission set corresponding to each role can be compiled in advance, and the resulting preset correspondence between roles and permission sets is stored.
In this embodiment, the preset correspondence between roles and permission sets allows the permission set of a role to be determined quickly and accurately, which lays the foundation for generating an accurate permission setting suggestion later.
The permission set corresponding to the role to which the target application belongs may also be determined in other ways. For example, the sets of permissions already granted to other applications with the same role are obtained, and the intersection of those sets is taken as the permission set corresponding to the role to which the target application belongs.
In one embodiment, generating a permission setting suggestion for the target sensitive permission according to the judgment result may specifically include: if the target sensitive permission is in the permission set, generating a permission setting suggestion to grant the permission; and if the target sensitive permission is not in the permission set, generating a permission setting suggestion to refuse to grant the permission.
In practice, if the target sensitive permission is in the permission set, the permission is one the target application requires to implement its functions, and normal use of the application may be affected if it is not granted. In this case no excessive request is considered to exist, and a suggestion to grant the permission may be generated. If the target sensitive permission is not in the permission set, the permission has no influence on the functions of the target application, that is, normal use of the application is not affected if it is not granted. In this case an excessive request is considered to exist, and a suggestion to refuse to grant the permission may be generated.
In this way, a reasonable permission setting suggestion is generated for the user from the judgment result, and the user can refer to it to make a reasonable setting for the target sensitive permission, which improves the effect of permission management.
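The role lookup, permission-set lookup and grant/deny suggestion described above, as an added Python example that is not part of the patent or of any implementation by its applicant. The package names, role assignments, permission sets, the fallback of unlisted applications to the "other" role, and the empty set returned when no peer data exists are assumptions made for illustration; the permission strings are standard Android permission names.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

RECORD_AUDIO = "android.permission.RECORD_AUDIO"
CAMERA = "android.permission.CAMERA"
FINE_LOCATION = "android.permission.ACCESS_FINE_LOCATION"
READ_CONTACTS = "android.permission.READ_CONTACTS"
READ_STORAGE = "android.permission.READ_EXTERNAL_STORAGE"

# Constructed sample data (assumption): package names, roles and permission
# sets are illustrative and do not come from the patent.
APP_ROLE: Dict[str, str] = {
    "com.example.videoplayer": "video",
    "com.example.chat": "communication",
    "com.example.maps": "map",
}
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "video": frozenset({READ_STORAGE}),
    "communication": frozenset({RECORD_AUDIO, CAMERA, READ_CONTACTS}),
    "map": frozenset({FINE_LOCATION}),
    "other": frozenset(),  # nothing sensitive is presumed necessary
}


@dataclass(frozen=True)
class Suggestion:
    app: str
    role: str
    permission: str
    action: str  # "grant" or "deny"
    reason: str


def derive_role_permissions(peer_grants: Iterable[Iterable[str]]) -> FrozenSet[str]:
    """Intersect the permission sets granted to other apps of the same role.

    A permission survives only if every peer holds it, so one over-privileged
    peer cannot widen the role. With no peers the result is the empty set
    (assumption: recommend denial when there is no evidence of need).
    """
    sets = [frozenset(grants) for grants in peer_grants]
    if not sets:
        return frozenset()
    return frozenset.intersection(*sets)


class PermissionAdvisor:
    def __init__(self, app_role, role_permissions, default_role="other"):
        # Copy the inputs so later updates do not mutate the caller's tables.
        self.app_role = dict(app_role)
        self.role_permissions = {r: frozenset(p) for r, p in role_permissions.items()}
        self.default_role = default_role

    def role_of(self, app: str) -> str:
        # Preset application -> role correspondence; unlisted apps fall back
        # to the catch-all role (assumption).
        return self.app_role.get(app, self.default_role)

    def permission_set(self, role: str) -> FrozenSet[str]:
        # Preset role -> permission set correspondence; unknown role = empty.
        return self.role_permissions.get(role, frozenset())

    def set_role_from_peers(self, role: str, peer_grants) -> None:
        # Alternative source for a role's set: intersection of peer grants.
        self.role_permissions[role] = derive_role_permissions(peer_grants)

    def advise(self, app: str, permission: str) -> Suggestion:
        role = self.role_of(app)
        if permission in self.permission_set(role):
            return Suggestion(app, role, permission, "grant",
                              f"in the minimum permission set of role '{role}'")
        return Suggestion(app, role, permission, "deny",
                          f"not in the minimum permission set of role '{role}'")


def demo() -> List[Suggestion]:
    advisor = PermissionAdvisor(APP_ROLE, ROLE_PERMISSIONS)
    # The "game" role has no preset set here; derive it from two peers.
    advisor.app_role["com.example.game"] = "game"
    advisor.set_role_from_peers("game", [{CAMERA, RECORD_AUDIO}, {CAMERA}])
    requests = [
        ("com.example.videoplayer", RECORD_AUDIO),  # over-request
        ("com.example.chat", RECORD_AUDIO),         # needed for the role
        ("com.example.game", CAMERA),               # held by every peer
        ("com.example.game", RECORD_AUDIO),         # held by one peer only
        ("com.example.unlisted", FINE_LOCATION),    # falls back to "other"
    ]
    return [advisor.advise(app, perm) for app, perm in requests]


if __name__ == "__main__":
    for s in demo():
        print(f"{s.app}: {s.action.upper()} {s.permission} ({s.reason})")
```

The intersection keeps a role's set small, but it also means a single peer that was denied a genuinely needed permission removes that permission from the role, so peer-derived sets are best reviewed before being stored as the preset correspondence.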
In one embodiment, displaying the permission setting suggestion may specifically include: displaying a permission setting page, and displaying the permission setting suggestion in the permission setting page.
In the related art, the operating system has to ask the user whether to grant a sensitive permission and generally provides a permission setting page on which the user makes the setting, for example the permission setting page shown in Fig. 3a. In Fig. 3a, a permission setting dialog box pops up, asks the user whether to allow "Application A" to record audio, and provides two controls, "Prohibit" and "Allow". If the user refuses to grant the permission, the user may choose to prohibit; if the user agrees to grant the permission, the user may choose to allow.
In this embodiment, the permission setting suggestion is displayed together with the permission setting page, for example on the permission setting pages shown in Fig. 3b and Fig. 3c. Fig. 3b and Fig. 3c add a permission setting suggestion to the page of Fig. 3a, namely "The permission is in the permission set of 'Application A'; granting the permission is recommended" or "The permission is not in the permission set of 'Application A'; denying the permission is recommended".
If the permission set is the minimum permission set corresponding to the role to which the target application belongs, the permission setting suggestion may read, for example, "The role of Application A is the video class; the minimum permission set of this role contains the permission to record audio; granting the permission is recommended", or "The role of Application A is the video class; the minimum permission set of this role does not contain the permission to record audio; denying the permission is recommended".
The user can thus conveniently see the permission setting suggestion in time and refer to it to make a reasonable permission setting.
Of course, the permission setting suggestion can also be shown separately on a page other than the permission setting page. For example, it may be displayed before the permission setting page is displayed, so that the user sees the suggestion in time.
In one embodiment, after the permission setting suggestion is displayed, the method may further include: receiving a permission setting operation performed by the user based on the permission setting suggestion; and, in response to the permission setting operation, performing permission management on the target sensitive permission.
In practice, after the user performs a reasonable permission setting operation with reference to the permission setting suggestion, the operating system responds to the operation and carries out management consistent with it: if the operation indicates refusal, the operating system refuses to grant the target sensitive permission, and if the operation indicates approval, the operating system grants the target sensitive permission. Because the permission setting operation is a reasonable one made with reference to the permission setting suggestion, the permission management result produced in response to it is also reasonable, which improves the effect of permission management.
For the Android system, the architecture of the operating system generally includes at least an application layer and a Linux kernel layer (kernel layer for short). The kernel layer is the foundation of the operating system and may provide process management, file and network management, permission management, and the like. The application layer is the core of the application program; in implementation, the application program is installed in the application layer. The application layer and the kernel layer can communicate through Netlink sockets and similar mechanisms.
Based on this, a specific implementation of step 201 above may include: after detecting that the target application applies for the target sensitive permission, the application layer passes the permission application to the kernel layer. The kernel layer then responds to the permission application, queries the permission state of the target application for the target sensitive permission using the user identifier (UID) of the target application, and returns the permission state to the application layer when that state is "permission not granted". On receiving the permission state, the application layer determines the permission set the application needs to implement its functions. The kernel layer typically defines a corresponding UID for each application.
Accordingly, a specific implementation of step 202 may include: the application layer judges whether the target sensitive permission is in the permission set and obtains a judgment result.
Accordingly, a specific implementation of step 203 may include: the application layer generates a permission setting suggestion for the target sensitive permission according to the judgment result and displays the permission setting suggestion.
It should be noted that, when the kernel layer finds that the permission state of the target application for the target sensitive permission is "permission not granted", the kernel layer may also itself judge whether the target sensitive permission is in the permission set, obtain a judgment result, generate a permission setting suggestion for the target sensitive permission according to the judgment result, and return the suggestion to the application layer. The application layer then displays the permission setting suggestion.
A more detailed description of the rights management method provided in the embodiment of the present invention is given below by taking a specific application scenario as an example.
In this embodiment, taking the Android operating system as an example, an RBAC-based minimum authorization recommendation method for the Android system is provided.
In implementation, a set of sensitive permissions that may reveal the user's private data can be compiled in advance, for example: obtaining the coarse location (ACCESS_COARSE_LOCATION), reading SMS content (READ_SMS), reading contacts (READ_CONTACTS), accessing the network (INTERNET), obtaining the Wi-Fi state (ACCESS_WIFI_STATE), obtaining the network state (ACCESS_NETWORK_STATE), and so on. In addition, Android applications are divided into different roles in advance according to their functions; for example, applications are divided into 7 roles according to the function of each application: video playback, map, communications, games, shopping, payment, and others. This yields the preset correspondence between applications and roles.
Then a minimum permission set required to implement its functions is configured for each role; that is, a role-permission correspondence table is established based on the RBAC principle of minimum authorization, and this table contains the preset correspondence between roles and permission sets. For example, the minimum permission set required by an application in the video playback role includes INTERNET, ACCESS_WIFI_STATE and ACCESS_NETWORK_STATE, three permissions in total.
The preset correspondence between applications and roles and the preset correspondence between roles and permission sets can be stored in a preset policy library, also called the RBAC policy library.
As shown in Fig. 4, the rights management method is specifically as follows:
Step one: the target application is installed in the Android system.
Step two: at run time, the target application applies for the target sensitive permission.
The application program determines whether it has a specific permission through a ContextComp.
Step three: after the Android system detects that the target application applies for the target sensitive permission, it determines the role corresponding to the application based on the application-role correspondence preset in the policy library, determines the minimum permission set required by that role based on the role-permission correspondence table in the policy library, judges whether the target sensitive permission is in the minimum permission set, generates a permission setting suggestion according to the judgment result, and feeds the suggestion back to the user as a reasonable prompt.
Specifically, the application's permission application is passed from the application layer to the kernel layer. The kernel layer defines a corresponding UID for each application and determines whether the application has the specific permission (that is, queries the permission state) by looking up the UID. If the application does not have the permission, a message can be sent to the application layer through a Netlink socket.
After receiving the message from the kernel layer, the application layer can query the policy library, determine the role corresponding to the application based on the application-role correspondence preset in the policy library, determine the minimum permission set required by that role based on the role-permission correspondence table in the policy library, judge whether the target sensitive permission is in the minimum permission set, generate a permission setting suggestion according to the judgment result, and feed the suggestion back to the user as a reasonable prompt.
For example, when a video and audio playback application requests the user's location permission at run time, the Android system determines from the role-permission correspondence table that the location permission is not in the minimum permission set of the video and audio playback application, generates a permission setting suggestion accordingly, pops up a permission setting dialog box, and feeds the suggestion back to the user, advising the user to refuse the permission.
With this scheme, when an application requests a sensitive permission involving the user's private information, the Android system judges, from the permission set corresponding to the application's role, whether the application is applying for excessive permissions, gives the user more detailed and reasonable suggestions on granting permissions according to the judgment result, allocates the application's permissions in real time, and better protects user privacy.
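The flow in this scenario, modelled in Python as an added example that is not code from the patent: the kernel layer's UID-keyed permission state, the policy library lookup, the grant/deny suggestion, and the user's setting operation, plus a check of a whole request list for excessive permissions. All class, function and package names, the UIDs, the "map" role's permission set and the fallback of unlisted applications to an "other" role with an empty set are assumptions; only the sensitive-permission list and the video playback set come from the text.

```python
from dataclasses import dataclass, field

# Sensitive permissions listed in the description.
SENSITIVE = {"ACCESS_COARSE_LOCATION", "READ_SMS", "READ_CONTACTS",
             "INTERNET", "ACCESS_WIFI_STATE", "ACCESS_NETWORK_STATE"}


@dataclass
class PolicyLibrary:
    """RBAC policy library: app -> role and role -> minimum permission set."""
    app_roles: dict
    role_min_perms: dict
    default_role: str = "other"  # assumption: unlisted apps fall into 'other'

    def role_of(self, package):
        return self.app_roles.get(package, self.default_role)

    def min_set(self, role):
        # Assumption: a role with no table entry has an empty minimum set,
        # so every sensitive request from it yields a "deny" suggestion.
        return self.role_min_perms.get(role, frozenset())


@dataclass
class KernelLayer:
    """Stand-in for the kernel layer: permission state is keyed by UID."""
    granted: dict = field(default_factory=dict)  # uid -> set of permissions

    def is_granted(self, uid, perm):
        return perm in self.granted.get(uid, set())

    def set_state(self, uid, perm, grant):
        perms = self.granted.setdefault(uid, set())
        if grant:
            perms.add(perm)
        else:
            perms.discard(perm)


@dataclass(frozen=True)
class Suggestion:
    package: str
    role: str
    permission: str
    grant: bool

    def text(self):
        verb = "contains" if self.grant else "does not contain"
        advice = "grant" if self.grant else "deny"
        return (f"{self.package} has role '{self.role}'; its minimum permission "
                f"set {verb} {self.permission}; suggestion: {advice}")


def on_permission_request(kernel, policy, uid, package, perm):
    """Steps 201-203. Returns a Suggestion, or None when no prompt is needed."""
    if perm not in SENSITIVE:
        return None  # assumption: advice is produced for sensitive permissions only
    if kernel.is_granted(uid, perm):
        return None  # state is "granted", so the kernel layer reports nothing
    role = policy.role_of(package)
    return Suggestion(package, role, perm, perm in policy.min_set(role))


def on_user_choice(kernel, uid, suggestion, user_grants):
    """The user's setting operation decides; the suggestion is advice only."""
    kernel.set_state(uid, suggestion.permission, user_grants)
    return user_grants == suggestion.grant  # True if the user followed the advice


def over_requested(policy, package, requested):
    """Sensitive permissions requested beyond the role's minimum set."""
    minimum = policy.min_set(policy.role_of(package))
    return sorted((set(requested) & SENSITIVE) - minimum)


# Constructed sample policy; only the video playback set comes from the text.
POLICY = PolicyLibrary(
    app_roles={"com.example.video": "video playback", "com.example.maps": "map"},
    role_min_perms={
        "video playback": frozenset(
            {"INTERNET", "ACCESS_WIFI_STATE", "ACCESS_NETWORK_STATE"}),
        "map": frozenset({"INTERNET", "ACCESS_COARSE_LOCATION"}),  # assumed
    },
)

if __name__ == "__main__":
    kernel = KernelLayer()
    s = on_permission_request(kernel, POLICY, 10123, "com.example.video",
                              "ACCESS_COARSE_LOCATION")
    print(s.text())
    print(over_requested(POLICY, "com.example.video",
                         ["INTERNET", "READ_SMS", "ACCESS_COARSE_LOCATION"]))
```

Because the user's operation is applied whatever the suggestion says, the return value of `on_user_choice` is the place to record overrides of a "deny" suggestion.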
Fig. 5 is a schematic structural diagram of a rights management device according to an embodiment of the present invention. As shown in Fig. 5, the apparatus 500 includes:
a determining module 501, configured to determine the permission set required by the target application to implement its functions after detecting that the target application applies for a target sensitive permission;
a judging module 502, configured to judge whether the target sensitive permission is in the permission set, to obtain a judgment result;
and a suggestion module 503, configured to generate a permission setting suggestion for the target sensitive permission according to the judgment result, and display the permission setting suggestion.
In one embodiment, the set of permissions is the minimum set of permissions required by the target application to implement the function.
In an embodiment, the determining module 501 is specifically configured to:
determining a role to which the target application program belongs from a plurality of roles, wherein the roles are obtained based on functions realized by the application program;
and determining the permission set corresponding to the role to which the target application program belongs.
In an embodiment, the determining module 501 is specifically configured to:
and determining the role to which the target application program belongs based on the preset corresponding relation between the application program and the role.
In an embodiment, the determining module 501 is specifically configured to:
and determining the permission set corresponding to the role to which the target application program belongs based on the preset corresponding relation between the role and the permission set.
In one embodiment, the suggestion module 503 is specifically configured to:
if the target sensitive permission is in the permission set, generating a permission setting suggestion for granting permission;
and if the target sensitive permission is not in the permission set, generating a permission setting suggestion for refusing to grant permission.
In one embodiment, the suggestion module 503 is specifically configured to:
and displaying the permission setting page, and displaying the permission setting suggestion in the permission setting page.
In one embodiment, as shown in fig. 6, the apparatus 500 may further include:
a receiving module 504, configured to receive, after displaying the permission setting suggestion, a permission setting operation performed by the user based on the permission setting suggestion;
and the management module 505 is configured to perform permission management on the target sensitive permission in response to the permission setting operation.
For the functions of each module in each device provided in the embodiments of the present invention, reference may be made to the corresponding description in the above embodiments of the rights management method; they are not described here again.
An embodiment of the present invention further provides an electronic device, as shown in Fig. 7, including a processor 701, a communication interface 702, a memory 703 and a communication bus 704, where the processor 701, the communication interface 702 and the memory 703 communicate with one another through the communication bus 704;
a memory 703 for storing a computer program;
the processor 701 is configured to implement the following steps when executing the program stored in the memory 703:
after detecting that the target application program applies for the target sensitive permission, determining a permission set required by the target application program to realize its functions;
judging whether the target sensitive permission is in the permission set to obtain a judgment result;
and generating a permission setting suggestion for the target sensitive permission according to the judgment result and displaying the permission setting suggestion.
The communication bus mentioned in the above terminal may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the terminal and other equipment.
The Memory may include a Random Access Memory (RAM) or a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
In yet another embodiment of the present invention, a computer-readable storage medium is further provided, which has instructions stored therein, and when the instructions are executed on a computer, the instructions cause the computer to execute the rights management method described in any of the above embodiments.
In yet another embodiment, the present invention further provides a computer program product containing instructions which, when run on a computer, cause the computer to perform the method of rights management as described in any of the above embodiments.
The above embodiments may be implemented wholly or partially in software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center by wired means (e.g., coaxial cable, optical fiber, Digital Subscriber Line (DSL)) or wireless means (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (11)

1. A method of rights management, comprising:
after detecting that a target application program applies for a target sensitive permission, determining a permission set required by the target application program to realize its functions;
judging whether the target sensitive permission is in the permission set or not to obtain a judgment result;
and generating a permission setting suggestion for the target sensitive permission according to the judgment result and displaying the permission setting suggestion.
2. The method of claim 1, wherein the set of permissions is a minimum set of permissions needed for the target application to perform a function.
3. The method of claim 1 or 2, wherein the determining the set of permissions required by the target application to implement the function comprises:
determining a role to which the target application belongs from a plurality of roles, wherein the roles are obtained based on functions realized by the application;
and determining the permission set corresponding to the role to which the target application program belongs.
4. The method of claim 3, wherein determining the role to which the target application belongs comprises:
and determining the role to which the target application program belongs based on the preset corresponding relation between the application program and the role.
5. The method of claim 3, wherein the determining the set of permissions corresponding to the role to which the target application belongs comprises:
and determining the permission set corresponding to the role to which the target application program belongs based on the corresponding relation between the preset role and the permission set.
6. The method according to claim 1, wherein the generating of the permission setting suggestion for the target sensitive permission according to the determination result comprises:
if the target sensitive permission is in the permission set, generating a permission setting suggestion for granting permission;
and if the target sensitive permission is not in the permission set, generating a permission setting suggestion for refusing to grant permission.
7. The method of claim 1, wherein said presenting the permission setting suggestion comprises:
and displaying a permission setting page, and displaying the permission setting suggestion in the permission setting page.
8. The method of claim 1 or 7, further comprising, after said presenting said permission setting suggestion:
receiving permission setting operation carried out by a user based on the permission setting suggestion;
and responding to the authority setting operation, and carrying out authority management on the target sensitive authority.
9. A rights management device, comprising:
the determining module is used for determining a permission set required by the target application program to realize functions after detecting permission application of the target application program to the target sensitive permission;
the judging module is used for judging whether the target sensitive permission is in the permission set or not to obtain a judging result;
and the suggestion module is used for generating a permission setting suggestion aiming at the target sensitive permission according to the judgment result and displaying the permission setting suggestion to a user.
10. An electronic device, characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory communicate with one another through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1 to 8 when executing a program stored in the memory.
11. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 1 to 8.
CN202110876430.XA 2021-07-29 2021-07-29 Authority management method, device, equipment and storage medium Pending CN113672974A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110876430.XA CN113672974A (en) 2021-07-29 2021-07-29 Authority management method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113672974A (en) 2021-11-19

Family

ID=78540902


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination