Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the embodiments of the invention, for application scenarios in which users share the same role but hold different service permissions, user groups are divided on the basis of both role and service permissions, so that users of the same role fall into different user groups when their service permissions differ. Access control can then be performed on a user's access requests according to the service permissions of the user group to which the user belongs, which restricts the behavior of users who share a role but differ in service permissions.
Referring to fig. 1, fig. 1 is a flowchart of an access control method according to an embodiment of the present invention, and as shown in fig. 1, the method mainly includes the following steps:
Step 101, dividing user groups according to roles and service permissions, configuring behavior filtering rules for each user group, and configuring service permission information corresponding to each user group for each service type.
In this embodiment, a role is the part that a user plays in the access control system; for example, in an access control system for medical services, the patient is one role and the doctor is another.
In this embodiment, the user groups are divided according to roles and service permissions, so that users belonging to the same role and the same service permission form one user group.
Step 102, when the user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and recording the user group to which the user belongs.
Step 103, after the user logs in the access control system, receiving an access request of the user for any service type, determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to the service authority of the user for the service type.
As can be seen from the method shown in fig. 1, in this embodiment, user groups are divided according to roles and service permissions, and by configuring a behavior filtering rule for each user group, users with different service permissions in the same role are divided into different user groups when logging in an access control system, and by configuring service permission information corresponding to each user group for each service type, when receiving an access request of a user for any service type, the service permission of the user for the service type can be determined according to the service permission information configured for the service type and a record of the user group to which the user belongs, and access control is performed on the access request according to the service permission information, so that behavior restriction on the user can be realized in an application scenario with different service permissions in the same role.
Referring to fig. 2, fig. 2 is a flowchart of an access control method according to a second embodiment of the present invention, and as shown in fig. 2, the method mainly includes the following steps:
Step 201, dividing user groups according to roles and service authorities, configuring behavior filtering rules for each user group, and configuring service authority information corresponding to each user group for each service type;
in this embodiment, the behavior filtering rule configured for each user group includes at least one of the following:
rule 1: a login mode set for the user group, that is, a user who logs in to the access control system through the login mode set for the user group belongs to the user group;
rule 2: a user information list known to belong to the user group, that is, a user whose user information is in the list known to belong to the user group belongs to the user group;
rule 3: a user information list designated as belonging to the user group, that is, a user whose user information is in the list designated as belonging to the user group belongs to the user group.
Step 2021, when the user logs in to the access control system, for each user group, perform the following steps 2022 to 2024:
step 2022, when the behavior filtering rule configured for the user group includes the login manner set for the user group, determining the login manner of the user, and if the login manner of the user is the same as the login manner set for the user group, determining that the user belongs to the user group;
step 2023, when the behavior filtering rule configured for the user group includes a user information list known to belong to the user group, if the user information is located in the user information list known to belong to the user group, determining that the user belongs to the user group;
step 2024, when the behavior filtering rule configured for the user group includes the user information list specified to belong to the user group, if the user information is located in the user information list specified to belong to the user group, determining that the user belongs to the user group.
In this embodiment, if steps 2022 to 2024 have been performed for a user group and the user has not been determined to belong to it, the user is determined not to belong to that user group.
In this embodiment, the user group to which the user belongs may be finally determined by performing the operations of step 2022 to step 2024 on each user group.
The above steps 2021 to 2024 are specific refinements of "determining the user group to which the user belongs according to the behavior filtering rule when the user logs in to the access control system" in step 102 shown in fig. 1.
Step 2025, record the user group to which the user belongs.
Step 203, after the user logs in the access control system, receiving an access request of the user for any service type, determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to the service authority of the user for the service type.
As can be seen from the method shown in fig. 2, in this embodiment, user groups are divided according to roles and service permissions, a user who logs in to the access control system is divided into different user groups according to specific contents included in specific behavior filtering rules by configuring a behavior filtering rule for each user group, and service permission information corresponding to each user group is configured for each service type, so that when an access request of a user for any service type is received, the service permission of the user for the service type can be determined according to the service permission information configured for the service type and a record of the user group to which the user belongs, and access control is performed on the access request according to the service permission information, so that behavior restriction on the user can be realized in application scenarios with different service permissions in the same role.
Referring to fig. 3, fig. 3 is a flowchart of an access control method provided by a third embodiment of the present invention, and as shown in fig. 3, the method mainly includes the following steps:
Step 301, dividing user groups according to roles and service permissions, configuring behavior filtering rules for each user group, and configuring service permission information corresponding to each user group for each service type.
In practical applications, the service authority may take various forms, for example different operation permissions on the service.
In this embodiment, the service authority information configured for each service type and corresponding to each user group includes a user group identifier and an access authority; wherein the access rights include permission to access and prohibition of access.
Step 302, when the user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and adding the identifier of the user group to which the user belongs to the user information.
In this embodiment, after determining the user group to which the user belongs according to the behavior filtering rule, the user group to which the user belongs may be recorded, so that the user group may be determined subsequently based on the record of the user group to which the user belongs, and the user group does not need to be determined again according to the behavior filtering rule.
In this embodiment, recording the user group to which the user belongs specifically includes adding the identifier of that user group to the user information. That is, the identifier of the user group to which the user belongs becomes one item of the user information, so that the user group can subsequently be determined from the user group identifier in the user information alone.
The above step 302 is a detailed refinement of step 102 shown in fig. 1.
Step 3031, after the user logs in the access control system, receiving an access request of the user for any service type.
Step 3032, searching the service authority information configured for the service type for the entry matching the user group identifier in the user information.
Step 3033, determining the access authority in the searched service authority information as the service authority of the user to the service type.
The above steps 3032 to 3033 are specific refinements of "determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs" in the step 103 shown in fig. 1.
Step 3034, performing access control on the access request according to the service authority of the user to the service type.
In this embodiment, performing access control on the access request according to the service permission of the user for the service type specifically includes:
if the service authority of the user for the service type is access permitted, processing the service according to the access request and returning a service processing result;
if the service authority of the user for the service type is access prohibited, returning an access response carrying information indicating that access is prohibited.
As can be seen from the method shown in fig. 3, in this embodiment, user groups are divided according to roles and service permissions; a behavior filtering rule is configured for each user group, so that users with the same role and different service authorities are divided into different user groups when logging in to the access control system, and the identifier of the user group to which each user belongs is recorded by adding it to the user information; service authority information corresponding to each user group is configured for each service type, so that when an access request of a user for any service type is received, the service authority of the user for the service type can be determined according to the service authority information configured for the service type and the user group identifier in the user information, and access control is performed on the access request according to that service authority, so that behavior limitation on users can be realized in application scenarios with the same role and different service authorities.
Referring to fig. 4, fig. 4 is a flowchart of an access control method according to a fourth embodiment of the present invention, and as shown in fig. 4, the method mainly includes the following steps:
Step 401, dividing user groups according to roles and service permissions, configuring behavior filtering rules for each user group, and configuring service permission information corresponding to each user group for each service type.
In practical applications, the service authority may take various forms, for example different operation permissions on the service.
In this embodiment, the service authority information configured for each service type and corresponding to each user group includes a user group identifier and an access authority; wherein the access rights include permission to access and prohibition of access.
Step 402, when the user logs in the access control system, determining the user group to which the user belongs according to the behavior filtering rule, and adding the user information into a user information list of the user group to which the user belongs.
In this embodiment, after determining the user group to which the user belongs according to the behavior filtering rule, the user group to which the user belongs may be recorded, so that the user group may be determined subsequently based on the record of the user group to which the user belongs, and the user group does not need to be determined again according to the behavior filtering rule.
In this embodiment, the recording the user group to which the user belongs specifically includes: and adding the user information into a user information list of a user group to which the user belongs.
The above step 402 is a detailed refinement of step 102 shown in fig. 1.
Step 4031, after the user logs in the access control system, an access request of the user for any service type is received.
Step 4032, examining the access rights in the service authority information configured for the service type: if all of the access rights are access permitted, step 4033 is executed; if all of the access rights are access prohibited, step 4034 is executed; otherwise, step 4035 is executed.
Step 4033, determining that the service authority of the user for the service type is access permitted;
step 4034, determining that the service authority of the user for the service type is access prohibited;
step 4035, identifying the entries of the service authority information configured for the service type whose access right is access permitted, searching for the user information in the user information lists of the user groups corresponding to those entries, and, if the user information is found, determining that the service authority of the user for the service type is access permitted, otherwise determining that it is access prohibited.
The above steps 4032 to 4035 are specific refinements of "determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs" in step 103 shown in fig. 1.
Step 4036, access control is performed on the access request according to the service authority of the user on the service type.
In this embodiment, performing access control on the access request according to the service permission of the user for the service type specifically includes:
if the service authority of the user for the service type is access permitted, processing the service according to the access request and returning a service processing result;
if the service authority of the user for the service type is access prohibited, returning an access response carrying information indicating that access is prohibited.
As can be seen from the method shown in fig. 4, in this embodiment, user groups are divided according to roles and service permissions; configuring a behavior filtering rule for each user group, so that users with the same role and different service permissions are divided into different user groups when logging in an access control system, and user information is added into a user information list of the user group to which the user belongs; by configuring the service authority information corresponding to each user group for each service type, when receiving an access request of a user for any service type, the service authority of the user for the service type can be determined according to the service authority information configured for the service type and a user information list of the user group to which the user belongs, and access control is performed on the access request according to the service authority information, so that behavior limitation on the user can be realized in application scenes with the same role and different service authorities.
The access control method according to the embodiment of the present invention is described in detail above, and the following description is made with reference to specific examples:
Suppose a company develops an access control system for medical services that provides medical services to patients. Patients suffering from a certain disease (such as novel coronavirus pneumonia) may be provided with medical services carrying different service authorities within the same role: the patients suffering from that disease are regarded as one role, but when medical services are provided, patients of that role who meet certain conditions are provided with a certain medical service while patients of that role who do not meet those conditions are not. In this case, different service authorities arise within the same role.
For the above situation, the access control method provided by the above embodiment of the present invention may be adopted to realize the behavior limitation on the patient suffering from the specific disease, and the specific implementation process is as follows:
Step S1, dividing user groups according to roles and service authorities.
Specifically, the patients suffering from the specific disease are divided into two user groups according to whether or not they receive the specific medical service: users in one user group (hereinafter user group 1) receive the specific medical service, and users in the other user group (hereinafter user group 2) do not.
In addition, the same processing as in step S1 is applied to patients suffering from other diseases, and is not described further here or below.
Step S2, configuring behavior filtering rules for each user group, and configuring service authority information corresponding to each user group for each service type.
Specifically, the behavior filtering rule configured for user group 1 includes: the patient suffering from the specific disease completed registration by scanning the two-dimensional code provided by a doctor; the patient is in the user information list of patients suffering from the specific disease who are known to be located in a certain place (hereinafter user information list 1); or the patient is in the user information list of patients suffering from the specific disease provided by the company (hereinafter user information list 2). The behavior filtering rule configured for user group 2 is: the patients suffering from the specific disease who are filtered out by the behavior filtering rule configured for user group 1.
In addition, assume that there are service 1 and service 2, where service 1 is a specific medical service and service 2 is not a specific medical service. The service authority information configured for the two services is as follows:
1) The service authority information configured for service 1 and corresponding to user group 1 comprises the identifier of user group 1 and access permitted; the service authority information configured for service 1 and corresponding to user group 2 comprises the identifier of user group 2 and access prohibited.
2) The service authority information configured for service 2 and corresponding to user group 1 comprises the identifier of user group 1 and access permitted; the service authority information configured for service 2 and corresponding to user group 2 comprises the identifier of user group 2 and access permitted.
Step S3, when the user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and recording the user group to which the user belongs.
When a patient suffering from the specific disease logs in to the access control system, if the patient registered by scanning the two-dimensional code provided by a doctor, or is in user information list 1 or user information list 2, the patient is determined to belong to user group 1 and is added to the user information list of user group 1; otherwise, the patient is determined to belong to user group 2 and is added to the user information list of user group 2.
Step S4, after the user logs in the access control system, receiving an access request of the user for any service type, determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to the service authority of the user for the service type.
After a patient suffering from the specific disease logs in to the access control system, if the patient wants to access service 1, an access request for service 1 is triggered. On receiving the access request, the access control system determines that only patients in user group 1 may access service 1, and therefore searches for the patient's information in the user information list of user group 1. If the information is found, the patient is determined to be permitted to access service 1 and the access request is processed; if it is not found, the patient is determined to be prohibited from accessing service 1, and an access response carrying information indicating that access is prohibited is returned, so that the patient knows that service 1 cannot be accessed.
After logging in to the access control system, if a patient suffering from the specific disease wants to access service 2, an access request for service 2 is triggered. On receiving the access request, the access control system determines that patients in both user group 1 and user group 2 may access service 2, so the patient is determined to be permitted to access service 2 and the access request is processed.
As can be seen from the above example, the patient suffering from the specific disease is divided into two user groups according to different access rights to the service 1 and the service 2, and the patient is divided into one of the two user groups when logging in the access control system by configuring the behavior filtering rules for the two user groups; by respectively configuring the service authority information corresponding to each user group for the service 1 and the service 2, when receiving an access request of a patient for the service 1 or the service 2, the service authority of the patient to the service type can be determined according to the service authority information configured for the service 1 or the service 2 and the record of the user group to which the patient belongs, and the access control is performed on the access request according to the service authority information, so that the behavior control of the patient suffering from the specific disease is realized.
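The scenario of steps S1 to S4 above, as an added example that is not part of the patent text: a small Python model in which user group 1 is matched by the three behavior filtering rules and user group 2 is the fallback group for patients no rule matches (an assumption about how the "filtered out" rule is realised), covering both the fig. 3 lookup (group identifier recorded in the user information) and the fig. 4 lookup (membership lists consulted only when the service's entries disagree). The group and service identifiers, login mode names and patient ids are constructed; treating an unconfigured service or an unrecorded group as access prohibited is a fail-closed assumption the page does not state.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set


class Access(Enum):
    ALLOW = "access permitted"
    DENY = "access prohibited"


@dataclass
class User:
    user_id: str
    login_mode: str
    group_id: Optional[str] = None   # fig. 3 record: identifier kept in the user information


@dataclass
class FilterRule:
    """Behaviour filtering rule of one user group: rules 1 to 3 of fig. 2."""
    login_modes: Set[str] = field(default_factory=set)       # rule 1: login mode set for the group
    known_users: Set[str] = field(default_factory=set)       # rule 2: users known to belong
    designated_users: Set[str] = field(default_factory=set)  # rule 3: users designated to belong

    def matches(self, user: User) -> bool:
        return (user.login_mode in self.login_modes
                or user.user_id in self.known_users
                or user.user_id in self.designated_users)


class AccessControlSystem:
    def __init__(self, rules: Dict[str, FilterRule], fallback_group: str,
                 service_perms: Dict[str, Dict[str, Access]]):
        self.rules = rules                    # group id -> behaviour filtering rule
        self.fallback_group = fallback_group  # assumption: users no rule matches land here
        self.service_perms = service_perms    # service type -> {group id -> access right}
        # fig. 4 record: one user information list per user group
        self.members: Dict[str, Set[str]] = {g: set() for g in [*rules, fallback_group]}

    def login(self, user: User) -> str:
        """Steps 2021-2025 / S3: determine the group at login and record it both ways."""
        for gid, rule in self.rules.items():
            if rule.matches(user):
                user.group_id = gid
                break
        else:
            user.group_id = self.fallback_group
        self.members[user.group_id].add(user.user_id)
        return user.group_id

    def permission_by_group_id(self, user: User, service: str) -> Access:
        """Steps 3032-3033: look up the entry for the group identifier in the user info."""
        if user.group_id is None:             # not logged in: fail closed (assumption)
            return Access.DENY
        # a group with no entry for this service is treated as prohibited (assumption)
        return self.service_perms.get(service, {}).get(user.group_id, Access.DENY)

    def permission_by_membership(self, user: User, service: str) -> Access:
        """Steps 4032-4035: consult the membership lists only when the entries disagree."""
        perms = self.service_perms.get(service)
        if not perms:                         # unconfigured service: fail closed (assumption)
            return Access.DENY
        if all(a is Access.ALLOW for a in perms.values()):
            return Access.ALLOW
        if all(a is Access.DENY for a in perms.values()):
            return Access.DENY
        allowed = [g for g, a in perms.items() if a is Access.ALLOW]
        if any(user.user_id in self.members.get(g, set()) for g in allowed):
            return Access.ALLOW
        return Access.DENY

    def handle_request(self, user: User, service: str) -> dict:
        """Steps 3034 / 4036: process the service or return a response saying why not."""
        if self.permission_by_group_id(user, service) is Access.ALLOW:
            return {"status": "ok", "result": f"{service} processed for {user.user_id}"}
        return {"status": "denied", "reason": Access.DENY.value}


def build_example_system() -> AccessControlSystem:
    """Constructed configuration for the patient scenario of steps S1 and S2."""
    group1 = FilterRule(login_modes={"doctor_qr"},    # registered via the doctor's QR code
                        known_users={"p002"},         # user information list 1
                        designated_users={"p003"})    # user information list 2
    perms = {
        "service1": {"G1": Access.ALLOW, "G2": Access.DENY},   # the specific medical service
        "service2": {"G1": Access.ALLOW, "G2": Access.ALLOW},  # open to both groups
    }
    return AccessControlSystem({"G1": group1}, "G2", perms)


if __name__ == "__main__":
    acs = build_example_system()
    for u in (User("p001", "password"), User("p002", "password"), User("p004", "doctor_qr")):
        acs.login(u)
        print(u.user_id, u.group_id, acs.handle_request(u, "service1")["status"],
              acs.handle_request(u, "service2")["status"])
```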
An embodiment of the present invention further provides an access control apparatus, as shown in fig. 5, the apparatus includes:
a configuration unit 501, configured to divide user groups according to roles and service permissions, configure behavior filtering rules for each user group, and configure service permission information corresponding to each user group for each service type;
the recording unit 502 is used for determining a user group to which the user belongs according to the behavior filtering rule and recording the user group to which the user belongs when the user logs in the access control system;
the processing unit 503, after the user logs in the access control system, receives an access request of the user for any service type, determines the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, and performs access control on the access request according to the service authority of the user for the service type.
In the apparatus shown in fig. 5,
the behavior filtering rule configured for each user group comprises at least one of the following: a login mode set for the user group, a user information list known to belong to the user group, and a user information list designated to belong to the user group;
the recording unit 502 determines the user group to which the user belongs according to the behavior filtering rule, and records the user group to which the user belongs, including:
for each user group:
when the behavior filtering rule configured for the user group comprises a login mode set for the user group, determining the login mode of the user, and if the login mode of the user is the same as the login mode set for the user group, determining that the user belongs to the user group;
when the behavior filtering rule configured for the user group comprises a user information list known to belong to the user group, if the user information is located in the user information list known to belong to the user group, determining that the user belongs to the user group;
when the behavior filtering rule configured for the user group comprises a user information list designated as belonging to the user group, if the user information is located in that list, determining that the user belongs to the user group.
In the apparatus shown in fig. 5,
the service authority information which is configured for each service type and corresponds to each user group comprises user group identification and access authority; the access right comprises permission access and prohibition access;
the recording unit 502 records a user group to which the user belongs, and includes: adding the user group identification to which the user belongs to the user information;
the processing unit 503, determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, includes:
searching the service authority information configured for the service type for the user group identification in the user information;
and determining the access authority in the searched service authority information as the service authority of the user to the service type.
In the apparatus shown in fig. 5,
the service authority information which is configured for each service type and corresponds to each user group comprises user group identification and access authority; the access right comprises permission access and prohibition access;
the recording unit 502 records a user group to which the user belongs, and includes: adding the user information into a user information list of a user group to which the user belongs;
the processing unit 503, determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, includes:
if the access rights in the service right information configured for the service type are all allowed to be accessed, determining that the service right of the user to the service type is allowed to be accessed;
if the access rights in the service right information configured for the service type are all access forbidding, determining that the service right of the user to the service type is access forbidding;
otherwise, identifying the entries of the service right information configured for the service type whose access right is access permitted, searching for the user information in the user information lists of the user groups corresponding to those entries, and, if the user information is found, determining that the service right of the user to the service type is access permitted, otherwise determining that it is access prohibited.
In the apparatus shown in fig. 5,
the processing unit 503, performing access control on the access request according to the service authority of the user to the service type, includes:
if the service authority of the user for the service type is access permitted, processing the service according to the access request and returning a service processing result;
if the service authority of the user for the service type is access prohibited, returning an access response carrying information indicating that access is prohibited.
An embodiment of the present invention further provides an electronic device, as shown in fig. 6, where the electronic device includes: at least one processor 601, and a memory 602 connected to the at least one processor 601 through a bus; the memory 602 stores one or more computer programs executable by the at least one processor 601; the at least one processor 601, when executing the one or more computer programs, implements the steps in the access control method shown in any of the flowcharts of fig. 1-4.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more computer programs, which when executed by a processor implement the steps in the access control method shown in any of the flowcharts in fig. 1-4.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.