CN113806726A - Access control method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN113806726A
Authority
CN (China)
Prior art keywords
user, service, access, user group, service type
Legal status
Pending
Application number
CN202110123099.4A
Other languages
Chinese (zh)
Inventor
李岳涛
Current Assignee
Beijing Jingdong Tuoxian Technology Co Ltd
Original Assignee
Beijing Jingdong Tuoxian Technology Co Ltd
Application filed by Beijing Jingdong Tuoxian Technology Co Ltd; priority to CN202110123099.4A; published as CN113806726A.

Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30  Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45  Structures or tools for the administration of authentication
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00  Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20  Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24  Querying
    • G06F16/245  Query processing
    • G06F16/2455  Query execution
    • G06F16/24564  Applying rules; Deductive queries
    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00  Arrangements for program control, e.g. control units
    • G06F9/06  Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44  Arrangements for executing specific programs
    • G06F9/445  Program loading or initiating
    • G06F9/44505  Configuring for program initiating, e.g. using registry, configuration files
    • G06F9/4451  User profiles; Roaming

Abstract

The invention provides an access control method, an access control device, an electronic device and a storage medium. The method comprises the following steps: dividing user groups according to roles and service permissions, configuring a behavior filtering rule for each user group, and configuring, for each service type, service permission information corresponding to each user group; when a user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and recording that user group; after the user has logged in to the access control system, receiving an access request from the user for any service type, determining the user's service permission for that service type according to the service permission information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to that service permission. The invention can thereby restrict user behavior in application scenarios where users share the same role but have different service permissions.

Description

Access control method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of information security technologies, and in particular, to an access control method and apparatus, an electronic device, and a storage medium.
Background
Access control is a technique that restricts users' access to certain information items, or their use of certain control functions, according to a defined set of user identities and the groups to which they belong. Access control is generally performed by assigning roles to users and assigning permissions to the roles, so that user behavior is restricted according to the role.
Restricting user behavior according to the role alone is suitable only for simpler application scenarios, not for more complex ones: for example, it cannot restrict user behavior in application scenarios where users have the same role but different service permissions.
Disclosure of Invention
In view of this, the present invention provides an access control method, an access control apparatus, an electronic device, and a storage medium, which can implement behavior restriction on a user in application scenarios with the same role and different service permissions.
To achieve this, the invention provides the following technical solution.
An access control method, comprising:
dividing user groups according to roles and service permissions, configuring a behavior filtering rule for each user group, and configuring, for each service type, service permission information corresponding to each user group;
when a user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and recording that user group;
after the user has logged in to the access control system, receiving an access request from the user for any service type, determining the user's service permission for that service type according to the service permission information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to that service permission.
An access control device, comprising:
a configuration unit, configured to divide user groups according to roles and service permissions, configure a behavior filtering rule for each user group, and configure, for each service type, service permission information corresponding to each user group;
a recording unit, configured to determine, when a user logs in to the access control system, the user group to which the user belongs according to the behavior filtering rules, and to record that user group;
and a processing unit, configured to receive, after the user has logged in to the access control system, an access request from the user for any service type, determine the user's service permission for that service type according to the service permission information configured for the service type and the record of the user group to which the user belongs, and perform access control on the access request according to that service permission.
An electronic device, comprising at least one processor and a memory connected to the at least one processor through a bus; the memory stores one or more computer programs executable by the at least one processor, and the at least one processor, when executing the one or more computer programs, implements the steps of the access control method described above.
A computer-readable storage medium storing one or more computer programs which, when executed by a processor, implement the steps of the access control method described above.
According to the above technical solution, user groups are divided according to roles and service permissions, a behavior filtering rule is configured for each user group, and service permission information corresponding to each user group is configured for each service type. When a user logs in to the access control system, the user group to which the user belongs can be determined according to the behavior filtering rules. After the user has logged in, when an access request from the user for any service type is received, the user's service permission for that service type can be determined according to the service permission information configured for the service type and the record of the user group to which the user belongs, and access control is performed on the access request according to that service permission. Thus, through the division of user groups, users with the same role are placed in different user groups because their service permissions differ, and access control on a user's access request is performed according to the service permission of the user group to which the user belongs rather than according to the service permission of the user's role. Behavior restriction on users can therefore be realized in application scenarios where the same role has different service permissions.
Drawings
To illustrate the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without inventive effort.
Fig. 1 is a flowchart of an access control method according to a first embodiment of the present invention;
Fig. 2 is a flowchart of an access control method according to a second embodiment of the present invention;
Fig. 3 is a flowchart of an access control method according to a third embodiment of the present invention;
Fig. 4 is a flowchart of an access control method according to a fourth embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an access control device according to an embodiment of the present invention;
Fig. 6 is a schematic structural diagram of an electronic device according to a first embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In the embodiments of the invention, for application scenarios where users have the same role but different service permissions, user groups are divided based on both the role and the service permissions, so that users with the same role are placed in different user groups because their service permissions differ. Access control on a user's access request can then be performed according to the service permission of the user group to which the user belongs, which restricts the behavior of users with the same role and different service permissions.
Referring to fig. 1, which is a flowchart of an access control method according to an embodiment of the present invention, the method mainly includes the following steps:
Step 101, dividing user groups according to roles and service permissions, configuring a behavior filtering rule for each user group, and configuring, for each service type, service permission information corresponding to each user group.
In this embodiment, a role is what a user assumes in the access control system; for example, in an access control system for medical services, "patient" is one role and "doctor" is another.
In this embodiment, user groups are divided according to roles and service permissions, so that users with the same role and the same service permission form one user group.
Step 102, when a user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and recording that user group.
Step 103, after the user has logged in to the access control system, receiving an access request from the user for any service type, determining the user's service permission for that service type according to the service permission information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to that service permission.
As can be seen from the method of fig. 1, in this embodiment user groups are divided according to roles and service permissions. Because a behavior filtering rule is configured for each user group, users with the same role but different service permissions are placed in different user groups when they log in to the access control system. Because service permission information corresponding to each user group is configured for each service type, when an access request from a user for any service type is received, the user's service permission for that service type can be determined from the service permission information configured for the service type and the record of the user group to which the user belongs, and access control is performed on the access request accordingly. Behavior restriction on users can therefore be realized in application scenarios where the same role has different service permissions.
Referring to fig. 2, which is a flowchart of an access control method according to a second embodiment of the present invention, the method mainly includes the following steps:
Step 201, dividing user groups according to roles and service permissions, configuring a behavior filtering rule for each user group, and configuring, for each service type, service permission information corresponding to each user group.
In this embodiment, the behavior filtering rule configured for each user group includes at least one of the following:
Rule 1: a login mode set for the user group, meaning that a user who logs in to the access control system through the login mode set for the user group belongs to the user group;
Rule 2: a user information list known to belong to the user group, meaning that a user whose user information is in that list belongs to the user group;
Rule 3: a user information list designated as belonging to the user group, meaning that a user whose user information is in that list belongs to the user group.
Step 2021, when the user logs in to the access control system, performing the following steps 2022 to 2024 for each user group:
Step 2022, when the behavior filtering rule configured for the user group includes a login mode set for the user group, determining the login mode of the user, and if it is the same as the login mode set for the user group, determining that the user belongs to the user group;
Step 2023, when the behavior filtering rule configured for the user group includes a user information list known to belong to the user group, and the user's information is in that list, determining that the user belongs to the user group;
Step 2024, when the behavior filtering rule configured for the user group includes a user information list designated as belonging to the user group, and the user's information is in that list, determining that the user belongs to the user group.
In this embodiment, if steps 2022 to 2024 have been performed for a user group without determining that the user belongs to it, it may be determined that the user does not belong to that user group.
In this embodiment, the user group to which the user belongs is finally determined by performing steps 2022 to 2024 for each user group.
Steps 2021 to 2024 above are a specific refinement of "determining the user group to which the user belongs according to the behavior filtering rule when the user logs in to the access control system" in step 102 of fig. 1.
Step 2025, recording the user group to which the user belongs.
Step 203, after the user has logged in to the access control system, receiving an access request from the user for any service type, determining the user's service permission for that service type according to the service permission information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to that service permission.
As can be seen from the method of fig. 2, in this embodiment user groups are divided according to roles and service permissions, and by configuring a behavior filtering rule for each user group, users who log in to the access control system are placed in different user groups according to the specific contents of those rules. Because service permission information corresponding to each user group is configured for each service type, when an access request from a user for any service type is received, the user's service permission for that service type can be determined from the service permission information configured for the service type and the record of the user group to which the user belongs, and access control is performed on the access request accordingly. Behavior restriction on users can therefore be realized in application scenarios where the same role has different service permissions.
Referring to fig. 3, which is a flowchart of an access control method according to a third embodiment of the present invention, the method mainly includes the following steps:
Step 301, dividing user groups according to roles and service permissions, configuring a behavior filtering rule for each user group, and configuring, for each service type, service permission information corresponding to each user group.
In practice, the service permission may take various forms, such as different operation permissions for the service.
In this embodiment, the service permission information configured for each service type and corresponding to each user group includes a user group identifier and an access permission, where the access permission is either access allowed or access prohibited.
Step 302, when a user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and adding the identifier of that user group to the user information.
In this embodiment, after the user group to which the user belongs has been determined according to the behavior filtering rules, it may be recorded so that it can subsequently be obtained from the record instead of being determined again according to the behavior filtering rules.
In this embodiment, recording the user group to which the user belongs specifically means adding the identifier of that user group to the user information, i.e. the user group identifier becomes one item of the user information, so that the user group to which the user belongs can subsequently be determined from the user group identifier in the user information alone.
Step 302 above is a specific refinement of step 102 of fig. 1.
Step 3031, after the user has logged in to the access control system, receiving an access request from the user for any service type.
Step 3032, searching the service permission information configured for the service type for the entry carrying the user's user group identifier.
Step 3033, determining the access permission in the entry found as the user's service permission for the service type.
Steps 3032 to 3033 above are a specific refinement of "determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs" in step 103 of fig. 1.
Step 3034, performing access control on the access request according to the user's service permission for the service type.
In this embodiment, performing access control on the access request according to the user's service permission for the service type specifically includes:
if the user's service permission for the service type is access allowed, processing the service according to the access request and returning the service processing result;
if the user's service permission for the service type is access prohibited, returning an access response carrying information indicating that access is prohibited.
As can be seen from the method of fig. 3, in this embodiment user groups are divided according to roles and service permissions; a behavior filtering rule is configured for each user group, so that users with the same role but different service permissions are placed in different user groups when they log in to the access control system, and the identifier of the user group to which each user belongs is recorded by adding it to the user information; and service permission information corresponding to each user group is configured for each service type, so that when an access request from a user for any service type is received, the user's service permission for that service type can be determined from the service permission information configured for the service type and the user group identifier in the user information, and access control is performed on the access request according to that service permission information and user group identifier. Behavior restriction on users can therefore be realized in application scenarios where the same role has different service permissions.
Referring to fig. 4, which is a flowchart of an access control method according to a fourth embodiment of the present invention, the method mainly includes the following steps:
Step 401, dividing user groups according to roles and service permissions, configuring a behavior filtering rule for each user group, and configuring, for each service type, service permission information corresponding to each user group.
In practice, the service permission may take various forms, such as different operation permissions for the service.
In this embodiment, the service permission information configured for each service type and corresponding to each user group includes a user group identifier and an access permission, where the access permission is either access allowed or access prohibited.
Step 402, when a user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and adding the user information to the user information list of that user group.
In this embodiment, after the user group to which the user belongs has been determined according to the behavior filtering rules, it may be recorded so that it can subsequently be obtained from the record instead of being determined again according to the behavior filtering rules.
In this embodiment, recording the user group to which the user belongs specifically means adding the user information to the user information list of that user group.
Step 402 above is a specific refinement of step 102 of fig. 1.
Step 4031, after the user has logged in to the access control system, receiving an access request from the user for any service type.
Step 4032, examining the access permissions in the service permission information configured for the service type: if all of them are access allowed, go to step 4033; if all of them are access prohibited, go to step 4034; otherwise, go to step 4035.
Step 4033, determining the user's service permission for the service type as access allowed;
Step 4034, determining the user's service permission for the service type as access prohibited;
Step 4035, among the service permission information configured for the service type, identifying the entries whose access permission is access allowed, and searching for the user's information in the user information lists of the user groups corresponding to those entries; if the user's information is found, determining the user's service permission for the service type as access allowed, otherwise determining it as access prohibited.
Steps 4032 to 4035 above are a specific refinement of "determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs" in step 103 of fig. 1.
Step 4036, performing access control on the access request according to the user's service permission for the service type.
In this embodiment, performing access control on the access request according to the user's service permission for the service type specifically includes:
if the user's service permission for the service type is access allowed, processing the service according to the access request and returning the service processing result;
if the user's service permission for the service type is access prohibited, returning an access response carrying information indicating that access is prohibited.
As can be seen from the method of fig. 4, in this embodiment user groups are divided according to roles and service permissions; a behavior filtering rule is configured for each user group, so that users with the same role but different service permissions are placed in different user groups when they log in to the access control system, and the user information is added to the user information list of the user group to which the user belongs; and service permission information corresponding to each user group is configured for each service type, so that when an access request from a user for any service type is received, the user's service permission for that service type can be determined from the service permission information configured for the service type and the user information list of the user group to which the user belongs, and access control is performed on the access request according to that service permission information. Behavior restriction on users can therefore be realized in application scenarios where the same role has different service permissions.
The access control method according to the embodiments of the present invention has been described in detail above; it is now described with reference to a specific example.
Suppose a company develops an access control system for medical services that provides medical services to patients. Patients with a certain disease (for example, novel coronavirus pneumonia) may hold the same role yet have different service permissions: all patients with that disease are regarded as one role, but when medical services are provided, patients of that role who meet certain conditions are offered a specific medical service, while patients of that role who do not meet those conditions are not. This is a case of the same role with different service permissions.
For this situation, the access control method provided by the above embodiments may be used to restrict the behavior of patients with the specific disease. The specific implementation is as follows:
Step S1, dividing user groups according to roles and service permissions.
Specifically, patients with the specific disease are divided into two user groups according to whether they are entitled to the specific medical service: users in one user group (hereinafter user group 1) are entitled to the specific medical service, and users in the other user group (hereinafter user group 2) are not.
The same processing as in step S1 also applies to patients with other diseases and is not described further here.
Step S2, configuring a behavior filtering rule for each user group, and configuring, for each service type, service permission information corresponding to each user group.
Specifically, the behavior filtering rule configured for user group 1 includes: patients with the specific disease who completed registration by scanning a two-dimensional code provided by a doctor; patients with the specific disease who are in a user information list (hereinafter user information list 1) of patients known to be at a certain location; and patients with the specific disease who are in a user information list supplied by the company (hereinafter user information list 2). The behavior filtering rule configured for user group 2 is: the patients with the specific disease who are filtered out by the behavior filtering rule configured for user group 1.
In addition, assume there are service 1 and service 2, where service 1 is the specific medical service and service 2 is not. The service permission information configured for the two services is as follows:
1) The service permission information configured for service 1 and corresponding to user group 1 comprises the identifier of user group 1 and access allowed; the service permission information configured for service 1 and corresponding to user group 2 comprises the identifier of user group 2 and access prohibited.
2) The service permission information configured for service 2 and corresponding to user group 1 comprises the identifier of user group 1 and access allowed; the service permission information configured for service 2 and corresponding to user group 2 comprises the identifier of user group 2 and access allowed.
Step S3, when the user logs in to the access control system, determining the user group to which the user belongs according to the behavior filtering rules, and recording the user group to which the user belongs.
When a patient suffering from the specific disease logs in to the access control system, the patient is determined to belong to user group 1 if the patient registered by scanning the two-dimensional code provided by a doctor, or appears in user information list 1 or user information list 2, and may then be added to the user information list of user group 1; otherwise the patient is determined to belong to user group 2 and may be added to the user information list of user group 2.
Step S4, after the user logs in the access control system, receiving an access request of the user for any service type, determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to the service authority of the user for the service type.
After a patient suffering from the specific disease logs in to the access control system, a request to access service 1 triggers an access request for service 1. On receiving it, the access control system determines that only patients in user group 1 may access service 1, and therefore searches for the patient's information in the user information list of user group 1. If it is found, the patient is determined to be permitted to access service 1 and the access request undergoes service processing; if it is not found, the patient is determined to be prohibited from accessing service 1, and an access response carrying information indicating prohibited access can be returned so that the patient knows service 1 cannot be accessed.
After logging in to the access control system, if a patient suffering from the specific disease wants to access service 2, an access request for service 2 is triggered. On receiving it, the access control system determines that patients in both user group 1 and user group 2 may access service 2, so the patient is determined to be permitted to access service 2 and the access request undergoes service processing.
As the above example shows, patients suffering from the specific disease are divided into two user groups according to their different access rights to service 1 and service 2, and configuring behavior filtering rules for the two user groups places each patient into one of them at login. By configuring, for service 1 and service 2 respectively, the service authority information corresponding to each user group, the access control system can, on receiving a patient's access request for service 1 or service 2, determine the patient's service authority for that service type from the service authority information configured for it and the record of the patient's user group, and control the access request accordingly, thereby realizing behavior control over patients suffering from the specific disease.
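The two-group, two-service example above, written out as runnable code. This is an added illustration, not code from the patent or its assignee. The names are this example's own assumptions: the login mode for "registered by scanning the doctor's two-dimensional code" is the string `doctor_qr`, user information lists 1 and 2 are sets of user identifiers, user group 2 is the complement of user group 1 as the description states, and an unknown service or a missing authority entry is treated as prohibited access (a defensive default the page does not state). Group membership is recorded as a group identification on the user information, the variant later described for the recording unit 502.

```python
"""Worked example of steps S1-S4 of the described access control method.
Added illustration, not the patent's code; names and sample data are constructed."""
from dataclasses import dataclass
from enum import Enum


class Access(Enum):
    PERMIT = "permit access"
    PROHIBIT = "prohibit access"


@dataclass(frozen=True)
class FilterRule:
    """Behavior filtering rule for one user group; any matching clause places the user in it."""
    login_modes: frozenset = frozenset()       # login mode(s) set for the group
    known_users: frozenset = frozenset()       # user information list known to belong (list 1)
    designated_users: frozenset = frozenset()  # user information list designated to belong (list 2)

    def matches(self, user_id: str, login_mode: str) -> bool:
        return (login_mode in self.login_modes
                or user_id in self.known_users
                or user_id in self.designated_users)


class AccessControlSystem:
    def __init__(self, rules, default_group, service_authority):
        self.rules = rules                          # [(group_id, FilterRule)], checked in order
        self.default_group = default_group          # group for users no rule matches (user group 2)
        self.service_authority = service_authority  # {service: {group_id: Access}}
        self.user_info = {}                         # user_id -> {"group": group_id}

    def login(self, user_id: str, login_mode: str) -> str:
        """S3: decide the group from the filtering rules and record it on the user information."""
        group = next((g for g, rule in self.rules if rule.matches(user_id, login_mode)),
                     self.default_group)
        self.user_info[user_id] = {"group": group}
        return group

    def service_authority_of(self, user_id: str, service: str) -> Access:
        """S4, group-identification variant: look up the recorded group id in the service's entries."""
        info = self.user_info.get(user_id)
        if info is None:
            raise PermissionError("user is not logged in")
        # Assumption: no entry for the service/group means prohibited access.
        return self.service_authority.get(service, {}).get(info["group"], Access.PROHIBIT)

    def handle_request(self, user_id: str, service: str, process) -> dict:
        """S4: perform service processing, or return a response indicating prohibited access."""
        if self.service_authority_of(user_id, service) is Access.PERMIT:
            return {"service": service, "status": "ok", "result": process()}
        return {"service": service, "status": "prohibited",
                "message": f"access to {service} is prohibited"}


def build_example_system() -> AccessControlSystem:
    """S1/S2 configuration for the two-group, two-service example (constructed sample data)."""
    group1_rule = FilterRule(login_modes=frozenset({"doctor_qr"}),
                             known_users=frozenset({"patient-k1"}),       # user information list 1
                             designated_users=frozenset({"patient-d1"}))  # user information list 2
    authority = {
        "service 1": {"group1": Access.PERMIT, "group2": Access.PROHIBIT},  # the specific medical service
        "service 2": {"group1": Access.PERMIT, "group2": Access.PERMIT},
    }
    return AccessControlSystem(rules=[("group1", group1_rule)], default_group="group2",
                               service_authority=authority)


def run_example() -> dict:
    """Log four constructed patients in and request both services; returns (group, s1 status, s2 status)."""
    acs = build_example_system()
    outcomes = {}
    for user, mode in [("patient-qr", "doctor_qr"), ("patient-k1", "password"),
                       ("patient-d1", "password"), ("patient-x", "password")]:
        group = acs.login(user, mode)
        outcomes[user] = (group,
                          acs.handle_request(user, "service 1", lambda: "served")["status"],
                          acs.handle_request(user, "service 2", lambda: "served")["status"])
    return outcomes


if __name__ == "__main__":
    for user, outcome in run_example().items():
        print(user, *outcome)
```

Only `patient-x`, who matches none of the three clauses of the group 1 rule, lands in group 2 and is refused service 1; every path still passes through the same per-service lookup, so the decision depends solely on the recorded group and the configured entries, never on the request itself.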
An embodiment of the present invention further provides an access control apparatus, as shown in fig. 5, the apparatus includes:
a configuration unit 501, configured to divide user groups according to roles and service permissions, configure behavior filtering rules for each user group, and configure service permission information corresponding to each user group for each service type;
the recording unit 502 is used for determining a user group to which the user belongs according to the behavior filtering rule and recording the user group to which the user belongs when the user logs in the access control system;
the processing unit 503, after the user logs in the access control system, receives an access request of the user for any service type, determines the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, and performs access control on the access request according to the service authority of the user for the service type.
In the apparatus shown in fig. 5,
the behavior filtering rule configured for each user group comprises at least one of the following: a login mode set for the user group, a user information list known to belong to the user group, and a user information list designated to belong to the user group;
the recording unit 502 determines the user group to which the user belongs according to the behavior filtering rule, and records the user group to which the user belongs, by:
for each user group,
when the behavior filtering rule configured for the user group comprises a login mode set for the user group, determining the login mode of the user, and if the login mode of the user is the same as the login mode set for the user group, determining that the user belongs to the user group;
when the behavior filtering rule configured for the user group comprises a user information list known to belong to the user group, if the user information is located in that list, determining that the user belongs to the user group;
when the behavior filtering rule configured for the user group comprises a user information list designated to belong to the user group, if the user information is located in that list, determining that the user belongs to the user group.
In the apparatus shown in fig. 5,
the service authority information configured for each service type and corresponding to each user group comprises a user group identification and an access authority; the access authority comprises permitted access and prohibited access;
the recording unit 502 records the user group to which the user belongs by adding the identification of that user group to the user information;
the processing unit 503 determines the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, by:
searching the service authority information configured for the service type for the user group identification carried in the user information;
and determining the access authority in the service authority information found as the service authority of the user for the service type.
In the apparatus shown in fig. 5,
the service authority information configured for each service type and corresponding to each user group comprises a user group identification and an access authority; the access authority comprises permitted access and prohibited access;
the recording unit 502 records the user group to which the user belongs by adding the user information to the user information list of that user group;
the processing unit 503 determines the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, by:
if the access authorities in all the service authority information configured for the service type are permitted access, determining that the service authority of the user for the service type is permitted access;
if the access authorities in all the service authority information configured for the service type are prohibited access, determining that the service authority of the user for the service type is prohibited access;
otherwise, identifying the service authority information configured for the service type whose access authority is permitted access, searching for the user information in the user information list of the user group corresponding to that service authority information, and, if the user information is found, determining that the service authority of the user for the service type is permitted access, or otherwise that it is prohibited access.
In the apparatus shown in fig. 5,
the processing unit 503 performs access control on the access request according to the service authority of the user for the service type by:
if the service authority of the user for the service type is permitted access, performing service processing according to the access request and returning the service processing result;
and if the service authority of the user for the service type is prohibited access, returning an access response carrying information indicating that access is prohibited.
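The membership-list variant of the processing unit 503 just described, as an added illustration that is not the patent's code. Here the record made at login is the user's presence in a group's user information list rather than a group identification stored on the user information, so the determination has the three branches given above: every entry permits, every entry prohibits, or the user is searched for in the lists of the permitting groups. The function and variable names are this example's own, the sample data is constructed, and a service type with no configured entries is treated as prohibited access (an assumption; the page does not cover that case).

```python
"""Membership-list variant of the service-authority determination.
Added illustration, not the patent's code; names and sample data are constructed."""
from enum import Enum


class Access(Enum):
    PERMIT = "permit access"
    PROHIBIT = "prohibit access"


def determine_service_authority(service_entries: dict, group_lists: dict, user_id: str) -> Access:
    """service_entries: {group_id: Access} configured for one service type.
    group_lists: {group_id: set of user ids}, the user information lists filled at login."""
    rights = set(service_entries.values())
    if rights == {Access.PERMIT}:                   # all entries permit: no list lookup needed
        return Access.PERMIT
    if rights == {Access.PROHIBIT} or not rights:   # all prohibit, or nothing configured (assumption)
        return Access.PROHIBIT
    # Mixed case: the user must appear in the list of a group whose entry permits access.
    permitting = [g for g, r in service_entries.items() if r is Access.PERMIT]
    if any(user_id in group_lists.get(g, set()) for g in permitting):
        return Access.PERMIT
    return Access.PROHIBIT


def access_control(service: str, service_entries: dict, group_lists: dict, user_id: str, process) -> dict:
    """Perform service processing on permitted access; otherwise return a response indicating prohibition."""
    if determine_service_authority(service_entries, group_lists, user_id) is Access.PERMIT:
        return {"service": service, "status": "ok", "result": process()}
    return {"service": service, "status": "prohibited",
            "message": f"access to {service} is prohibited"}


# Constructed sample configuration: two user groups and three service types.
GROUP_LISTS = {"group1": {"patient-a"}, "group2": {"patient-b"}}
SERVICE_AUTHORITY = {
    "service 1": {"group1": Access.PERMIT, "group2": Access.PROHIBIT},    # mixed: list lookup
    "service 2": {"group1": Access.PERMIT, "group2": Access.PERMIT},      # all permit
    "service 3": {"group1": Access.PROHIBIT, "group2": Access.PROHIBIT},  # all prohibit
}


def run_example() -> dict:
    """Statuses for each constructed user across the three services, in configuration order."""
    out = {}
    for user in ("patient-a", "patient-b", "patient-unknown"):
        out[user] = tuple(access_control(s, e, GROUP_LISTS, user, lambda: "served")["status"]
                          for s, e in SERVICE_AUTHORITY.items())
    return out


if __name__ == "__main__":
    for user, statuses in run_example().items():
        print(user, *statuses)
```

The all-permit and all-prohibit branches never consult the lists, so for those service types the outcome is the same for any logged-in user; the lists only matter for service types whose entries differ between groups, which is exactly where a stale or incomplete list would change the decision.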
An embodiment of the present invention further provides an electronic device, as shown in fig. 6, where the electronic device includes: at least one processor 601, and a memory 602 connected to the at least one processor 601 through a bus; the memory 602 stores one or more computer programs executable by the at least one processor 601; the at least one processor 601, when executing the one or more computer programs, implements the steps in the access control method shown in any of the flowcharts of fig. 1-4.
Embodiments of the present invention also provide a computer-readable storage medium storing one or more computer programs, which when executed by a processor implement the steps in the access control method shown in any of the flowcharts in fig. 1-4.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (12)

1. An access control method, characterized in that the method comprises:
dividing user groups according to roles and service authorities, configuring behavior filtering rules for each user group, and configuring service authority information corresponding to each user group for each service type;
when a user logs in an access control system, determining a user group to which the user belongs according to the behavior filtering rule, and recording the user group to which the user belongs;
after a user logs in an access control system, receiving an access request of the user aiming at any service type, determining the service authority of the user to the service type according to service authority information configured for the service type and records of a user group to which the user belongs, and performing access control on the access request according to the service authority of the user to the service type.
2. The method of claim 1, wherein
the behavior filtering rule configured for each user group comprises at least one of the following: a login mode set for the user group, a user information list known to belong to the user group, and a user information list designated to belong to the user group;
the determining the user group to which the user belongs according to the behavior filtering rule includes:
for each user group,
when the behavior filtering rule configured for the user group comprises a login mode set for the user group, determining the login mode of the user, and if the login mode of the user is the same as the login mode set for the user group, determining that the user belongs to the user group;
when the behavior filtering rule configured for the user group comprises a user information list known to belong to the user group, if the user information is located in that list, determining that the user belongs to the user group;
when the behavior filtering rule configured for the user group comprises a user information list designated to belong to the user group, if the user information is located in that list, determining that the user belongs to the user group.
3. The method of claim 1, wherein
the service authority information configured for each service type and corresponding to each user group comprises a user group identification and an access authority; the access authority comprises permitted access and prohibited access;
the recording of the user group to which the user belongs comprises: adding the identification of the user group to which the user belongs to the user information;
the determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs comprises:
searching the service authority information configured for the service type for the user group identification carried in the user information;
and determining the access authority in the service authority information found as the service authority of the user for the service type.
4. The method of claim 1, wherein
the service authority information configured for each service type and corresponding to each user group comprises a user group identification and an access authority; the access authority comprises permitted access and prohibited access;
the recording of the user group to which the user belongs comprises: adding the user information to the user information list of the user group to which the user belongs;
the determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs comprises:
if the access authorities in all the service authority information configured for the service type are permitted access, determining that the service authority of the user for the service type is permitted access;
if the access authorities in all the service authority information configured for the service type are prohibited access, determining that the service authority of the user for the service type is prohibited access;
otherwise, identifying the service authority information configured for the service type whose access authority is permitted access, searching for the user information in the user information list of the user group corresponding to that service authority information, and, if the user information is found, determining that the service authority of the user for the service type is permitted access, or otherwise that it is prohibited access.
5. The method according to claim 3 or 4, wherein
the performing access control on the access request according to the service authority of the user for the service type includes:
if the service authority of the user for the service type is permitted access, performing service processing according to the access request and returning the service processing result;
and if the service authority of the user for the service type is prohibited access, returning an access response carrying information indicating that access is prohibited.
6. An access control apparatus, characterized in that the apparatus comprises:
the configuration unit is used for dividing user groups according to roles and service authorities, configuring behavior filtering rules for each user group and configuring service authority information corresponding to each user group for each service type;
the recording unit is used for determining a user group to which the user belongs according to the behavior filtering rule and recording the user group to which the user belongs when the user logs in the access control system;
and the processing unit is used for receiving an access request of a user for any service type after the user logs in the access control system, determining the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs, and performing access control on the access request according to the service authority of the user for the service type.
7. The apparatus of claim 6, wherein
the behavior filtering rule configured for each user group comprises at least one of the following: a login mode set for the user group, a user information list known to belong to the user group, and a user information list designated to belong to the user group;
the recording unit determines the user group to which the user belongs according to the behavior filtering rule by:
for each user group,
when the behavior filtering rule configured for the user group comprises a login mode set for the user group, determining the login mode of the user, and if the login mode of the user is the same as the login mode set for the user group, determining that the user belongs to the user group;
when the behavior filtering rule configured for the user group comprises a user information list known to belong to the user group, if the user information is located in that list, determining that the user belongs to the user group;
when the behavior filtering rule configured for the user group comprises a user information list designated to belong to the user group, if the user information is located in that list, determining that the user belongs to the user group.
8. The apparatus of claim 6, wherein
the service authority information configured for each service type and corresponding to each user group comprises a user group identification and an access authority; the access authority comprises permitted access and prohibited access;
the recording unit records the user group to which the user belongs by adding the identification of that user group to the user information;
the processing unit determines the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs by:
searching the service authority information configured for the service type for the user group identification carried in the user information;
and determining the access authority in the service authority information found as the service authority of the user for the service type.
9. The apparatus of claim 6, wherein
the service authority information configured for each service type and corresponding to each user group comprises a user group identification and an access authority; the access authority comprises permitted access and prohibited access;
the recording unit records the user group to which the user belongs by adding the user information to the user information list of that user group;
the processing unit determines the service authority of the user for the service type according to the service authority information configured for the service type and the record of the user group to which the user belongs by:
if the access authorities in all the service authority information configured for the service type are permitted access, determining that the service authority of the user for the service type is permitted access;
if the access authorities in all the service authority information configured for the service type are prohibited access, determining that the service authority of the user for the service type is prohibited access;
otherwise, identifying the service authority information configured for the service type whose access authority is permitted access, searching for the user information in the user information list of the user group corresponding to that service authority information, and, if the user information is found, determining that the service authority of the user for the service type is permitted access, or otherwise that it is prohibited access.
10. The apparatus according to claim 8 or 9, wherein
the processing unit performs access control on the access request according to the service authority of the user for the service type by:
if the service authority of the user for the service type is permitted access, performing service processing according to the access request and returning the service processing result;
and if the service authority of the user for the service type is prohibited access, returning an access response carrying information indicating that access is prohibited.
11. An electronic device, comprising: at least one processor and a memory connected to the at least one processor through a bus; the memory stores one or more computer programs executable by the at least one processor; characterized in that the at least one processor, when executing the one or more computer programs, implements the steps in the method of any one of claims 1-5.
12. A computer-readable storage medium, characterized in that the computer-readable storage medium stores one or more computer programs which, when executed by a processor, implement the steps in the method of any one of claims 1-5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110123099.4A CN113806726A (en) 2021-01-29 2021-01-29 Access control method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN113806726A true CN113806726A (en) 2021-12-17

Family

ID=78892821

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110123099.4A Pending CN113806726A (en) 2021-01-29 2021-01-29 Access control method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113806726A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115766296A (en) * 2023-01-09 2023-03-07 广东中思拓大数据研究院有限公司 User account authority control method, device, server and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination