CN114244595B - Authority information acquisition method and device, computer equipment and storage medium - Google Patents


Info

Publication number: CN114244595B
Authority: CN (China)
Prior art keywords: sub, management, authority, control data, target
Legal status: Active
Application number: CN202111506120.5A
Other languages: Chinese (zh)
Other versions: CN114244595A
Inventors: 马晨明, 董勇, 单荣杨
Current assignee: Beijing Dajia Internet Information Technology Co Ltd
Original assignee: Beijing Dajia Internet Information Technology Co Ltd
Application filed by Beijing Dajia Internet Information Technology Co Ltd; priority to CN202111506120.5A; published as CN114244595A; granted and published as CN114244595B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/12 Discovery or management of network topologies

Abstract

The disclosure relates to a method, a device, computer equipment and a storage medium for acquiring authority information, and belongs to the technical field of networks. The method comprises the following steps: acquiring at least one data record associated with the authority of a target object; constructing a topological relation diagram based on the at least one data record; and acquiring management and control data of the authority based on the business rule information associated with the authority and the topological relation diagram. Because the data records associated with the authority are exported into a corresponding topological relation diagram, once the business rule information has been parsed into query operations, generating the management and control data of the authority no longer requires complex cascaded queries over the data records; the queries run directly on the topological relation diagram, i.e. on graph data. This greatly improves the computational efficiency of the management and control data, overcomes the limitations of the RBAC model, and makes the method and device applicable to application scenarios with many roles and complex business rules.

Description

Authority information acquisition method and device, computer equipment and storage medium
Technical Field
The disclosure relates to the field of network technologies, and in particular, to a method and device for acquiring authority information, a computer device and a storage medium.
Background
With the development of internet technology, some communication applications commonly use a Role-Based Access Control (RBAC) model to assign rights to the accounts of individual users. For example, in an enterprise communication application a series of roles (such as job positions) is typically created for each enterprise and different access control rights are configured for each role; once a correspondence between each user account and a role is established, the account acquires the access control rights configured for that role. The RBAC model only supports creating a small number of roles (usually 10-20), and manual assistance is needed when roles are created, so it cannot be applied to scenarios with many roles and complex business rules.
Disclosure of Invention
The disclosure provides a method, a device, a computer device and a storage medium for acquiring authority information, so as to at least provide an authority management and control scheme suitable for scenarios with many roles and complex business rules. The technical scheme of the present disclosure is as follows:
According to one aspect of the embodiments of the present disclosure, there is provided a method for acquiring rights information, including:
acquiring at least one data record associated with the authority of a target object;
constructing a topological relation diagram based on the at least one data record, wherein the topological relation diagram represents the association between attribute names and attribute values in each data record;
and acquiring management and control data of the authority based on the business rule information associated with the authority and the topological relation diagram, wherein the management and control data provides an access control policy for the resources associated with the authority.
In one possible implementation, each of the at least one data record corresponds to a sub-object within the target object;
the topological relation graph comprises a plurality of nodes, and nodes that stand in a topological relation are connected by directed edges, wherein each node corresponds to an attribute value of one sub-object and each directed edge corresponds to the attribute name of the attribute value held by the node it points to.
In one possible implementation, constructing the topological relation diagram based on the at least one data record includes:
constructing each node in the topological relation diagram from each attribute value in each data record;
and constructing each directed edge connecting different nodes in the topological relation diagram from each attribute name in each data record.
In one possible implementation, obtaining the management and control data of the authority based on the business rule information associated with the authority and the topological relation diagram includes:
parsing the business rule information to obtain at least one query instruction for the topological relation diagram;
executing the at least one query instruction on the topological relation diagram to obtain at least one query result;
and generating the management and control data based on the at least one query result.
In one possible implementation, the topological relation diagram is stored in the form of a hash table in which a plurality of sets are recorded, and each set stores the attribute value of one node in the topological relation diagram, the attribute name of the directed edge entering that node, and the attribute values of the other nodes connected to that node;
and executing the at least one query instruction on the topological relation diagram to obtain at least one query result includes:
executing, based on the at least one query instruction, the corresponding processing operation on each set in the hash table to obtain the at least one query result.
In one possible implementation, executing the corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain the at least one query result includes:
for each query instruction, determining the target attribute value carried by the query instruction;
and obtaining the query result of the query instruction based on the target set corresponding to the target attribute value in the hash table, wherein the target set represents every sub-object that has the target attribute value.
In one possible implementation, where the query instruction carries a plurality of target attribute values, obtaining the query result of the query instruction based on the target sets corresponding to the target attribute values in the hash table includes:
executing, on the target sets corresponding to the target attribute values, the processing operation matching the query semantics of the query instruction to obtain the query result of the query instruction.
In one possible implementation, the management and control data is stored in the form of a bitmap, and each element of the bitmap represents whether the index of the row in which the element lies has the right over the index of the column in which the element lies;
and generating the management and control data based on the at least one query result includes:
allocating a corresponding index to each sub-object in the target object;
and assigning values, based on the at least one query result, to the elements determined by the row of the index associated with each sub-object and the column of the index associated with the other sub-objects, so as to generate the bitmap.
In one possible implementation, the sub-objects of the target object include at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
and the generated bitmap includes at least one of: a bitmap corresponding to the member sub-objects, a bitmap corresponding to the member sub-objects and the department sub-objects, or a bitmap corresponding to the member sub-objects and the application sub-objects.
In one possible implementation, allocating a corresponding index to each sub-object in the target object includes:
allocating a corresponding index to each member sub-object, each department sub-object and each application sub-object associated with the target object;
and assigning values, based on the at least one query result, to the elements determined by the row of the index associated with each sub-object and the column of the index associated with the other sub-objects so as to generate the bitmap includes:
assigning values, based on the at least one query result, to the elements determined by the row of the index associated with a member sub-object and the column of the index associated with the other sub-objects, so as to generate a first bitmap, a second bitmap and a third bitmap of the authority;
wherein each row and each column of the first bitmap corresponds to one member sub-object; each row of the second bitmap corresponds to one member sub-object and each column to one department sub-object; and each row of the third bitmap corresponds to one member sub-object and each column to one application sub-object.
In one possible implementation, assigning values to the elements determined by the row of the index associated with each sub-object and the column of the index associated with the other sub-objects includes:
when the query result indicates that the sub-object has the right over any other sub-object, setting the element to 1 in the bitmap;
and when the query result indicates that the sub-object does not have the right over that other sub-object, setting the element to 0 in the bitmap.
In one possible embodiment, the method further comprises:
dividing the sub-objects of the target object into a plurality of sub-object sets;
and generating the management and control data based on the at least one query result includes:
determining, for each computing device of a plurality of computing devices, any sub-object set from the plurality of sub-object sets for which the management and control data has not yet been generated;
generating the partial management and control data corresponding to that sub-object set based on the query results for that sub-object set among the at least one query result;
and merging the partial management and control data generated by the plurality of computing devices to obtain the management and control data.
In one possible embodiment, the method further comprises:
at every interval of a target duration, acquiring the update instructions associated with the authority that were received within the target duration, wherein an update instruction changes at least one of the data records or the business rule information associated with the authority of the target object;
updating the topological relation diagram based on the update instructions;
and updating the management and control data of the authority based on the updated topological relation diagram.
In one possible embodiment, the method further comprises:
allocating version numbers to the management and control data obtained on first acquisition and to the management and control data obtained by each update, wherein the version numbers increase monotonically with the generation timestamps of the management and control data;
and, in response to the version number carried in any authority query request, returning target state information when the carried version number equals the maximum version number of the management and control data, wherein the target state information represents that the management and control data has not changed.
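The following is an added example (not code from the patent or its assignee) showing how the pieces of the method above fit together: the topological relation graph kept as a hash table of sets, business rules parsed into query instructions that run as set operations on those sets, a member-by-member bitmap assembled from partial bitmaps computed per sub-object set and merged, and a version-numbered snapshot that answers "unchanged" when the caller already holds the latest version. The records, rules and the tiny AND/OR/ANDNOT rule grammar are constructed for the example and stand in for the patent's data records and NetQL.

```python
# Constructed sample data records (not from the patent): one record per member
# sub-object of the target object; attribute name -> attribute value.
RECORDS = [
    {"id": "m1", "dept": "sales", "level": "manager", "region": "cn"},
    {"id": "m2", "dept": "sales", "level": "staff", "region": "cn"},
    {"id": "m3", "dept": "rnd", "level": "staff", "region": "us"},
    {"id": "m4", "dept": "rnd", "level": "manager", "region": "cn"},
]
# Constructed business rule information: (viewer rule, target rule) pairs.
# Members matching the viewer rule hold the right over members matching the
# target rule. Terms "name=value" are joined by AND / OR / ANDNOT, evaluated
# left to right (an assumed mini-grammar standing in for the patent's NetQL).
RULES = [
    ("dept=sales", "dept=sales"),
    ("level=manager", "region=cn"),
    ("dept=rnd AND level=staff", "dept=rnd"),
]

def build_graph(records):
    """Hash-table form of the graph: key = (attribute name, attribute value), i.e.
    a directed edge plus its node; value = set of sub-objects carrying that value."""
    graph = {}
    for rec in records:
        for name, value in rec.items():
            if name != "id":
                graph.setdefault((name, value), set()).add(rec["id"])
    return graph

def parse_rule(rule):
    """Parse rule text into query instructions: a list of (op, name, value)."""
    instructions, op = [], "AND"
    for tok in rule.split():
        if tok in ("AND", "OR", "ANDNOT"):
            op = tok
        else:
            name, value = tok.split("=", 1)
            instructions.append((op, name, value))
    return instructions

def run_query(graph, instructions, universe):
    """Execute the instructions as set operations on the hash-table sets."""
    result = None
    for op, name, value in instructions:
        target = graph.get((name, value), set())
        if result is None:
            result = universe - target if op == "ANDNOT" else set(target)
        elif op == "AND":
            result &= target
        elif op == "OR":
            result |= target
        else:  # ANDNOT
            result -= target
    return result or set()

def generate_partial(graph, index, rules, viewer_shard):
    """Partial bitmap computed by one device for the sub-object set viewer_shard:
    row r is an int whose bit c is 1 when member r has the right over member c."""
    universe = set(index)
    rows = {index[m]: 0 for m in viewer_shard}
    for viewer_rule, target_rule in rules:
        viewers = run_query(graph, parse_rule(viewer_rule), universe)
        targets = run_query(graph, parse_rule(target_rule), universe)
        mask = sum(1 << index[t] for t in targets)
        for v in viewers & set(viewer_shard):
            rows[index[v]] |= mask
    return rows

def generate_bitmap(records, rules, shards):
    """Build the graph, allocate an index per member, let each shard produce its
    partial bitmap, then merge the partials into the full bitmap."""
    graph = build_graph(records)
    index = {rec["id"]: i for i, rec in enumerate(records)}
    rows = [0] * len(index)
    for shard in shards:
        for r, bits in generate_partial(graph, index, rules, shard).items():
            rows[r] |= bits
    return index, rows

def has_right(index, rows, subject, obj):
    """Bitmap lookup: 1 if `subject` holds the right over `obj`, else 0."""
    return (rows[index[subject]] >> index[obj]) & 1

class SnapshotStore:
    """Versioned snapshots: the version number rises with every publish, and a
    query that already carries the latest version is answered 'unchanged'."""
    def __init__(self):
        self.version, self.snapshot = 0, None

    def publish(self, index, rows):
        self.version += 1
        self.snapshot = (index, rows)
        return self.version

    def lookup(self, client_version):
        if client_version == self.version:
            return "unchanged", None
        return self.version, self.snapshot
```

With the constructed data, member m3 can see m4 but m4 cannot see m3, which is the one-way right the patent's bitmap (row index has the right over column index) is designed to express.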
According to another aspect of the embodiments of the present disclosure, there is provided an apparatus for acquiring rights information, including:
a first acquisition unit configured to acquire at least one data record associated with the authority of a target object;
a construction unit configured to construct a topological relation diagram based on the at least one data record, wherein the topological relation diagram represents the association between attribute names and attribute values in each data record;
and a second acquisition unit configured to acquire management and control data of the authority based on the business rule information associated with the authority and the topological relation diagram, wherein the management and control data provides an access control policy for the resources associated with the authority.
In one possible implementation, each of the at least one data record corresponds to a sub-object within the target object;
the topological relation graph comprises a plurality of nodes, and nodes that stand in a topological relation are connected by directed edges, wherein each node corresponds to an attribute value of one sub-object and each directed edge corresponds to the attribute name of the attribute value held by the node it points to.
In one possible implementation, the construction unit is configured to:
construct each node in the topological relation diagram from each attribute value in each data record;
and construct each directed edge connecting different nodes in the topological relation diagram from each attribute name in each data record.
In one possible embodiment, the second acquisition unit includes:
a parsing subunit configured to parse the business rule information to obtain at least one query instruction for the topological relation diagram;
an execution subunit configured to execute the at least one query instruction on the topological relation diagram to obtain at least one query result;
and a generation subunit configured to generate the management and control data based on the at least one query result.
In one possible implementation, the topological relation diagram is stored in the form of a hash table in which a plurality of sets are recorded, and each set stores the attribute value of one node in the topological relation diagram, the attribute name of the directed edge entering that node, and the attribute values of the other nodes connected to that node;
and the execution subunit is configured to:
execute, based on the at least one query instruction, the corresponding processing operation on each set in the hash table to obtain the at least one query result.
In one possible implementation, the execution subunit is configured to:
for each query instruction, determine the target attribute value carried by the query instruction;
and obtain the query result of the query instruction based on the target set corresponding to the target attribute value in the hash table, wherein the target set represents every sub-object that has the target attribute value.
In one possible implementation, where the query instruction carries a plurality of target attribute values, the execution subunit is configured to:
execute, on the target sets corresponding to the target attribute values, the processing operation matching the query semantics of the query instruction to obtain the query result of the query instruction.
In one possible implementation, the management and control data is stored in the form of a bitmap, and each element of the bitmap represents whether the index of the row in which the element lies has the right over the index of the column in which the element lies;
and the generation subunit includes:
an allocation subunit configured to allocate a corresponding index to each sub-object in the target object;
and a generating subunit configured to assign values, based on the at least one query result, to the elements determined by the row of the index associated with each sub-object and the column of the index associated with the other sub-objects, so as to generate the bitmap.
In one possible implementation, the sub-objects of the target object include at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
and the generated bitmap includes at least one of: a bitmap corresponding to the member sub-objects, a bitmap corresponding to the member sub-objects and the department sub-objects, or a bitmap corresponding to the member sub-objects and the application sub-objects.
In one possible implementation, the allocation subunit is configured to:
allocate a corresponding index to each member sub-object, each department sub-object and each application sub-object associated with the target object;
and the generating subunit is configured to:
assign values, based on the at least one query result, to the elements determined by the row of the index associated with a member sub-object and the column of the index associated with the other sub-objects, so as to generate a first bitmap, a second bitmap and a third bitmap of the authority;
wherein each row and each column of the first bitmap corresponds to one member sub-object; each row of the second bitmap corresponds to one member sub-object and each column to one department sub-object; and each row of the third bitmap corresponds to one member sub-object and each column to one application sub-object.
In one possible implementation, the generating subunit is configured to:
set the element to 1 in the bitmap when the query result indicates that the sub-object has the right over any other sub-object;
and set the element to 0 in the bitmap when the query result indicates that the sub-object does not have the right over that other sub-object.
In one possible embodiment, the apparatus further comprises:
a dividing unit configured to divide the sub-objects of the target object into a plurality of sub-object sets;
and the generation subunit is configured to:
determine, for each computing device of a plurality of computing devices, any sub-object set from the plurality of sub-object sets for which the management and control data has not yet been generated;
generate the partial management and control data corresponding to that sub-object set based on the query results for that sub-object set among the at least one query result;
and merge the partial management and control data generated by the plurality of computing devices to obtain the management and control data.
In one possible embodiment, the apparatus further comprises:
a third acquisition unit configured to acquire, at every interval of a target duration, the update instructions associated with the authority that were received within the target duration, wherein an update instruction changes at least one of the data records or the business rule information associated with the authority of the target object;
the construction unit is further configured to update the topological relation graph based on the update instructions;
and the second acquisition unit is further configured to update the management and control data of the authority based on the updated topological relation diagram.
In one possible embodiment, the apparatus further comprises:
a distribution unit configured to assign version numbers to the management and control data acquired for the first time and to the management and control data obtained by each update, wherein the version numbers increase monotonically with the generation timestamps of the management and control data;
and a return unit configured to, in response to the version number carried in any authority query request, return target state information when the carried version number equals the maximum version number of the management and control data, wherein the target state information represents that the management and control data has not changed.
According to another aspect of the disclosed embodiments, there is provided a computer apparatus comprising:
one or more processors;
one or more memories for storing the one or more processor-executable instructions;
wherein the one or more processors are configured to perform the method for obtaining rights information in any of the possible implementations of the aspect described above.
According to another aspect of the disclosed embodiments, there is provided a computer-readable storage medium, at least one instruction of which, when executed by one or more processors of a computer device, enables the computer device to perform the method of obtaining rights information in any one of the possible implementations of the above aspect.
According to another aspect of the disclosed embodiments, there is provided a computer program product comprising one or more instructions executable by one or more processors of a computer device to enable the computer device to perform the method of obtaining rights information in any one of the possible implementations of the above aspect.
The technical scheme provided by the embodiments of the disclosure brings at least the following beneficial effects:
by exporting the data records associated with the authority into a corresponding topological relation diagram, once the business rule information has been parsed into query operations, generating the management and control data of the authority no longer requires complex cascaded queries over the data records; the queries run directly on the topological relation diagram, i.e. on graph data. This greatly improves the computational efficiency of the management and control data, overcomes the limitation of the RBAC model, and makes the method suitable for application scenarios with many roles and complex business rules.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure and do not constitute an undue limitation on the disclosure.
FIG. 1 is a schematic diagram of an implementation environment of a method for acquiring rights information, according to an exemplary embodiment;
FIG. 2 is a flowchart illustrating a method of obtaining rights information in accordance with an exemplary embodiment;
FIG. 3 is a flowchart illustrating a method of obtaining rights information in accordance with an exemplary embodiment;
FIG. 4 is a schematic illustration of a topology graph provided by an embodiment of the present disclosure;
FIG. 5 is a schematic architecture diagram of a network topology system based on in-memory computation according to an embodiment of the present disclosure;
FIG. 6 is a schematic diagram of a bitmap of management and control data provided by an embodiment of the present disclosure;
FIG. 7 is a schematic diagram of a storage format of management data for a single child object provided by an embodiment of the present disclosure;
FIG. 8 is a business update flow chart of rights calculation and storage provided by an embodiment of the present disclosure;
FIG. 9 is a schematic diagram of an online service architecture for managing data according to an embodiment of the present disclosure;
FIG. 10 is a schematic diagram of an interactive interface of an application provided by an embodiment of the present disclosure;
FIG. 11 is a schematic diagram of an interactive interface of an application provided by an embodiment of the present disclosure;
FIG. 12 is a logical block diagram of an apparatus for acquiring rights information according to an exemplary embodiment;
FIG. 13 is a block diagram of a computer device provided by an exemplary embodiment of the present disclosure;
FIG. 14 is a schematic structural diagram of a computer device according to an embodiment of the present disclosure.
Detailed Description
In order to enable those skilled in the art to better understand the technical solutions of the present disclosure, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the foregoing figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the disclosure described herein may be capable of operation in sequences other than those illustrated or described herein. The implementations described in the following exemplary examples are not representative of all implementations consistent with the present disclosure. Rather, they are merely examples of apparatus and methods consistent with some aspects of the present disclosure as detailed in the accompanying claims.
The user information referred to in the present disclosure may be information authorized by the user or sufficiently authorized by each party.
With the development of internet technology, some communication applications commonly use a Role-Based Access Control (RBAC) model to assign rights to the accounts of individual users. In an enterprise communication application, for example, private information such as the organizational structure in the enterprise address book and the user information of senior management is carried, so the authority control and data security of the application are very important.
In the RBAC model, users and rights are managed through roles: for example, a series of roles (such as job positions) is typically created for each enterprise and different access control rights are configured for each role, so that once a correspondence between each user account and a role is established, the account acquires the access control rights configured for that role. However, the RBAC model only supports creating a small number of roles (typically 10-20), while in some business office settings permission decisions cannot be made on the single dimension of a department alone (for example, within the same department some members are permitted to see the members of another department and some are not). Permissions then have to be determined by a cross-combination calculation over the attributes of departments and members, which the RBAC model generally does not support: it would require one role for every cross-combination, a preliminary estimate puts that at thousands of distinct roles, and the RBAC model requires the roles to be created in advance.
In addition, in some business office settings it is desirable to control at a fine granularity, for different departments or members, the visibility of departments, the visibility of members, and whether members can be searched for and/or chatted with, and the rights further need to be divided into one-way and/or two-way rights. Each right therefore has to be calculated dynamically from organizational-structure attributes, entity attributes, environment attributes and some special rules. As the business develops rapidly, the requirements on the rights are unstable; to respond quickly to business needs, the system must offer a certain flexibility while remaining stable, and must support timely changes in business needs over a given period. The RBAC model does not support dynamically calculated rights and cannot provide flexibility for unstable rights requirements; in other words, it is not suited to scenarios with many roles and complex business rules.
In view of this, the embodiments of the present disclosure provide a method for obtaining authority information that builds, in memory, a network topology structure (i.e. a topological relation graph) composed of the attribute values of all members, so as to solve the cascaded-query problem that a traditional relational database such as MySQL cannot handle. By defining an operation primitive, NetQL, for the business rule information, it can cope with rapidly changing business requirements; and the management and control data finally obtained for each authority accurately represents whether each member has that authority, so that access to the resources associated with the authorities of the various services can be controlled at a fine granularity.
Furthermore, with regard to calculation and storage, and taking into account factors such as growth of the stored data volume, high availability and calculation speed, a snapshot of the management and control data of each authority is built periodically by a scheduled task, and a distributed calculation architecture is applied to relieve the calculation load on a single node and support horizontal scaling of calculation capacity.
Furthermore, a spam policy and a fault-tolerance mechanism are formulated for the online service to ensure its stability and high availability, and the online QPS (queries per second, a measure of throughput) of the service is improved by means of read-write separation, multi-level caching, version numbers and rate limiting of the management and control data, among others.
The following describes an implementation environment of the embodiments of the present disclosure.
Fig. 1 is a schematic view of an implementation environment of a method for obtaining rights information according to an exemplary embodiment, referring to fig. 1, where at least one terminal 101 and a server 102 may be included in the implementation environment, which is described in detail below:
The terminal 101 installs and runs an application that supports querying rights and/or accessing resources, which optionally includes but is not limited to: an office application of the target object (such as an enterprise office application), a communication application of the target object (such as an enterprise communication application), a social application supporting communication among the members of the target object, a conference application, an attendance application, and the like; the embodiments of the present disclosure do not specifically limit the type of the application program. The target object uniquely corresponds to an organizational entity, including but not limited to an enterprise, an institution, an unincorporated organization, etc., which the embodiments of the present disclosure do not specifically limit.
The terminal 101 is directly or indirectly communicatively connected to the server 102 by wired or wireless means.
Server 102 includes at least one of a server, a plurality of servers, a cloud computing platform, or a virtualization center. The server 102 is configured to provide background services for applications that support query rights and/or resource access, e.g., the server 102 is configured to provide externally managed data of various rights. Optionally, the server 102 takes on primary computing work and the terminal 101 takes on secondary computing work; alternatively, the server 102 takes on secondary computing work and the terminal 101 takes on primary computing work; alternatively, a distributed computing architecture is used for collaborative computing between the terminal 101 and the server 102.
Optionally, the server 102 is a stand-alone physical server, or a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, content delivery networks (Content Delivery Network, CDN), and basic cloud computing services such as big data and artificial intelligence platforms.
Illustratively, assume that the target object is an enterprise and take communication and office scenarios within the enterprise as an example. For an application program supporting rights queries and/or resource access, rights in two dimensions, visibility and chattability, need to be finely controlled for each account registered in the application program. Visibility comprises department visibility, member visibility and application visibility: department visibility refers to whether a user can see the tab of a certain department when opening the address book in the application program; member visibility refers to whether a user can see a certain member (a member of the user's own department, a member of another department, a higher-level leader, etc.) when opening the address book; and application visibility refers to whether, and which, third party applications associated with the target object the user can see in the application program. Searchability generally corresponds to chattability, that is, whether the user can search for a certain member in the application program and initiate a session with the member found. Using the method for acquiring authority information provided by the embodiments of the present disclosure, management and control data at the granularity of members can be generated, so that the visibility and chattability of each member with respect to any member, department or application can be finely controlled.
Terminal 101 refers broadly to one of a plurality of terminals, the device types of terminal 101 including: at least one of a smart phone, a tablet computer, a smart speaker, a smart watch, a notebook computer, or a desktop computer, but is not limited thereto. For example, the terminal 101 may be a smart phone or other handheld portable communication device.
Those skilled in the art will appreciate that the number of terminals 101 may be greater or lesser. For example, the number of the terminals 101 may be only one, or the number of the terminals 101 may be several tens or hundreds, or more. The embodiment of the present disclosure does not limit the number and device type of the terminals 101.
Fig. 2 is a flowchart illustrating a method for acquiring rights information according to an exemplary embodiment, and referring to fig. 2, the method for acquiring rights information is applied to a computer device, and is described below by taking the computer device as a server.
In step 201, the server obtains at least one data record associated with rights of a target object.
In step 202, the server builds a topological relation diagram based on the at least one data record, wherein the topological relation diagram is used for representing the association relation between the attribute names and the attribute values in each data record.
In step 203, the server obtains, based on the business rule information associated with the right and the topological graph, management data of the right, where the management data is used to provide an access control policy for a resource associated with the right.
According to the method provided by the embodiments of the present disclosure, the data records associated with a right are converted into a corresponding topological relation diagram, so that once the business rule information has been parsed into query operations when generating the management and control data of the right, no complex cascade query over the data records is needed: the query operations are performed directly on the topological relation diagram, i.e., on graph data. This greatly improves the efficiency of computing the management and control data, breaks the limitations of the RBAC model, and suits application scenarios with many kinds of functions and complex business rules.
In one possible implementation, each of the at least one data record corresponds to a child object within the target object;
the topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of one sub-object, and each directed edge corresponds to an attribute name of the attribute value corresponding to the pointed node.
In one possible implementation, constructing the topological relation graph based on the at least one data record includes:
constructing each node in the topological relation diagram based on each attribute value in each data record;
based on each attribute name in each data record, each directed edge connecting different nodes in the topological relation diagram is constructed.
In one possible implementation, based on the business rule information associated with the right and the topological relation diagram, obtaining the management and control data of the right includes:
analyzing the business rule information to obtain at least one query instruction for the topological relation diagram;
executing the at least one query instruction based on the topological relation diagram to obtain at least one query result;
the management and control data is generated based on the at least one query result.
In one possible implementation, the topological relation diagram is stored in the form of a hash table, in which a plurality of sets are recorded, and each set stores the attribute value of one node in the topological relation diagram, the attribute names of the directed edges connected to the node and the attribute values of the other nodes connected to the node;
based on the topological relation diagram, executing the at least one query instruction to obtain at least one query result comprises:
Based on the at least one query instruction, corresponding processing operations are performed on each set in the hash table, resulting in the at least one query result.
In one possible implementation manner, based on the at least one query instruction, performing a corresponding processing operation on each set in the hash table, and obtaining the at least one query result includes:
for each inquiry instruction, determining a target attribute value carried by the inquiry instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
In one possible implementation manner, when the query instruction carries a plurality of target attribute values, obtaining the query result of the query instruction based on the target set corresponding to the target attribute values in the hash table includes:
and executing processing operation matched with the query semantics of the query instruction on a plurality of target sets corresponding to the target attribute values to obtain the query result of the query instruction.
In one possible implementation, the management data is stored in a bitmap form, and each element in the bitmap is used to represent whether the index of the row where the element is located has the right to the index of the column where the element is located;
Based on the at least one query result, generating the management data includes:
allocating a corresponding index to each sub-object in the target object;
based on the at least one query result, an element determined by the row of the index associated with each sub-object and the column of the index associated with the other sub-object is assigned to generate the bitmap.
In one possible implementation, the sub-objects of the target object include at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
the generated bitmap includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
In one possible implementation, assigning a corresponding index to each child object in the target object includes:
allocating corresponding indexes to each member sub-object, each department sub-object and each application sub-object associated with the target object;
based on the at least one query result, assigning values to elements determined by the row of the index associated with each sub-object and the column of the index associated with the other sub-object to generate the bitmap includes:
Assigning values to the elements determined by the row of the index associated with the member sub-object and the column of the index associated with other sub-objects based on the at least one query result to generate a first bitmap, a second bitmap and a third bitmap of the authority;
wherein each row and each column in the first bitmap corresponds to a member sub-object, each row in the second bitmap corresponds to a member sub-object and each column corresponds to a department sub-object, and each row in the third bitmap corresponds to a member sub-object and each column corresponds to an application sub-object.
In one possible implementation, assigning the element determined by the row in which the index associated with each child object is located and the column in which the index associated with the other child object is located includes:
when the query result indicates that the child object has the authority to any other child object, the element is assigned to be 1 in the bitmap;
when the query result indicates that the child object does not have the right for any other child object, the element is assigned a value of 0 in the bitmap.
In one possible embodiment, the method further comprises:
dividing each sub-object in the target object into a plurality of sub-object sets;
Based on the at least one query result, generating the management data includes:
determining, for each computing device of the plurality of computing devices, any set of sub-objects from the plurality of sets of sub-objects that did not generate the management data;
generating partial management and control data corresponding to the sub-object set based on the query result corresponding to the sub-object set in the at least one query result;
and merging the partial control data generated by the plurality of computing devices to obtain the control data.
In one possible embodiment, the method further comprises:
every time a target duration elapses, acquiring the update instructions associated with the right that were received within the target duration, where an update instruction is used to change at least one of the data records or the business rule information associated with the right of the target object;
updating the topological relation diagram based on the updating instruction;
and updating the management and control data of the authority based on the updated topological relation diagram.
In one possible embodiment, the method further comprises:
distributing version numbers to the management and control data obtained by primary acquisition and management and control data obtained by each update, wherein the version numbers and the generation time stamps of the management and control data are monotonically increased;
and responding to the version number carried in any authority inquiry request, and returning target state information when the carried version number is the same as the maximum version number of the management and control data, wherein the target state information is used for representing that the management and control data has no change.
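As an added example (not code from the patent), the following Python shows the bitmap form of the management and control data described above: index allocation for the sub-objects, partial bitmaps produced per computing device and merged into the complete bitmap, a deny-by-default lookup of whether one sub-object has the right over another, and the version-number check that answers a query carrying the newest version number with a "no change" status. The member names, the visibility query result, the number of devices and the function names are assumptions constructed for this example.

```python
from dataclasses import dataclass
import time

# Constructed sub-objects and a constructed query result for the member
# visibility right: the set of (viewer, viewed) member pairs that the business
# rules grant. Neither is data from the patent.
MEMBERS = ["alice", "bob", "carol", "dave"]
VISIBLE_PAIRS = {
    ("alice", "alice"), ("alice", "bob"), ("alice", "carol"), ("alice", "dave"),
    ("bob", "alice"), ("bob", "bob"),
    ("carol", "carol"), ("carol", "dave"),
    ("dave", "dave"),
}


@dataclass(frozen=True)
class ControlData:
    """Management and control data of one right in bitmap form.

    bitmap[i] is an int whose bit j is 1 iff rows[i] has the right over cols[j].
    A bit that was never set stays 0, so the structure is deny-by-default.
    """
    rows: tuple
    cols: tuple
    bitmap: tuple
    version: int
    generated_at: float


def assign_indexes(names):
    """Dense integer index per sub-object; the index is the bitmap row/column."""
    return {name: i for i, name in enumerate(names)}


def split_rows(rows, n_devices):
    """Partition the row sub-objects into n_devices disjoint sets (round-robin)."""
    return [rows[i::n_devices] for i in range(n_devices)]


def partial_bitmap(row_subset, rows, cols, granted):
    """One computing device's share: the bitmap rows for `row_subset` only.

    Returns {row_index: bits}; `granted` is the query result as (row, col) pairs.
    """
    row_idx, col_idx = assign_indexes(rows), assign_indexes(cols)
    part = {}
    for r in row_subset:
        bits = 0
        for c in cols:
            if (r, c) in granted:
                bits |= 1 << col_idx[c]
        part[row_idx[r]] = bits
    return part


def merge_partials(parts, n_rows):
    """Merge the devices' partial data; every row must be produced exactly once."""
    bitmap, seen = [0] * n_rows, set()
    for part in parts:
        for i, bits in part.items():
            if i in seen:
                raise ValueError(f"row {i} was computed by two devices")
            seen.add(i)
            bitmap[i] = bits
    if len(seen) != n_rows:
        raise ValueError("merged bitmap is missing rows; refusing to publish partial data")
    return tuple(bitmap)


def build_control_data(rows, cols, granted, n_devices, version):
    """Distributed generation: each device handles one row subset, results are merged."""
    parts = [partial_bitmap(s, rows, cols, granted) for s in split_rows(rows, n_devices)]
    return ControlData(tuple(rows), tuple(cols), merge_partials(parts, len(rows)),
                       version, time.time())


def has_right(cd, subject, target):
    """Does `subject` (a row) hold the right over `target` (a column)? Unknown names deny."""
    row_idx, col_idx = assign_indexes(cd.rows), assign_indexes(cd.cols)
    if subject not in row_idx or target not in col_idx:
        return False
    return (cd.bitmap[row_idx[subject]] >> col_idx[target]) & 1 == 1


def answer_query(cd, carried_version):
    """Version-number check: a client already holding the newest version is told
    there is no change instead of being sent the bitmap again."""
    if carried_version == cd.version:
        return ("NO_CHANGE", None)
    return ("UPDATED", cd)
```

The merge step refuses to publish a bitmap in which a row is missing or duplicated, because a missing row would silently become "no rights" for that member and a duplicated row could let a stale partial overwrite a fresh one; the same bitmap is obtained whatever the number of devices, which is what makes the horizontal scaling transparent to the online service.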
Any combination of the above-mentioned optional solutions may be adopted to form an optional embodiment of the present disclosure, which is not described herein in detail.
Fig. 3 is a flowchart illustrating a method for acquiring rights information according to an exemplary embodiment. Referring to Fig. 3, the method is performed by a computer device, and is described below by taking the computer device as a server.
In step 301, a server obtains at least one data record associated with rights for a target object, each of the at least one data record corresponding to a child object within the target object.
Optionally, the target object uniquely corresponds to an organization entity, including but not limited to an enterprise, an institution, an unincorporated organization, etc., and the sub-objects within the target object include at least one of: a department sub-object, a member sub-object, or an application sub-object associated with the target object.
Optionally, the right of the target object refers to the right to access the address book information of the target object and the third party applications connected to the application program, where the address book information at least includes the organization architecture of the department sub-objects and the contact information of each member sub-object in the target object. For reasons of data security, not every user should be able to access all of the address book information, so fine-grained rights control is required over the part of the address book information that each user can see.
Since different rights may be associated with different sub-objects, the server needs to read the data records of each sub-object from the underlying database into memory according to the sub-object to which the rights relate. Optionally, the rights include, but are not limited to: visibility rights, searchable rights, chattable rights, etc., to which embodiments of the present disclosure are not specifically limited.
In an exemplary scenario, taking the target object as an enterprise: for an enterprise office application, the visibility right, searchability right, chattability right and the like over the department sub-objects and member sub-objects in the address book information need fine-grained control, and the access rights to the application sub-objects associated with the target object also need fine-grained control. The server therefore reads from the underlying database the data records of the department attributes and of the member attributes related to the address book information, as well as the data records of the application attributes associated with the target object. A data record of department attributes stores attribute information of the corresponding department sub-object such as its name, level, parent department and sub-departments; a data record of member attributes stores attribute information of the corresponding member sub-object such as name, sex, age, native place and department; and a data record of application attributes stores attribute information of the corresponding application sub-object such as its name, associated service type, liaison department and members. The attribute information of the department, member or application sub-objects involved in the present disclosure is authorized by the respective parties.
In step 302, the server builds a topological relation diagram based on the at least one data record, wherein the topological relation diagram is used for representing the association relation between the attribute names and the attribute values in each data record.
The topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of one sub-object, and each directed edge corresponds to an attribute name of the attribute value corresponding to the pointed node.
Since each data record includes a plurality of fields, each field stores an attribute value, and each attribute value has a corresponding attribute name, in other words, for a data table, each row in the data table corresponds to a data record, each column in the data table corresponds to a field, and the column name, i.e., the field name, is the attribute name.
In some embodiments, since each node in the topology graph corresponds to an attribute value and each directed edge corresponds to an attribute name, the server may construct the nodes in the topology graph based on the respective attribute values in each data record; based on each attribute name in each data record, each directed edge connecting different nodes in the topological relation diagram is constructed.
Optionally, in the topology graph, each attribute value in each data record is taken as a node in the topology graph, then, for each data record, since there must be a target attribute value (for example, the name of a member sub-object, a department sub-object or an application sub-object, for example, the identification code of the member sub-object, the department sub-object or the application sub-object, for example, the primary key identification of each data record, etc.) capable of uniquely identifying the data record, a node corresponding to the target attribute value is taken as the starting point of all the directed edges related to the data record, and then, other nodes corresponding to other attribute values stored in the data record are connected, and each directed edge corresponds to the attribute name of the attribute value corresponding to the pointed node (i.e., the end point of the edge).
In the above process, the original data records of the data table are converted into a topological relation diagram in the form of graph data, and the topological relation between the nodes and edges of the diagram can in turn be converted into other forms for storage, so that what used to be a cascade query over the data records becomes an operation on another data structure. For example, the topological relation can be stored as a hash table (HashMap, HashSet), so that a cascade query over the data records becomes intersection, union, complement and similar operations on the sets in the hash table, which reduces the input/output (I/O) operations against the database.
In some embodiments, the server stores the topological relation diagram in the form of a hash table, in which a plurality of sets are recorded, and each set stores the attribute value of one node in the topological relation diagram, the attribute names of the directed edges connected to the node and the attribute values of the other nodes connected to the node. In the above process, the data records in the conventional two-dimensional table format are read into memory and then converted into a graph data format, building a net-like topology structure similar to an in-memory graph database.
In the following, how a plurality of data records is converted into a topological relation diagram is described by taking the data records of two member sub-objects as an example. The two data records are shown in Table 1 below:
TABLE 1
Name     | Sex  | Age | Native place
Member A | Male | 25  | Anhui province
Member B | Male | 20  | Anhui province
The two data records in Table 1 can be converted into the topological relation diagram shown in Fig. 4. The two records contain 6 mutually different attribute values, i.e. "Member A", "Male", "25", "Anhui province", "Member B" and "20", so the topological relation diagram contains 6 nodes. Further, for each data record, the member name is taken as the target attribute value (i.e. the start point of the directed edges), and 3 directed edges are constructed for the 3 attribute names "sex", "age" and "native place" respectively; each directed edge starts from the node of the member name and points to the node of the attribute value corresponding to the attribute name on the edge. For example, from the node of Member A, a directed edge labelled with the attribute name "sex" points to the node of the attribute value "Male", and so on, which is not repeated here.
The topological relation between the nodes and edges of the diagram in Fig. 4 can be converted into hash table form for storage: for each node in the diagram, the node and its surrounding topological relations are built into one set, which is stored in the hash table. For the 6 nodes in Fig. 4, 6 sets (also called relation sets) are built, i.e. the following 6 sets are stored in the hash table:
{ Member A, { sex, [Male] }, { age, [25] }, { native place, [Anhui province] } }
{ Member B, { sex, [Male] }, { age, [20] }, { native place, [Anhui province] } }
{ Male, { ~sex, [Member A, Member B] } }
{ Anhui province, { ~native place, [Member A, Member B] } }
{ 20, { ~age, [Member B] } }
{ 25, { ~age, [Member A] } }
Illustratively, the above sets are stored in a data structure resembling a recursive combination of HashMap and HashSet. The first and second sets store the relationships between a target attribute value (a member name) and its associated entities (the other attribute values of the corresponding data record together with their attribute names); the third to sixth sets store, for each attribute value, the set of entities reached over the corresponding relationship (all member names having that attribute value).
Because the topological relation between the edges and nodes of the diagram is stored as several sets in the hash table, the topology can be stored as Key-Value pairs with the attribute value of each set as the Key and the relations of that node as the Value. For example, the fifth set is stored with "20" as the Key and "{ ~age, [Member B] }" as the Value. The symbol "~" denotes the inverse relation: the inverse relation of "Anhui province" over native place is Member A and Member B, whereas the forward relation of Member A over sex is "Male".
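As an added illustration, not code from the patent, the following Python builds the hash-table form of the topological relation diagram from the records of Table 1 (plus one extra constructed record so that the set operations have something to separate) and shows how a cascade query over the original data table becomes intersection and union of the relation sets stored under each node. The function names and the third record are assumptions for this example.

```python
from collections import defaultdict

# Constructed sample data records: the two rows of Table 1 plus a third member.
# Not data from the patent.
RECORDS = [
    {"name": "Member A", "sex": "Male",   "age": "25", "native place": "Anhui province"},
    {"name": "Member B", "sex": "Male",   "age": "20", "native place": "Anhui province"},
    {"name": "Member C", "sex": "Female", "age": "25", "native place": "Jiangsu province"},
]


def build_hash_table(records, key="name"):
    """Convert flat data records into the hash-table form of the topological relation diagram.

    Every distinct attribute value becomes a node. table[node][relation] is the set
    of nodes reached from `node` over `relation`: on the record's identifying value
    (the `key` column) the forward relation is stored under the attribute name, and
    on the attribute-value node the inverse relation is stored under "~" + attribute
    name, so both traversal directions are a single lookup.
    """
    table = defaultdict(lambda: defaultdict(set))
    for rec in records:
        start = rec[key]
        for attr, value in rec.items():
            if attr == key:
                continue
            table[start][attr].add(value)         # Member A --sex--> Male
            table[value]["~" + attr].add(start)   # Male --~sex--> Member A
    return table


def relation(table, node, rel):
    """Nodes reached from `node` over `rel`; an unknown node or relation yields an empty set."""
    return set(table.get(node, {}).get(rel, set()))


def members_where(table, conditions):
    """Emulate `SELECT name FROM members WHERE a = x AND b = y ...` with set operations.

    Each condition is answered by one inverse-relation lookup and the answers are
    intersected, so no cascade query against the original records is needed.
    """
    result = None
    for attr, value in conditions.items():
        matches = relation(table, value, "~" + attr)
        result = matches if result is None else result & matches
    return result if result is not None else set()


def members_where_any(table, attr, *values):
    """`... WHERE attr IN (v1, v2, ...)` as a union of inverse-relation lookups."""
    return set().union(*(relation(table, v, "~" + attr) for v in values))
```

Because the inverse relation is keyed by "~" plus the attribute name, two attributes that happen to share a value (for example a department and a member both called "Sales") still resolve to different sets; the node itself is shared, as in the 6-node diagram of Fig. 4.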
The topological relation diagram of the embodiments of the present disclosure provides efficient query performance and is well suited to application scenarios, such as office and communication within an enterprise, in which the data volume is relatively small, the data associations are complex, and there are certain requirements on query performance.
In step 303, the server parses the business rule information associated with the authority to obtain at least one query instruction for the topology graph.
The business rule information refers to the management and control rules constructed, according to the business requirements of the target object, for each sub-object in the target object with respect to a given type of right. For example, if the type of right is the visibility right, one possible item of business rule information is that a member sub-object whose role is leader has the visibility right over all parent departments and sub-departments of the department it leads; the embodiments of the present disclosure do not limit the specific content of the business rule information.
In some embodiments, after the system administrator inputs the business rule information associated with the right, a parser is executed to parse the complex business rule information into at least one query instruction for the topological relation diagram, so that executing each query instruction yields whether each sub-object has the corresponding right over another sub-object under the constraints of the business rule information. Schematically, after the business rule information associated with the visibility right is input, the parser produces the query instructions, and executing each of them on the topological relation diagram yields whether each member sub-object in the enterprise can see any department sub-object, member sub-object or application sub-object in the address book information under the constraints of the business rule information associated with the visibility right.
Optionally, the business rule information includes but is not limited to organization architecture attributes, entity attributes, environment attributes, special rules, etc. Several possible items of business rule information corresponding to different rights are shown in Table 2 below:
TABLE 2
It can be seen that the business rule information shown in Table 2 involves complex cascade query operations. Take the rule "leaders and human resource managers can see members of levels 03 and 04 and all parent departments and sub-departments of the departments they lead": without a topological relation diagram, a change to any attribute of any member affects all members. For example, after a member X changes from part-time to full-time employment, both which other members and departments X can see and whether other members can see X in the address book change. To make every rights query perceive the latest changes in the system (and avoid rights being managed according to stale business rule information), every round of rights queries would have to traverse the related data records of tens of thousands of members, and the processing of each query request or resource access request would be bounded by the I/O speed of the database; this is why step 301 above reads the data records into memory.
In some embodiments, because the data records of the conventional data table have been converted into a memory-based topological relation diagram, parsing the business rule information into SQL commands that operate on data records would not allow the graph data of the topological relation diagram to be operated on directly. Accordingly, the embodiments of the present disclosure provide an operation primitive, NetQL, as an exemplary form of query instruction: the business rule information is converted into at least one NetQL operation primitive, and each NetQL primitive performs intersection, union and complement operations on the sets in the hash table of the topological relation diagram to obtain the final query results. A primitive is a control program of a computer process, generally a program segment consisting of several instructions that implements a specific function (in the embodiments of the present disclosure, a query on the topological relation diagram) and cannot be interrupted during execution, i.e. it has the property of an atomic operation, hence the name.
In the above process, converting the business rule information into NetQL operation primitives amounts to wrapping the complex business rule information in a basic grammar; this resembles the way a conventional database parses a complex query statement into SQL commands, except that the basic grammar of SQL and that of the NetQL operation primitive proposed by the embodiments of the present disclosure differ. A NetQL operation primitive can perform query operations directly on the hash table of the topological relation diagram. Illustratively, the grammar rules of the NetQL operation primitive are as in Table 3 below:
TABLE 3 Table 3
Primitives Meaning of Primitives Meaning of
{} Entity/collection + Union set
-> Forward relationship - Difference set
Inverse relationship & Intersection set
* Relation recursion [ relation x, set] Relation filter
{ set }? { set } Three-dimensional calculation () Calculating priority symbols
Parameters (parameters) # Terminator/entity symbol
In the following, taking the grammar rule of the operation primitive NetQL shown in table 3 as an example, how several simpler query operations are resolved into NetQL query instructions, and for other complex business rule information, it is also possible to resolve into NetQL query instructions in a similar manner.
For example, the query operation is: query the data of members whose sex is male. This can be expressed by the query statement 'male-sex#', which the execution parser parses into the NetQL query instruction 'male-sex#' for execution.
For example, the query operation is: query the data of members whose sex is male or female. This can be expressed by the query statement 'male-sex+female-sex#', which the execution parser parses into the NetQL query instruction '((male-sex)+(female-sex))#' and then executes, i.e., the entity set whose sex is male and the entity set whose sex is female are combined.
For example, the query operation is: query the member name by member ID (Identification); the parser finally executes the NetQL query instruction 'userId → -userId [username,%] → username#'. If the query operation is to query the nickname of the member whose member ID is 123, the parser executes the NetQL query instruction '123 → -userId [username,%] → username#', where '-userId' represents the inverse relation from the obtained attribute value '123' to the attribute name 'member ID'; the username attribute is then filtered out through '[username,%]', and the attribute value of the username attribute is obtained.
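The following is an added illustrative example, not code from the patent: a minimal in-memory hash table of the kind the topological relation diagram is stored in (attribute value → set of entities), together with the set operations that the primitives of Table 3 ('+', '-', '&', forward and inverse relation) map onto, applied to the three queries just described. The Python API, the member records and the function names are assumptions; the patent's NetQL grammar is not parsed here.

```python
# Added example (not the patent's own code): a minimal in-memory "EntityNet"
# hash table and the set operations that the NetQL primitives of Table 3
# map onto. The Python API below is an assumption, not the NetQL grammar.
from collections import defaultdict

# Constructed sample member records (not real data).
MEMBERS = [
    {"userId": "123", "username": "alice", "sex": "female", "dept": "D1"},
    {"userId": "124", "username": "bob", "sex": "male", "dept": "D1"},
    {"userId": "125", "username": "carol", "sex": "female", "dept": "D2"},
    {"userId": "126", "username": "dave", "sex": "male", "dept": "D2"},
]


class EntityNet:
    """Hash table keyed by (attribute name, attribute value) -> set of entity ids."""

    def __init__(self, records, key="userId"):
        self.key = key
        self.records = {r[key]: r for r in records}
        self.index = defaultdict(set)
        for r in records:
            for attr, val in r.items():
                self.index[(attr, val)].add(r[key])

    def entity_set(self, attr, value):
        """'{}' primitive: the set of entities whose attr equals value."""
        return set(self.index.get((attr, value), ()))

    def forward(self, ids, attr):
        """'->' primitive: follow entity -> attribute value."""
        return {self.records[i][attr] for i in ids if i in self.records}

    def inverse(self, attr, values):
        """Inverse relation ('-userId' in the text): attribute values -> entities."""
        result = set()
        for v in values:
            result |= self.entity_set(attr, v)
        return result


# Set primitives '+', '-', '&' of Table 3, applied to hash-table sets.
def union(a, b):
    return a | b


def difference(a, b):
    return a - b


def intersection(a, b):
    return a & b


def all_male(net):
    """'male-sex#': the entity set whose sex is male."""
    return net.entity_set("sex", "male")


def male_or_female(net):
    """'((male-sex)+(female-sex))#': union of the two entity sets."""
    return union(net.entity_set("sex", "male"), net.entity_set("sex", "female"))


def female_outside_dept(net, dept):
    """Difference primitive: female members that are not in the given department."""
    return difference(net.entity_set("sex", "female"), net.entity_set("dept", dept))


def username_of(net, user_id):
    """'123 -> -userId [username,%] -> username#': ID -> entity -> username."""
    members = net.inverse("userId", {user_id})
    return net.forward(members, "username")


if __name__ == "__main__":
    net = EntityNet(MEMBERS)
    print(all_male(net), male_or_female(net), username_of(net, "123"))
```

Every query above reduces to set lookups and set algebra on the hash table rather than a join over the original records, which is the point of the conversion described in the text.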
Fig. 5 is a schematic architecture diagram of a network topology system based on memory computation according to an embodiment of the present disclosure. As shown in Fig. 5, after the system receives an external search requirement, first, in the NetQL layer 501, the service logic to be processed for the search requirement is converted into a NetQL query instruction by the analysis engine, and then the NetQL query instruction is executed on the hash table of the topological relation diagram by the execution engine. Optionally, the hash table is stored in the JVM (Java Virtual Machine) memory of the data persistence layer 502: the server extracts data records from the underlying data layer 503 by a data extraction method such as ORM (Object Relational Mapping), maps the data records to the topological relation graph, and caches the hash table corresponding to the topological relation graph in the JVM memory. Optionally, the underlying data layer 503 may maintain data records on a variety of storage engines, including but not limited to MySQL, HBase, Hive, Redis, Kafka, etc.; the type of storage engine is not specifically limited by the embodiments of the present disclosure.
In step 304, the server executes the at least one query instruction based on the topological graph to obtain at least one query result.
In some embodiments, since the topological relation in the topological relation diagram can be stored in the form of a hash table, when the query instruction is executed, the corresponding processing operations can be executed directly on each set in the hash table based on the at least one query instruction, so as to obtain the at least one query result. In this process, by executing processing operations on each set in the hash table, complex cascade queries on the original data records are avoided, and set intersection and complement operations, which require less computation and are faster to query, can be executed directly on the constructed graph database, so that the query efficiency can be greatly improved.
In some embodiments, for each query instruction, the server determines a target attribute value carried by the query instruction; and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value. The target attribute value refers to an attribute value to be operated by the query instruction, for example, if all sub-objects with gender of men are to be checked, the target attribute value carried in the query instruction is "men", and if all sub-objects with native places of Anhui province are to be checked, the target attribute value carried in the query instruction is "Anhui province". The server analyzes the query instruction to obtain the target attribute value, and then queries each sub-object having the target attribute value, that is, a target set, in the hash table by taking the target attribute value as an index to obtain the query result, for example, when the target attribute value is "man", each sub-object having the attribute value of "man" is queried in the hash table, and a set formed by all sub-objects having the attribute value of "man" is determined as a target set, and the target set is the query result of this time.
In one possible implementation manner, since the query instruction may carry multiple target attribute values, that is, multiple attribute values to be operated by the query instruction, the server needs to execute processing operations matched with query semantics of the query instruction on multiple target sets corresponding to the target attribute values, so as to obtain a query result of the query instruction. For example, the query instruction designates all sub-objects with the query gender being male and the query gender being female, the query instruction carries 2 target attribute values of "male" and "female", the query semantic obtained by analyzing the query instruction is a "union set" at this time, the server needs to acquire one target set formed by all sub-objects with the attribute value of "male" first, then acquire another target set formed by all sub-objects with the attribute value of "female", and then execute the query semantic "union set" on the 2 target sets, namely, the union set of the 2 target sets is taken as a final query result.
In the process, the query operation designated by the query instruction is converted into the processing operation matched with the query semantics for the target set in the hash table, so that the calculated amount when the query result is acquired can be greatly simplified, the calculation efficiency for acquiring the query result is improved, and the calculation resources of the server are saved.
In some embodiments, if the analysis of the service rule information obtains a NetQL query instruction, the operations of intersection and complementation may be directly performed on each set in the hash table, so as to implement the query operation indicated in the service rule information, and it should be noted that, in the embodiments of the present disclosure, only NetQL is used as an exemplary description of a primitive for operating on a set in the hash table, and those skilled in the art may construct other primitives or instructions capable of operating on graph data according to service requirements, and configure corresponding grammar rules, which are not specifically limited in this embodiment of the present disclosure.
In step 305, the server generates, based on the at least one query result, management data for the right, the management data being used to provide access control policies for resources associated with the right.
In some embodiments, the management data is stored in a bitmap, where each element in the bitmap is used to indicate whether the index of the row of the element has the authority for the index of the column of the element, optionally, each element in the bitmap is a binary value, when the element takes 1, the index representing the row of the element has the corresponding authority for the index of the column of the element, and when the element takes 0, the index representing the row of the element does not have the corresponding authority for the index of the column of the element.
In the above process, the management and control data is stored in the form of a bitmap, and only a unique index needs to be allocated to each sub-object in the target object, so that the bitmap can characterize whether each sub-object has the corresponding authority towards other sub-objects, namely, it implements sub-object-level fine-grained authority management and control, and it further characterizes whether the authority between any two sub-objects is unidirectional or bidirectional. For example, if sub-object i has the authority towards sub-object j but sub-object j does not have the authority towards sub-object i, this means sub-object i has unidirectional authority towards sub-object j; therefore, in the bitmap the element in the ith row and jth column is represented as 1, and the element in the jth row and ith column is represented as 0.
In some embodiments, the server assigns a corresponding index to each child object in the target object; based on the at least one query result, it is determined whether each child object has the right to other child objects to generate the bitmap. Optionally, the server determines, based on the at least one query result, whether each sub-object has the right to the other sub-objects, then, based on whether each sub-object has the right to the other sub-objects, assigns values to elements determined by a row of an index associated with each sub-object and a column of an index associated with the other sub-objects, and finally assigns values to each element in the bitmap, and then, may generate a bitmap for managing data.
In some embodiments, when an Index is allocated to each sub-object in the target object: each sub-object already has a sub-object ID (for example, a character string of the varchar32 type), each sub-object may further be allocated an account ID (for example, non-self-increasing random long type data) after registering an account in an application program, and when the bitmap of the management data is constructed, an Index needs to be allocated to each sub-object (for example, an int integer type with a value range of 1 to N, where N > 1 is the total number of sub-objects in the target object). Therefore, a self-increasing ID field (i.e., Index) may be newly added to the data record of each sub-object, and, while preserving the correspondence between the original sub-object ID and the account ID, a < sub-object ID, account ID, Index > triplet Mapping object is also created.
In some embodiments, when the elements of the bitmap are assigned, if the query result indicates that the sub-object has the authority towards any other sub-object, the element determined by the row of the index associated with the sub-object and the column of the index associated with the other sub-object is assigned 1 in the bitmap; and if the query result indicates that the sub-object does not have the authority towards any other sub-object, the element determined by the row of the index associated with the sub-object and the column of the index associated with the other sub-object is assigned 0 in the bitmap.
In some embodiments, since the child objects of the target object include at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object, and therefore, the bitmap generated based on the above-described introduction includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
Optionally, when assigning indexes to the sub-objects, each member sub-object, each department sub-object and each application sub-object in the target object are assigned corresponding indexes based on the above index assignment manner.
Optionally, when generating the bitmaps, each member sub-object is assigned values based on the at least one query result so as to generate a first bitmap, a second bitmap and a third bitmap of the rights; in other words, the server generates 3 bitmaps for each member sub-object. Each row and each column in the first bitmap corresponds to one member sub-object, that is, the first bitmap is the bitmap corresponding to the member sub-object and is used for characterizing the member-member rights management data; each row in the second bitmap corresponds to one member sub-object and each column corresponds to one department sub-object, that is, the second bitmap is the bitmap corresponding to the member sub-object and the department sub-object and is used for characterizing the member-department rights management data; and each row in the third bitmap corresponds to one member sub-object and each column corresponds to one application sub-object, that is, the third bitmap is the bitmap corresponding to the member sub-object and the application sub-object and is used for characterizing the member-application rights management data.
In the above process, 3 bitmaps are generated for each member sub-object, and different bitmaps are used for describing the rights management and control data of the member sub-object and the sub-objects of different types, so that the rights of the member sub-object can be further finely managed and controlled.
In some embodiments, the 3 bitmaps are integrated into 1 bitmap, where the bitmap includes N rows and M (M = N + J + K) columns: each of the N rows corresponds to a member sub-object, each of the first N columns among the M columns corresponds to a member sub-object, each of the (N+1)th to (N+J)th columns corresponds to a department sub-object, and each of the (N+J+1)th to Mth columns corresponds to an application sub-object, where N, J and K are integers greater than or equal to 1, M is an integer greater than N, N is the number of member sub-objects included in the target object, J is the number of department sub-objects included in the target object, and K is the number of application sub-objects associated with the target object.
In the above process, the business rule information can indicate which sub-objects have related rights to other sub-objects under the constraint of related business rules, so that it is easy to determine which elements should be assigned 1, and the other elements should be assigned 0, so that a sub-object level fine-grained bitmap is obtained, which is the management and control data of the rights.
FIG. 6 is a schematic diagram of a bitmap of management and control data according to an embodiment of the present disclosure. As shown in FIG. 6, an index is allocated to each child object in the target object to obtain [u_1, u_2, u_3, u_4, …, u_n], and a bitmap of size n x n (n rows and n columns, n being an integer greater than 1) is constructed, in which each element represents whether the sub-object of the corresponding row index has the right towards the sub-object of the corresponding column index. For example, assuming the bitmap is the management data of the visibility right, [u_i, u_j] = 0 represents that child object u_i cannot see child object u_j in the address book (i.e., has no visibility right), and [u_i, u_j] = 1 represents that child object u_i can see child object u_j in the address book (i.e., has the visibility right).
In the above management and control data stored in a bitmap (i.e., bit array) manner, since each element is either 0 or 1, taking 30000 sub-objects contained in the target object as an example, after the cartesian product expansion, the space occupied by the bitmap is:
30000*30000bit/8/1024/1024=107M
that is, when 30000 sub-objects are included in the target object, the management and control data of each authority needs to occupy 107M of storage space; even when the scale is extended to 10w (i.e., 100,000, w denoting ten thousand) sub-objects, the total storage overhead required is only 1192M, and a single sub-object also only needs 120K of storage space, so that the short-term growth rate of business expansion of the target object can be met and the storage overhead is low.
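The following is an added illustrative example, not code from the patent, covering the bitmap construction of the preceding paragraphs (index allocation, assignment of 1/0 from query results, unidirectional versus bidirectional rights as in FIG. 6) and the storage calculation just given. The class and function names, the sample sub-object ids and the query results are constructed assumptions; the bit packing (8 elements per byte) follows the text's n*n bit / 8 arithmetic.

```python
# Added example (not the patent's own code): assign each sub-object an index,
# fill an N x N bitmap from query results, and compute the storage footprint
# of such a bitmap. Sample ids and query results are constructed.


class AuthorityBitmap:
    """N x N bit matrix: bit (i, j) == 1 means the sub-object with row index i
    holds the authority towards the sub-object with column index j."""

    def __init__(self, sub_object_ids):
        # <sub-object ID, index> mapping; indexes are 0..N-1 in this example.
        self.index = {sid: i for i, sid in enumerate(sub_object_ids)}
        self.n = len(sub_object_ids)
        row_bytes = (self.n + 7) // 8            # 8 elements per byte
        self.rows = [bytearray(row_bytes) for _ in range(self.n)]

    def grant(self, src_id, dst_id):
        i, j = self.index[src_id], self.index[dst_id]
        self.rows[i][j // 8] |= 1 << (j % 8)

    def has(self, src_id, dst_id):
        i, j = self.index[src_id], self.index[dst_id]
        return ((self.rows[i][j // 8] >> (j % 8)) & 1) == 1

    def direction(self, a, b):
        """'bidirectional', 'unidirectional' or 'none' between a and b."""
        ab, ba = self.has(a, b), self.has(b, a)
        if ab and ba:
            return "bidirectional"
        return "unidirectional" if (ab or ba) else "none"

    def row_bits(self, src_id):
        """One sub-object's row as a list of 0/1 (the per-Key Value of FIG. 7)."""
        i = self.index[src_id]
        return [(self.rows[i][j // 8] >> (j % 8)) & 1 for j in range(self.n)]


def build_from_query_results(sub_object_ids, query_results):
    """query_results: iterable of (source set, target set); every sub-object in
    the source set holds the authority towards every sub-object in the target
    set. Elements not covered by any query result stay 0 (deny by default)."""
    bitmap = AuthorityBitmap(sub_object_ids)
    for sources, targets in query_results:
        for s in sources:
            for d in targets:
                bitmap.grant(s, d)
    return bitmap


def bitmap_size_mib(n):
    """Storage of an n x n bit matrix in MiB: n*n bits / 8 / 1024 / 1024."""
    return n * n / 8 / 1024 / 1024


if __name__ == "__main__":
    # Constructed scenario: u1 and u2 can see everyone; u3 can only see itself.
    bm = build_from_query_results(
        ["u1", "u2", "u3"],
        [({"u1", "u2"}, {"u1", "u2", "u3"}), ({"u3"}, {"u3"})],
    )
    print(bm.row_bits("u1"), bm.row_bits("u3"), bm.direction("u1", "u3"))
    print(round(bitmap_size_mib(30000)), round(bitmap_size_mib(100000)))
```

Elements that no query result touches remain 0, so a sub-object gains a right only when a business rule explicitly grants it; bitmap_size_mib(30000) gives the 107M of the text and bitmap_size_mib(100000) gives 1192M.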
In the above steps 303-305, the server obtains the management and control data of the authority based on the service rule information associated with the authority and the topological relation diagram, where the management and control data is used to provide the access control policy for the resource associated with the authority. In the embodiments of the present disclosure, only the generation process of the management and control data of a single authority is taken as an example; when there is a requirement for fine-grained access control of multiple authorities in the system, the flow of the above steps 301-305 is executed for each authority, so that corresponding management and control data can be generated for each authority. Alternatively, because in an enterprise office scenario the data records associated with the various authorities (such as the visibility authority, searchable authority, chattable authority, etc.) are the same, namely the data records of the department attributes or member attributes in the target object, when management and control data are generated for multiple authorities, the topological relation diagram obtained the first time can be reused in the subsequent process, so that only the service rule information specific to each authority needs to be analyzed and the topological relation diagram does not need to be rebuilt for each authority.
In some embodiments, after the server obtains the management and control data for each authority, the management and control data of each authority can be cached in the memory (i.e. a plurality of bitmaps are cached), and when a subsequent request of the user side, such as an authority query request, a resource access request, and the like, arrives at the system, the cached management and control data can be directly called to respond to the request of the user side, so that decoupling of authority calculation and online query is achieved, and the response speed of the online query is prevented from being influenced by the authority real-time calculation. In the next embodiment, a detailed description will be given of a caching manner of the control data of various authorities, which is not described herein.
According to the method provided by the embodiment of the disclosure, the data record associated with the authority is dumped into the corresponding topological relation diagram, so that after business rule information is analyzed into query operation when the management and control data of the authority is generated, the data record does not need to be subjected to complex cascade query operation, but the related query operation can be directly performed on the topological relation diagram, namely the diagram data, thereby greatly improving the calculation efficiency of the management and control data, breaking the limitation of the RBAC model, and being applicable to application scenes with various functions and complex business rules.
Any combination of the above-mentioned optional solutions may be adopted to form an optional embodiment of the present disclosure, which is not described herein in detail.
In the above embodiment, it is described how the server generates the respective management and control data (for example, in the form of a bitmap) of each authority. In order to decouple the authority calculation from the online query, that is, to separate the reading of the management and control data from its writing, the respective management and control data of each authority may be stored in memory, so as to support the high-QPS read operations of the system and to ensure as far as possible the stability of the authority query service provided externally. Optionally, each piece of management and control data of the various authorities is stored in Redis (Remote Dictionary Server) storage middleware, and the high availability of the management and control data service can be ensured through the high-availability architecture of Redis, for example, by adding a Sentinel master/standby architecture component, enabling a Proxy server, or converting to a Cluster architecture, etc., which can be determined according to the specific business properties.
In some embodiments, since Redis is a database architecture of Key-Value type storage, in order to facilitate providing query services of the managed data externally, a Key is stored separately for each sub-object, where the Key of each sub-object is used to characterize the name of the target object, the rights type, and the sub-object ID (or Index), and the Value corresponding to the Key is the set of values of the series of elements in the row of the rights bitmap at the Index corresponding to the current sub-object, as shown in FIG. 7. FIG. 7 is a schematic diagram of the storage format of the managed data of a single sub-object provided by an embodiment of the present disclosure. In one example, the Key is element_name:containers:units:u_1, representing the visibility authority of child object u_1 under the address book of the enterprise enterprise_name to which it belongs, and the Value is the set [1, 0, …, 1], where the value of each element represents whether sub-object u_1 can see, in the address book, the other sub-object associated with the index of the element position. For example, the 1st element takes the value 1, representing that sub-object u_1 can see child object u_1 in the address book; the 2nd element takes the value 0, representing that sub-object u_1 cannot see child object u_2 in the address book; and so on, which is not repeated here.
In some embodiments, if the managed data in the form of Key-Value corresponding to all the sub-objects is centralized in the same computing device (i.e., computing node) for computing, it may result in a computing service that a single computing device cannot respond quickly to rights during peak hours, and thus, the design pattern of the producer/consumer may be migrated to the embodiments of the present disclosure for accelerating rights computation. In the producer/consumer design mode, all the sub-objects are partitioned according to Index indexes of the sub-objects, each partition corresponds to one consumer, each consumer is responsible for calculating the management data of the authority of the sub-objects in the corresponding partition, and if the number of consumers is large, the Index range corresponding to each partition can be set smaller, such as [0,500], [500,1000], so that the concurrent processing capacity can be increased by using the sufficient number of consumers.
From the perspective of a producer, when an external authority computing request is received, the authority computing request is analyzed to obtain a full computing task, and then the full computing task is decomposed into a plurality of computing subtasks to be processed, wherein each computing subtask corresponds to one partition, namely, each computing subtask is used for indicating authority of which sub-objects in a single partition need to be processed in the current computing.
From the consumer perspective, only the computing subtask issued by the producer needs to be processed; after a computing subtask is processed, the computed management and control data of the authority of each sub-object in the partition can be updated into the Redis storage middleware. Unlimited expansion can be achieved by scaling out the consumers horizontally, i.e., when expanding, only the number of partitions needs to be increased and consumers added accordingly, which greatly improves the system's computing efficiency for the management and control data.
Illustratively, the producer is called a coordinating device and the consumer is called a computing device. Under the producer/consumer architecture, the coordinating device is responsible for dividing each sub-object in the target object into a plurality of sub-object sets; this dividing process is the partitioning process of the producer. Optionally, since each sub-object has a unique index, the sub-objects corresponding to each index range can be determined as one sub-object set (i.e., a partition) by dividing the index space into a plurality of index ranges. When an external authority computing request is received, the coordinating device is also responsible for analyzing the computing request to obtain a global computing task and then decomposing the global computing task into a plurality of computing sub-tasks, where each computing sub-task corresponds to one partition, i.e., one sub-object set. For example, assuming 40000 child objects are included in the target object, the coordinating device divides the target object into the following child object sets according to Index: [0,1000], [1000,2000], …, [39000,40000]; then the global computing task obtained by analyzing the rights computing request is decomposed into 40 computing subtasks corresponding to the 40 sub-object sets respectively, and the 40 computing subtasks are issued and written into Redis. After the 40 downstream computing devices monitor the computing subtasks issued by Redis, each immediately processes the computing subtask it has preempted in a preemptive manner; for example, after computing device 1 preempts the computing subtask of the sub-object set with the index range [0,1000], computing device 1 computes the management data (i.e., bitmaps) of the visibility rights, search rights, chattable rights and other rights of each sub-object with an index in the range [0,1000]. In this way, when the system needs to expand capacity, one more computing device 41 is added and the response time of the rights computing request can be reduced; for example, assuming 40 partitions and 20 computing devices (consumers), adding one computing device can theoretically shorten the response time of the computing request from 40/20 to 40/21.
Optionally, the computing device is not responsible for storing locally the management and control data of the various rights corresponding to all the sub-objects in the sub-object set, but only pulls the graph data of the corresponding index range from the Redis storage middleware for calculation after receiving the computing sub-task, which is not particularly limited in the embodiments of the present disclosure.
In other words, after dividing each sub-object of the target object into a plurality of sub-object sets, each computing device in the plurality of computing devices determines, from the plurality of sub-object sets, any sub-object set for which management data has not yet been generated; for example, after monitoring the newly issued computing sub-tasks in Redis for each sub-object set, each computing device acquires one computing sub-task in a preemptive manner. Then, as in step 304, at least one query instruction (NetQL primitive) obtained by parsing the service rule information is executed based on the topological relation diagram to obtain at least one query result, and when executing its preempted computing sub-task, each computing device generates the part of the management data corresponding to its sub-object set based on the query result corresponding to that sub-object set in the at least one query result. By processing the plurality of computing sub-tasks in parallel, the plurality of computing devices generate the plurality of parts of the management data in parallel, which together form the final management data.
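The following is an added illustrative example, not code from the patent, of the producer/consumer scheme described in the preceding paragraphs together with the one-Key-per-sub-object storage format of FIG. 7: the coordinating device splits the index space into ranges, issues one computing subtask per range, and computing devices take subtasks from a shared queue and write one Key per sub-object. The queue and the dict standing in for Redis, the key format, the class and function names, and the row contents are all constructed assumptions.

```python
# Added example (not the patent's own code): partition the index space,
# publish one computing subtask per partition, and let computing devices take
# subtasks from a shared queue, each writing one Key per sub-object. The
# queue, the dict standing in for Redis and the key format are assumptions.
from collections import deque


def partition_ranges(total, size):
    """Split indexes [0, total) into consecutive [start, end) ranges."""
    return [(start, min(start + size, total)) for start in range(0, total, size)]


def redis_key(enterprise, authority, index):
    """Key naming in the spirit of FIG. 7 (assumed format, not the patent's literal key)."""
    return f"{enterprise}:{authority}:u{index}"


def build_subtasks(enterprise, authority, total, size):
    """Producer side: decompose the global task into one subtask per partition."""
    return [
        {"enterprise": enterprise, "authority": authority, "range": rng}
        for rng in partition_ranges(total, size)
    ]


class ComputingDevice:
    """Consumer side: computes the rows of its partition and writes them to the store."""

    def __init__(self, name, store):
        self.name = name
        self.store = store

    def process(self, task, compute_row):
        start, end = task["range"]
        for idx in range(start, end):
            key = redis_key(task["enterprise"], task["authority"], idx)
            self.store[key] = compute_row(idx)   # one Value (row bits) per Key
        return end - start


def run_subtasks(tasks, devices, compute_row):
    """Devices take subtasks from the queue in turn (a simple stand-in for
    preemption); returns the number of rows each device wrote. Adding a device
    to the list spreads the same number of subtasks over more workers."""
    queue = deque(tasks)
    written = {d.name: 0 for d in devices}
    while queue:
        for device in devices:
            if not queue:
                break
            written[device.name] += device.process(queue.popleft(), compute_row)
    return written


def constructed_row(total):
    """Constructed row generator (stands in for the NetQL query results):
    sub-object idx can see the sub-objects whose index has the same parity."""
    return lambda idx: [1 if (idx + j) % 2 == 0 else 0 for j in range(total)]


if __name__ == "__main__":
    print(len(partition_ranges(40000, 1000)), partition_ranges(40000, 1000)[-1])
    store = {}
    devices = [ComputingDevice("device1", store), ComputingDevice("device2", store)]
    tasks = build_subtasks("acme", "visible", 10, 3)
    print(run_subtasks(tasks, devices, constructed_row(10)), len(store))
```

With 40000 sub-objects and a partition size of 1000 the producer issues the 40 subtasks of the text; the small 10-sub-object run shows that every index ends up under exactly one Key regardless of which device processed its partition.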
In some embodiments, since the business rule information or the data record itself is not a constant one, and the change of any field in the data record of a member or a department in the target object or the change of any business rule information will cause the change of the management and control data of the whole authority, when the data record or the business rule information is changed, the system needs to reconstruct the management and control data of each authority once in full, that is, reconstruct the topological relation diagram according to the latest data record, parse the corresponding query instructions according to the latest business rule information, and then generate new management and control data, which is similar to the steps in the above embodiments. Under the scene of rapid business development and iteration, the change in the system may be frequent, if the change triggers the calculation of the total management and control data, the resource utilization rate of the system is lower, the calculation cost is higher, and for this reason, a polling mechanism of a timing task can be adopted, i.e. all the changes in a certain period are periodically pulled through the timing task, then the total calculation is carried out on the management and control data in batches, and finally the total calculation is asynchronously written into the Redis storage middleware to update the management and control data, thereby further improving the resource utilization rate of the system and reducing the calculation cost when updating the management and control data on the basis of read-write separation.
In some embodiments, the polling mechanism of the timed task described above is expressed as follows: at intervals of the target duration, the server acquires the update instructions associated with the authority that were received within the target duration, where an update instruction is used for changing at least one of the data records or the business rule information associated with the authority of the target object; the topological relation diagram is updated based on the update instructions; and the management and control data of the authority is updated based on the updated topological relation diagram. The target duration is any value greater than 0.
Optionally, after receiving any instruction and parsing the instruction into an update instruction associated with the authority, the server caches the update instruction in an instruction cache (for example, a waiting queue), and when the polling mechanism is triggered by the timing task, pulls all update instructions cached in the target duration from the instruction cache at each interval, for example, pulls all cached update instructions from the waiting queue at each interval target duration, then clears the waiting queue, then changes at least one item of data record or business rule information based on the update instruction, and reconstructs a new topological relation diagram based on a similar manner as in steps 301-302; then, when the timed task triggers the authority calculation, based on the similar way of the steps 303-305, the latest changed service rule information is analyzed to obtain each inquiry instruction, each inquiry instruction is executed on the new topological relation diagram to obtain the final each inquiry result, then new management and control data is generated and is stored in the Redis storage middleware in a covering way.
Fig. 8 is a flowchart of a business update for authority calculation and storage. As shown in Fig. 8, when a system administrator configures an authority rule, an update instruction of a data record or of business rule information (both may be collectively called an authority policy, for example a NetQL statement) is generally written, and in the authority management module the update instruction is persisted in a MySQL database, which is equivalent to the above-mentioned process of caching into an instruction cache region. The timed task Schedule module is responsible for scheduling the timed tasks, which can be divided into two types: the first timed task is used for periodically pulling update instructions from the MySQL database and constructing a new topological relation diagram, and the second timed task is used for periodically calculating new management and control data according to the latest business rule information and the latest topological relation diagram. Different periods can be set for the two timed tasks, for example 10 minutes for the first timed task and 20 minutes for the second; by setting different periods for the two timed tasks, the two steps of updating the topological relation diagram and updating the management and control data can be decoupled and converted into asynchronous updates, so that the flexibility of the system can be further improved.
When the timing task Schedule module triggers the first timing task, each update instruction cached in the time period from the last time of pulling to the current time of pulling is pulled from the MySQL database, then, for the update instruction related to the change data record, the corresponding change is performed on the data record, and then, a new topological relation diagram is constructed based on a similar manner to the steps 301-302, and of course, each set (EntityNet) in the new hash table is correspondingly constructed.
When the timing task Schedule module triggers the second timing task, each update instruction cached in the time period from the last completion of the pulling to the current pulling time is pulled from the MySQL database, then, for the update instruction related to the changed business rule information, the corresponding change is performed on the business rule information, then, new management and control data is generated based on the similar manner as in the steps 303-305, and then, the new management and control data is updated into the corresponding Redis storage middleware.
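The two decoupled timing tasks described above, as an added example that is not the patent's own code. Assumptions made here: an update instruction is a dict with an arrival time `ts` and a `kind` of `record` (change one attribute of a sub-object) or `rule` (add a business rule); the topological relation diagram is kept as a hash table mapping (attribute name, attribute value) to the set of sub-object IDs carrying that value, standing in for the EntityNet sets; and a business rule is a pair (viewer attribute, target attribute) meaning that sub-objects having the viewer attribute may see sub-objects having the target attribute. The `InstructionStore`, `PermissionServer` and `demo` names are mine, not the patent's.

```python
# Added example (not the patent's code): an update-instruction store drained by
# two independently timed tasks, in the manner described for the Schedule module.
# Assumptions (mine): instructions are dicts with 'ts' and 'kind' ('record' or
# 'rule'); the topology is a hash table (attribute name, attribute value) ->
# set of sub-object IDs (the EntityNet sets); a rule is (viewer_attr, target_attr).
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Attr = Tuple[str, str]
Topology = Dict[Attr, Set[str]]
Rule = Tuple[Attr, Attr]


class InstructionStore:
    """Persisted update instructions (the role MySQL plays in the text).
    Rows are never removed; each task remembers its own last pull time."""

    def __init__(self) -> None:
        self._rows: List[dict] = []

    def push(self, instr: dict) -> None:
        self._rows.append(instr)

    def pull(self, since: int, until: int) -> List[dict]:
        # Everything that arrived after the previous pull, up to this pull.
        return [r for r in self._rows if since < r["ts"] <= until]


class PermissionServer:
    def __init__(self, records: Dict[str, Dict[str, str]], rules: List[Rule]) -> None:
        self.records = records          # sub-object ID -> {attribute name: attribute value}
        self.rules = list(rules)
        self.store = InstructionStore()
        self.last_pull_first = 0        # last pull time of the first timing task
        self.last_pull_second = 0       # last pull time of the second timing task
        self.topology = self.build_topology()
        self.management_data = self.compute_management_data()

    def build_topology(self) -> Topology:
        # Steps 301-302 in the text: one node per attribute value, one EntityNet
        # set per node holding every sub-object that carries that value.
        topo: Topology = defaultdict(set)
        for sid, attrs in self.records.items():
            for name, value in attrs.items():
                topo[(name, value)].add(sid)
        return dict(topo)

    def compute_management_data(self) -> Dict[str, Set[str]]:
        # Steps 303-305: each rule becomes one query on the topology; the
        # result is, per viewer, the set of sub-objects it may see.
        visible: Dict[str, Set[str]] = {sid: set() for sid in self.records}
        for viewer_attr, target_attr in self.rules:
            targets = self.topology.get(target_attr, set())
            for viewer in self.topology.get(viewer_attr, set()):
                visible[viewer] |= targets
        return visible

    def first_timing_task(self, now: int) -> int:
        """Apply record changes received since the last pull, then rebuild the graph."""
        applied = 0
        for instr in self.store.pull(self.last_pull_first, now):
            if instr["kind"] == "record":
                self.records.setdefault(instr["id"], {})[instr["attr"]] = instr["value"]
                applied += 1
        self.last_pull_first = now
        self.topology = self.build_topology()
        return applied

    def second_timing_task(self, now: int) -> int:
        """Apply rule changes received since the last pull, then regenerate the data."""
        applied = 0
        for instr in self.store.pull(self.last_pull_second, now):
            if instr["kind"] == "rule":
                self.rules.append(instr["rule"])
                applied += 1
        self.last_pull_second = now
        self.management_data = self.compute_management_data()
        return applied


def demo() -> Dict[str, Set[str]]:
    # Constructed sample data: three members and one initial rule.
    records = {"u1": {"dept": "sales", "role": "leader"},
               "u2": {"dept": "sales", "role": "staff"},
               "u3": {"dept": "hr", "role": "staff"}}
    server = PermissionServer(records, [(("role", "leader"), ("dept", "sales"))])
    before = set(server.management_data["u1"])
    # t=3: u3 transfers to sales (record change); t=5: staff may see leaders (rule change).
    server.store.push({"ts": 3, "kind": "record", "id": "u3", "attr": "dept", "value": "sales"})
    server.store.push({"ts": 5, "kind": "rule", "rule": (("role", "staff"), ("role", "leader"))})
    server.first_timing_task(now=10)           # topology now has u3 in sales ...
    stale = set(server.management_data["u1"])  # ... but the management data is untouched
    server.second_timing_task(now=20)          # until the second task runs.
    return {"before": before, "stale": stale,
            "u1_after": set(server.management_data["u1"]),
            "u2_after": set(server.management_data["u2"])}
```

The `stale` value in `demo` is the point of the decoupling: between the first and the second timing task the graph already reflects the record change while the management and control data served to clients does not, which is why the text later bounds the L2 cache lifetime by the period of the second timing task.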
Providing the online query service from the Redis storage middleware already meets the online query requirements in most cases, because the Redis storage middleware is synchronized to the latest management and control data and the Redis database is highly available. To further improve query efficiency, however, an L2 Cache region can be constructed on top of Redis: the Key-Value data accessed in the Redis layer within the most recent period (such as the latest 5 minutes or the latest 10 minutes) is loaded into the L2 Cache region, the memory of the L2 Cache region is managed with an LRU (Least Recently Used) strategy, and the memory capacity or the number of keys in the L2 Cache region is bounded. This provides a two-level Cache-Redis caching mechanism that responds to external online query requests at the fastest possible speed.
In some embodiments, after a query request from the user side reaches the system, the L2 cache region is first queried for a hit on the Key-Value data; if it hits, the Key-Value data cached in the L2 cache region is returned directly, and if it misses, the query continues to the Redis storage middleware, where the corresponding Key-Value data can normally be found because the Redis storage middleware holds the full set of management and control data. In general, the effective caching time of the L2 cache region is kept short, to prevent stale management and control data in the L2 cache region from still being served after the management and control data of the authority has changed; the effective caching time of the L2 cache region can therefore be set smaller than the update period of the management and control data (i.e. smaller than the period of the second timing task), which ensures the consistency of the final management and control data.
Considering that the Redis storage middleware may, with small probability, fail, an L3 layer may be provided. The L3 layer provides fallback (bottom-line) policies such as "all sub-objects are visible" or "the last-level department is visible", chosen according to the attribute values of the sub-objects; for example, different fallback policies are provided for different attribute values such as leader, human resource manager, first-line staff and non-first-line staff. When the Redis storage middleware is down or faulty, the online query service can thus continue to be provided through the fallback policies in the L3 layer. In other words, a three-level Cache-Redis-L3 caching mechanism is provided at this point.
In some embodiments, a version number may be attached to all management and control data. In other words, the server assigns a version number to the management and control data obtained by the first acquisition and to the data produced by each update, the version number increasing monotonically with the generation timestamp of the management and control data; the management and control data from the first acquisition has the smallest version number and the most recently generated data has the largest, so whether a copy of the management and control data is the latest version can be determined directly by comparing version numbers. On this basis, if the client at the user side (i.e. the application program) stores the version number, it can include that version number in its next authority query request. When the server receives an authority query request or resource access request carrying a version number, it compares the carried version number with the maximum version number of its local management and control data. If they are the same, the server returns target state information indicating that the management and control data is unchanged, for example a status code, and no query of the management and control data is needed, which greatly saves computing resources on the server. Otherwise, when the carried version number differs from the maximum version number of the management and control data, the three-level Cache-Redis-L3 caching mechanism is queried for the latest management and control data, which is returned to the client.
In this process, a first-level version number caching mechanism is added on top of the three-level Cache-Redis-L3 caching mechanism, so that a four-level caching mechanism of version number-Cache-Redis-L3 is presented as a whole, which greatly improves the response speed of the server to permission query requests and saves network bandwidth between the client and the server.
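The four-level lookup described in the preceding paragraphs, as an added example that is not the patent's own code. Assumptions made here: the Redis storage middleware is stood in for by a dict with a flag that simulates an outage; the L3 fallback policy is a callable that derives a coarse answer from the key alone; the "target state information" is the constructed status string `UNCHANGED`; the cached values are opaque strings standing for one sub-object's management and control data; and the clock is injected so that expiry and eviction are deterministic. The `L2Cache`, `QueryService` and `demo` names are mine.

```python
# Added example (not the patent's code): version number -> L2 cache -> Redis -> L3
# fallback, with an injected clock. Assumptions (mine): Redis is a dict, the
# fallback policy is a callable, UNCHANGED is a constructed status string.
from collections import OrderedDict
from typing import Callable, Dict, Optional, Tuple


class L2Cache:
    """LRU cache bounded by entry count; entries expire after `ttl` seconds.
    The TTL must stay below the update period of the management data so that a
    stale entry cannot outlive a recalculation (the consistency point in the text)."""

    def __init__(self, capacity: int, ttl: int, clock: Callable[[], int]) -> None:
        self.capacity, self.ttl, self.clock = capacity, ttl, clock
        self._data: "OrderedDict[str, Tuple[int, str]]" = OrderedDict()

    def get(self, key: str) -> Optional[str]:
        item = self._data.get(key)
        if item is None:
            return None
        stored_at, value = item
        if self.clock() - stored_at >= self.ttl:
            del self._data[key]            # expired: caller falls through to Redis
            return None
        self._data.move_to_end(key)        # mark as most recently used
        return value

    def put(self, key: str, value: str) -> None:
        self._data[key] = (self.clock(), value)
        self._data.move_to_end(key)
        while len(self._data) > self.capacity:
            self._data.popitem(last=False)  # evict the least recently used entry

    def __len__(self) -> int:
        return len(self._data)


class QueryService:
    UNCHANGED = "UNCHANGED"   # constructed target state information

    def __init__(self, redis: Dict[str, str], version: int, l2: L2Cache,
                 fallback: Callable[[str], str]) -> None:
        self.redis, self.redis_up = redis, True
        self.version = version        # largest version number of the management data
        self.l2, self.fallback = l2, fallback
        self.hits = {"version": 0, "l2": 0, "redis": 0, "l3": 0}

    def query(self, key: str, client_version: Optional[int] = None) -> Tuple[str, int]:
        """Return (payload, current version); the levels are tried in order."""
        if client_version is not None and client_version == self.version:
            self.hits["version"] += 1
            return self.UNCHANGED, self.version     # nothing needs to be looked up
        value = self.l2.get(key)
        if value is not None:
            self.hits["l2"] += 1
            return value, self.version
        if self.redis_up and key in self.redis:
            self.hits["redis"] += 1
            value = self.redis[key]
            self.l2.put(key, value)                 # warm L2 for the next request
            return value, self.version
        self.hits["l3"] += 1                        # Redis down or key missing
        return self.fallback(key), self.version


def demo() -> dict:
    clock = [0]
    # 5 minute TTL against the 20 minute update period quoted in the text.
    l2 = L2Cache(capacity=2, ttl=300, clock=lambda: clock[0])
    redis = {"u1": "bitmap-row:u1", "u2": "bitmap-row:u2", "u3": "bitmap-row:u3"}
    svc = QueryService(redis, version=7, l2=l2,
                       fallback=lambda key: "ALL_SUB_OBJECTS_VISIBLE")
    out = {}
    out["first"] = svc.query("u1")                         # Redis hit, fills L2
    out["second"] = svc.query("u1")                        # L2 hit
    out["versioned"] = svc.query("u1", client_version=7)   # client already current
    clock[0] = 301
    out["expired"] = svc.query("u1")                       # L2 entry expired -> Redis again
    svc.query("u2")
    svc.query("u3")                                        # capacity 2: u1 is evicted (LRU)
    out["u1_evicted"] = l2.get("u1") is None
    svc.redis_up = False                                   # simulate a Redis outage
    out["outage_l2"] = svc.query("u2")                     # still served from L2
    out["outage_l3"] = svc.query("u4")                     # not cached, Redis down -> L3
    out["hits"] = dict(svc.hits)
    return out
```

The fallback answer is deliberately the coarse policy the text names ("all sub-objects visible"); a production deployment would choose the policy per attribute value as the text describes, and would log every L3 hit, since each one is a request answered without the authoritative management and control data.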
In some embodiments, a flow control policy may be added to the server to limit the request interface that receives permission query requests, so as to prevent the online query service from responding slowly or even becoming unavailable (i.e. going down) due to a traffic burst.
Fig. 9 is a schematic diagram of an online service architecture for management and control data according to an embodiment of the present disclosure. As shown in fig. 9, assuming that a system manages 4 types of rights, under the flow control (rate limiting) mechanism the server provides a multi-level caching mechanism of L3-Cache-Redis externally: the organization structure of the enterprise address book is stored in a JSON (JavaScript Object Notation) tree format, and two fallback policies, full-staff visibility and last-level department visibility, are cached, with different fallback policies configurable for different member attribute values. In addition, the version number (i.e. timestamp) of each Key-Value data item is updated in real time in the Redis layer; for example, the records u1-updatetime=1 and u2-updatetime=2 indicate that the version number of sub-object u1 is 1 and that of sub-object u2 is 2. Furthermore, the mapping between the sub-object ID and the Index can be cached, or the ternary mapping between the sub-object ID, the account ID and the Index; because an Index has to be allocated to both members and departments, the member ID-member Index mapping of members (such as userid1-index1, userid2-index2, etc.) and the department ID-department Index mapping of departments (such as departmentid1-index1, departmentid2-index2, etc.) can be recorded separately. Finally, 3 bitmaps, namely the management and control data of 3 rights, are recorded for the member visibility right, the member searchability right and the department visibility right respectively.
At the bottom level, the asynchronous offline rights calculation task can refer to the description of asynchronous calculation of the management and control data and updating of the management and control data in fig. 8, and the description is not repeated here.
Fig. 10 is a schematic diagram of an interactive interface of an application program provided in an embodiment of the present disclosure, as shown in fig. 10, when the interactive interface is displayed in the application program, because address book information is displayed in the interactive interface, a client needs to determine each sub-object (a department sub-object or a member sub-object) that is currently visible through management and control data of visibility rights, and only the department sub-object or the member sub-object that satisfies the visibility rights can be displayed in the interactive interface, thereby ensuring data security of address book department organization architecture and member contact information.
Fig. 11 is a schematic diagram of an interactive interface of an application program provided in an embodiment of the present disclosure, as shown in fig. 11, when a member X initiates a fuzzy search for a keyword "Y" in the application program, a client needs to determine each sub-object (member sub-object or department sub-object) that is currently searchable through management and control data of a searchable authority, and only the department sub-object or member sub-object that satisfies the searchable authority and matches with the keyword "Y" can be displayed in a search result page, thereby guaranteeing data security of an address book department organization architecture and member contact information.
When the response time of the system request interface was tested on the basis of this system framework, the response time of the request interface in the peak period was found to be below 180 ms, indicating that the current online query service for the management and control data can support sufficient QPS, i.e. the current system has a high query request and response speed.
The authority management scheme for a communication application based on memory computing described in the above embodiments can handle business scenarios that require fine-grained control of authority, achieving management and control at the granularity of sub-objects. A topological relation diagram is built by converting the data record format into a graph data format, and NetQL primitives for operating the sets of the hash table corresponding to the topological relation diagram are provided, so the scheme can be adapted to various query operations on the topological relation diagram. The management and control data of the various authorities is generated and cached in advance, which achieves read-write separation online; high availability is achieved through the Redis storage middleware; unlimited capacity is supported based on a producer/consumer architecture, giving the calculation of the management and control data higher efficiency. Storing the management and control data of the various authorities in the Redis storage middleware, together with the multi-level caching mechanism, supports fast responses to authority query requests and resource access requests; in addition, the fallback policy further improves the fault tolerance of the server, communication and network bandwidth are saved, and the service bandwidth is improved.
Fig. 12 is a logical block diagram of an apparatus for acquiring rights information according to an exemplary embodiment. Referring to fig. 12, the apparatus includes a first acquisition unit 1201, a construction unit 1202, and a second acquisition unit 1203.
A first obtaining unit 1201 configured to perform obtaining at least one data record associated with rights of a target object;
a building unit 1202 configured to perform building a topological relation diagram based on the at least one data record, wherein the topological relation diagram is used for representing the association relation between the attribute names and the attribute values in each data record;
a second obtaining unit 1203 configured to obtain, based on the business rule information associated with the right and the topological relation diagram, management data of the right, the management data being used to provide an access control policy for a resource associated with the right.
According to the device provided by the embodiment of the disclosure, the data record associated with the authority is dumped into the corresponding topological relation diagram, so that after business rule information is analyzed into query operation when the management and control data of the authority is generated, the data record does not need to be subjected to complex cascade query operation, but the related query operation can be directly performed on the topological relation diagram, namely the diagram data, thereby greatly improving the calculation efficiency of the management and control data, breaking the limitation of the RBAC model, and being applicable to application scenes with various functions and complex business rules.
In one possible implementation, each of the at least one data record corresponds to a child object within the target object, the child object comprising at least one of a department child object or a member child object;
the topological relation graph comprises a plurality of nodes, and different nodes with topological relation are connected through directed edges, wherein each node corresponds to an attribute value of one sub-object, and each directed edge corresponds to an attribute name of the attribute value corresponding to the pointed node.
In a possible implementation, the building unit 1202 is configured to perform:
constructing each node in the topological relation diagram based on each attribute value in each data record;
based on each attribute name in each data record, each directed edge connecting different nodes in the topological relation diagram is constructed.
In one possible implementation, based on the apparatus composition of fig. 12, the second acquisition unit 1203 includes:
the analysis subunit is configured to execute analysis of the business rule information to obtain at least one query instruction for the topological relation diagram;
an execution subunit configured to execute the at least one query instruction based on the topological relation diagram to obtain at least one query result;
and a generation subunit configured to generate the management data based on the at least one query result.
In one possible implementation manner, the topological relation diagram is stored in a hash table form, wherein a plurality of sets are recorded in the hash table, and each set stores an attribute value of one node in the topological relation diagram, an attribute name of a directed edge accessed to the node and attribute values of other nodes connected with the node;
the execution subunit is configured to execute:
based on the at least one query instruction, corresponding processing operations are performed on each set in the hash table, resulting in the at least one query result.
In one possible implementation, the execution subunit is configured to perform:
for each inquiry instruction, determining a target attribute value carried by the inquiry instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
In one possible implementation, in a case where a plurality of the target attribute values are carried in the query instruction, the execution subunit is configured to execute:
executing a processing operation matching the query semantics of the query instruction on the plurality of target sets corresponding to the target attribute values, to obtain the query result of the query instruction.
In one possible implementation, the management data is stored in a bitmap form, and each element in the bitmap is used to represent whether the index of the row where the element is located has the right to the index of the column where the element is located;
based on the apparatus composition of fig. 12, the generating subunit includes:
an allocation subunit configured to perform allocation of a corresponding index to each of the sub-objects in the target object;
and a generating subunit configured to perform, based on the at least one query result, assigning a value to an element determined by a row in which the index associated with each child object is located and a column in which the index associated with the other child object is located, so as to generate the bitmap.
In one possible implementation, the sub-objects of the target object include at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
the generated bitmap includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
In one possible implementation, the allocation subunit is configured to perform:
allocating corresponding indexes to each member sub-object, each department sub-object and each application sub-object associated with the target object;
the generating subunit is configured to perform:
assigning values to the elements determined by the row of the index associated with the member sub-object and the column of the index associated with other sub-objects based on the at least one query result to generate a first bitmap, a second bitmap and a third bitmap of the authority;
wherein each row and each column in the first bitmap corresponds to a member sub-object, each row in the second bitmap corresponds to a member sub-object and each column corresponds to a department sub-object, and each row in the third bitmap corresponds to a member sub-object and each column corresponds to an application sub-object.
In one possible implementation, the generating subunit is configured to perform:
when the query result indicates that the child object has the authority to any other child object, the element is assigned to be 1 in the bitmap;
when the query result indicates that the child object does not have the right for any other child object, the element is assigned a value of 0 in the bitmap.
In one possible implementation, based on the apparatus composition of fig. 12, the apparatus further includes:
a dividing unit configured to perform division of each sub-object in the target object into a plurality of sub-object sets;
the generation subunit is configured to perform:
determining, for each computing device of the plurality of computing devices, any set of sub-objects from the plurality of sets of sub-objects that did not generate the management data;
generating partial management and control data corresponding to the sub-object set based on the query result corresponding to the sub-object set in the at least one query result;
and merging the partial control data generated by the plurality of computing devices to obtain the control data.
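The bitmap storage of the management and control data and its partitioned generation, as described in the preceding implementations, as an added example that is not the patent's own code. Assumptions made here: query results arrive as a mapping from viewer sub-object ID to the set of sub-object IDs it holds the right over; indexes are allocated per sub-object kind in sorted order; and the plurality of computing devices is simulated sequentially, each handling one disjoint set of rows. The `Bitmap`, `allocate_indexes`, `partition`, `generate_partial`, `generate_bitmap` and `demo` names are mine.

```python
# Added example (not the patent's code): bitmaps for three rights, generated in
# parts for disjoint sub-object sets and merged. Assumptions (mine): query
# results are {viewer ID: set of target IDs}; indexes are per-kind, sorted order.
from typing import Dict, Iterable, List, Set

Index = Dict[str, int]
QueryResult = Dict[str, Set[str]]


class Bitmap:
    """Element (row, col) is 1 when the sub-object at `row` holds the right
    over the sub-object at `col`. Stored packed, 8 elements per byte."""

    def __init__(self, rows: int, cols: int) -> None:
        self.rows, self.cols = rows, cols
        self.bits = bytearray((rows * cols + 7) // 8)

    def _pos(self, row: int, col: int) -> int:
        if not (0 <= row < self.rows and 0 <= col < self.cols):
            raise IndexError(f"({row}, {col}) outside {self.rows}x{self.cols} bitmap")
        return row * self.cols + col

    def set(self, row: int, col: int, value: int) -> None:
        p = self._pos(row, col)
        if value:
            self.bits[p >> 3] |= 1 << (p & 7)
        else:
            self.bits[p >> 3] &= 0xFF ^ (1 << (p & 7))

    def get(self, row: int, col: int) -> int:
        p = self._pos(row, col)
        return (self.bits[p >> 3] >> (p & 7)) & 1

    def merge(self, other: "Bitmap") -> None:
        # Partial bitmaps cover disjoint row sets and are zero elsewhere, so a
        # bytewise OR reassembles the complete bitmap.
        if (self.rows, self.cols) != (other.rows, other.cols):
            raise ValueError("partial bitmaps must share dimensions")
        for i, b in enumerate(other.bits):
            self.bits[i] |= b


def allocate_indexes(members: Iterable[str], departments: Iterable[str],
                     applications: Iterable[str]) -> Dict[str, Index]:
    # One index space per sub-object kind (the allocation subunit).
    return {kind: {sid: i for i, sid in enumerate(sorted(ids))}
            for kind, ids in (("member", members), ("department", departments),
                              ("application", applications))}


def partition(ids: List[str], devices: int) -> List[Set[str]]:
    # Split the sub-objects into `devices` disjoint, roughly equal sets.
    return [set(ids[i::devices]) for i in range(devices)]


def generate_partial(result: QueryResult, row_idx: Index, col_idx: Index,
                     subset: Set[str]) -> Bitmap:
    # What one computing device produces: rows for its own subset only.
    bm = Bitmap(len(row_idx), len(col_idx))
    for viewer in subset:
        for target in result.get(viewer, ()):
            if target in col_idx:            # skip targets of another kind
                bm.set(row_idx[viewer], col_idx[target], 1)
    return bm


def generate_bitmap(result: QueryResult, row_idx: Index, col_idx: Index,
                    devices: int = 3) -> Bitmap:
    merged = Bitmap(len(row_idx), len(col_idx))
    for subset in partition(sorted(row_idx), devices):
        merged.merge(generate_partial(result, row_idx, col_idx, subset))
    return merged


def demo() -> Dict[str, int]:
    idx = allocate_indexes(["alice", "bob", "carol", "dave"], ["sales", "hr"], ["payroll"])
    m, d, a = idx["member"], idx["department"], idx["application"]
    # Constructed query results, one per right.
    member_visible = {"alice": {"alice", "bob", "carol", "dave"}, "bob": {"bob", "carol"},
                      "carol": {"carol"}, "dave": {"dave"}}
    dept_visible = {"alice": {"sales", "hr"}, "bob": {"sales"}, "carol": {"sales"}, "dave": {"hr"}}
    app_visible = {"alice": {"payroll"}}
    first = generate_bitmap(member_visible, m, m)     # member x member
    second = generate_bitmap(dept_visible, m, d)      # member x department
    third = generate_bitmap(app_visible, m, a)        # member x application
    single = generate_bitmap(member_visible, m, m, devices=1)
    return {"alice_sees_dave": first.get(m["alice"], m["dave"]),
            "bob_sees_dave": first.get(m["bob"], m["dave"]),
            "dave_sees_hr": second.get(m["dave"], d["hr"]),
            "carol_sees_hr": second.get(m["carol"], d["hr"]),
            "alice_uses_payroll": third.get(m["alice"], a["payroll"]),
            "bob_uses_payroll": third.get(m["bob"], a["payroll"]),
            "merge_matches_single_device": int(first.bits == single.bits)}
```

Every absent entry is a 0, so a sub-object that appears in no query result is denied everything by construction; the bounds check in `_pos` is what turns an index that was never allocated into an error rather than a silent read of a neighbouring row.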
In one possible implementation, based on the apparatus composition of fig. 12, the apparatus further includes:
a third obtaining unit configured to obtain, once every target duration, the update instructions associated with the authority received within that target duration, the update instructions being used to change at least one of the data records or the business rule information associated with the authority of the target object;
the building unit 1202 is further configured to perform updating the topology relation graph based on the updating instruction;
The second obtaining unit 1203 is further configured to perform updating of the management data of the authority based on the updated topology map.
In one possible implementation, based on the apparatus composition of fig. 12, the apparatus further includes:
a distribution unit configured to assign version numbers to the management and control data acquired for the first time and to the management and control data obtained by each update, the version number increasing monotonically with the generation timestamp of the management and control data;
and a return unit configured to, in response to any permission query request carrying a version number, return target state information indicating that the management and control data is unchanged when the carried version number is the same as the maximum version number of the management and control data.
Any combination of the above-mentioned optional solutions may be adopted to form an optional embodiment of the present disclosure, which is not described herein in detail.
With respect to the apparatus in the above-described embodiments, the specific manner in which the respective units perform the operations has been described in detail in the embodiments regarding the method of acquiring the authority information, and will not be described in detail here.
Fig. 13 shows a block diagram of a computer device, which is a terminal or a server and is illustrated as a terminal 1300 according to an exemplary embodiment of the present disclosure. The terminal 1300 may be: a smart phone, a tablet computer, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a notebook computer, or a desktop computer. Terminal 1300 may also be referred to by other names such as user device, portable terminal, laptop terminal, desktop terminal, etc.
In general, the terminal 1300 includes: a processor 1301, and a memory 1302.
Processor 1301 may include one or more processing cores, such as a 4-core processor, an 8-core processor, and the like. Processor 1301 may be implemented in at least one hardware form of DSP (Digital Signal Processing), FPGA (Field-Programmable Gate Array), or PLA (Programmable Logic Array). Processor 1301 may also include a main processor and a coprocessor; the main processor is a processor for processing data in an awake state, also called a CPU (Central Processing Unit), and the coprocessor is a low-power processor for processing data in a standby state. In some embodiments, processor 1301 may integrate a GPU (Graphics Processing Unit) for rendering and drawing the content to be displayed by the display screen. In some embodiments, the processor 1301 may also include an AI (Artificial Intelligence) processor for processing computing operations related to machine learning.
Memory 1302 may include one or more computer-readable storage media, which may be non-transitory. Memory 1302 may also include high-speed random access memory, as well as non-volatile memory, such as one or more magnetic disk storage devices, flash memory storage devices. In some embodiments, a non-transitory computer readable storage medium in memory 1302 is used to store at least one instruction for execution by processor 1301 to implement the method of obtaining rights information provided by various embodiments in the present disclosure.
In some embodiments, the terminal 1300 may further optionally include: a peripheral interface 1303 and at least one peripheral. The processor 1301, the memory 1302, and the peripheral interface 1303 may be connected by a bus or signal lines. The respective peripheral devices may be connected to the peripheral device interface 1303 through a bus, a signal line, or a circuit board. Specifically, the peripheral device includes: at least one of radio frequency circuitry 1304, a touch display screen 1305, a camera assembly 1306, audio circuitry 1307, a positioning assembly 1308, and a power supply 1309.
A peripheral interface 1303 may be used to connect I/O (Input/Output) related at least one peripheral to the processor 1301 and the memory 1302. In some embodiments, processor 1301, memory 1302, and peripheral interface 1303 are integrated on the same chip or circuit board; in some other embodiments, either or both of the processor 1301, the memory 1302, and the peripheral interface 1303 may be implemented on separate chips or circuit boards, which is not limited in this embodiment.
The radio frequency circuit 1304 is used to receive and transmit RF (Radio Frequency) signals, also known as electromagnetic signals. The radio frequency circuit 1304 communicates with a communication network and other communication devices via electromagnetic signals. The radio frequency circuit 1304 converts an electrical signal into an electromagnetic signal for transmission, or converts a received electromagnetic signal into an electrical signal. Optionally, the radio frequency circuit 1304 includes: an antenna system, an RF transceiver, one or more amplifiers, a tuner, an oscillator, a digital signal processor, a codec chipset, a subscriber identity module card, and so forth. The radio frequency circuit 1304 may communicate with other terminals via at least one wireless communication protocol. The wireless communication protocol includes, but is not limited to: metropolitan area networks, various generations of mobile communication networks (2G, 3G, 4G, and 5G), wireless local area networks, and/or WiFi (Wireless Fidelity) networks. In some embodiments, the radio frequency circuit 1304 may also include NFC (Near Field Communication) related circuits, which are not limited by the present disclosure.
The display screen 1305 is used to display a UI (User Interface). The UI may include graphics, text, icons, video, and any combination thereof. When the display 1305 is a touch display, the display 1305 also has the ability to capture touch signals at or above its surface. The touch signal may be input to the processor 1301 as a control signal for processing. In that case, the display 1305 may also be used to provide virtual buttons and/or a virtual keyboard, also referred to as soft buttons and/or a soft keyboard. In some embodiments, there may be one display screen 1305, provided on the front panel of the terminal 1300; in other embodiments, there may be at least two displays 1305, disposed on different surfaces of the terminal 1300 or in a folded configuration; in still other embodiments, the display 1305 may be a flexible display disposed on a curved or folded surface of the terminal 1300. The display screen 1305 may even be arranged in a non-rectangular irregular pattern, i.e. a shaped screen. The display screen 1305 may be made of LCD (Liquid Crystal Display), OLED (Organic Light-Emitting Diode) or other materials.
The camera assembly 1306 is used to capture images or video. Optionally, camera assembly 1306 includes a front camera and a rear camera. Typically, the front camera is disposed on the front panel of the terminal and the rear camera on the rear surface of the terminal. In some embodiments, there are at least two rear cameras, each being one of a main camera, a depth camera, a wide-angle camera and a telephoto camera, so that the main camera and the depth camera can be fused to realize a background blurring function, and the main camera and the wide-angle camera can be fused to realize panoramic shooting, Virtual Reality (VR) shooting or other fused shooting functions. In some embodiments, camera assembly 1306 may also include a flash. The flash may be a single-color-temperature flash or a dual-color-temperature flash. A dual-color-temperature flash is a combination of a warm-light flash and a cold-light flash and can be used for light compensation at different color temperatures.
The audio circuit 1307 may include a microphone and a speaker. The microphone is used for collecting sound waves of users and environments, converting the sound waves into electric signals, and inputting the electric signals to the processor 1301 for processing, or inputting the electric signals to the radio frequency circuit 1304 for voice communication. For purposes of stereo acquisition or noise reduction, a plurality of microphones may be provided at different portions of the terminal 1300, respectively. The microphone may also be an array microphone or an omni-directional pickup microphone. The speaker is then used to convert electrical signals from the processor 1301 or the radio frequency circuit 1304 into sound waves. The speaker may be a conventional thin film speaker or a piezoelectric ceramic speaker. When the speaker is a piezoelectric ceramic speaker, not only the electric signal can be converted into a sound wave audible to humans, but also the electric signal can be converted into a sound wave inaudible to humans for ranging and other purposes. In some embodiments, the audio circuit 1307 may also comprise a headphone jack.
The positioning component 1308 is used to locate the current geographic location of the terminal 1300 to enable navigation or LBS (Location Based Service). The positioning component 1308 may be a positioning component based on the GPS (Global Positioning System) of the United States, the BeiDou system of China, the GLONASS system of Russia, or the Galileo system of the European Union.
A power supply 1309 is used to power the various components in the terminal 1300. The power supply 1309 may be an alternating current, a direct current, a disposable battery, or a rechargeable battery. When the power supply 1309 comprises a rechargeable battery, the rechargeable battery may support wired or wireless charging. The rechargeable battery may also be used to support fast charge technology.
In some embodiments, terminal 1300 also includes one or more sensors 1310. The one or more sensors 1310 include, but are not limited to: acceleration sensor 1311, gyroscope sensor 1312, pressure sensor 1313, fingerprint sensor 1314, optical sensor 1315, and proximity sensor 1316.
The acceleration sensor 1311 can detect the magnitudes of acceleration on the three coordinate axes of a coordinate system established on the terminal 1300. For example, the acceleration sensor 1311 may be used to detect the components of gravitational acceleration along the three coordinate axes. The processor 1301 may control the touch display screen 1305 to display the user interface in a landscape or portrait view based on the gravitational acceleration signals acquired by the acceleration sensor 1311. The acceleration sensor 1311 may also be used to collect motion data for a game or a user.
The gyroscope sensor 1312 may detect the body direction and rotation angle of the terminal 1300, and may cooperate with the acceleration sensor 1311 to collect the user's 3D motion on the terminal 1300. Based on the data collected by the gyroscope sensor 1312, the processor 1301 can implement the following functions: motion sensing (for example, changing the UI according to a tilting operation by the user), image stabilization when shooting, game control, and inertial navigation.
The pressure sensor 1313 may be disposed on a side frame of the terminal 1300 and/or beneath the touch display screen 1305. When the pressure sensor 1313 is disposed on a side frame of the terminal 1300, the user's grip signal on the terminal 1300 can be detected, and the processor 1301 performs left-hand/right-hand recognition or a shortcut operation according to the grip signal collected by the pressure sensor 1313. When the pressure sensor 1313 is disposed beneath the touch display screen 1305, the processor 1301 controls the operable controls on the UI according to the pressure applied by the user on the touch display screen 1305. The operable controls include at least one of a button control, a scroll bar control, an icon control, and a menu control.
The fingerprint sensor 1314 is used to collect the user's fingerprint; either the processor 1301 identifies the user based on the fingerprint collected by the fingerprint sensor 1314, or the fingerprint sensor 1314 identifies the user based on the collected fingerprint. Upon recognizing the user's identity as a trusted identity, the processor 1301 authorizes the user to perform related sensitive operations, including unlocking the screen, viewing encrypted information, downloading software, making payments, changing settings, and the like. The fingerprint sensor 1314 may be disposed on the front, back, or side of the terminal 1300. When the terminal 1300 is provided with a physical key or vendor logo, the fingerprint sensor 1314 may be integrated with the physical key or vendor logo.
The optical sensor 1315 is used to collect ambient light intensity. In one embodiment, the processor 1301 may control the display brightness of the touch display screen 1305 based on the ambient light intensity collected by the optical sensor 1315. Specifically, when the ambient light intensity is high, the display brightness of the touch display screen 1305 is turned up; when the ambient light intensity is low, the display brightness of the touch display screen 1305 is turned down. In another embodiment, the processor 1301 may also dynamically adjust the shooting parameters of the camera assembly 1306 based on the ambient light intensity collected by the optical sensor 1315.
The proximity sensor 1316, also called a distance sensor, is typically disposed on the front panel of the terminal 1300. The proximity sensor 1316 is used to collect the distance between the user and the front of the terminal 1300. In one embodiment, when the proximity sensor 1316 detects that the distance between the user and the front of the terminal 1300 is gradually decreasing, the processor 1301 controls the touch display screen 1305 to switch from the screen-on state to the screen-off state; when the proximity sensor 1316 detects that the distance between the user and the front of the terminal 1300 is gradually increasing, the processor 1301 controls the touch display screen 1305 to switch from the screen-off state to the screen-on state.
Those skilled in the art will appreciate that the structure shown in fig. 13 is not limiting of terminal 1300 and may include more or fewer components than shown, or may combine certain components, or may employ a different arrangement of components.
Fig. 14 is a schematic structural diagram of a computer device according to an embodiment of the present disclosure. The computer device 1400 may vary considerably in configuration or performance, and may include one or more processors (Central Processing Units, CPU) 1401 and one or more memories 1402, where at least one program code is stored in the memories 1402 and is loaded and executed by the processors 1401 to implement the method for obtaining rights information provided in the above embodiments. Of course, the computer device 1400 may also have a wired or wireless network interface, a keyboard, and an input/output interface for performing input and output, and may also include other components for implementing the functions of the device, which are not described here.
In an exemplary embodiment, a computer readable storage medium is also provided, such as a memory, comprising at least one instruction executable by a processor in a computer device to perform the method of obtaining rights information in the above embodiments. Alternatively, the above-described computer-readable storage medium may be a non-transitory computer-readable storage medium, which may include, for example, ROM (Read-Only Memory), RAM (Random-Access Memory), CD-ROM (Compact Disc Read-Only Memory), magnetic tape, floppy disk, optical data storage device, and the like.
In an exemplary embodiment, there is also provided a computer program product including one or more instructions executable by a processor of a computer device to perform the method for obtaining rights information provided in the above embodiments.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (22)

1. A method for acquiring authority information, characterized by comprising the following steps:
acquiring at least one data record associated with an authority of a target object, wherein each data record in the at least one data record corresponds to a sub-object in the target object, and the authority refers to the access authority of an application program to the address book information of the target object and to accessed third-party applications;
constructing a topological relation diagram based on the at least one data record, wherein the topological relation diagram is used for representing the association relation between attribute names and attribute values in each data record, the topological relation diagram comprises a plurality of nodes, different nodes having a topological relation are connected through directed edges, each node corresponds to one attribute value of one sub-object, and each directed edge corresponds to the attribute name of the attribute value corresponding to the node pointed to by the directed edge;
analyzing business rule information associated with the authority to obtain at least one query instruction for the topological relation diagram, wherein the business rule information refers to a management and control rule constructed for each sub-object in the target object with respect to the authority according to the business requirements of the target object;
executing the at least one query instruction based on the topological relation diagram to obtain at least one query result;
and generating management and control data of the authority based on the at least one query result, wherein the management and control data is used for providing an access control policy for resources associated with the authority.
2. The method for obtaining rights information according to claim 1, wherein constructing a topological relation diagram based on the at least one data record comprises:
Constructing each node in the topological relation diagram based on each attribute value in each data record;
and constructing each directed edge connecting different nodes in the topological relation diagram based on each attribute name in each data record.
3. The method according to claim 1, wherein the topology graph is stored in a hash table, wherein a plurality of sets are recorded in the hash table, and each set stores an attribute value of one node in the topology graph, an attribute name of a directed edge accessing the node, and attribute values of other nodes connected to the node;
the executing the at least one query instruction based on the topological relation diagram to obtain at least one query result comprises:
and executing corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain the at least one query result.
4. The method according to claim 3, wherein the performing a corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain the at least one query result comprises:
for each query instruction, determining a target attribute value carried by the query instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
5. The method according to claim 1, wherein the management and control data is stored in the form of a bitmap, and each element in the bitmap is used for representing whether the sub-object indexed by the row in which the element is located has the authority over the sub-object indexed by the column in which the element is located;
the generating the management and control data based on the at least one query result includes:
distributing corresponding indexes to each sub-object in the target object;
and assigning values to elements determined by the row of the index associated with each sub-object and the column of the index associated with other sub-objects based on the at least one query result to generate the bitmap.
6. The method of claim 5, wherein the sub-objects of the target object include at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
The generated bitmap includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
8. The method for acquiring rights information according to claim 1, characterized in that the method further comprises:
dividing each sub-object in the target object into a plurality of sub-object sets;
the generating the management and control data based on the at least one query result includes:
determining, for each computing device of a plurality of computing devices, any sub-object set among the plurality of sub-object sets for which management and control data has not yet been generated;
Generating partial management and control data corresponding to the sub-object set based on the query result corresponding to the sub-object set in the at least one query result;
and merging the partial management and control data generated by the plurality of computing devices to obtain the management and control data.
9. The method for acquiring rights information according to claim 1, characterized in that the method further comprises:
at every interval of a target duration, acquiring the update instructions associated with the authority that were received within the target duration, wherein an update instruction is used for changing at least one of the data records or the business rule information associated with the authority of the target object;
updating the topological relation diagram based on the updating instruction;
and updating the management and control data of the authority based on the updated topological relation diagram.
10. The method for acquiring rights information according to claim 1, characterized in that the method further comprises:
assigning version numbers to the management and control data obtained initially and to the management and control data obtained by each update, wherein the version numbers increase monotonically with the generation timestamps of the management and control data;
and in response to any authority query request carrying a version number, returning target state information when the carried version number is the same as the maximum version number of the management and control data, wherein the target state information is used for representing that the management and control data has not changed.
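The following Python program is an added illustration of the method of claims 1 to 10, written for this page; it is not the patent holder's code, and the sample records, the rule mini-syntax ("kind" or "kind:attr=value" on each side of "->") and every function name are constructed assumptions. It builds the topological relation diagram as a hash table of sets keyed by (attribute name, attribute value), parses business rules into query instructions, runs them against the table, writes the results into a row-per-subject bitmap (each row an integer used as a bit vector), generates the bitmap in partitions that are then merged as in claim 8, and versions each generated bitmap so that a query carrying the newest version number is answered with "unchanged" as in claim 10. An update under claim 9 is simply a rerun of build_control_data on the changed records or rules followed by a new publish.

```python
"""Added illustration (not the patent holder's code) of claims 1-10: data
records -> topological relation graph as a hash table of sets -> rule-derived
query instructions -> versioned bitmap management and control data."""
from collections import defaultdict
import time

# Constructed data records, one per sub-object of the target object. Keys are
# attribute names, values are attribute values; "kind" marks the sub-object type.
RECORDS = [
    {"kind": "member", "name": "alice", "department": "eng", "role": "admin"},
    {"kind": "member", "name": "bob", "department": "eng", "role": "staff"},
    {"kind": "member", "name": "carol", "department": "sales", "role": "staff"},
    {"kind": "app", "name": "wiki", "department": "eng"},
    {"kind": "app", "name": "crm", "department": "sales"},
]

# Constructed business rules "<subject selector> -> <object selector>"; a
# selector is "kind" or "kind:attr=value" (an assumed mini-syntax).
RULES = [
    "member:department=eng -> app:department=eng",
    "member:department=sales -> app:department=sales",
    "member:role=admin -> app",
]

def build_graph(records):
    """Claims 2-3: each attribute value is a node; the hash table maps the node
    (attribute name of the edge reaching it, attribute value) to the set of
    sub-objects, by name, connected to it."""
    graph = defaultdict(set)
    for rec in records:
        for attr, value in rec.items():
            graph[(attr, value)].add(rec["name"])
    return graph

def parse_rules(rules):
    """Claim 1: each rule yields a (subject, object) pair of query instructions
    of the form (kind, (attr, value) or None)."""
    def selector(text):
        kind, _, cond = text.strip().partition(":")
        if not cond:
            return kind, None
        attr, _, value = cond.partition("=")
        return kind, (attr, value)
    return [tuple(selector(s) for s in rule.split("->")) for rule in rules]

def run_query(graph, instr):
    """Claim 4: fetch the target set for the carried attribute value and keep
    only sub-objects of the requested kind."""
    kind, cond = instr
    result = set(graph[("kind", kind)])
    return result & graph[cond] if cond else result

def generate_bitmap(graph, queries, rows, cols):
    """Claims 5 and 7: row index = subject, column index = object, bit 1 when
    some rule grants the row authority over the column."""
    col_bit = {name: 1 << i for i, name in enumerate(cols)}
    bitmap = {name: 0 for name in rows}
    for subject_q, object_q in queries:
        mask = sum(col_bit[o] for o in run_query(graph, object_q) & set(cols))
        for subj in run_query(graph, subject_q) & set(rows):
            bitmap[subj] |= mask
    return bitmap

def generate_partitioned(graph, queries, rows, cols, devices=2):
    """Claim 8: split the subjects into sets, let each computing device build
    partial control data for one set, then merge the parts."""
    merged = {}
    for i in range(devices):
        merged.update(generate_bitmap(graph, queries, rows[i::devices], cols))
    return merged

def build_control_data(records, rules, devices=2):
    """Claim 1 end to end; returns (bitmap, row order, column order)."""
    rows = [r["name"] for r in records if r["kind"] == "member"]
    cols = [r["name"] for r in records if r["kind"] == "app"]
    graph = build_graph(records)
    return generate_partitioned(graph, parse_rules(rules), rows, cols, devices), rows, cols

def has_authority(bitmap, cols, subject, obj):
    """Access decision read straight from the bitmap."""
    return bool((bitmap[subject] >> cols.index(obj)) & 1)

class ControlDataStore:
    """Claims 9-10: every (re)generation gets a version number that grows with
    its timestamp; a query carrying the newest version is told 'unchanged'."""
    def __init__(self):
        self.versions = []  # (version, timestamp, bitmap)

    def publish(self, bitmap):
        version = len(self.versions) + 1
        self.versions.append((version, time.time(), bitmap))
        return version

    def query(self, client_version):
        latest, _, bitmap = self.versions[-1]
        return ("unchanged", None) if client_version == latest else ("updated", bitmap)
```

Calling build_control_data(RECORDS, RULES) on the constructed data gives rows alice, bob, carol and columns wiki, crm, with alice granted both applications (department rule plus admin rule), bob only wiki and carol only crm; publishing the bitmap once and querying with that version number returns "unchanged", while an older or absent version number returns the current bitmap.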
11. An apparatus for acquiring rights information, comprising:
a first acquisition unit configured to acquire at least one data record associated with an authority of a target object, wherein each data record in the at least one data record corresponds to a sub-object in the target object, and the authority refers to the access authority of an application program to the address book information of the target object and to accessed third-party applications;
the construction unit is configured to execute construction of a topological relation diagram based on the at least one data record, wherein the topological relation diagram is used for representing the association relation between attribute names and attribute values in each data record, the topological relation diagram comprises a plurality of nodes, different nodes with topological relation are connected through directed edges, each node corresponds to one attribute value of one sub-object, and each directed edge corresponds to the attribute name of the attribute value corresponding to the directed node;
a second acquisition unit including:
an analysis subunit configured to analyze business rule information associated with the authority to obtain at least one query instruction for the topological relation diagram, wherein the business rule information refers to a management and control rule constructed for each sub-object in the target object with respect to the authority according to the business requirements of the target object;
an execution subunit configured to execute the at least one query instruction based on the topological relation diagram to obtain at least one query result;
and a generation subunit configured to generate, based on the at least one query result, management and control data of the authority, wherein the management and control data is used for providing an access control policy for resources associated with the authority.
12. The apparatus according to claim 11, wherein the construction unit is configured to perform:
constructing each node in the topological relation diagram based on each attribute value in each data record;
and constructing each directed edge connecting different nodes in the topological relation diagram based on each attribute name in each data record.
13. The apparatus according to claim 11, wherein the topology graph is stored in a hash table, wherein a plurality of sets are recorded in the hash table, and each set stores an attribute value of one node in the topology graph, an attribute name of a directed edge accessing the node, and attribute values of other nodes connected to the node;
The execution subunit is configured to execute:
and executing corresponding processing operation on each set in the hash table based on the at least one query instruction to obtain the at least one query result.
14. The apparatus according to claim 13, wherein the execution subunit is configured to execute:
for each query instruction, determining a target attribute value carried by the query instruction;
and acquiring a query result of the query instruction based on a target set corresponding to the target attribute value in the hash table, wherein the target set is used for representing each sub-object with the target attribute value.
15. The apparatus according to claim 11, wherein the management and control data is stored in the form of a bitmap, and each element in the bitmap is used for representing whether the sub-object indexed by the row in which the element is located has the authority over the sub-object indexed by the column in which the element is located;
the generation subunit includes:
an allocation subunit configured to perform allocation of a corresponding index to each of the sub-objects in the target object;
and the generating subunit is configured to perform assignment on the element determined by the row of the index associated with each sub-object and the column of the index associated with other sub-objects based on the at least one query result so as to generate the bitmap.
16. The apparatus for acquiring rights information according to claim 15, wherein the sub-object of the target object comprises at least one of: a member sub-object, a department sub-object, or an application sub-object associated with the target object;
the generated bitmap includes at least one of: a bitmap corresponding to the member sub-object, a bitmap corresponding to the member sub-object and the department sub-object, or a bitmap corresponding to the member sub-object and the application sub-object.
17. The apparatus according to claim 15, wherein the generation subunit is configured to perform:
when the query result indicates that the sub-object has the authority over any other sub-object, the element is assigned a value of 1 in the bitmap;
and when the query result indicates that the sub-object does not have the authority over any other sub-object, the element is assigned a value of 0 in the bitmap.
18. The apparatus for acquiring rights information according to claim 11, characterized in that the apparatus further comprises:
a dividing unit configured to perform division of each sub-object in the target object into a plurality of sub-object sets;
The generation subunit is configured to perform:
determining, for each computing device of a plurality of computing devices, any sub-object set among the plurality of sub-object sets for which management and control data has not yet been generated;
generating partial management and control data corresponding to the sub-object set based on the query result corresponding to the sub-object set in the at least one query result;
and merging the partial management and control data generated by the plurality of computing devices to obtain the management and control data.
19. The apparatus for acquiring rights information according to claim 11, characterized in that the apparatus further comprises:
a third acquisition unit configured to, at every interval of a target duration, acquire the update instructions associated with the authority that were received within the target duration, wherein an update instruction is used for changing at least one of the data records or the business rule information associated with the authority of the target object;
the construction unit is further configured to update the topological relation diagram based on the update instruction;
the second acquisition unit is further configured to update the management and control data of the authority based on the updated topological relation diagram.
20. The apparatus for acquiring rights information according to claim 11, characterized in that the apparatus further comprises:
an allocation unit configured to allocate version numbers to the management and control data acquired for the first time and to the management and control data obtained by each update, wherein the version numbers increase monotonically with the generation timestamps of the management and control data;
and a return unit configured to, in response to any authority query request carrying a version number, return target state information when the carried version number is the same as the maximum version number of the management and control data, wherein the target state information is used for representing that the management and control data has not changed.
21. A computer device, comprising:
one or more processors;
one or more memories for storing the one or more processor-executable instructions;
wherein the one or more processors are configured to execute the instructions to implement the method of obtaining rights information as claimed in any one of claims 1 to 10.
22. A computer-readable storage medium, wherein at least one instruction in the computer-readable storage medium, when executed by one or more processors of a computer device, enables the computer device to perform the method of obtaining rights information as claimed in any one of claims 1 to 10.
CN202111506120.5A 2021-12-10 2021-12-10 Authority information acquisition method and device, computer equipment and storage medium Active CN114244595B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111506120.5A CN114244595B (en) 2021-12-10 2021-12-10 Authority information acquisition method and device, computer equipment and storage medium

Publications (2)

Publication Number Publication Date
CN114244595A CN114244595A (en) 2022-03-25
CN114244595B true CN114244595B (en) 2024-03-12

Family

ID=80754637

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant