CN114244595A - Method and device for acquiring authority information, computer equipment and storage medium - Google Patents


Publication number
CN114244595A
Authority
CN
China
Prior art keywords: sub; authority; topological relation; query; relation graph
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111506120.5A
Other languages
Chinese (zh)
Other versions
CN114244595B (en)
Inventor
马晨明
董勇
单荣杨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Dajia Internet Information Technology Co Ltd
Original Assignee
Beijing Dajia Internet Information Technology Co Ltd
Application filed by Beijing Dajia Internet Information Technology Co Ltd
Priority to CN202111506120.5A
Publication of CN114244595A
Application granted
Publication of CN114244595B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Abstract

The disclosure relates to a method and a device for acquiring authority information, computer equipment and a storage medium, and belongs to the technical field of networks. The method comprises the following steps: acquiring at least one data record associated with the authority of the target object; constructing a topological relation graph based on the at least one data record; and acquiring the management and control data of the authority based on the business rule information associated with the authority and the topological relation graph. Because the data records associated with the authority are dumped into the corresponding topological relation graph, generating the management and control data of the authority does not require complex cascade query operations on the data records: after the business rule information is parsed into query operations, those operations are executed directly on the topological relation graph, namely graph data. This greatly improves the efficiency of calculating the management and control data, breaks the limitation of the RBAC (role-based access control) model, and makes the method and the device suitable for application scenarios with many kinds of jobs and complex business rules.

Description

Method and device for acquiring authority information, computer equipment and storage medium
Technical Field
The present disclosure relates to the field of network technologies, and in particular, to a method and an apparatus for acquiring rights information, a computer device, and a storage medium.
Background
With the development of internet technology, in some communication applications, a Role-Based Access Control (RBAC) model is generally used to assign permissions to accounts of users. For example, in an enterprise communication application, a series of roles (e.g., jobs) are usually created for each enterprise, and different access control permissions are configured for different roles, so that after the account of each user establishes a corresponding relationship with a role, the access control permission configured for the role is acquired. The RBAC model only supports the creation of a small number of roles (usually 10-20), needs manual assistance when the roles are created, and cannot be applied to scenes with various roles and complex business rules.
Disclosure of Invention
The disclosure provides a method and a device for acquiring authority information, computer equipment and a storage medium, so as to at least provide an authority management and control scheme suitable for scenes with various types of jobs and complex business rules. The technical scheme of the disclosure is as follows:
according to an aspect of the embodiments of the present disclosure, a method for acquiring authority information is provided, including:
acquiring at least one data record associated with the authority of the target object;
constructing a topological relation graph based on the at least one data record, wherein the topological relation graph is used for representing the incidence relation between the attribute name and the attribute value in each data record;
and acquiring management and control data of the authority based on the business rule information associated with the authority and the topological relation graph, wherein the management and control data is used for providing an access control strategy for the resource associated with the authority.
In one possible implementation, each of the at least one data record corresponds to a child object within the target object;
the topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of a sub-object, and each directed edge corresponds to an attribute name of the attribute value corresponding to the pointed node.
In one possible embodiment, the constructing the topological relation graph based on the at least one data record includes:
constructing each node in the topological relation graph based on each attribute value in each data record;
and constructing each directed edge connecting different nodes in the topological relation graph based on each attribute name in each data record.
In a possible implementation manner, the obtaining the management and control data of the authority based on the business rule information associated with the authority and the topological relation graph includes:
parsing the business rule information to obtain at least one query instruction for the topological relation graph;
executing the at least one query instruction based on the topological relation graph to obtain at least one query result;
generating the management and control data based on the at least one query result.
In one possible implementation manner, the topological relation graph is stored in a form of a hash table, wherein a plurality of sets are recorded in the hash table, and each set stores an attribute value of one node in the topological relation graph, an attribute name of a directed edge accessing the node, and attribute values of other nodes connected with the node;
the executing the at least one query instruction based on the topological relation graph to obtain at least one query result comprises:
and executing corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain at least one query result.
In one possible embodiment, the performing, based on the at least one query instruction, the corresponding processing operation on each set in the hash table to obtain the at least one query result includes:
for each query instruction, determining a target attribute value carried by the query instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
In a possible implementation manner, in a case that the query instruction carries a plurality of target attribute values, the obtaining a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table includes:
and executing processing operation matched with the query semantics of the query instruction on a target set corresponding to the target attribute values to obtain a query result of the query instruction.
In one possible implementation, the management and control data is stored in the form of a bitmap, and each element in the bitmap characterizes whether the sub-object indexed by the row of the element has the authority over the sub-object indexed by the column of the element;
the generating the management and control data based on the at least one query result comprises:
assigning a corresponding index to each child object in the target object;
and based on the at least one query result, assigning values to the elements determined by the row where the index associated with each sub-object is located and the columns where the indexes associated with other sub-objects are located, so as to generate the bitmap.
In one possible embodiment, the sub-objects of the target object comprise at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
the generated bitmap includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
In one possible embodiment, the assigning a corresponding index to each child object in the target object includes:
distributing corresponding indexes to each member sub-object, each department sub-object and each application sub-object related to the target object;
the assigning, based on the at least one query result, the elements determined by the row of the index associated with each sub-object and the columns of the indexes associated with other sub-objects to generate the bitmap includes:
for each member sub-object, based on the at least one query result, assigning values to elements determined by the row where the index associated with the member sub-object is located and the column where the index associated with other sub-objects is located, so as to generate a first bitmap, a second bitmap and a third bitmap of the authority;
wherein each row and each column in the first bitmap corresponds to a member sub-object, each row in the second bitmap corresponds to a member sub-object and each column corresponds to a department sub-object, each row in the third bitmap corresponds to a member sub-object and each column corresponds to an application sub-object.
In a possible implementation manner, the assigning the determined element in the row where the index associated with each sub-object is located and the column where the indexes associated with other sub-objects are located includes:
when the query result indicates that the sub-object has the authority over any other sub-object, assigning the element to be 1 in the bitmap;
and when the query result indicates that the sub-object does not have the authority over any other sub-object, assigning the element to be 0 in the bitmap.
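The following Python sketch is an added example, not code from the patent. It walks the embodiments above end to end: data records are dumped into a hash table of sets, query instructions are resolved with set operations, and the results fill a member-to-member bitmap. The record fields, the rule format and the "and"/"or" query semantics are assumptions made for illustration; this page does not give the NetQL syntax.

```python
from collections import defaultdict

# Constructed sample data records, one per member sub-object (not from the patent).
RECORDS = [
    {"id": "alice", "department": "finance", "level": "manager"},
    {"id": "bob",   "department": "finance", "level": "staff"},
    {"id": "carol", "department": "hr",      "level": "staff"},
    {"id": "dave",  "department": "hr",      "level": "manager"},
]

# Hypothetical parsed business rules: every member matched by "subject" holds the
# authority over every member matched by "object". Each side is one query
# instruction: (query semantics, [target (attribute name, attribute value), ...]).
RULES = [
    {"subject": ("and", [("department", "finance"), ("level", "manager")]),
     "object":  ("or",  [("department", "hr")])},
    {"subject": ("or",  [("department", "hr")]),
     "object":  ("or",  [("department", "hr")])},
]


def build_graph(records, key="id"):
    """Store the graph as a hash table: (edge name, node value) -> sub-object ids."""
    table = defaultdict(set)
    for record in records:
        for name, value in record.items():
            if name != key:
                table[(name, value)].add(record[key])
    return dict(table)


def run_query(table, instruction):
    """Resolve each target attribute value to its target set, then combine them."""
    semantics, targets = instruction
    # An attribute value absent from the graph yields an empty set, so a rule
    # that names it grants nothing.
    target_sets = [table.get(target, set()) for target in targets]
    if not target_sets:
        return set()
    if semantics == "and":
        return set.intersection(*target_sets)
    if semantics == "or":
        return set.union(*target_sets)
    raise ValueError(f"unsupported query semantics: {semantics!r}")


def build_bitmap(records, table, rules, key="id"):
    """Return (index, rows); bit j of rows[i] is 1 when i has the authority over j."""
    index = {record[key]: i for i, record in enumerate(records)}
    rows = [0] * len(index)  # every element starts at 0: no authority
    for rule in rules:
        subjects = run_query(table, rule["subject"])
        mask = 0
        for member in run_query(table, rule["object"]):
            mask |= 1 << index[member]
        for member in subjects:
            rows[index[member]] |= mask
    return index, rows


def has_authority(index, rows, source, target):
    """Look up one element; unknown sub-objects are treated as having no authority."""
    if source not in index or target not in index:
        return False
    return bool((rows[index[source]] >> index[target]) & 1)


if __name__ == "__main__":
    graph = build_graph(RECORDS)
    index, rows = build_bitmap(RECORDS, graph, RULES)
    for name, i in index.items():
        # Column j is bit j counted from the right-hand side of each printed row.
        print(f"{name:6s} {rows[i]:0{len(index)}b}")
```
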
In one possible embodiment, the method further comprises:
dividing each sub-object in the target object into a plurality of sub-object sets;
the generating the management and control data based on the at least one query result comprises:
for each computing device in a plurality of computing devices, determining, from the plurality of sub-object sets, any sub-object set for which management and control data has not been generated;
generating part of management and control data corresponding to the sub-object set based on the query result corresponding to the sub-object set in the at least one query result;
and combining all parts of management and control data generated by the plurality of computing devices to obtain the management and control data.
In one possible embodiment, the method further comprises:
at every target time interval, acquiring an update instruction associated with the authority that was received within the target time interval, wherein the update instruction is used for changing at least one of the data record or the business rule information associated with the authority of the target object;
updating the topological relation graph based on the updating instruction;
and updating the management and control data of the authority based on the updated topological relation graph.
In one possible embodiment, the method further comprises:
allocating a version number to the management and control data obtained for the first time and to the management and control data obtained by each update, wherein the version number increases monotonically with the generation timestamp of the management and control data;
and in response to any permission query request carrying a version number, returning target state information when the carried version number is the same as the maximum version number of the management and control data, wherein the target state information is used for representing that the management and control data is unchanged.
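The sketch below is an added example, not code from the patent. It illustrates the last three embodiments together: sub-objects are divided into sub-object sets that several workers (threads standing in for computing devices) claim and process, the partial results are merged, and each published snapshot gets a version number that a query can carry to learn that nothing changed. The names SnapshotStore, UNCHANGED and the integer timestamps are assumptions; the query results in GRANTS are constructed sample data.

```python
import queue
from concurrent.futures import ThreadPoolExecutor

UNCHANGED = "UNCHANGED"  # hypothetical value standing in for the "target state information"


def compute_partial(subset, index, grants):
    """One device's work: bitmap rows for the sub-objects in one sub-object set."""
    partial = {}
    for member in subset:
        row = 0
        for target in grants.get(member, ()):
            if target in index:  # ignore grants that point at unknown sub-objects
                row |= 1 << index[target]
        partial[index[member]] = row
    return partial


def generate(members, grants, devices=2, subset_size=2):
    """Split members into sub-object sets, let devices claim unprocessed sets, merge."""
    index = {member: i for i, member in enumerate(members)}
    pending = queue.Queue()
    for start in range(0, len(members), subset_size):
        pending.put(members[start:start + subset_size])

    def device():
        produced = {}
        while True:
            try:
                subset = pending.get_nowait()  # a set no device has processed yet
            except queue.Empty:
                return produced
            produced.update(compute_partial(subset, index, grants))

    with ThreadPoolExecutor(max_workers=devices) as pool:
        futures = [pool.submit(device) for _ in range(devices)]
        parts = [future.result() for future in futures]

    rows = {}
    for part in parts:
        if rows.keys() & part.keys():
            raise RuntimeError("a sub-object was processed by two devices")
        rows.update(part)
    if len(rows) != len(members):
        # A missing row would read as all zeros (no authority); refuse to publish it.
        raise RuntimeError("incomplete management and control data")
    return index, [rows[i] for i in range(len(members))]


class SnapshotStore:
    """Holds the latest management and control data and its version number."""

    def __init__(self):
        self.version = 0
        self.generated_at = None
        self.index, self.rows = {}, []

    def publish(self, index, rows, generated_at):
        # The version number must grow together with the generation timestamp,
        # so a snapshot generated no later than the current one is rejected.
        if self.generated_at is not None and generated_at <= self.generated_at:
            raise ValueError("snapshot is not newer than the published one")
        self.version += 1
        self.generated_at = generated_at
        self.index, self.rows = index, rows
        return self.version

    def query(self, member, client_version=None):
        """Return (max version, row), or (max version, UNCHANGED) on a version match."""
        if client_version is not None and client_version == self.version:
            return self.version, UNCHANGED
        position = self.index.get(member)
        return self.version, (0 if position is None else self.rows[position])


# Constructed query results: member -> members it has the authority over.
MEMBERS = ["alice", "bob", "carol", "dave", "erin"]
GRANTS = {"alice": {"carol", "dave"}, "carol": {"carol", "dave"}, "dave": {"carol", "dave"}}

if __name__ == "__main__":
    store = SnapshotStore()
    version = store.publish(*generate(MEMBERS, GRANTS), generated_at=100)
    print(store.query("alice"), store.query("alice", version))
```
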
According to another aspect of the embodiments of the present disclosure, there is provided an apparatus for acquiring authority information, including:
a first acquisition unit configured to acquire at least one data record associated with the authority of a target object;
a building unit configured to construct a topological relation graph based on the at least one data record, wherein the topological relation graph is used for representing the association relation between the attribute name and the attribute value in each data record;
and a second acquisition unit configured to acquire management and control data of the authority based on the business rule information associated with the authority and the topological relation graph, wherein the management and control data is used for providing an access control strategy for the resource associated with the authority.
In one possible implementation, each of the at least one data record corresponds to a child object within the target object;
the topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of a sub-object, and each directed edge corresponds to an attribute name of the attribute value corresponding to the pointed node.
In a possible embodiment, the building unit is configured to perform:
constructing each node in the topological relation graph based on each attribute value in each data record;
and constructing each directed edge connecting different nodes in the topological relation graph based on each attribute name in each data record.
In one possible implementation, the second obtaining unit includes:
an analysis subunit configured to parse the business rule information to obtain at least one query instruction for the topological relation graph;
an execution subunit configured to execute the at least one query instruction based on the topological relation graph to obtain at least one query result;
a generating subunit configured to generate the management and control data based on the at least one query result.
In one possible implementation manner, the topological relation graph is stored in a form of a hash table, wherein a plurality of sets are recorded in the hash table, and each set stores an attribute value of one node in the topological relation graph, an attribute name of a directed edge accessing the node, and attribute values of other nodes connected with the node;
the execution subunit is configured to perform:
and executing corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain at least one query result.
In one possible embodiment, the execution subunit is configured to perform:
for each query instruction, determining a target attribute value carried by the query instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
In one possible embodiment, in a case that a plurality of the target attribute values are carried in the query instruction, the execution subunit is configured to perform:
and executing processing operation matched with the query semantics of the query instruction on a target set corresponding to the target attribute values to obtain a query result of the query instruction.
In one possible implementation, the management and control data is stored in the form of a bitmap, and each element in the bitmap characterizes whether the sub-object indexed by the row of the element has the authority over the sub-object indexed by the column of the element;
the generating subunit includes:
an allocation subunit configured to assign a corresponding index to each sub-object in the target object;
and a generation subunit configured to assign, based on the at least one query result, values to the elements determined by the row where the index associated with each sub-object is located and the columns where the indexes associated with other sub-objects are located, so as to generate the bitmap.
In one possible embodiment, the sub-objects of the target object comprise at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
the generated bitmap includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
In one possible embodiment, the allocation subunit is configured to perform:
distributing corresponding indexes to each member sub-object, each department sub-object and each application sub-object related to the target object;
the generation subunit is configured to perform:
for each member sub-object, based on the at least one query result, assigning values to elements determined by the row where the index associated with the member sub-object is located and the column where the index associated with other sub-objects is located, so as to generate a first bitmap, a second bitmap and a third bitmap of the authority;
wherein each row and each column in the first bitmap corresponds to a member sub-object, each row in the second bitmap corresponds to a member sub-object and each column corresponds to a department sub-object, each row in the third bitmap corresponds to a member sub-object and each column corresponds to an application sub-object.
In one possible embodiment, the generating subunit is configured to perform:
when the query result indicates that the sub-object has the authority over any other sub-object, assigning the element to be 1 in the bitmap;
and when the query result indicates that the sub-object does not have the authority over any other sub-object, assigning the element to be 0 in the bitmap.
In one possible embodiment, the apparatus further comprises:
a dividing unit configured to perform dividing each sub-object in the target object into a plurality of sub-object sets;
the generation subunit configured to perform:
for each computing device in a plurality of computing devices, determining, from the plurality of sub-object sets, any sub-object set for which management and control data has not been generated;
generating part of management and control data corresponding to the sub-object set based on the query result corresponding to the sub-object set in the at least one query result;
and combining all parts of management and control data generated by the plurality of computing devices to obtain the management and control data.
In one possible embodiment, the apparatus further comprises:
a third obtaining unit configured to obtain, at every target time interval, an update instruction associated with the authority that was received within the target time interval, wherein the update instruction is used for changing at least one of the data record or the business rule information associated with the authority of the target object;
the building unit is further configured to update the topological relation graph based on the update instruction;
the second obtaining unit is further configured to update the management and control data of the authority based on the updated topological relation graph.
In one possible embodiment, the apparatus further comprises:
an allocation unit configured to allocate a version number to the management and control data acquired for the first time and to the management and control data obtained by each update, wherein the version number increases monotonically with the generation timestamp of the management and control data;
and a return unit configured to, in response to any permission query request carrying a version number, return target state information when the carried version number is the same as the maximum version number of the management and control data, wherein the target state information is used for representing that the management and control data is unchanged.
According to another aspect of the embodiments of the present disclosure, there is provided a computer apparatus including:
one or more processors;
one or more memories for storing the one or more processor-executable instructions;
wherein the one or more processors are configured to perform the method for acquiring rights information in any one of the possible embodiments of the above-mentioned aspect.
According to another aspect of the embodiments of the present disclosure, there is provided a computer-readable storage medium, wherein at least one instruction of the computer-readable storage medium, when executed by one or more processors of a computer device, enables the computer device to perform the method for acquiring rights information in any one of the possible implementations of the above-mentioned one aspect.
According to another aspect of the embodiments of the present disclosure, there is provided a computer program product including one or more instructions executable by one or more processors of a computer device, so that the computer device can perform the method for acquiring rights information in any one of the possible implementations of the above-mentioned one aspect.
The technical scheme provided by the embodiment of the disclosure at least brings the following beneficial effects:
because the data records associated with the authority are dumped into the corresponding topological relation graph, generating the management and control data of the authority does not require complex cascade query operations on the data records: after the business rule information is parsed into query operations, those operations are executed directly on the topological relation graph, namely graph data. This greatly improves the efficiency of calculating the management and control data, breaks the limitation of the RBAC model, and makes the method and the device suitable for application scenarios with many kinds of jobs and complex business rules.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and, together with the description, serve to explain the principles of the disclosure and are not to be construed as limiting the disclosure.
FIG. 1 is a schematic diagram of an implementation environment of a rights information obtaining method according to an exemplary embodiment;
FIG. 2 is a flow diagram illustrating a method for obtaining rights information in accordance with an exemplary embodiment;
FIG. 3 is a flow diagram illustrating a method for obtaining rights information in accordance with an exemplary embodiment;
FIG. 4 is a schematic diagram of a topological relationship diagram provided by an embodiment of the present disclosure;
FIG. 5 is a schematic architecture diagram of a network topology system based on memory computing according to an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of a bitmap for managing data provided by an embodiment of the present disclosure;
FIG. 7 is a schematic diagram illustrating a storage format of management data of a single child object according to an embodiment of the present disclosure;
FIG. 8 is a flowchart of a service update for calculating and storing permissions according to an embodiment of the present disclosure;
FIG. 9 is a schematic diagram of an online service architecture for managing data according to an embodiment of the present disclosure;
FIG. 10 is a schematic diagram of an interaction interface of an application provided by an embodiment of the present disclosure;
FIG. 11 is a schematic view of an interactive interface of an application provided by an embodiment of the present disclosure;
FIG. 12 is a block diagram illustrating a logical structure of an apparatus for acquiring rights information according to an exemplary embodiment;
FIG. 13 is a block diagram illustrating a computer device according to an exemplary embodiment of the present disclosure;
FIG. 14 is a schematic structural diagram of a computer device provided in an embodiment of the present disclosure.
Detailed Description
In order to make the technical solutions of the present disclosure better understood by those of ordinary skill in the art, the technical solutions in the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the disclosure described herein are capable of operation in sequences other than those illustrated or otherwise described herein. The implementations described in the exemplary embodiments below are not intended to represent all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present disclosure, as detailed in the appended claims.
The user information to which the present disclosure relates may be information authorized by the user or sufficiently authorized by each party.
With the development of internet technology, in some communication applications, a Role-Based Access Control (RBAC) model is generally used to assign permissions to accounts of users. For example, in enterprise communication applications, since private information such as an organization structure of an enterprise address book and user information of a high management layer in an enterprise is carried, authority control and data security of such applications are very important.
In the RBAC model, users and permissions are managed through roles, for example, a series of roles (e.g., jobs) are usually created for each enterprise, different access control permissions are configured for different roles, and after a corresponding relationship between an account of each user and a role is established, the access control permission configured for the role is acquired. The RBAC model only supports the creation of a small number of roles (usually 10 to 20 roles), but in some enterprise office fields, permission judgment cannot be performed only according to a single dimension of a department (for example, some members under the same department have visible permission for members of another department, and some members do not have visible permission for members of another department), so that there is a common case that permission judgment is performed according to cross-combination calculation of attributes of the department and the members, which requires the creation of one role for each group of cross-combination in the RBAC model, and in the preliminary evaluation of the cross-combination case, thousands of different roles need to be created, while the RBAC model requires a system administrator to create roles in advance, which cannot be supported by the RBAC model.
In addition, in some enterprise office fields, it is desirable to finely control the department visibility, the member searchable and/or chat authority, etc. for different departments or members, and the authorities need to be further divided into one-way and/or two-way, so dynamic calculation of each authority needs to be performed according to the organizational structure attribute, the entity attribute, the environment attribute and some special rules, with the high-speed development of business, the authority requirement is unstable, sometimes, in order to quickly respond to the business party requirement, the system needs to support certain flexibility to ensure the stability of the system, and also needs to support business requirement change for a certain period in time, while the RBAC model does not support dynamic calculation authority, and also cannot provide flexibility for unstable authority requirement, in other words, the RBAC model cannot be applied to various kinds of businesses, such as, Scenarios with complex business rules.
In view of this, the embodiments of the present disclosure provide a method for acquiring authority information, which can construct a network topology (i.e., a topological relational graph) composed of attribute values of all members based on a memory, to solve a problem of cascade query that cannot be handled by a conventional MySQL or other relational database, and can cope with a rapid change of a service requirement by creating an operation primitive NetQL of service rule information, and in addition, finally, the finally acquired management and control data of corresponding authority can accurately represent whether each member has a certain authority to another member, so that fine access control can be achieved on resources associated with authorities of various services.
Further, in terms of calculation and storage problems, in consideration of factors such as expansion of stored data volume, high availability and calculation speed, snapshots of management and control data of various authorities are regularly constructed through timing tasks, and a distributed calculation architecture is applied to relieve the calculation load of a single node so as to support the lateral expansion of calculation capacity.
Furthermore, for the online service, a fallback strategy and a fault-tolerant mechanism are formulated to ensure the stability and high availability of the service, and the online QPS (Queries Per Second, an index for measuring throughput) of the service is improved by means of read-write separation, multi-level caching, version numbers, limiting and the like for the management and control data.
Hereinafter, an implementation environment of the embodiments of the present disclosure will be described.
Fig. 1 is a schematic diagram of an implementation environment of a method for acquiring authority information according to an exemplary embodiment. Referring to fig. 1, the implementation environment may include at least one terminal 101 and a server 102, which are described in detail below:
The terminal 101 has installed and runs an application program supporting authority query and/or resource access. Optionally, the application program includes but is not limited to: a communication application (e.g., an enterprise communication application) for the target object, a social application supporting communication between members of the target object, a conference application, an attendance application, or the like. The target object uniquely corresponds to an organizational entity including, but not limited to: enterprises, public institutions, unincorporated organizations, and the like, which is not specifically limited in this disclosure.
The terminal 101 is in direct or indirect communication connection with the server 102 by wired or wireless means.
The server 102 includes at least one of a server, a plurality of servers, a cloud computing platform, or a virtualization center. The server 102 is configured to provide a background service for the application program supporting authority query and/or resource access; for example, the server 102 is configured to provide management and control data of various authorities externally. Optionally, the server 102 undertakes primary computational work and the terminal 101 undertakes secondary computational work; or, the server 102 undertakes the secondary computing work, and the terminal 101 undertakes the primary computing work; or, the terminal 101 and the server 102 perform cooperative computing by using a distributed computing architecture.
Optionally, the server 102 is an independent physical server, or a server cluster or distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as cloud service, cloud database, cloud computing, cloud function, cloud storage, web service, cloud communication, middleware service, domain name service, security service, Content Delivery Network (CDN), big data and artificial intelligence platform, and the like.
Schematically, assume that the target object is an enterprise and take communication and office scenarios within the enterprise as an example. For an application program supporting authority query and/or resource access, it is mainly required to finely control the mutual visibility and chatability between accounts registered in the application program. Visibility includes department visibility, member visibility and application visibility: department visibility refers to whether a user can view the tab of a certain department when opening the address book in the application program; member visibility refers to whether the user can view a certain member (a member of the user's own department, a member of another department, a senior leader, or the like) when opening the address book in the application program; and application visibility refers to whether the user can view third-party applications associated with the target object in the application program, and which third-party applications can be viewed. Chatability generally corresponds to searchability, i.e., whether the user can search for a certain member in the application program and initiate a chat session with the member found. With the method for acquiring authority information, management and control data at member granularity can be generated, so that the visibility and chatability of each member with respect to any member, department or application can be finely controlled.
The terminal 101 generally refers to one of a plurality of terminals, and the device type of the terminal 101 includes, but is not limited to, at least one of: a smartphone, a tablet, a smart speaker, a smart watch, a laptop, or a desktop computer. For example, the terminal 101 may be a smartphone or other handheld portable communication device.
Those skilled in the art will appreciate that the number of terminals 101 described above may be greater or fewer. For example, the number of the terminals 101 may be only one, or the number of the terminals 101 may be several tens or hundreds, or more. The number and the device type of the terminals 101 are not limited in the embodiment of the present disclosure.
Fig. 2 is a flowchart illustrating a method for acquiring rights information according to an exemplary embodiment, and referring to fig. 2, the method for acquiring rights information is applied to a computer device, and is described below by taking the computer device as a server as an example.
In step 201, the server obtains at least one data record associated with the rights of the target object.
In step 202, the server constructs a topological relation graph based on the at least one data record, wherein the topological relation graph is used for representing the association relation between the attribute name and the attribute value in each data record.
In step 203, the server obtains, based on the business rule information associated with the authority and the topological relation diagram, management and control data of the authority, where the management and control data is used to provide an access control policy for a resource associated with the authority.
According to the method provided by the embodiments of the present disclosure, the data records associated with the authority are dumped into a corresponding topological relation graph. When the management and control data of the authority is generated, after the business rule information is parsed into query operations, complex cascade query operations do not need to be executed on the data records; instead, the related query operations can be executed directly on the topological relation graph, i.e., on graph data. This greatly improves the efficiency of calculating the management and control data, breaks through the limitations of the RBAC model, and makes the method suitable for application scenarios with various jobs and complex business rules.
In one possible implementation, each of the at least one data record corresponds to a child object within the target object;
the topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of a sub-object, and each directed edge corresponds to an attribute name of the attribute value corresponding to the pointed node.
In one possible embodiment, constructing the topological relation graph based on the at least one data record comprises:
constructing each node in the topological relation graph based on each attribute value in each data record;
and constructing each directed edge connecting different nodes in the topological relation graph based on each attribute name in each data record.
In a possible implementation manner, the obtaining the management and control data of the authority based on the business rule information associated with the authority and the topological relation diagram includes:
parsing the business rule information to obtain at least one query instruction for the topological relation graph;
executing the at least one query instruction based on the topological relation graph to obtain at least one query result;
generating the management and control data based on the at least one query result.
In a possible implementation manner, the topological relation graph is stored in a hash table, wherein a plurality of sets are recorded in the hash table, and each set stores an attribute value of a node in the topological relation graph, an attribute name of a directed edge accessing the node, and attribute values of other nodes connected with the node;
executing the at least one query instruction based on the topological relation graph, and obtaining at least one query result comprises:
and executing corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain at least one query result.
In one possible embodiment, performing, based on the at least one query instruction, a corresponding processing operation on each set in the hash table to obtain the at least one query result includes:
for each query instruction, determining a target attribute value carried by the query instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
In a possible implementation manner, in a case that the query instruction carries a plurality of the target attribute values, obtaining a query result of the query instruction based on the target set corresponding to the target attribute value in the hash table includes:
and executing processing operation matched with the query semantics of the query instruction on a plurality of target sets corresponding to the target attribute values to obtain a query result of the query instruction.
In a possible implementation manner, the management and control data is stored in the form of a bitmap, and each element in the bitmap is used for representing whether the index of the row where the element is located has the authority over the index of the column where the element is located;
generating the management and control data based on the at least one query result comprises:
assigning a corresponding index to each child object in the target object;
based on the at least one query result, assigning values to elements determined by the row of the index associated with each sub-object and the column of the indexes associated with other sub-objects to generate the bitmap.
In one possible embodiment, the sub-objects of the target object comprise at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
the generated bitmap includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
In one possible implementation, assigning a corresponding index to each child object in the target object includes:
distributing corresponding indexes to each member sub-object, each department sub-object and each application sub-object related to the target object;
based on the at least one query result, assigning values to elements determined by the row of the index associated with each sub-object and the columns of the indexes associated with other sub-objects to generate the bitmap comprises:
for each member sub-object, based on the at least one query result, assigning values to elements determined by the row where the index associated with the member sub-object is located and the column where the indexes associated with other sub-objects are located, so as to generate a first bitmap, a second bitmap and a third bitmap of the authority;
each row and each column in the first bitmap correspond to a member sub-object, each row in the second bitmap corresponds to a member sub-object and each column corresponds to a department sub-object, each row in the third bitmap corresponds to a member sub-object and each column corresponds to an application sub-object.
In one possible embodiment, assigning values to the elements determined by the row of the index associated with each sub-object and the columns of the indexes associated with other sub-objects includes:
when the query result indicates that the sub-object has the right to any other sub-object, assigning the element to be 1 in the bitmap;
when the query result indicates that the sub-object does not have the right to any other sub-object, the element is assigned to 0 in the bitmap.
In one possible embodiment, the method further comprises:
dividing each sub-object in the target object into a plurality of sub-object sets;
generating the management and control data based on the at least one query result comprises:
for each computing device in the plurality of computing devices, determining any sub-object set which does not generate the management and control data from the plurality of sub-object sets;
generating part of management and control data corresponding to the sub-object set based on the query result corresponding to the sub-object set in the at least one query result;
and combining the parts of the management and control data generated by the plurality of computing devices to obtain the management and control data.
In one possible embodiment, the method further comprises:
every target time interval, acquiring an updating instruction associated with the authority and received in the target time interval, wherein the updating instruction is used for changing at least one item of data record or business rule information associated with the authority of the target object;
updating the topological relation graph based on the updating instruction;
and updating the management and control data of the authority based on the updated topological relation graph.
In one possible embodiment, the method further comprises:
allocating a version number to the management and control data acquired for the first time and the management and control data acquired by updating each time, wherein the version number and a generation timestamp of the management and control data are monotonically increased;
and responding to any permission query request carrying a version number, and returning target state information when the carried version number is the same as the maximum version number of the control data, wherein the target state information is used for representing that the control data is unchanged.
All the above optional technical solutions may be combined arbitrarily to form the optional embodiments of the present disclosure, and are not described herein again.
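The bitmap, sub-object-set and version-number embodiments above can be combined as in the following added Python sketch, which is not code from the patent. The sample members, departments and query results are constructed, and all function names, the class name and the "UNCHANGED"/"UPDATED" status strings are assumptions made for illustration.

```python
# Constructed sample data: sub-objects of the target object and, for each
# member, the sub-objects that the query results say it may see.
MEMBERS = ["Member A", "Member B", "Member C"]
DEPARTMENTS = ["Dept X", "Dept Y"]
QUERY_RESULTS = {
    "Member A": {"Member A", "Member B", "Dept X"},
    "Member B": {"Member B", "Dept X", "Dept Y"},
    "Member C": {"Member A", "Member C"},
}


def assign_indexes(sub_objects):
    """Assign each sub-object an index (sorted so that runs are reproducible)."""
    return {name: i for i, name in enumerate(sorted(sub_objects))}


def build_partial(shard, results, col_index):
    """Work of one computing device: rows for one set of member sub-objects.

    A row is an int used as a bit string; bit c is 1 when the row's member
    has the authority over the sub-object with column index c, else 0.
    """
    rows = {}
    for member in shard:
        bits = 0
        for target in results.get(member, ()):
            if target in col_index:          # targets of other bitmaps are skipped
                bits |= 1 << col_index[target]
        rows[member] = bits
    return rows


def generate_bitmap(members, columns, results, shard_size=2):
    """Split members into sets, build partial data per set, then merge."""
    row_index, col_index = assign_indexes(members), assign_indexes(columns)
    ordered = sorted(members)
    shards = [ordered[i:i + shard_size] for i in range(0, len(ordered), shard_size)]
    bitmap = [0] * len(row_index)            # members without results stay all-zero
    for shard in shards:                     # each iteration stands in for one device
        for member, bits in build_partial(shard, results, col_index).items():
            bitmap[row_index[member]] = bits
    return bitmap, row_index, col_index


def has_authority(bitmap, row_index, col_index, subject, target):
    """Look up one element; unknown subjects or targets are denied."""
    if subject not in row_index or target not in col_index:
        return False
    return bool((bitmap[row_index[subject]] >> col_index[target]) & 1)


class ControlDataStore:
    """Holds the latest management and control data under an increasing version."""

    def __init__(self):
        self.version = 0
        self.bitmap = None

    def publish(self, bitmap):
        self.version += 1
        self.bitmap = bitmap
        return self.version

    def query(self, client_version):
        # Same version as the maximum version: report that nothing changed.
        if client_version == self.version:
            return {"status": "UNCHANGED", "version": self.version}
        return {"status": "UPDATED", "version": self.version, "bitmap": self.bitmap}
```

Because rows and columns are indexed independently, a one-way authority (Member A sees Member B, but not the reverse) is simply an asymmetric pair of elements in the member-by-member bitmap.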
Fig. 3 is a flowchart illustrating a method for acquiring rights information according to an exemplary embodiment, and referring to fig. 3, the method for acquiring rights information is executed by a computer device, and the computer device is taken as a server for example.
In step 301, the server obtains at least one data record associated with the rights of the target object, each of the at least one data record corresponding to a child object within the target object.
Optionally, the target object uniquely corresponds to an organizational entity including, but not limited to: an enterprise, a public institution, an unincorporated organization, etc., and the sub-objects within the target object include at least one of: a department sub-object, a member sub-object, or an application sub-object associated with the target object.
Optionally, the authority of the target object refers to the access authority, within the application program, to the address book information of the target object and to the connected third-party applications, where the address book information at least includes the organizational structure of the department sub-objects in the target object and the contact information of each member sub-object. For data security reasons, it is not desirable that all users can access all address book information, so fine-grained authority control is required over the part of the address book information that each user can see.
Since different rights may be associated with different sub-objects, the server needs to read the data records of each sub-object from the underlying database into the memory according to the sub-object related to the rights. Optionally, the rights include, but are not limited to: visibility permission, searchability permission, chatability permission, etc., which are not specifically limited in the embodiments of the present disclosure.
In an exemplary scenario, taking the target object being an enterprise as an example, an enterprise office application mainly needs to finely control the visibility authority, searchability authority, chat authority, and the like over department sub-objects or member sub-objects in the address book information, and also needs to finely control the access authority to application sub-objects associated with the target object. The server therefore needs to read, from the underlying database, the data records of department attributes and the data records of member attributes related to the address book information, as well as the data records of application attributes associated with the target object. The data records of department attributes store attribute information such as the name, level, parent department and child departments of the corresponding department sub-object; the data records of member attributes store attribute information such as the name, sex, age and native place of the corresponding member sub-object; and the data records of application attributes store attribute information such as the name, associated service type, docking department and docking member of the corresponding application sub-object. The attribute information of the department sub-objects, member sub-objects and application sub-objects involved in the present disclosure is authorized or fully authorized by each party.
In step 302, the server constructs a topological relation graph based on the at least one data record, wherein the topological relation graph is used for representing the association relation between the attribute name and the attribute value in each data record.
The topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of one sub-object, and each directed edge corresponds to an attribute name of the pointed node corresponding to the attribute value.
Each data record includes a plurality of fields, each field stores an attribute value, and each attribute value has a corresponding attribute name. In other words, for a data table, each row corresponds to a data record, each column corresponds to a field, and the column name, i.e., the field name, is the attribute name.
In some embodiments, since each node in the topological relationship graph corresponds to an attribute value and each directed edge corresponds to an attribute name, the server may construct each node in the topological relationship graph based on each attribute value in each data record; and constructing each directed edge connecting different nodes in the topological relation graph based on each attribute name in each data record.
Optionally, each attribute value in each data record is used as a node in the topological relation graph. For each data record, there must exist a target attribute value capable of uniquely identifying the data record (for example, the name or identification code of a member sub-object, department sub-object or application sub-object, or the primary key identification of the data record). The node corresponding to the target attribute value is used as the starting point of all directed edges related to the data record and is connected to the other nodes corresponding to the other attribute values stored in the data record; each directed edge corresponds to the attribute name of the attribute value of the node it points to (i.e., the end point of the edge).
In the above process, the original at least one data record in the data table is converted into a topological relation graph in the form of graph data. The topological relations between the nodes and edges of the graph can in turn be converted into other forms for storage, so that the cascade queries originally required on the data records become operations on other data structures. For example, the topological relations can be stored in the form of a hash table (HashMap, HashSet, and the like), so that a cascade query on the data records is converted into operations such as intersection, union and complement on sets in the hash table, which reduces the input/output (I/O) operations on the database.
In some embodiments, the server stores the topological relation graph in a form of a hash table, where the hash table records a plurality of sets, and each set stores an attribute value of a node in the topological relation graph, an attribute name of a directed edge accessing the node, and attribute values of other nodes connected to the node. In the above process, after the data records in the traditional two-dimensional table format are read into the memory, the data records are converted into the graph data format to construct a mesh topology structure, which is similar to a graph database constructed based on the memory.
In the following, how to convert a plurality of data records into a topological relationship diagram will be described by taking the data records of two member child objects as an example. The two data records are shown in table 1 below:
TABLE 1
| Name | Sex | Age | Native place |
| --- | --- | --- | --- |
| Member A | Male | 25 | Anhui province |
| Member B | Male | 20 | Anhui province |
The two data records in Table 1 can be converted into the topological relation graph shown in fig. 4. The two data records contain 6 different attribute values in total: "Member A", "male", "25", "Anhui province", "Member B" and "20", so the topological relation graph includes 6 nodes. Further, taking the member name as the target attribute value (i.e., the starting point of the directed edges), 3 directed edges can be constructed for each data record, corresponding to the 3 attribute names "sex", "age" and "native place". Each directed edge points from the node where the member name is located to the node holding the attribute value for that edge's attribute name. For example, from the node of Member A, the directed edge corresponding to the attribute name "sex" points to the node corresponding to the attribute value "male", and so on, which is not described in detail here.
The topological relations between the nodes and edges of the topological relation graph shown in fig. 4 may be converted into a hash table for storage. Optionally, for each node in the topological relation graph, the node and its surrounding topological relations are constructed into one set and stored in the hash table. In this case, 6 sets (also called relation sets, Entitynet) may be constructed for the 6 nodes in fig. 4, that is, the following 6 sets are stored in the hash table:
{ Member A, { sex, [ male ] }, { age, [ 25 ] }, { native place, [ Anhui province ] } }
{ Member B, { sex, [ male ] }, { age, [ 20 ] }, { native place, [ Anhui province ] } }
{ male, { -sex, [ Member A, Member B ] } }
{ Anhui province, { -native place, [ Member A, Member B ] } }
{ 20, { -age, [ Member B ] } }
{ 25, { -age, [ Member A ] } }
Illustratively, the sets are stored in a data structure similar to a recursive combination of HashMap and HashSet. The HashMap stores a target attribute value and its entity relationships; for example, the first and second sets store a target attribute value (the member name) and the associated entity relationships (the other attribute values in the data record and their corresponding attribute names). The HashMap also stores the set of attribute values corresponding to a relationship; for example, the third to sixth sets store a relationship (another attribute value and its corresponding attribute name) and the set of attribute values corresponding to that relationship (all member names corresponding to the attribute name).
By converting the topological relations between the edges and nodes of the topological relation graph into a plurality of sets stored in the hash table, the attribute value corresponding to each set can be used as the key and the corresponding attribute name as the value, so that the topological relations are stored as key-value pairs. For example, the fifth set is stored as a key-value pair with "20" as the key and "{ -age, [ Member B ] }" as the value. The symbol "-" represents the inverse relationship: the inverse relationship of Anhui province with respect to native place is Member A and Member B, while the forward relationship of Member A with respect to sex is male.
The topological relation graph in the embodiments of the present disclosure has efficient query performance and is well suited to application scenarios with a relatively small data volume, complex data associations and certain requirements on query performance, such as internal enterprise office and communication scenarios.
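The conversion of Table 1 into the hash table described above can be sketched in Python as follows. This is an added example, not code from the patent: the function names are assumptions, the records are the two rows of Table 1, and "name" is assumed to be the target attribute value of each record.

```python
from collections import defaultdict

# Constructed sample: the two data records of Table 1. "name" is taken as
# the target attribute value that uniquely identifies each record.
RECORDS = [
    {"name": "Member A", "sex": "male", "age": "25", "native place": "Anhui province"},
    {"name": "Member B", "sex": "male", "age": "20", "native place": "Anhui province"},
]


def build_entity_net(records, key_attr="name"):
    """Return {attribute value: {relation: set of attribute values}}.

    A forward relation is stored under the attribute name ("sex"); the
    inverse relation is stored under the name prefixed with "-" ("-sex").
    """
    net = defaultdict(lambda: defaultdict(set))
    for record in records:
        start = record[key_attr]          # start node of every edge of this record
        for attr_name, attr_value in record.items():
            if attr_name == key_attr:
                continue
            net[start][attr_name].add(attr_value)         # Member A, sex, male
            net[attr_value]["-" + attr_name].add(start)   # male, -sex, Member A
    return net


def related(net, value, relation):
    """Follow one relation from one node; unknown nodes or relations give an empty set."""
    return set(net.get(value, {}).get(relation, ()))


def members_matching(net, all_of=(), none_of=()):
    """Cascade query expressed as set operations instead of table joins.

    all_of and none_of are (attribute name, attribute value) pairs. The result
    is the intersection of the all_of sets minus the union of the none_of sets.
    """
    include = [related(net, value, "-" + name) for name, value in all_of]
    exclude = [related(net, value, "-" + name) for name, value in none_of]
    result = set.intersection(*include) if include else set()
    return result - set().union(*exclude)


if __name__ == "__main__":
    entity_net = build_entity_net(RECORDS)
    for node, relations in entity_net.items():
        print(node, {rel: sorted(vals) for rel, vals in relations.items()})
```

A multi-condition lookup such as "male, from Anhui province, but not aged 20" touches three sets in memory and never scans the records themselves.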
In step 303, the server parses the business rule information associated with the authority to obtain at least one query instruction for the topological relation graph.
The business rule information is a control rule constructed, according to the business requirements of the target object, for each sub-object in the target object with respect to this type of authority. For example, if the authority is the visibility authority, one possible piece of business rule information is that a member sub-object whose job is leader has visibility authority over all parent departments and child departments of the leader's department. The specific content of the business rule information is not limited in the embodiments of the present disclosure.
In some embodiments, after the system administrator inputs the business rule information associated with the authority, the complex business rule information can be parsed by a parser into individual query instructions for the topological relation graph, so that by executing each query instruction, it can be determined whether each sub-object has the corresponding authority over another sub-object under the constraint of the business rule information. Illustratively, after the business rule information associated with the visibility authority is input, the query instructions are obtained through parsing and are executed on the topological relation graph, so that it can be determined, under the constraint of the business rule information associated with the visibility authority, whether each member sub-object in the enterprise can see any given department sub-object, member sub-object or application sub-object in the address book information.
Optionally, the business rule information includes but is not limited to: organizational structure attributes, entity attributes, environment attributes, special rules, etc. Several possible pieces of business rule information corresponding to different authorities are shown in Table 2 below:
TABLE 2
(Table 2 is an image in the original publication and is not reproduced here.)
As Table 2 shows, the business rule information involves complex cascade query operations, for example the rule "leaders and human resource managers can see levels 03 and 04 and all parents and children of the leaders". If no topological relation graph is constructed, a change to any member attribute affects all members. Taking the visibility authority as an example, after a certain member X is converted from part-time labor to full-time labor, a series of changes occurs in which other members and departments are visible to member X and in whether other members can see member X in the address book. The full set of business rule information therefore has to be recalculated every time an authority is queried, so that the latest authority changes in the system are picked up (avoiding authority management errors caused by using old business rule information). For some rapidly developing enterprises, each round of authority query then needs to traverse the related data records of tens of thousands of members, so the calculation speed and processing efficiency for authority query requests or resource access requests requiring authentication are low. Moreover, it can be seen from Table 2 that the factors influencing the business rule information are limited to the member attributes and department attributes related to the address book information. Therefore, simply by loading the related data records into memory through step 301 and converting them into a topological relation graph, the speed at which the system calculates the management and control data of the authority can be increased, and with it the response speed and processing efficiency for authority query requests or resource access requests requiring authentication.
In some embodiments, since the embodiments of the present disclosure have converted the data records of a conventional data table into a memory-based topological relation graph, SQL commands that operate on data records, if produced when parsing the business rule information, cannot directly operate on the graph data in the topological relation graph. In view of this, the embodiments of the present disclosure provide an operation primitive, NetQL, as an exemplary form of the query instruction. A primitive is a control program for a computer process, generally a program segment composed of a plurality of instructions that implements a certain function (in the embodiments of the present disclosure, a query function on the topological relation graph); a primitive cannot be interrupted during execution, that is, it has the property of an atomic operation, and is therefore called a primitive.
In the above process, converting the business rule information into the operation primitive NetQL amounts to wrapping it in the basic syntax of NetQL, similar to the process of parsing a complex query statement into SQL commands in a conventional database, except that the basic syntax of SQL commands differs from that of the operation primitive NetQL provided by the embodiments of the present disclosure. The operation primitive NetQL can perform query operations directly on the hash table of the topological relation graph. Illustratively, the syntax rules of the operation primitive NetQL are shown in Table 3 below:
TABLE 3
| Primitive | Meaning | Primitive | Meaning |
| --- | --- | --- | --- |
| {} | Entity/set | + | Union |
| -> | Forward relation | - | Difference |
|  | Inverse relation | & | Intersection |
| * | Relation recursion | [relation x, set] | Relation filter |
| {set} ? {set} | Ternary operation | () | Precedence symbols |
|  | Parameter | # | Terminator/entity token |
In the following, taking the syntax rules of the operation primitive NetQL shown in Table 3 as an example, it is described how several simple query operations are parsed into NetQL query instructions; other, more complex business rule information can be parsed into NetQL query instructions in a similar manner.
For example, the query operation is: query the data of members whose gender is male. This can be expressed by the query statement "male → gender #", which the parser parses into the NetQL query instruction "(male → gender) #" for execution.
For example, the query operation is: query the data of members whose gender is male and female. This can be expressed by the query statement "male → gender + female → gender #", which the parser parses into the NetQL query instruction "(((male → gender) + (female → gender)) #)" for execution, that is, the set of entities whose gender is male and the set of entities whose gender is female are merged.
For example, the query operation is: query the member name by member ID (Identification). The parser parses this into the NetQL query instruction "UserId → UserId [username, %] → username #" for execution. If the query operation is to query the member nickname of the member whose member ID is 123, the parser produces the NetQL query instruction "123 → -userId [username, %] → username #", where "-userId" obtains the inverse relationship of the attribute value "123" with respect to the attribute name "member ID", after which "[username, %]" filters out the username attribute and the attribute value of the username attribute is obtained.
Fig. 5 is a schematic structural diagram of a network topology system based on memory computing according to an embodiment of the present disclosure, and as shown in fig. 5, after the system receives an external retrieval request, firstly, a NetQL layer 501 converts service logic that needs to be processed by the retrieval request into a NetQL query instruction through an analysis engine, and then, an execution engine executes the NetQL query instruction on a hash table of a topology graph. Optionally, the hash table is stored in a JVM (Java Virtual Machine) memory of the data persistence layer 502, and the server extracts data records from the underlying data layer 503 by a data extraction manner such as ORM (Object Relational Mapping), maps the data records into a topological relation diagram, and caches the hash table corresponding to the topological relation diagram in the JVM memory. Alternatively, the underlying data layer 503 may hold data records based on a variety of storage engines, including but not limited to: MySQL, HBase, Hive, Redis, Kafka and the like, and the embodiment of the disclosure does not specifically limit the type of the storage engine.
In step 304, the server executes the at least one query instruction based on the topological relation graph to obtain at least one query result.
In some embodiments, since the topological relation in the topological relation diagram may be stored in a form of a hash table, when the query instruction is executed, the corresponding processing operation may be directly performed on each set in the hash table based on the at least one query instruction, so as to obtain the at least one query result. In the process, the processing operation is executed on each set in the hash table, so that the complex cascade query of the original data record is avoided, and the set intersection and complementation operation with smaller calculation amount and higher query speed can be directly executed from the constructed graph database, so that the query efficiency can be greatly improved.
In some embodiments, for each query instruction, the server determines a target attribute value carried by the query instruction, and acquires a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, where the target set represents the sub-objects having the target attribute value. The target attribute value is the attribute value on which the query instruction operates. For example, if all sub-objects whose gender is male are to be queried, the target attribute value carried in the query instruction is "male"; if all sub-objects whose attribute value is Anhui province are to be queried, the target attribute value carried in the query instruction is "Anhui province". The server parses the query instruction to obtain the target attribute value, and then, using the target attribute value as an index, looks up in the hash table the sub-objects having the target attribute value, i.e., the target set, to obtain the query result. For example, when the target attribute value is "male", the sub-objects having the attribute value "male" are looked up in the hash table, and the set formed by all sub-objects having the attribute value "male" is determined as the target set, which is the query result of this query.
In a possible implementation manner, since the query instruction may carry multiple target attribute values, that is, the query instruction is intended to operate the multiple attribute values, at this time, the server needs to execute a processing operation matched with the query semantics of the query instruction on multiple target sets corresponding to the target attribute values, so as to obtain a query result of the query instruction. For example, the query instruction specifies all the child objects with male gender and female gender, the query instruction carries 2 target attribute values "male" and "female", at this time, the query semantic obtained by analyzing the query instruction is "union", the server needs to first obtain a target set formed by all the child objects with the attribute value of "male", then obtain another target set formed by all the child objects with the attribute value of "female", and then execute the query semantic "union" on the 2 target sets, that is, the union of the 2 target sets is used as the final query result.
In the process, the query operation specified by the query instruction is converted into the processing operation which is matched with the query semantics and is executed on the target set in the hash table, so that the calculation amount for acquiring the query result can be greatly simplified, the calculation efficiency for acquiring the query result is improved, and the calculation resources of the server are saved.
In some embodiments, if the service rule information is analyzed to obtain a NetQL query instruction, the sets in the hash table may be directly subjected to intersection and complementation operation, so as to implement the query operation indicated in the service rule information, it should be noted that, in the embodiments of the present disclosure, only NetQL is used as an exemplary description of a primitive for operating the sets in the hash table, and a person skilled in the art may construct other primitives or instructions capable of operating on graph data according to service requirements, and configure corresponding syntax rules, which is not specifically limited in the embodiments of the present disclosure.
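The following Python example is added here for illustration and is not code from the disclosure. It evaluates query statements built from the forward relation, the set primitives +, - and &, parentheses and the # terminator directly against a hash table of sets. The ASCII spelling "->", the (attribute value, attribute name) key layout, the equal left-to-right precedence of the set primitives, the function names and the sample data are all assumptions.

```python
import re

# Constructed sample of the in-memory hash table (assumption): each key is
# (attribute value, attribute name) and each value is the set of sub-object IDs.
HASH_TABLE = {
    ("male", "gender"): {"u1", "u3"},
    ("female", "gender"): {"u2", "u4"},
    ("sales", "department"): {"u1", "u2"},
}

# Set primitives from Table 3; equal precedence, left to right (assumption).
SET_OPS = {"+": set.union, "-": set.difference, "&": set.intersection}
RESERVED = set(SET_OPS) | {"(", ")", "#", "->"}
TOKEN = re.compile(r"\s*(->|[+\-&()#]|[^\s+\-&()#>]+)")


def tokenize(text):
    """Split a query statement into primitives and names."""
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if match is None:
            raise ValueError(f"unexpected character at offset {pos}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class Evaluator:
    """expr := term {(+|-|&) term};  term := '(' expr ')' | value -> attribute"""

    def __init__(self, tokens, table):
        self.tokens, self.pos, self.table = tokens, 0, table

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        if token is None:
            raise ValueError("unexpected end of query")
        self.pos += 1
        return token

    def name(self):
        token = self.take()
        if token in RESERVED:
            raise ValueError(f"expected a name, got {token!r}")
        return token

    def expr(self):
        result = self.term()
        while self.peek() in SET_OPS:
            operator = SET_OPS[self.take()]
            result = operator(result, self.term())
        return result

    def term(self):
        if self.peek() == "(":
            self.take()
            inner = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return inner
        value = self.name()
        if self.take() != "->":
            raise ValueError("expected '->' after an attribute value")
        attribute = self.name()
        # An unknown value/attribute pair yields the empty set, so a typo in a
        # rule grants nothing instead of matching everything.
        return set(self.table.get((value, attribute), set()))


def run_query(statement, table=HASH_TABLE):
    """Evaluate one query statement; the terminator '#' must be the last token."""
    evaluator = Evaluator(tokenize(statement), table)
    result = evaluator.expr()
    if evaluator.take() != "#" or evaluator.peek() is not None:
        raise ValueError("query must end with a single '#' terminator")
    return result
```
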
In step 305, the server generates, based on the at least one query result, management data of the right, the management data being used for providing an access control policy for the resource associated with the right.
In some embodiments, the management data is stored in a bitmap, each element in the bitmap is used to characterize whether the index of the row where the element is located has the right to the index of the column where the element is located, optionally, each element in the bitmap is a binary value, when an element takes 1, the index representing the row where the element is located has a corresponding right to the index of the column where the element is located, and when an element takes 0, the index representing the row where the element is located does not have a corresponding right to the index of the column where the element is located.
In the above process, the management and control data is stored in the form of a bitmap, and only one unique index needs to be allocated to each sub-object in the target object, so that the bitmap can represent whether each sub-object has a corresponding authority over other sub-objects, that is, the authority management of sub-object level fine granularity is realized, and can also represent whether the authority between any two sub-objects is one-way or two-way, for example, the sub-object i has the authority over the sub-object j, but the sub-object j does not have the authority over the sub-object i, and represents that the sub-object i has the one-way authority over the sub-object j, so that the bitmap shows that the value of the element in the ith row and the jth column is 1, but the value of the element in the jth row and the ith column is 0.
In some embodiments, the server assigns a corresponding index to each child object in the target object; based on the at least one query result, it is determined whether each sub-object has the right to other sub-objects to generate the bitmap. Optionally, the server determines whether each sub-object has the right to the other sub-objects based on the at least one query result, then assigns values to elements determined by rows where indexes associated with each sub-object are located and columns where indexes associated with the other sub-objects are located based on whether each sub-object has the right to the other sub-objects, and finally generates a bitmap for managing data after assigning values to each element in the bitmap.
In some embodiments, when an Index is assigned to each sub-object in the target object, each sub-object already has a sub-object ID (for example, a character string of varchar32 type), and may also have been assigned an account ID (for example, non-self-increment, random long type data) after registering an account in the application program. When the bitmap of the management and control data is constructed, an Index (for example, an int integer whose value ranges from 1 to N, where N > 1 and N is the total number of sub-objects in the target object) also needs to be assigned to each sub-object, so a self-increment ID field (i.e., the Index) can be newly added to the data record of each sub-object. Thus, on the basis of keeping the original correspondence between the sub-object ID and the account ID, a triple map object of <sub-object ID, account ID, Index> needs to be created; the triple records the ternary correspondence among the IDs of each sub-object.
In some embodiments, when assigning values to elements in a bitmap is performed, and when the query result indicates that the sub-object has the right to any other sub-object, in the bitmap, assigning a value of 1 to an element determined by a row where an index associated with the sub-object is located and a column where an index associated with the other sub-object is located; and when the query result indicates that the sub-object does not have the authority on any other sub-object, assigning 0 to the element determined by the row where the index associated with the sub-object is located and the column where the index associated with the other sub-object is located in the bitmap.
In some embodiments, since the sub-objects of the target object include at least one of: the member sub-object, the department sub-object or the application sub-object associated with the target object, and therefore the bitmap generated based on the introduction manner includes at least one of the following items: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
Optionally, when the index is allocated to the sub-object, based on the manner of allocating the index, a corresponding index is allocated to each member sub-object, department sub-object and application sub-object in the target object.
Optionally, when generating the bitmap, assigning values to elements determined by the row where the index associated with the member sub-object is located and the column where the index associated with other sub-objects is located based on the at least one query result, so as to generate a first bitmap, a second bitmap and a third bitmap of the authority, in other words, the server generates 3 bitmaps for each member sub-object, wherein each row and each column in the first bitmap correspond to one member sub-object, that is, the first bitmap is a bitmap corresponding to the member sub-object and used for representing authority control data of the member-member, each row in the second bitmap corresponds to one member sub-object and each column corresponds to one department sub-object, that is, the second bitmap is a bitmap corresponding to the member sub-object and the department sub-object and used for representing authority control data of the member-department, each row in the third bitmap corresponds to a member sub-object and each column corresponds to an application sub-object, that is, the third bitmap is a bitmap corresponding to the member sub-object and the application sub-object, and is used for representing member-application permission management data.
In the process, 3 bitmaps are generated for each member sub-object, and different bitmaps are used for describing authority control data of the member sub-objects and different types of sub-objects, so that the authority of the member sub-objects can be further finely controlled.
In some embodiments, the 3 bitmaps are integrated into 1 bitmap, that is, the bitmap includes N rows and M (M = N + J + K) columns. Each of the N rows corresponds to one member sub-object; each of the first N of the M columns corresponds to one member sub-object, each column from the (N+1)-th to the (N+J)-th corresponds to one department sub-object, and each column from the (N+J+1)-th to the M-th corresponds to one application sub-object, where N, J and K are integers greater than or equal to 1, M is an integer greater than N, N is the number of member sub-objects included in the target object, J is the number of department sub-objects included in the target object, and K is the number of application sub-objects associated with the target object.
In the above process, since the business rule information can indicate which sub-objects have related rights to other sub-objects under the constraint of the related business rules, it can be easily determined which elements should be assigned with 1 and the rest of elements are assigned with 0, so as to obtain a sub-object level fine-grained bitmap, which is also the management and control data of the rights.
Fig. 6 is a schematic diagram of a bitmap of management and control data according to an embodiment of the present disclosure. As shown in Fig. 6, an index is assigned to each sub-object in the target object to obtain $[u_1, u_2, u_3, u_4, \ldots, u_n]$, so as to construct a bitmap of size n × n (n rows and n columns, n being an integer greater than 1). Each element in the bitmap represents whether the sub-object of the corresponding row index has the authority over the sub-object of the corresponding column index. For example, if the bitmap is the management and control data of the visibility authority, then $[u_i, u_j] = 0$ represents that sub-object $u_i$ cannot see sub-object $u_j$ in the address book (i.e., has no visibility authority), and $[u_i, u_j] = 1$ represents that sub-object $u_i$ can see sub-object $u_j$ in the address book (i.e., has the visibility authority).
In the above control data stored in the bitmap (i.e. bit array), since each element is either 0 or 1, taking 30000 sub-objects included in the target object as an example, after cartesian product expansion, the space occupied by the bitmap is:
30000*30000bit/8/1024/1024=107M
That is, when the target object includes 30000 sub-objects, the management and control data of each authority occupies 107M of storage space. Even when the scale expands to 10w (w denoting ten thousand, that is, 100,000) sub-objects, the required total storage overhead is 1192M, and a single sub-object needs only 120K of storage space, so the growth of the target object's business in the short term can be accommodated at low storage overhead.
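The following Python example is added here for illustration and is not code from the disclosure. It builds the integrated N-row, M-column bitmap (M = N + J + K) from query results, keeps the <sub-object ID, account ID, Index> triples, shows a one-way authority, and reproduces the storage figure computed above. The class and function names, the packed byte layout and the sample sub-objects are assumptions.

```python
class PermissionBitmap:
    """Rows are member sub-objects; columns are members, then departments, then applications."""

    def __init__(self, members, departments, applications):
        # members: list of (sub-object ID, account ID). The Index runs from 1 to N
        # and is recorded in the <sub-object ID, account ID, Index> triple map.
        self.triples = [(sid, aid, idx) for idx, (sid, aid) in enumerate(members, start=1)]
        self.row_of = {sid: idx - 1 for sid, _, idx in self.triples}
        self.col_of = {}
        for kind, ids in (("member", [sid for sid, _ in members]),
                          ("department", departments),
                          ("application", applications)):
            for obj_id in ids:
                self.col_of[(kind, obj_id)] = len(self.col_of)
        self.width = len(self.col_of)  # M = N + J + K
        # One packed row per member: 8 elements per byte (assumed layout).
        self.rows = [bytearray((self.width + 7) // 8) for _ in members]

    def grant(self, member, kind, target):
        """Set the element [member, target] to 1."""
        col = self.col_of[(kind, target)]
        self.rows[self.row_of[member]][col // 8] |= 1 << (col % 8)

    def allowed(self, member, kind, target):
        """Read one element; unknown sub-objects have no authority."""
        row, col = self.row_of.get(member), self.col_of.get((kind, target))
        if row is None or col is None:
            return False
        return bool(self.rows[row][col // 8] & (1 << (col % 8)))

    def fill(self, query_results):
        """query_results: iterable of (member, kind of target, set of targets)."""
        for member, kind, targets in query_results:
            for target in targets:
                self.grant(member, kind, target)

    def row_bits(self, member):
        """The member's row as a list of 0/1 values in column order."""
        return [int(self.allowed(member, kind, target)) for kind, target in self.col_of]


def bitmap_size_mib(sub_objects):
    """Size of an n x n bitmap, following the calculation in the text."""
    return sub_objects * sub_objects / 8 / 1024 / 1024


def build_sample():
    # Constructed sample: 3 members, 2 departments, 1 application.
    bitmap = PermissionBitmap([("u1", 9001), ("u2", 9002), ("u3", 9003)],
                              ["d1", "d2"], ["mail"])
    bitmap.fill([
        ("u1", "member", {"u1", "u2"}),   # u1 -> u2 is granted ...
        ("u2", "member", {"u2"}),         # ... but u2 -> u1 is not: one-way authority
        ("u1", "department", {"d1"}),
        ("u3", "application", {"mail"}),
    ])
    return bitmap
```
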
In the step 303-, the above steps 301-302 can be executed only once, and the topological relation graph obtained the first time is reused in the subsequent process. Similarly, the service rule information of all the permissions can also be input at once, so that the service rule information is parsed only once; when the bitmap of each permission is subsequently generated, only the query instructions parsed from the service rule information associated with that permission need to be selected and executed, which is not specifically limited in the embodiments of the present disclosure.
In some embodiments, after the server acquires the control data for each authority, the control data for each authority (i.e., caching a plurality of bitmaps) may be cached in the memory, and when a subsequent user-side request, such as an authority query request, a resource access request, and the like, reaches the system, the cached control data may be directly called to respond to the user-side request, so that the decoupling of the authority calculation and the online query is achieved, and the influence of the real-time authority calculation on the response speed of the online query is avoided. In the next embodiment, the caching method of the management and control data of various permissions will be described in detail, which is not described herein.
According to the method provided by the embodiment of the disclosure, by dumping the data records associated with the authority into the corresponding topological relation graph, when the management and control data of the authority is generated, after the business rule information is analyzed into the query operation, the complex cascade query operation is not required to be executed on the data records, but the related query operation can be directly executed on the topological relation graph, namely graph data, so that the calculation efficiency on the management and control data is greatly improved, the limitation of the RBAC model is broken, and the method can be suitable for application scenarios with various jobs and complex business rules.
All the above optional technical solutions may be combined arbitrarily to form the optional embodiments of the present disclosure, and are not described herein again.
The above embodiment describes how the server generates the management and control data of each authority (taking the bitmap form as an example). In order to decouple the authority calculation from the online query, that is, to achieve read-write separation for the management and control data, the management and control data of each authority may be stored in memory, so as to support high-QPS read operations of the system and ensure, as far as possible, the stability of the authority query service provided externally. Optionally, the management and control data of the various permissions is stored in Redis (Remote Dictionary Server) storage middleware, and a highly available service for the management and control data can be ensured through a high-availability architecture of Redis, for example, by adding Sentinel master/slave components, enabling a Proxy Server, or converting to a Cluster architecture, as determined by the specific service properties.
In some embodiments, since Redis is a database architecture with Key-Value storage, in order to provide a query service for the management and control data, a Key is stored separately for each sub-object. The Key of each sub-object characterizes the name of the target object, the permission type, and the sub-object ID (or Index), and the Value corresponding to the Key is the set of values of the elements in the row, in the bitmap of the permission, that corresponds to the Index of the current sub-object. Fig. 7 is a schematic diagram of the storage format of the management and control data of a single sub-object provided by an embodiment of the present disclosure. As shown in Fig. 7, in one example, the Key is entity_name:contacts:visible:u1, which represents the visibility right of sub-object $u_1$ under the address book of the enterprise entity_name, and the Value is [1,0,0,0, …,1], which is a set in which the value of each element represents whether sub-object $u_1$ can see, in the address book, the other sub-object associated with the index of that element's position. For example, the value of the 1st element is 1, representing that sub-object $u_1$ can see sub-object $u_1$ in the address book; the value of the 2nd element is 0, representing that sub-object $u_1$ cannot see sub-object $u_2$ in the address book; and so on, which is not described herein again.
In some embodiments, if the Key-Value form management and control data corresponding to all child objects are collected into the same computing device (i.e., computing node) for computation, it may result in that a single computing device cannot respond to the computing service of the right quickly during the peak period, and therefore, the design mode of the producer/consumer may be migrated to the embodiment of the present disclosure to accelerate the computation of the right. In a design mode of a producer/consumer, partitioning all sub-objects according to Index indexes of the sub-objects, wherein each partition corresponds to one consumer, each consumer is responsible for calculating management and control data of the authority of the sub-objects in the corresponding partition, and if the number of the consumers is large, the range of the Index corresponding to each partition can be set to be small, such as [0,500], [500,1000], so that the concurrent processing capacity can be increased by using the sufficient number of the consumers.
From the perspective of a producer, when an external authority calculation request is received, the authority calculation request is analyzed to obtain a full-scale calculation task, then, the full-scale calculation task is decomposed into a plurality of calculation subtasks needing to be processed, each calculation subtask corresponds to a partition, that is, each calculation subtask is used for indicating that the calculation needs to process the management and control data of the authority of which sub-objects in a single partition.
From the perspective of a consumer, only the computing subtask issued by the producer needs to be processed. After the computing subtask is processed, the computed management and control data of the authority of each sub-object in the partition can be updated to the Redis storage middleware. The system can be expanded without limit by scaling consumers horizontally, that is, only partitions need to be added during expansion so that consumers can be added, which greatly improves the efficiency with which the system computes the management and control data.
In the producer/consumer architecture, the coordinating device is responsible for dividing the sub-objects of the target object into a plurality of sub-object sets; this dividing process is the partitioning process of the producer. Optionally, since each sub-object has a unique index, a plurality of index ranges may be divided and the sub-objects corresponding to each index range determined as one sub-object set (i.e., one partition). When an external authority calculation request is received, the coordinating device is further responsible for parsing the calculation request to obtain a global calculation task and then decomposing the global calculation task into a plurality of calculation subtasks, each of which corresponds to one partition, i.e., one sub-object set. For example, assuming that the target object includes 40000 sub-objects, the coordinating device divides them into the following sub-object sets according to the Index: [0,1000], [1000,2000], … and [39000,40000]. The global calculation task obtained by parsing the authority calculation request is then decomposed into 40 calculation subtasks corresponding to the 40 sub-object sets respectively, and the 40 calculation subtasks are published by writing them into Redis. After the 40 downstream computing devices detect the calculation subtasks published in Redis, each immediately processes the calculation subtask it has claimed in a preemptive manner. For example, after the calculation subtask of the sub-object set with the index range [0,1000] is claimed by computing device 1, computing device 1 computes the management and control data (namely bitmaps) of the authority, the searching authority, the chatability authority and the like of each sub-object with the index range [0,1000], and so on. When the system is expanded, it suffices to add one computing device 41, and the response time of the authority calculation request is reduced. For example, assuming that 40 partitions exist and there are 20 computing devices (consumers), after one computing device is newly added, the response time of the permission calculation request can theoretically be shortened from 40/20 to 40/21.
Optionally, the computing device is not locally responsible for storing the management and control data of various permissions of all the sub-objects in the corresponding sub-object set, but only after receiving the computation sub-task, pulls the graph data corresponding to the index range from the Redis storage middleware to perform computation, which is not specifically limited in the embodiment of the present disclosure.
In other words, after dividing each sub-object of the target object into a plurality of sub-object sets, for each of the plurality of computing devices, determining any sub-object set that does not generate the management and control data from the plurality of sub-object sets, for example, after monitoring a newly issued computing sub-task for each sub-object set in Redis, each computing device acquires one computing sub-task in a preemptive manner, and then, in the above step 304, executes at least one query instruction (NetQL primitive) obtained by parsing the service rule information based on the topological relation graph, so as to obtain at least one query result, and when each computing device executes the preempted computing sub-task, each computing device can generate part of the management and control data corresponding to the sub-object set based on a query result corresponding to the sub-object set in the at least one query result, wherein the sub-object set corresponds to the computing sub-task preempted by the computing device, the plurality of computing devices can generate a plurality of parts of control data in parallel by performing parallel processing on the plurality of computing sub-tasks, and all the parts of control data generated by the plurality of computing devices in parallel are merged to obtain final control data.
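The following Python example is added here for illustration and is not code from the disclosure. A producer splits the Index space into subtasks, consumers claim subtasks preemptively, and each consumer writes the rows of its partition under the Key format described above, so that the merged store is the full management and control data. The ranges in the text share their boundary indices as written; the example uses half-open ranges so that each index is computed once. A dictionary stands in for Redis, and the function names and the visibility rule are assumptions.

```python
import queue
import threading


def partitions(total, size):
    """Half-open index ranges [start, end): no index belongs to two subtasks."""
    return [(start, min(start + size, total)) for start in range(0, total, size)]


def compute_row(index, total):
    # Constructed rule standing in for the executed query results:
    # a sub-object sees those whose index falls in the same residue class mod 4.
    return [int(index % 4 == other % 4) for other in range(total)]


def run_partitioned(total, size, consumers, entity="entity_name"):
    """Return (store, claimed): the merged rows and which consumer took which range."""
    tasks = queue.Queue()
    for part in partitions(total, size):          # producer: one subtask per partition
        tasks.put(part)

    store, claimed, lock = {}, [], threading.Lock()

    def consume(name):
        while True:
            try:
                start, end = tasks.get_nowait()   # atomic, preemptive claim
            except queue.Empty:
                return                            # nothing left to claim
            rows = {f"{entity}:contacts:visible:{i}": compute_row(i, total)
                    for i in range(start, end)}
            with lock:                            # stands in for the write to Redis
                store.update(rows)
                claimed.append((name, start, end))

    workers = [threading.Thread(target=consume, args=(n,)) for n in range(consumers)]
    for worker in workers:
        worker.start()
    for worker in workers:
        worker.join()
    return store, claimed
```
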
In some embodiments, since the service rule information or the data record itself is not constant, and a change to any field in the data record of a member or a department in the target object or a change to any service rule information causes a change to the management and control data of the overall authority, after the data record or the service rule information is changed, the system needs to rebuild each management and control data of each authority once, that is, to rebuild the topological relation diagram according to the latest data record, to parse each corresponding query instruction according to the latest service rule information, and then to generate new management and control data, which is similar to each step in the above embodiments. In the scenes of rapid service development and iteration, changes in the system may be frequent, if the computation of full management and control data is triggered in each change, the resource utilization rate of the system is low, and the computation cost is high.
In some embodiments, the polling mechanism of the timed task is represented as: the server acquires an updating instruction associated with the authority received in the target duration at intervals of the target duration, wherein the updating instruction is used for changing at least one item of data record or business rule information associated with the authority of the target object; updating the topological relation graph based on the updating instruction; and updating the management and control data of the authority based on the updated topological relation graph. Wherein the target duration is any value greater than 0.
Optionally, after receiving any instruction, the server, upon determining by parsing that the instruction is an update instruction associated with the authority, caches the update instruction in an instruction cache region (e.g., a wait queue). When the polling mechanism is triggered by a timed task, all update instructions cached within the target duration are pulled from the instruction cache region at intervals of the target duration; for example, all cached update instructions are pulled from the wait queue at intervals of the target duration and the wait queue is then emptied. Then, at least one of the data record or the service rule information is changed based on the update instructions, and a new topological relation graph is reconstructed in a manner similar to steps 301-302 above. Next, when the timed task triggers the authority calculation, the newly changed service rule information is parsed in a manner similar to steps 303-305 above to obtain the query instructions, the query instructions are executed on the new topological relation graph to obtain the final query results, and new management and control data is then generated and stored in the Redis storage middleware, overwriting the old data.
Fig. 8 is a service update flow chart of authority calculation and storage provided by an embodiment of the present disclosure, as shown in fig. 8, when configuring an authority rule, a system administrator usually writes update instructions for data records or service rule information (both may be collectively referred to as an authority policy, for example, a NetQL statement), and in the authority management module, the update instructions are persisted in a MySQL database, which is equivalent to the above process of caching in the instruction cache region. The timing task scheduling module is responsible for scheduling timing tasks, the timing tasks can be divided into two types, the first timing task is used for periodically pulling an update instruction from the MySQL database and constructing a new topological relation graph, the second timing task is used for periodically calculating new control data according to the latest business rule information and the latest topological relation graph, the two timing tasks can be set with different timings, for example, the timing of the first timing task is 10 minutes, the timing of the second timing task is 20 minutes, and the two steps of updating the topological relation graph and updating the control data can be decoupled and converted into asynchronous updating by setting different timings for the two timing tasks, so that the flexibility of the system can be further improved.
When the timed task Schedule module triggers the first timed task, each update instruction cached in the time period from the last pulling completion to the current pulling time is pulled from the MySQL database, then, for the update instruction related to the changed data record, the data record is correspondingly changed, and then a new topological relation diagram is constructed in a manner similar to that of the step 301 and 302, and certainly, each set (EntityNet) in the new hash table is correspondingly constructed.
When the timed task Schedule module triggers the second timed task, each update instruction cached in the time period from the last pulling completion to the current pulling time is pulled from the MySQL database, then, for the update instruction related to the changed business rule information, the business rule information is correspondingly changed, then, new management and control data is generated based on a manner similar to that of the step 303 and 305, and then, the new management and control data is updated to the corresponding Redis storage middleware.
The online query service is provided on the basis of the Redis storage middleware: the latest management and control data is synchronized to the Redis storage middleware, and the Redis database is highly available, so online query requirements can be met in most cases. To further improve query efficiency, an L2 cache can be built on top of Redis. Key-Value data accessed in the Redis layer within a recent period (such as the latest 5 minutes or the latest 10 minutes) is loaded into the L2 cache, the Key-Value data in the L2 cache region is managed in memory with an LRU (Least Recently Used) policy, and the memory capacity or the number of keys in the L2 cache region is limited. This provides a two-level cache mechanism of Cache-Redis, so that external online query requests can be answered at the highest speed.
In some embodiments, after a query request from the user side reaches the system, the L2 cache region is queried first for a Key-Value hit. If there is a hit, the Key-Value data cached in the L2 cache region is returned directly; if not, the lookup continues in the Redis storage middleware, which caches the full management and control data and can therefore find the corresponding Key-Value data. In general, the effective caching time of the L2 cache is short, to prevent old management and control data in the L2 cache from still being served after the management and control data of the authority has changed. The effective caching time of the L2 cache can therefore be set to be less than the update period of the management and control data (i.e. less than the period of the second timed task), thereby ensuring that the management and control data is eventually consistent.
Considering that the Redis storage middleware may fail with a small probability, an L3 layer may be provided. The L3 layer provides a fallback policy, either that all sub-objects are visible or that all last-level departments are visible, and applies the fallback according to attribute values of the sub-objects; for example, different fallback policies can be provided for different attribute values such as leaders, human resource managers, first-line employees, and non-first-line employees. This ensures that the online query service can continue to be provided through the fallback policy in the L3 layer when the Redis storage middleware is down or fails. That is, a three-level cache mechanism of Cache-Redis-L3 is provided in this case.
In some embodiments, a version number may be added to all management and control data. That is, the server allocates a version number both to the management and control data acquired for the first time and to the management and control data obtained by each update, and the version number increases monotonically with the generation timestamp of the management and control data: the management and control data acquired for the first time has the smallest version number and the most recently generated management and control data has the largest, so whether management and control data is the latest version can be determined directly from the size of the version number. On this basis, if a client (i.e. an application program) on the user side stores a version number, it can add the stored version number to its next permission query request. In response to any permission query request or resource access request carrying a version number, the server compares the carried version number with the maximum version number of the local management and control data. When the two are the same, the server returns target state information, which indicates that the management and control data is unchanged (for example, the target state information is a status code); no query on the management and control data is needed, which greatly saves the computing resources of the server. Otherwise, when the carried version number differs from the maximum version number of the management and control data, the three-level cache mechanism of Cache-Redis-L3 described above is queried to find the latest management and control data and return it to the client. Adding the version-number level on top of the three-level cache mechanism of Cache-Redis-L3 yields an overall four-level cache mechanism of version number-Cache-Redis-L3, which greatly improves the response speed of the server to permission query requests and saves network bandwidth between the client and the server.
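The lookup order described above (version number, L2 cache, Redis, L3 policy layer), as an added Python example that is not code from the patent. `FakeRedis`, all class and method names, the `NOT_MODIFIED` value and the attribute-to-policy mapping are assumptions made for illustration; each cached row keeps the version it was generated under, so a reply served from a not-yet-expired L2 entry reports that older version rather than the current maximum.

```python
import time
from collections import OrderedDict

NOT_MODIFIED = "NOT_MODIFIED"  # assumed value for the "target state information"

class RedisDown(Exception):
    """Simulated outage of the Redis storage middleware."""

class FakeRedis:
    """In-memory stand-in for Redis holding the full control data."""
    def __init__(self):
        self.rows = {}            # key -> (version, bitmap row)
        self.available = True
    def get(self, key):
        if not self.available:
            raise RedisDown(key)
        return self.rows.get(key)

class L2Cache:
    """Bounded LRU cache whose entries expire after ttl seconds."""
    def __init__(self, max_keys, ttl, clock):
        self.max_keys, self.ttl, self.clock = max_keys, ttl, clock
        self.items = OrderedDict()   # key -> (expires_at, value)
    def get(self, key):
        entry = self.items.get(key)
        if entry is None:
            return None
        expires_at, value = entry
        if self.clock() >= expires_at:   # expired entries are never served
            del self.items[key]
            return None
        self.items.move_to_end(key)      # mark as most recently used
        return value
    def put(self, key, value):
        self.items[key] = (self.clock() + self.ttl, value)
        self.items.move_to_end(key)
        while len(self.items) > self.max_keys:
            self.items.popitem(last=False)   # evict the least recently used key

class PermissionQueryService:
    def __init__(self, redis, fallback_by_attribute, default_fallback,
                 update_period, l2_ttl, l2_max_keys=1024, clock=time.monotonic):
        # The L2 lifetime must stay below the period of the second timed task.
        if l2_ttl >= update_period:
            raise ValueError("L2 TTL must be shorter than the update period")
        self.redis = redis
        self.fallback_by_attribute = fallback_by_attribute
        self.default_fallback = default_fallback
        self.l2 = L2Cache(l2_max_keys, l2_ttl, clock)
        self.max_version = 0

    def publish(self, control_data, version):
        """Result of the offline task: new control data under a larger version."""
        if version <= self.max_version:
            raise ValueError("version numbers must increase monotonically")
        self.redis.rows = {k: (version, row) for k, row in control_data.items()}
        self.max_version = version

    def query(self, member_id, attribute, client_version=None):
        # Version level: an equal version means there is nothing to look up.
        if client_version is not None and client_version == self.max_version:
            return {"source": "version", "status": NOT_MODIFIED}
        # L2 level: local LRU cache.
        hit = self.l2.get(member_id)
        if hit is not None:
            return {"source": "L2", "version": hit[0], "row": hit[1]}
        # Redis level: full control data.
        try:
            found = self.redis.get(member_id)
        except RedisDown:
            # L3 level: fallback policy chosen by the member's attribute value.
            policy = self.fallback_by_attribute.get(attribute, self.default_fallback)
            return {"source": "L3", "version": None, "policy": policy}
        if found is None:
            found = (self.max_version, 0)   # assumption: unknown member, empty row
        self.l2.put(member_id, found)
        return {"source": "Redis", "version": found[0], "row": found[1]}

def demo():
    """Constructed scenario; returns the reply to each request in order."""
    now = [0.0]                              # controllable clock for the example
    redis = FakeRedis()
    svc = PermissionQueryService(
        redis, fallback_by_attribute={"leader": "ALL_VISIBLE"},
        default_fallback="LAST_LEVEL_DEPARTMENT_VISIBLE",
        update_period=1200, l2_ttl=300, clock=lambda: now[0])
    svc.publish({"u1": 0b0110, "u2": 0b0001}, version=1)
    trace = [svc.query("u1", "front_line"),                    # Redis, fills L2
             svc.query("u1", "front_line"),                    # L2 hit
             svc.query("u1", "front_line", client_version=1)]  # unchanged
    svc.publish({"u1": 0b1111, "u2": 0b0001}, version=2)
    trace.append(svc.query("u1", "front_line", client_version=1))  # L2, still v1
    now[0] += 301                                                  # L2 entry expires
    trace.append(svc.query("u1", "front_line", client_version=1))  # Redis, v2
    redis.available = False
    trace.append(svc.query("u2", "leader"))                        # L3 fallback
    return trace
```

In the fourth request of `demo()` the client is answered from L2 with version 1 data after version 2 was published, which is the window the TTL bound keeps shorter than one update period.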
In some embodiments, a flow control policy may be added in the server to rate-limit the request interface that receives permission query requests, so as to prevent the online query service from responding slowly or even becoming unavailable (i.e. going down) because of a sudden increase in traffic.
Fig. 9 is a schematic diagram of an online service architecture for management and control data according to an embodiment of the present disclosure. As shown in fig. 9, it is assumed that a system manages and controls the following 4 types of permissions: under the mechanism of flow control (rate limiting), the server externally provides a multi-level cache mechanism of L3-Cache-Redis, stores the organization structure of the address book in an enterprise in a JSON (JavaScript Object Notation) tree format, caches two fallback policies, all-member visibility and last-level department visibility, and can configure different fallback policies according to different member attribute values. In addition, in the Redis layer, the version number (i.e. timestamp) of each piece of Key-Value data is updated in real time, for example with the following records: u1-updatetime=1, u2-updatetime=2, meaning that the latest version number of sub-object u1 is 1 and that of sub-object u2 is 2. In addition, a mapping relationship between the sub-object ID and the Index may be cached, or a ternary mapping relationship between the sub-object ID, the account ID, and the Index may be cached. Since an Index needs to be allocated to both members and departments, the mapping relationship between the member ID of a member and the member Index may be recorded, such as userid1-index1, userid2-index2, etc., as may the mapping relationship between the department ID of a department and the department Index, such as departmentid1-index1, departmentid2-index2, and the like. Further, 3 bitmaps, that is, the respective management and control data of 3 kinds of permissions, are recorded for the member visibility permission, the member searchable permission, and the department visibility permission, respectively.
At the bottom layer, an asynchronous offline permission calculation task is provided; for this, reference may be made to the description of asynchronous calculation and updating of the management and control data in fig. 8, which is not repeated here.
Fig. 10 is a schematic view of an interaction interface of an application program provided in an embodiment of the present disclosure. As shown in fig. 10, because address book information is displayed in the interaction interface, the client needs to determine the currently visible sub-objects (department sub-objects or member sub-objects) from the management and control data of the visibility permission when the interaction interface is displayed in the application program. Only department sub-objects or member sub-objects that satisfy the visibility permission can be displayed in the interaction interface, which ensures the data security of the address book's department organization structure and member contact information.
Fig. 11 is a schematic view of an interaction interface of an application provided in an embodiment of the present disclosure. As shown in fig. 11, when a certain member X initiates a fuzzy search for a keyword "Y" in the application, the client needs to determine each currently searchable sub-object (member sub-object or department sub-object) from the management and control data of the searchable permission. Only department sub-objects or member sub-objects that satisfy the searchable permission and match the keyword "Y" can be displayed in the search result page, which ensures the data security of the address book's department organization structure and member contact information.
In the process of testing the response time of the system request interface based on this system framework, the response time of the request interface was found to be below 180ms in a peak period, which shows that the current online query service for the management and control data can support a sufficient QPS, i.e. the current system responds quickly to query requests.
The memory-computing-based authority management scheme for communication applications in the above embodiments can handle service scenarios that require fine-grained control of authority and achieves fine-grained control at the sub-object level. The topological relation graph is established by converting the data record format into a graph data format, and NetQL primitives are provided for operating on the sets of the hash table corresponding to the topological relation graph, which can be adapted to various query operations on the topological relation graph. By caching the generated management and control data of the various authorities, read-write separation of the management and control data is achieved online. High availability is achieved through the Redis storage middleware, unlimited capacity expansion is supported based on a producer/consumer architecture, and the server has higher computing efficiency for the management and control data. Because the management and control data of the various authorities is stored in the Redis storage middleware, the multi-level cache mechanism supports a faster response to permission query requests and resource access requests. In addition, the fallback policy further improves the fault tolerance of the server, and the multi-level cache mechanism saves communication overhead and network bandwidth, giving the server higher response performance.
Fig. 12 is a block diagram illustrating a logical structure of an apparatus for acquiring rights information according to an exemplary embodiment. Referring to fig. 12, the apparatus includes a first acquisition unit 1201, a construction unit 1202, and a second acquisition unit 1203.
A first obtaining unit 1201 configured to perform obtaining at least one data record associated with a right of a target object;
a building unit 1202 configured to execute building a topological relation graph based on the at least one data record, where the topological relation graph is used for representing an association relation between an attribute name and an attribute value in each data record;
a second obtaining unit 1203, configured to perform obtaining, based on the business rule information associated with the authority and the topological relation graph, management and control data of the authority, where the management and control data is used to provide an access control policy for a resource associated with the authority.
According to the device provided by the embodiment of the disclosure, by dumping the data records associated with the authority into the corresponding topological relation graph, when the management and control data of the authority is generated, after the business rule information is analyzed into the query operation, the complex cascade query operation is not required to be executed on the data records, but the related query operation can be directly executed on the topological relation graph, namely graph data, so that the calculation efficiency on the management and control data is greatly improved, the limitation of the RBAC model is broken, and the device can be suitable for application scenarios with various jobs and complex business rules.
In one possible embodiment, each of the at least one data record corresponds to a sub-object within the target object, the sub-object including at least one of a department sub-object or a member sub-object;
the topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of a sub-object, and each directed edge corresponds to an attribute name of the attribute value corresponding to the pointed node.
In a possible implementation, the building unit 1202 is configured to perform:
constructing each node in the topological relation graph based on each attribute value in each data record;
and constructing each directed edge connecting different nodes in the topological relation graph based on each attribute name in each data record.
In a possible implementation, based on the apparatus composition of fig. 12, the second acquiring unit 1203 includes:
the analysis subunit is configured to analyze the service rule information to obtain at least one query instruction for the topological relation graph;
the execution subunit is configured to execute the at least one query instruction based on the topological relation graph to obtain at least one query result;
a generating subunit configured to perform generating the governance data based on the at least one query result.
In a possible implementation manner, the topological relation graph is stored in a hash table, wherein a plurality of sets are recorded in the hash table, and each set stores an attribute value of a node in the topological relation graph, an attribute name of a directed edge accessing the node, and attribute values of other nodes connected with the node;
the execution subunit is configured to perform:
and executing corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain at least one query result.
In one possible embodiment, the execution subunit is configured to perform:
for each query instruction, determining a target attribute value carried by the query instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
In one possible embodiment, in a case that a plurality of the target attribute values are carried in the query instruction, the execution subunit is configured to perform:
and executing processing operation matched with the query semantics of the query instruction on a plurality of target sets corresponding to the target attribute values to obtain a query result of the query instruction.
In a possible implementation manner, the management data is stored in a bitmap form, and each element in the bitmap is used for representing whether the index of the row where the element is located has the authority on the index of the column where the element is located;
based on the apparatus composition of fig. 12, the generating subunit includes:
an allocation subunit configured to perform an allocation of a corresponding index to each sub-object in the target object;
and the generating sub-unit is configured to perform assignment on the elements determined by the row where the index associated with each sub-object is located and the columns where the indexes associated with other sub-objects are located based on the at least one query result so as to generate the bitmap.
In one possible embodiment, the sub-objects of the target object comprise at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
the generated bitmap includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
In one possible embodiment, the allocation subunit is configured to perform:
distributing corresponding indexes to each member sub-object, each department sub-object and each application sub-object related to the target object;
the generation subunit is configured to perform:
for each member sub-object, based on the at least one query result, assigning values to elements determined by the row where the index associated with the member sub-object is located and the column where the indexes associated with other sub-objects are located, so as to generate a first bitmap, a second bitmap and a third bitmap of the authority;
each row and each column in the first bitmap correspond to a member sub-object, each row in the second bitmap corresponds to a member sub-object and each column corresponds to a department sub-object, each row in the third bitmap corresponds to a member sub-object and each column corresponds to an application sub-object.
In one possible embodiment, the generating subunit is configured to perform:
when the query result indicates that the sub-object has the right to any other sub-object, assigning the element to be 1 in the bitmap;
when the query result indicates that the sub-object does not have the right to any other sub-object, the element is assigned to 0 in the bitmap.
In a possible embodiment, based on the apparatus composition of fig. 12, the apparatus further comprises:
a dividing unit configured to perform dividing each sub-object in the target object into a plurality of sub-object sets;
the generation subunit configured to perform:
for each computing device in the plurality of computing devices, determining any sub-object set which does not generate the management and control data from the plurality of sub-object sets;
generating part of management and control data corresponding to the sub-object set based on the query result corresponding to the sub-object set in the at least one query result;
and combining the parts of the management and control data generated by the plurality of computing devices to obtain the management and control data.
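The embodiments above, carried through on constructed data as an added Python example (not code from the patent): data records are turned into a hash table of sets, query instructions with several target attribute values become set operations, each sub-object gets an index, and the row/column bitmap is assembled from partial results computed per sub-object set. The sample records, the rule tuples, the `and`/`or`/`minus` operator names and all function names are assumptions for illustration, and the patent's NetQL syntax is not reproduced.

```python
from functools import reduce

# Constructed sample data records, one per member sub-object.
RECORDS = [
    {"id": "u1", "dept": "sales", "role": "leader"},
    {"id": "u2", "dept": "sales", "role": "front_line"},
    {"id": "u3", "dept": "hr", "role": "hr_manager"},
    {"id": "u4", "dept": "rd", "role": "front_line"},
]

ALL_DEPTS = [("dept", "sales"), ("dept", "hr"), ("dept", "rd")]
# Hypothetical parsed business rules as (viewer query, target query) pairs.
# A query is (operator, [(attribute name, attribute value), ...]).
RULES = [
    (("or", [("role", "leader"), ("role", "hr_manager")]), ("or", ALL_DEPTS)),
    (("and", [("dept", "sales"), ("role", "front_line")]), ("or", [("dept", "sales")])),
]

SET_OPS = {"and": set.intersection, "or": set.union, "minus": set.difference}

def build_graph(records):
    """Hash table of sets: (attribute name, attribute value) -> sub-object ids."""
    table = {}
    for rec in records:
        for name, value in rec.items():
            if name != "id":
                table.setdefault((name, value), set()).add(rec["id"])
    return table

def run_query(table, query):
    """Apply the set operation matching the query semantics to the target sets."""
    op, targets = query
    if op not in SET_OPS:
        raise ValueError(f"unsupported operator: {op!r}")
    # An attribute value with no node in the graph matches no sub-object.
    sets = [table.get(t, set()) for t in targets]
    return set(reduce(SET_OPS[op], sets)) if sets else set()

def allocate_indexes(records):
    """Give every sub-object a row/column index."""
    return {rec["id"]: i for i, rec in enumerate(records)}

def partial_rows(table, rules, index, viewers):
    """Bitmap rows for one sub-object set, as one computing device would produce."""
    rows = {index[v]: 0 for v in viewers}          # default: every element is 0
    for viewer_query, target_query in rules:
        mask = 0
        for target in run_query(table, target_query):
            mask |= 1 << index[target]             # column bits set to 1
        for viewer in run_query(table, viewer_query) & viewers:
            rows[index[viewer]] |= mask
    return rows

def build_bitmap(records, rules, n_devices=2):
    """Split the sub-objects into sets, compute each part, then merge the parts."""
    if n_devices < 1:
        raise ValueError("at least one computing device is required")
    table = build_graph(records)
    index = allocate_indexes(records)
    ids = [rec["id"] for rec in records]
    rows = {}
    for device in range(n_devices):                # each pass stands in for a device
        rows.update(partial_rows(table, rules, index, set(ids[device::n_devices])))
    return index, [rows[i] for i in range(len(ids))]

def has_right(index, bitmap, viewer, target):
    """Element (row of viewer, column of target); unknown ids have no right."""
    if viewer not in index or target not in index:
        return False
    return bool((bitmap[index[viewer]] >> index[target]) & 1)

if __name__ == "__main__":
    idx, bm = build_bitmap(RECORDS, RULES)
    for member, i in idx.items():
        print(member, format(bm[i], "04b"))
```

Each row is held as an integer whose bit j is the element in column j, so the merged result does not depend on how the sub-objects were split across devices.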
In a possible embodiment, based on the apparatus composition of fig. 12, the apparatus further comprises:
the third acquisition unit is configured to acquire, at every target time interval, the update instructions associated with the authority that were received within the target time interval, wherein an update instruction is used for changing at least one of a data record or business rule information associated with the authority of the target object;
the building unit 1202 is further configured to execute updating the topological relation graph based on the updating instruction;
the second obtaining unit 1203 is further configured to update the management and control data of the authority based on the updated topological relation diagram.
In a possible embodiment, based on the apparatus composition of fig. 12, the apparatus further comprises:
the allocation unit is configured to allocate a version number to the management and control data acquired for the first time and the management and control data obtained by updating each time, wherein the version number is monotonically increased with a generation timestamp of the management and control data;
and the return unit is configured to, in response to any permission query request carrying a version number, return target state information when the carried version number is the same as the maximum version number of the management and control data, the target state information being used for representing that the management and control data is unchanged.
All the above optional technical solutions may be combined arbitrarily to form the optional embodiments of the present disclosure, and are not described herein again.
With regard to the apparatuses in the above-described embodiments, the specific manner in which each unit performs operations has been described in detail in the embodiments of the acquisition method related to the authority information, and will not be elaborated here.
Fig. 13 shows a block diagram of a computer device according to an exemplary embodiment of the present disclosure, where the computer device is a terminal or a server, and a terminal 1300 is taken as an example. The terminal 1300 may be: a smart phone, a tablet computer, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a notebook computer, or a desktop computer. Terminal 1300 may also be referred to by other names such as user equipment, portable terminal, laptop terminal, desktop terminal, etc.
In general, terminal 1300 includes: a processor 1301 and a memory 1302.
Processor 1301 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. The processor 1301 may be implemented in at least one hardware form of a DSP (Digital Signal Processing), an FPGA (Field-Programmable Gate Array), and a PLA (Programmable Logic Array). The processor 1301 may also include a main processor and a coprocessor, where the main processor is a processor for Processing data in an awake state, and is also referred to as a Central Processing Unit (CPU); a coprocessor is a low power processor for processing data in a standby state. In some embodiments, the processor 1301 may be integrated with a GPU (Graphics Processing Unit), which is responsible for rendering and drawing content that the display screen needs to display. In some embodiments, processor 1301 may further include an AI (Artificial Intelligence) processor for processing computational operations related to machine learning.
Memory 1302 may include one or more computer-readable storage media, which may be non-transitory. The memory 1302 may also include high speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in the memory 1302 is used to store at least one instruction for execution by the processor 1301 to implement the method of obtaining rights information provided by various embodiments of the present disclosure.
In some embodiments, terminal 1300 may further optionally include: a peripheral interface 1303 and at least one peripheral. Processor 1301, memory 1302, and peripheral interface 1303 may be connected by a bus or signal line. Each peripheral device may be connected to the peripheral device interface 1303 via a bus, signal line, or circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1304, touch display 1305, camera assembly 1306, audio circuitry 1307, positioning assembly 1308, and power supply 1309.
Peripheral interface 1303 may be used to connect at least one peripheral associated with I/O (Input/Output) to processor 1301 and memory 1302. In some embodiments, processor 1301, memory 1302, and peripheral interface 1303 are integrated on the same chip or circuit board; in some other embodiments, any one or two of the processor 1301, the memory 1302, and the peripheral device interface 1303 may be implemented on a separate chip or circuit board, which is not limited in this embodiment.
The Radio Frequency circuit 1304 is used to receive and transmit RF (Radio Frequency) signals, also called electromagnetic signals. The radio frequency circuitry 1304 communicates with communication networks and other communication devices via electromagnetic signals. The radio frequency circuit 1304 converts an electrical signal into an electromagnetic signal to transmit, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 1304 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuitry 1304 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocols include, but are not limited to: metropolitan area networks, various generation mobile communication networks (2G, 3G, 4G, and 5G), Wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 1304 may also include NFC (Near Field Communication) related circuits, which are not limited by this disclosure.
The display screen 1305 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display screen 1305 is a touch display screen, the display screen 1305 also has the ability to capture touch signals on or over the surface of the display screen 1305. The touch signal may be input to the processor 1301 as a control signal for processing. At this point, the display 1305 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, display 1305 may be one, providing the front panel of terminal 1300; in other embodiments, display 1305 may be at least two, either on different surfaces of terminal 1300 or in a folded design; in still other embodiments, display 1305 may be a flexible display disposed on a curved surface or on a folded surface of terminal 1300. Even further, the display 1305 may be arranged in a non-rectangular irregular figure, i.e., a shaped screen. The Display 1305 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode), or the like.
The camera assembly 1306 is used to capture images or video. Optionally, camera assembly 1306 includes a front camera and a rear camera. Generally, a front camera is disposed at a front panel of the terminal, and a rear camera is disposed at a rear surface of the terminal. In some embodiments, the number of the rear cameras is at least two, and each rear camera is any one of a main camera, a depth-of-field camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth-of-field camera are fused to realize a background blurring function, and the main camera and the wide-angle camera are fused to realize panoramic shooting and VR (Virtual Reality) shooting functions or other fusion shooting functions. In some embodiments, camera assembly 1306 may also include a flash. The flash lamp can be a monochrome temperature flash lamp or a bicolor temperature flash lamp. The double-color-temperature flash lamp is a combination of a warm-light flash lamp and a cold-light flash lamp, and can be used for light compensation at different color temperatures.
The audio circuit 1307 may include a microphone and a speaker. The microphone is used for collecting sound waves of a user and the environment, converting the sound waves into electric signals, and inputting the electric signals to the processor 1301 for processing, or inputting the electric signals to the radio frequency circuit 1304 for realizing voice communication. For stereo capture or noise reduction purposes, multiple microphones may be provided, each at a different location of terminal 1300. The microphone may also be an array microphone or an omni-directional pick-up microphone. The speaker is used to convert electrical signals from the processor 1301 or the radio frequency circuitry 1304 into sound waves. The loudspeaker can be a traditional film loudspeaker or a piezoelectric ceramic loudspeaker. When the speaker is a piezoelectric ceramic speaker, the speaker can be used for purposes such as converting an electric signal into a sound wave audible to a human being, or converting an electric signal into a sound wave inaudible to a human being to measure a distance. In some embodiments, audio circuitry 1307 may also include a headphone jack.
The positioning component 1308 is used for positioning the current geographic position of the terminal 1300 for implementing navigation or LBS (Location Based Service). The positioning component 1308 can be a positioning component based on the GPS (Global Positioning System) of the United States, the BeiDou System of China, the GLONASS System of Russia, or the Galileo System of the European Union.
Power supply 1309 is used to provide power to various components in terminal 1300. The power source 1309 may be alternating current, direct current, disposable or rechargeable. When the power source 1309 comprises a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, terminal 1300 also includes one or more sensors 1310. The one or more sensors 1310 include, but are not limited to: acceleration sensor 1311, gyro sensor 1312, pressure sensor 1313, fingerprint sensor 1314, optical sensor 1315, and proximity sensor 1316.
The acceleration sensor 1311 can detect the magnitude of acceleration on three coordinate axes of the coordinate system established with the terminal 1300. For example, the acceleration sensor 1311 may be used to detect components of gravitational acceleration in three coordinate axes. The processor 1301 may control the touch display screen 1305 to display the user interface in a landscape view or a portrait view according to the gravitational acceleration signal collected by the acceleration sensor 1311. The acceleration sensor 1311 may also be used for acquisition of motion data of a game or a user.
The gyro sensor 1312 may detect the body direction and the rotation angle of the terminal 1300, and the gyro sensor 1312 may cooperate with the acceleration sensor 1311 to acquire a 3D motion of the user with respect to the terminal 1300. Processor 1301, based on the data collected by gyroscope sensor 1312, may perform the following functions: motion sensing (such as changing the UI according to a user's tilting operation), image stabilization at the time of photographing, game control, and inertial navigation.
Pressure sensor 1313 may be disposed on a side bezel of terminal 1300 and/or underlying touch display 1305. When the pressure sensor 1313 is disposed on the side frame of the terminal 1300, a user's holding signal to the terminal 1300 may be detected, and the processor 1301 performs left-right hand recognition or shortcut operation according to the holding signal acquired by the pressure sensor 1313. When the pressure sensor 1313 is disposed at a lower layer of the touch display screen 1305, the processor 1301 controls an operability control on the UI interface according to a pressure operation of the user on the touch display screen 1305. The operability control comprises at least one of a button control, a scroll bar control, an icon control and a menu control.
The fingerprint sensor 1314 is used for collecting the fingerprint of the user, and the processor 1301 identifies the identity of the user according to the fingerprint collected by the fingerprint sensor 1314, or the fingerprint sensor 1314 identifies the identity of the user according to the collected fingerprint. When the identity of the user is identified as a trusted identity, the processor 1301 authorizes the user to perform relevant sensitive operations, including unlocking a screen, viewing encrypted information, downloading software, paying, changing settings, and the like. The fingerprint sensor 1314 may be disposed on the front, back, or side of the terminal 1300. When a physical button or vendor Logo is provided on the terminal 1300, the fingerprint sensor 1314 may be integrated with the physical button or vendor Logo.
The optical sensor 1315 is used to collect the ambient light intensity. In one embodiment, the processor 1301 can control the display brightness of the touch display screen 1305 according to the intensity of the ambient light collected by the optical sensor 1315. Specifically, when the ambient light intensity is high, the display brightness of the touch display screen 1305 is increased; when the ambient light intensity is low, the display brightness of the touch display 1305 is turned down. In another embodiment, the processor 1301 can also dynamically adjust the shooting parameters of the camera assembly 1306 according to the ambient light intensity collected by the optical sensor 1315.
Proximity sensor 1316, also known as a distance sensor, is typically disposed on a front panel of terminal 1300. Proximity sensor 1316 is used to measure the distance between the user and the front face of terminal 1300. In one embodiment, when the proximity sensor 1316 detects that the distance between the user and the front face of the terminal 1300 gradually decreases, the processor 1301 controls the touch display 1305 to switch from the bright screen state to the dark screen state; when the proximity sensor 1316 detects that the distance between the user and the front face of the terminal 1300 gradually increases, the processor 1301 controls the touch display 1305 to switch from the dark screen state to the bright screen state.
Those skilled in the art will appreciate that the configuration shown in fig. 13 does not limit terminal 1300, which may include more or fewer components than those shown, may combine some components, or may employ a different arrangement of components.
Fig. 14 is a schematic structural diagram of a computer device provided in an embodiment of the present disclosure. The computer device 1400 may vary considerably depending on its configuration or performance, and may include one or more processors (CPUs) 1401 and one or more memories 1402, where the memory 1402 stores at least one program code, and the at least one program code is loaded and executed by the processors 1401 to implement the method for acquiring authority information provided in the foregoing embodiments. Of course, the computer device 1400 may further have components such as a wired or wireless network interface, a keyboard, and an input/output interface for input and output, and may further include other components for implementing device functions, which are not described herein again.
In an exemplary embodiment, a computer-readable storage medium including at least one instruction, for example, a memory including at least one instruction, is further provided, where the at least one instruction is executable by a processor in a computer device to perform the method for acquiring authority information in the above-described embodiments. Optionally, the computer-readable storage medium may be a non-transitory computer-readable storage medium, and the non-transitory computer-readable storage medium may include, for example, a ROM (Read-Only Memory), a RAM (Random-Access Memory), a CD-ROM (Compact Disc Read-Only Memory), a magnetic tape, a floppy disk, an optical data storage device, and the like.
In an exemplary embodiment, a computer program product is further provided, which includes one or more instructions that can be executed by a processor of a computer device to implement the method for acquiring authority information provided in the foregoing embodiments.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. A method for acquiring authority information, comprising:
acquiring at least one data record associated with the authority of the target object;
constructing a topological relation graph based on the at least one data record, wherein the topological relation graph is used for representing the association relation between the attribute name and the attribute value in each data record;
and acquiring management and control data of the authority based on the service rule information associated with the authority and the topological relation graph, wherein the management and control data is used for providing an access control strategy for the resource associated with the authority.
2. The method for acquiring authority information according to claim 1, wherein each data record in the at least one data record corresponds to a sub-object in the target object;
the topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of a sub-object, and each directed edge corresponds to an attribute name of the attribute value corresponding to the pointed node.
3. The method for acquiring authority information according to claim 2, wherein the constructing a topological relation graph based on the at least one data record comprises:
constructing each node in the topological relation graph based on each attribute value in each data record;
and constructing each directed edge connecting different nodes in the topological relation graph based on each attribute name in each data record.
4. The method for acquiring authority information according to claim 1, wherein the acquiring the management and control data of the authority based on the service rule information associated with the authority and the topological relation graph includes:
analyzing the service rule information to obtain at least one query instruction for the topological relation graph;
executing the at least one query instruction based on the topological relation graph to obtain at least one query result;
generating the management and control data based on the at least one query result.
5. The method for acquiring authority information according to claim 4, wherein the topological relation graph is stored in a hash table, wherein a plurality of sets are recorded in the hash table, and each set stores an attribute value of a node in the topological relation graph, an attribute name of a directed edge accessing the node, and attribute values of other nodes connected to the node;
the executing the at least one query instruction based on the topological relation graph to obtain at least one query result comprises:
and executing corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain at least one query result.
6. The method for acquiring authority information according to claim 5, wherein the performing, based on the at least one query instruction, corresponding processing operations on the respective sets in the hash table to obtain the at least one query result includes:
for each query instruction, determining a target attribute value carried by the query instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
7. An apparatus for acquiring authority information, comprising:
a first acquisition unit configured to perform acquisition of at least one data record associated with a right of a target object;
the building unit is configured to execute building of a topological relation graph based on the at least one data record, wherein the topological relation graph is used for representing the association relation between the attribute name and the attribute value in each data record;
and the second acquisition unit is configured to execute the acquisition of management and control data of the authority based on the service rule information associated with the authority and the topological relation graph, wherein the management and control data is used for providing an access control strategy for the resource associated with the authority.
8. A computer device, comprising:
one or more processors;
one or more memories for storing the one or more processor-executable instructions;
wherein the one or more processors are configured to execute the instructions to implement the method for acquiring authority information of any one of claims 1 to 6.
9. A computer-readable storage medium, wherein at least one instruction of the computer-readable storage medium, when executed by one or more processors of a computer device, enables the computer device to perform the method for acquiring authority information of any one of claims 1 to 6.
10. A computer program product comprising one or more instructions for execution by one or more processors of a computer device to enable the computer device to perform the method for acquiring authority information of any one of claims 1 to 6.
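The procedure of claims 1 to 6, sketched in Python as an added example that is not code from the patent: records are indexed into a hash table of sets, a business rule is parsed into query instructions, and the query results become default-deny control data. The record fields, the rule format (`all_of` / `none_of`), the set operations and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample records: one per sub-object (here, a user) of the target object.
RECORDS = [
    {"id": "u1", "department": "payments", "role": "engineer", "region": "cn-north"},
    {"id": "u2", "department": "payments", "role": "auditor", "region": "cn-north"},
    {"id": "u3", "department": "search", "role": "engineer", "region": "cn-south"},
    {"id": "u4", "department": "payments", "role": "engineer", "region": "cn-south"},
]

def build_graph(records, key="id"):
    """Hash table of sets: (attribute name, attribute value) -> sub-object ids.

    Each key is a node (attribute value) plus the name of the directed edge
    that reaches it; the set holds the sub-object nodes connected to it.
    """
    table = defaultdict(set)
    for rec in records:
        for name, value in rec.items():
            if name != key:
                table[(name, value)].add(rec[key])
    return table

def parse_rule(rule):
    """Turn a rule into query instructions (assumed format: all_of / none_of)."""
    queries = [("require", n, v) for n, v in rule.get("all_of", [])]
    queries += [("exclude", n, v) for n, v in rule.get("none_of", [])]
    # Fail closed: a rule with no positive condition must not match everyone.
    if not any(op == "require" for op, _, _ in queries):
        raise ValueError("rule must require at least one attribute value")
    return queries

def run_queries(table, queries):
    """Look up the target set of each instruction, then combine the results."""
    allowed = None
    for op, name, value in queries:
        if op == "require":
            # .get() avoids creating entries; an unknown value yields the empty set.
            target = table.get((name, value), set())
            allowed = set(target) if allowed is None else allowed & target
    for op, name, value in queries:
        if op == "exclude":
            allowed -= table.get((name, value), set())
    return allowed

def control_data(table, permission, rule):
    """Control data for one permission: explicit allow list, everything else denied."""
    allowed = run_queries(table, parse_rule(rule))
    return {"permission": permission, "allow": sorted(allowed), "default": "deny"}
```

An attribute value that appears in no record resolves to an empty target set, so a rule that names it grants access to nobody rather than to everybody.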
CN202111506120.5A 2021-12-10 2021-12-10 Authority information acquisition method and device, computer equipment and storage medium Active CN114244595B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111506120.5A CN114244595B (en) 2021-12-10 2021-12-10 Authority information acquisition method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114244595A true CN114244595A (en) 2022-03-25
CN114244595B CN114244595B (en) 2024-03-12

Family

ID=80754637

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111506120.5A Active CN114244595B (en) 2021-12-10 2021-12-10 Authority information acquisition method and device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114244595B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant