CN114448726A - Authority management method and device based on multiple identities - Google Patents


Info

Publication number
CN114448726A
Authority
CN
China
Prior art keywords
user
information
identity
authority
organization
Legal status
Granted
Application number
CN202210291374.8A
Other languages
Chinese (zh)
Other versions
CN114448726B (en)
Inventor
朱士成
Current Assignee
Glodon Co Ltd
Original Assignee
Glodon Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method and a device for managing authority based on multiple identities, wherein the method comprises the following steps: acquiring service information of a target service system and first user identity information of a user of the target service system, wherein the first user identity information comprises organization information and user role information; grouping users based on the organization information and the user role information to generate user group information; and respectively configuring the operation authorities of the users at different levels in the target service system based on the service information and the organization information, user role information and user group information corresponding to each user. Therefore, the operation authorities corresponding to different identities are configured by utilizing the multiple identities (organization, group and role) of the user; through management configuration and multi-identity authority control, the operation convenience and requirement flexibility of users of an electronic bidding platform in the field of public resource transaction are significantly improved, and the user experience is improved.

Description

Authority management method and device based on multiple identities
Technical Field
The invention relates to the technical field of authority management, in particular to an authority management method and device based on multiple identities.
Background
With the development of the field of public resource transaction and the introduction of various management measures for public resource transaction in China, the public resource transaction centers and the market participants taking part in bidding services place stronger flexibility requirements on the identity management method of an electronic bidding platform. Most authority management in existing bidding platforms is a single, role-based authority management method: related roles are allocated to the functional departments of the public resource transaction center and to the market participants taking part in bidding activities, and the identities owned by the personnel and the system authorities they are responsible for are identified by those roles.
However, with the existing role-based rights management method, when the organization of the public resource transaction center is complex, the convenience and user experience of operating the platform drop sharply.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method and an apparatus for rights management based on multiple identities to solve the problems of complex user identity rights operation and poor experience in the rights management method based on roles in the prior art.
According to a first aspect, an embodiment of the present invention provides a rights management method based on multiple identities, including:
acquiring service information of a target service system and first user identity information of a user of the target service system, wherein the first user identity information comprises: organization information and user role information;
grouping users based on the organization information and the user role information to generate user group information;
and respectively configuring the operation authorities of the users at different levels in the target service system based on the service information and the organization information, the user role information and the user group information corresponding to the users.
Optionally, the acquiring the service information of the target service system includes:
acquiring system information corresponding to the target service system;
judging whether the target business system is an application system or a service system based on the system information;
when the target business system is a service system, extracting business function modules corresponding to the target business system and business operation information corresponding to each business function module;
and generating the service information based on the service function module and the service operation information corresponding to each service function module.
Optionally, the grouping users based on the organization information and the user role information to generate user group information includes:
based on the organization information, dividing user groups according to organizations;
determining a user group to which a current user belongs based on user role information corresponding to the current user;
and generating the user group information based on the user information corresponding to each user group.
Optionally, the configuring, based on the service information and organization information, user role information, and user group information corresponding to each user, operation permissions of each user at different levels in the target service system respectively includes:
determining second user identity information of each user based on organization information, user role information and user group information corresponding to different users;
configuring corresponding user-level identity authorization of the current user in the target service system based on second user identity information and the service information corresponding to the current user;
configuring the corresponding group data level authority of the current user in the target service system based on the user group information corresponding to the current user and the service information;
and configuring the role authority corresponding to the current user in the target service system based on the user role information corresponding to the current user and the service information.
Optionally, the group data-level permissions include: global data permission, organization-level permission, intra-group data permission and personal data permission, wherein,
the global data permission means that the users in the user group of the current user have all data permissions in the target service system;
the organization-level permission means that the users in the user group of the current user have the permission to the data created by all users under their organization in the target service system;
the intra-group data permission means that the users in the user group of the current user have the permission to the data created by all users under that user group in the target service system;
and the personal data permission means that the current user has the permission only to the data created by the current user within the user group where the current user is located.
Optionally, the method further comprises:
acquiring a current identity authority control management mode corresponding to a current user;
when the current identity authority control management mode is a splitting mode, determining operation authorities corresponding to different identities of a current user based on identity information corresponding to the current user, and sending the operation authority corresponding to a first identity to the current user, wherein the identity information comprises: the organization, the user group and the user role corresponding to the current user.
Optionally, the method further comprises:
and when the current identity authority control management mode is the mixed mode, determining the operation authorities corresponding to different identities of the current user based on the identity information corresponding to the current user, and sending the operation authorities corresponding to all the identities to the current user.
According to a second aspect, an embodiment of the present invention provides a multiple-identity-based rights management apparatus, including:
an obtaining module, configured to obtain service information of a target service system and first user identity information of a user of the target service system, where the first user identity information includes: organization information and user role information;
the first processing module is used for grouping users based on the organization information and the user role information to generate user group information;
and the second processing module is used for respectively configuring the operation authorities of the users at different levels in the target service system based on the service information and the organization information, the user role information and the user group information corresponding to the users.
According to a third aspect, embodiments of the present invention provide a non-transitory computer-readable storage medium storing computer instructions which, when executed by a processor, implement the method of the first aspect of the present invention and any one of its alternatives.
According to a fourth aspect, an embodiment of the present invention provides an electronic device, including: a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor being configured to execute the computer instructions to perform the method of the first aspect of the present invention and any one of the alternatives thereof.
The technical scheme of the invention has the following advantages:
the embodiment of the invention provides a method and a device for managing authority based on multiple identities, wherein the method comprises the following steps: obtaining service information of a target service system and first user identity information of a user of the target service system, wherein the first user identity information comprises organization information and user role information; grouping users based on the organization information and the user role information to generate user group information; and respectively configuring the operation authorities of the users at different levels in the target service system based on the service information and the organization information, user role information and user group information corresponding to each user. Therefore, the grouping of the users is determined by the organization and the user role to which they belong, and the operation authorities corresponding to different identities are configured by utilizing the multiple identities (organization, group and role) of the users; through management configuration and multi-identity authority control, the operation convenience and requirement flexibility of users of an electronic bidding platform in the field of public resource transaction are significantly improved, and the user experience is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
FIG. 1 is a flow chart of a method for multiple identity based rights management in an embodiment of the present invention;
FIG. 2 is an organizational diagram of a multiple identity based rights management system according to an embodiment of the invention;
FIG. 3 is a diagram illustrating a working process of an identity authority configuration management layer according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a working process of an identity authorization control management layer according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a multi-identity based rights management system according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of an electronic device in an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the accompanying drawings, and it should be understood that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In addition, the technical features involved in the different embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
With the development of the field of public resource transaction and the introduction of various management measures for public resource transaction in China, the public resource transaction centers and the market participants taking part in bidding services place stronger flexibility requirements on the identity management method of an electronic bidding platform. Most authority management in existing bidding platforms is a single, role-based authority management method: related roles are allocated to the functional departments of the public resource transaction center and to the market participants taking part in bidding activities, and the identities owned by the personnel and the system authorities they are responsible for are identified by those roles.
However, with the existing role-based rights management method, when the organization of the public resource transaction center is complex, the convenience and user experience of operating the platform drop sharply.
Based on the above problem, an embodiment of the present invention provides a rights management method based on multiple identities, and as shown in fig. 1, the rights management method based on multiple identities specifically includes the following steps:
step S101: and acquiring the service information of the target service system and the first user identity information of the user of the target service system.
The target business system serves a computer application process; exemplarily, it serves the application process for government procurement transactions on a public resource transaction platform. The business information includes the configuration module information and the operation information of the target service system. These are acquired so that authority control can be applied hierarchically: the module authority must be held before the operation authority can be held. The first user identity information includes organization information and user role information. Illustratively, a user role is "head of the collection department of a public resource trading center" or the like.
Specifically, the configuration module information mainly includes the basic information of the module, the corresponding module address, and the module type, which is either a virtual module or a real module. A virtual module is mainly a cross-system link module for which the authority management system itself performs authority control; a real module is a module that exists in the service system. The operation information is the specific operation information of the service system, such as addition, documentation, and the like.
Specifically, the organizations include, but are not limited to, abstract entities such as market participant companies, trading centers and administrative supervision departments that take part in electronic bidding. The granularity of organization authority is that users under an organization can share the data asset information belonging to the current organization structure. The module provides an Http interface for interfacing with other OA systems or registration platforms to acquire organization structure information, and also provides visual Web page maintenance of organization structure information. The organization structure is an abstract model, generally corresponding to the public resource trading centers and market participants in the real world. The organization setting mainly provides the meta-information for distinguishing organization-level data authority: each organization can only query its own data information.
Step S102: and grouping the users based on the organization information and the user role information to generate user group information.
Specifically, based on the organization information and the user role information maintained in the above steps, user group information is visually maintained, and the user group information is used to associate the organization information and the user role information. Therefore, the company is associated with the position of the user through the department, and the multi-identity definition of the user is realized.
Step S103: and respectively configuring the operation authorities of the users at different levels in the target service system based on the service information and the organization information, the user role information and the user group information corresponding to the users.
Specifically, multiple identity information of the user is maintained based on all the configuration information, so that the operation authority of the user in different levels in the target service system is configured according to different identity information.
By executing the above steps, the multi-identity-based authority management method provided by the embodiment of the invention determines the grouping of users by the organization and user role to which they belong, configures the operation authorities corresponding to different identities by utilizing the multiple identities (organization, group and role) of the users, and, through management configuration and multi-identity authority control, significantly improves the operation convenience and requirement flexibility of users of an electronic bidding platform in the field of public resource transaction and improves the user experience.
Specifically, in an embodiment, the acquiring the service information of the target service system in step S101 specifically includes the following steps:
step S201: and acquiring system information corresponding to the target service system.
The system information is used for distinguishing whether the target business system is an application system or a service system, and information such as the name, the code, the physical address and the like of the system can be maintained in the system information.
Step S202: judging whether the target business system is an application system or a service system based on the system information.
Specifically, an application system is a logically existing system, such as the public resource trading platform of a certain province; it does not correspond to any computer application process service and is a logical grouping concept defined by people. A service system corresponds to a physically existing system, and each service system corresponds to one computer application process service, such as the application process service supporting government procurement transactions on the public resource trading platform of a certain province.
Step S203: and when the target business system is a service system, extracting the business function module corresponding to the target business system and the business operation information corresponding to each business function module.
Step S204: and generating service information based on the service function modules and the service operation information corresponding to each service function module.
Therefore, by extracting the service function modules of the target service system and the service operation information corresponding to each service function module, a data basis is provided for the subsequent hierarchical authority management of the target service system.
Specifically, in an embodiment, the step S102 specifically includes the following steps:
step S301: based on the organization information, the user groups are divided according to the organizations.
Specifically, users within an organization are divided into groups of users according to the role or function of the organization.
Step S302: and determining a user group to which the current user belongs based on the user role information corresponding to the current user.
Specifically, the role or function corresponding to each user is determined according to the role information corresponding to the user, and then the user group to which the user belongs is determined.
Step S303: and generating user group information based on the user information corresponding to each user group.
Specifically, the user group information is used for associating the organization information and the user role information, and together with the organization information and the user role information, forms multiple identity information of the user. By grouping the users, convenience is provided for the users to configure the operation authority management of different levels, the operation convenience and the requirement flexibility of the users in the using process are further improved, and the user experience is improved.
Specifically, in an embodiment, the step S103 specifically includes the following steps:
step S401: and determining second user identity information of each user based on the organization information, the user role information and the user group information corresponding to different users.
Step S402: and configuring the user-level identity authorization corresponding to the current user in the target service system based on the second user identity information and the service information corresponding to the current user.
Each user can have multiple items of identity information. The second user identity information is the organization-user group-user role triple corresponding to the user; each item of second user identity information corresponds to different resource information, and the third level of the three-level authorization is applied to the user identity to perform user-level identity authorization.
Step S403: and configuring the corresponding group data level authority of the current user in the target service system based on the user group information and the service information corresponding to the current user.
Specifically, the group data-level permissions include global data permission, organization-level permission, intra-group data permission and personal data permission. The global data permission means that the users in the user group of the current user have all data permissions in the target service system; the organization-level permission means that the users in the user group of the current user have the permission to the data created by all users under their organization in the target service system; the intra-group data permission means that the users in the user group of the current user have the permission to the data created by all users under that user group in the target service system; and the personal data permission means that the current user has the permission only to the data created by the current user within the user group where the current user is located.
Further, the user group information is associated with the organization and user role information and maintains the data permission level of the user group. The data levels are: global data permission, where the users in the group have all data permissions in the service system; organization-level permission, where the users in the group have the permission to the data created under their organization in the service system; intra-group data permission, where the users in the group have the permission to the data created under that user group in the service system; and personal data permission, where a user in the group has the permission only to the data created by that user. The permission configuration of the user group can narrow the role permission associated with the user group; it is the second level of the three-level authorization, and if no third-level permission configuration from the above steps exists, this second-level configuration is what the user obtains.
Step S404: and configuring the role authority corresponding to the current user in the target service system based on the user role information and the service information corresponding to the current user.
Specifically, if "collection department of the public resource trading center" is a role, the role information and the resource information belonging to the role are maintained through a visual page. The authority maintained in this step is the authority information of the role at the first level of the three-level authorization; if the first-level authority of the role is not further authorized at the second and third levels, the role authority is locked by default. Locking the role authority means that all users holding the role have the same usage authority, and the role authority is owned by those users by default. The second-level authority is the user group authority, which is smaller than the resource authority owned by the role: for example, the heads of the collection departments of all public resource trading centers hold the same role, but the collection department of a city-level trading center has a smaller authority. The third-level authority is the user-specific authority and is further reduced relative to the second-level authority: for example, the head of the collection department of a city trading center is responsible only for certain functional operations because of the division of duties. The three-level authorization mode thus makes authority control more flexible.
Specifically, in an embodiment, the method for rights management based on multiple identities further includes the following steps:
step S104: and acquiring a current identity authority control management mode corresponding to the current user.
The current identity authority control management mode is divided into a splitting mode and a mixing mode.
Step S105: and when the current identity authority control management mode is the splitting mode, determining the operation authorities corresponding to different identities of the current user based on the identity information corresponding to the current user, and sending the operation authority corresponding to the first identity to the current user.
Wherein the identity information comprises: the organization, the user group and the user role corresponding to the current user.
Specifically, in the splitting mode, if the user has multiple identities, the list of systems and the list of identities owned by the current user are displayed after the user logs in to the system; the menu and data resource information owned by the user's first identity are displayed by default, and the user renders different resource information by switching the system or the identity, which improves the convenience of interaction for the user.
Step S106: and when the current identity authority control management mode is the mixed mode, determining the operation authorities corresponding to different identities of the current user based on the identity information corresponding to the current user, and sending the operation authorities corresponding to all the identities to the current user.
Specifically, in the hybrid mode, if the user has multiple identities, all menus and data information owned by the user can be uniformly displayed after the user logs in the system, so that the overall experience of the user system is improved, the user switching time is saved, and the working efficiency of the user is improved.
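The following is an added example, not code from the patent or from Glodon; it models the three-level authorization of steps S401 to S404 (role, then user group, then user-specific, each level only narrowing the one above and falling back to it when not configured), the four group data-level scopes of step S403, and the splitting versus mixed delivery of steps S105 and S106. All names, operations and the sample configuration are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Data-level scopes of step S403 and identity control modes of steps S105/S106
# (constant names are an assumption of this example).
GLOBAL, ORG, GROUP, PERSONAL = "global", "org", "group", "personal"
SPLIT, MIXED = "split", "mixed"


@dataclass(frozen=True)
class Identity:
    """One organization-user group-user role triple (the 'second user identity information')."""
    org: str
    group: str
    role: str


@dataclass(frozen=True)
class Record:
    """A data item in the service system, tagged with who created it."""
    creator: str
    creator_org: str
    creator_group: str


class RightsModel:
    def __init__(self) -> None:
        # Level 1: role -> operations the role owns (locked: every holder gets them).
        self.role_ops: Dict[str, FrozenSet[str]] = {}
        # Level 2: (org, group, role) -> subset of the role's operations.
        self.group_ops: Dict[Tuple[str, str, str], FrozenSet[str]] = {}
        # Data scope maintained on the user group: (org, group) -> scope.
        self.group_scope: Dict[Tuple[str, str], str] = {}
        # Level 3: (user, identity) -> subset of the group's operations.
        self.user_ops: Dict[Tuple[str, Identity], FrozenSet[str]] = {}
        # A user may hold several identities; the first one is the default identity.
        self.user_identities: Dict[str, List[Identity]] = {}

    def effective_ops(self, user: str, ident: Identity) -> FrozenSet[str]:
        """Three-level authorization: each lower level may only remove operations."""
        ops = self.role_ops.get(ident.role, frozenset())
        group_cfg = self.group_ops.get((ident.org, ident.group, ident.role))
        if group_cfg is not None:          # level 2 configured: narrow to it
            ops = ops & group_cfg
        user_cfg = self.user_ops.get((user, ident))
        if user_cfg is not None:           # level 3 configured: narrow again
            ops = ops & user_cfg
        return ops                         # otherwise the higher level applies unchanged

    def can_read(self, user: str, ident: Identity, rec: Record) -> bool:
        """Data-level check for one identity, using the scope set on its user group."""
        scope = self.group_scope.get((ident.org, ident.group), PERSONAL)
        if scope == GLOBAL:
            return True
        if scope == ORG:
            return rec.creator_org == ident.org
        if scope == GROUP:
            return rec.creator_org == ident.org and rec.creator_group == ident.group
        return rec.creator == user         # PERSONAL: only the user's own records

    def login_view(self, user: str, mode: str) -> Dict[Identity, FrozenSet[str]]:
        """What the platform hands to the user after login in splitting vs. mixed mode."""
        idents = self.user_identities[user]
        if mode == SPLIT:                  # first identity only; others need a switch
            return {idents[0]: self.effective_ops(user, idents[0])}
        if mode == MIXED:                  # everything the user owns, shown together
            return {i: self.effective_ops(user, i) for i in idents}
        raise ValueError(f"unknown mode {mode!r}")


def build_demo() -> Tuple[RightsModel, Identity, Identity]:
    """Constructed sample configuration (not taken from the patent)."""
    m = RightsModel()
    m.role_ops["DeptHead"] = frozenset({"view", "add", "archive", "delete"})
    m.role_ops["Staff"] = frozenset({"view"})
    city_head = Identity("CityCenter", "Collection", "DeptHead")
    prov_staff = Identity("ProvinceCenter", "Collection", "Staff")
    # Level 2: heads of the city collection department lose 'delete'.
    m.group_ops[("CityCenter", "Collection", "DeptHead")] = frozenset({"view", "add", "archive"})
    m.group_scope[("CityCenter", "Collection")] = GROUP
    m.group_scope[("ProvinceCenter", "Collection")] = ORG
    # Level 3: this head only views and archives; listing 'delete' here cannot re-grant it.
    m.user_ops[("zhang", city_head)] = frozenset({"view", "archive", "delete"})
    m.user_identities["zhang"] = [city_head, prov_staff]
    return m, city_head, prov_staff


if __name__ == "__main__":
    model, head, staff = build_demo()
    for mode in (SPLIT, MIXED):
        print(mode, {f"{i.org}/{i.group}/{i.role}": sorted(o)
                     for i, o in model.login_view("zhang", mode).items()})
```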
The technical scheme provided by the invention, through management configuration and multi-identity authority control, significantly improves the operation convenience and requirement flexibility of electronic bidding platform users in the field of public resource transaction, and meets the requirements for data authority isolation and simple data authority control in the construction of a province-wide network platform.
The following describes a multiple-identity rights management system established by using the multiple-identity-based rights management method provided by the embodiment of the present invention in detail with reference to specific application examples.
As shown in fig. 2, the multi-identity rights management system is logically divided into a three-level structure. The C1 level, the identity authority configuration management layer, mainly provides the meta-configuration information of multiple identities through visual Web pages, so that an administrator of the electronic bidding platform can configure authority information as required for the public resource trading center personnel using the platform and for the market participants taking part in bidding activities; this layer mainly provides six configuration functions, namely [ system configuration ], [ module operation configuration ], [ organization configuration ], [ group configuration ], [ role configuration ] and [ user identity configuration ]. The C2 level, the identity authority control management layer, is mainly oriented to each electronic bidding service system, provides the logic for identity authority control of each service system, and uniformly schedules identity authority control management across multiple service systems depending on the meta-configuration information of the C1 layer; its specific execution flow steps are shown in detail in fig. 4. The C3 layer generally refers to the various platforms in the electronic bidding process, such as the engineering construction transaction platform, the government procurement transaction platform, etc., which are the application parties and users of the multi-identity rights management method.
Specifically, as shown in fig. 3, the configuration operation flow of the related module at the C1 layer specifically includes:
Step C1S1: organization information is maintained first. Organizations include, without limitation, the abstract entities participating in electronic bidding, such as market entities (companies), trading centers and administrative supervision departments. At organization granularity, users under an organization share the data assets of that organization. The module provides an HTTP interface for connecting to other OA systems or registration platforms to obtain organization information, and also provides visual Web pages for maintaining organization information. In the abstract model, organizations correspond to the real-world public resource trading centers and market entities. Organization settings mainly provide the meta-information for distinguishing organization-level data authority: each organization can query only its own data.
Step C1S2: system information is maintained through visual Web pages. System information is divided into application systems and service systems. An application system is a logically existing system, such as the Henan Province public resource transaction platform; it does not exist as a computer application process or service and is an artificially divided logical grouping. A service system corresponds to a physically existing system, and each service system corresponds to a computer application process or service, such as the application process service supporting government procurement transactions on the Henan Province public resource transaction platform. System information maintenance covers the system's name, code and physical address, and the authority division mode of an application system can be set according to user requirements, corresponding to the split mode and mixed mode described for the C1 layer.
Step C1S3: module information and operation information are configured through visual pages, depending on the system information configured in the previous step. Module information mainly includes basic module information, the corresponding module address and the module category, where a module is either a virtual module or a real module. A virtual module is a cross-system link module for which the rights management system itself mainly performs the authority control; a real module is a module that exists in the service system. Operations are the specific operation information of the service system, such as add, document, and the like.
Step C1S4: role information is maintained; for example, the procurement department of a public resource trading center is a role. This step mainly provides visual pages for maintaining role information and the resource information belonging to each role. The authority maintained in this step is the first-level role authority of the three-level authorization; if no second- or third-level authorization follows, the role authority is locked in by default.
Step C1S5: user group information is maintained visually, based on the organization and role information maintained in the previous steps. User group information is associated with organization and user role information, and the data-level authority of the user group is maintained here. The data levels are: global data authority, under which users in the group have authority over all data in the service system; organization-level authority, under which users in the group have authority over the data created under their organization in the service system; group data authority, under which users in the group have authority over the data created by the group in the service system; and personal data authority, under which users in the group have authority only over the data they created themselves. The role authority associated with a user group can be reduced through the user group configuration; this secondary configuration is the second level of the three-level authorization, and if no third-level authority configuration exists, this level's configuration takes effect.
Step C1S6: the user's multiple identity information is maintained, based on all the configuration information above. This module provides an HTTP interface for connecting to and obtaining user information from different user platforms, and also provides visual Web pages for maintaining user identity authority information. The step mainly maintains the user's basic information and user identity authority information. Each user can have multiple identities; one organization-user group-user role combination is one identity, and each identity corresponds to different resource information. Third-level authorization, i.e. user-level identity authorization, can be carried out on a user identity.
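The following is an added example, not code from the patent or its applicant, that models steps C1S1 to C1S6 and the three-level authorization they describe: a role carries the first-level operation authority, a user group may only narrow it (second level) and also fixes the group's data level, and a user identity (organization + group + role) may narrow it again (third level). All organization, role, group, user and record names are constructed for illustration, and the `module:operation` strings are an assumed encoding of the module operation configuration.

```python
"""Added example (not the patent's code): a minimal model of the C1-layer
configuration and the three-level authorization it describes.  Every name,
role, group, user and record below is constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class DataLevel(Enum):
    """Data-level authority maintained on a user group (step C1S5)."""
    GLOBAL = "global"              # all data in the service system
    ORGANIZATION = "organization"  # data created under the user's organization
    GROUP = "group"                # data created by the user's group
    PERSONAL = "personal"          # only data the user created


@dataclass(frozen=True)
class Identity:
    """One identity is an organization + user group + user role triple (step C1S6)."""
    org: str
    group: str
    role: str


@dataclass
class Role:
    ops: frozenset                 # first-level authorization, "module:operation"


@dataclass
class Group:
    org: str
    role: str
    data_level: DataLevel
    removed_ops: frozenset = frozenset()   # second level: may only narrow the role


@dataclass
class Record:
    owner: str
    owner_org: str
    owner_group: str


@dataclass
class Catalog:
    """The meta-configuration an administrator maintains in the C1 layer."""
    roles: dict = field(default_factory=dict)    # role name -> Role
    groups: dict = field(default_factory=dict)   # group name -> Group
    users: dict = field(default_factory=dict)    # user -> {Identity: removed ops}

    def _check_identity(self, user, ident):
        if ident not in self.users.get(user, {}):
            raise PermissionError(f"{user!r} has no identity {ident}")
        group = self.groups[ident.group]
        if (group.org, group.role) != (ident.org, ident.role):
            raise ValueError("identity is inconsistent with its group configuration")
        return group

    def effective_ops(self, user, ident):
        """Role -> group -> user: each level can only remove operations."""
        group = self._check_identity(user, ident)
        ops = self.roles[ident.role].ops - group.removed_ops   # level 2
        return ops - self.users[user][ident]                    # level 3 (empty = inherit level 2)

    def can_do(self, user, ident, op):
        return op in self.effective_ops(user, ident)

    def can_read(self, user, ident, record):
        """Row-level check from the group's data level; organizations stay isolated."""
        level = self._check_identity(user, ident).data_level
        if level is DataLevel.GLOBAL:
            return True
        if level is DataLevel.ORGANIZATION:
            return record.owner_org == ident.org
        if level is DataLevel.GROUP:
            return record.owner_group == ident.group
        return record.owner == user


def build_sample():
    """Constructed configuration: three organizations, two roles, one user with two identities."""
    c = Catalog()
    c.roles["procurement"] = Role(frozenset({"tender:create", "tender:publish",
                                             "tender:view", "tender:delete"}))
    c.roles["supervisor"] = Role(frozenset({"tender:view", "tender:audit"}))
    c.groups["center-procurement"] = Group("trading-center", "procurement",
                                           DataLevel.ORGANIZATION,
                                           removed_ops=frozenset({"tender:delete"}))
    c.groups["agency-bidders"] = Group("agency-a", "procurement", DataLevel.PERSONAL)
    c.groups["regulator-audit"] = Group("regulator", "supervisor", DataLevel.GLOBAL)
    alice_center = Identity("trading-center", "center-procurement", "procurement")
    alice_regulator = Identity("regulator", "regulator-audit", "supervisor")
    c.users["alice"] = {alice_center: frozenset({"tender:publish"}),  # level-3 narrowing
                        alice_regulator: frozenset()}                  # inherits level 2
    c.users["bob"] = {Identity("agency-a", "agency-bidders", "procurement"): frozenset()}
    return c
```

Two design points are worth noting. Each authorization level only subtracts from the level above it, so a misconfigured group or user identity can never grant an operation the role does not have. Separately, the operation check and the data-level check are independent: a user whose identity permits `tender:view` still sees only the rows its group's data level allows, which is what keeps organizations isolated from one another.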
By executing the above steps, the multiple-identity-based rights management method provided by the embodiment of the present invention determines user grouping from the organization and user role to which each user belongs, configures the operation authorities corresponding to different identities using the user's multiple identities of organization, group and role, and, through configuration management and multiple-identity authority control, markedly improves the operational convenience and flexibility for users of an electronic bidding platform in the public resource trading field and improves the user experience.
An embodiment of the present invention further provides a rights management device based on multiple identities, as shown in fig. 5, the rights management device based on multiple identities includes:
an obtaining module 101, configured to obtain service information of a target service system and first user identity information of a user of the target service system, where the first user identity information includes: organization information and user role information. For details, refer to the related description of step S101 in the above method embodiment, and no further description is provided here.
The first processing module 102 is configured to group users based on the organization information and the user role information to generate user group information. For details, refer to the related description of step S102 in the above method embodiment, and no further description is provided here.
The second processing module 103 is configured to configure the operation permissions of the users at different levels in the target service system based on the service information and the organization information, the user role information, and the user group information corresponding to the users. For details, refer to the related description of step S103 in the above method embodiment, and no further description is provided here.
For further description of the multiple identity-based rights management apparatus provided in the embodiments of the present invention, reference is specifically made to the related description of the multiple identity-based rights management method embodiments, and the specific implementation processes of the two are similar, which are not described herein again.
Through the cooperation of the above components, the multiple-identity-based rights management device provided by the embodiment of the present invention determines user grouping from the organization and user role to which each user belongs, configures the operation rights corresponding to different identities using the user's multiple identities of organization, group and role, and, through configuration management and multiple-identity authority control, markedly improves the operational convenience and flexibility for users of an electronic bidding platform in the public resource trading field and improves the user experience.
An embodiment of the present invention further provides an electronic device, as shown in fig. 6, the electronic device may include a processor 901 and a memory 902, where the processor 901 and the memory 902 may be connected by a bus or in another manner, and fig. 6 takes the connection by the bus as an example.
Processor 901 may be a Central Processing Unit (CPU). The Processor 901 may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components, or combinations thereof.
The memory 902, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs, non-transitory computer executable programs, and modules, such as the program instructions/modules corresponding to the methods in the embodiments of the present invention. The processor 901 executes the various functional applications and data processing of the electronic device, i.e., implements the above-described method, by executing the non-transitory software programs, instructions, and modules stored in the memory 902.
The memory 902 may include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function; the storage data area may store data created by the processor 901, and the like. Further, the memory 902 may include high speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory 902 may optionally include memory located remotely from the processor 901, which may be connected to the processor 901 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
One or more modules are stored in the memory 902, which when executed by the processor 901 performs the methods described above.
The specific details of the electronic device may be understood by referring to the corresponding related descriptions and effects in the above method embodiments, and are not described herein again.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, and that the program can be stored in a computer-readable storage medium and, when executed, can include the processes of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a Flash Memory, a Hard Disk Drive (HDD), or a Solid State Drive (SSD); the storage medium may also comprise a combination of memories of the kinds described above.
The above embodiments are only for illustrating the technical solutions of the present invention and not for limiting the same, and although the present invention is described in detail with reference to the above embodiments, those of ordinary skill in the art should understand that: modifications and equivalents may be made to the embodiments of the invention without departing from the spirit and scope of the invention, which is to be covered by the claims.

Claims (10)

1. A rights management method based on multiple identities, comprising:
acquiring service information of a target service system and first user identity information of a user of the target service system, wherein the first user identity information comprises: organization information and user role information;
grouping users based on the organization information and the user role information to generate user group information;
and respectively configuring the operation authorities of the users at different levels in the target service system based on the service information and the organization information, the user role information and the user group information corresponding to the users.
2. The method of claim 1, wherein the obtaining the service information of the target service system comprises:
acquiring system information corresponding to the target service system;
determining, based on the system information, whether the target service system is an application system or a service system;
when the target service system is a service system, extracting the service function modules corresponding to the target service system and the service operation information corresponding to each service function module;
and generating the service information based on the service function module and the service operation information corresponding to each service function module.
3. The method of claim 1, wherein grouping users based on the organization information and the user role information to generate user group information comprises:
dividing user groups by organization based on the organization information;
determining a user group to which a current user belongs based on user role information corresponding to the current user;
and generating the user group information based on the user information corresponding to each user group.
4. The method of claim 3, wherein the configuring the operation permissions of the users at different levels in the target service system based on the service information and the organization information, the user role information, and the user group information corresponding to the users respectively comprises:
determining second user identity information of each user based on organization information, user role information and user group information corresponding to different users;
configuring corresponding user-level identity authorization of the current user in the target service system based on second user identity information and the service information corresponding to the current user;
configuring the corresponding group data level authority of the current user in the target service system based on the user group information corresponding to the current user and the service information;
and configuring the role authority corresponding to the current user in the target service system based on the user role information corresponding to the current user and the service information.
5. The method of claim 4, wherein the group data level authority comprises: global data authority, organization-level authority, group data authority, and personal data authority, wherein,
the global data authority is that the users in the user group of the current user have authority over all the data in the target service system;
the organization-level authority is that the users in the user group of the current user have authority over the data created by all users under the organization in the target service system;
the group data authority is that the users in the user group of the current user have authority over the data created by all users under the user group in the target service system;
and the personal data authority is that the current user has authority only over the data created by the current user in the user group where the current user is located.
6. The method of claim 3, further comprising:
acquiring a current identity authority control management mode corresponding to a current user;
when the current identity authority control management mode is the split mode, determining the operation authorities corresponding to the different identities of the current user based on the identity information corresponding to the current user, and sending the operation authority corresponding to a first identity to the current user, wherein the identity information comprises: the organization, the user group and the user role corresponding to the current user.
7. The method of claim 6, further comprising:
and when the current identity authority control management mode is the mixed mode, determining the operation authorities corresponding to different identities of the current user based on the identity information corresponding to the current user, and sending the operation authorities corresponding to all the identities to the current user.
8. A multiple-identity based rights management device, comprising:
an obtaining module, configured to obtain service information of a target service system and first user identity information of a user of the target service system, where the first user identity information includes: organization information and user role information;
the first processing module is used for grouping users based on the organization information and the user role information to generate user group information;
and the second processing module is used for respectively configuring the operation authorities of the users at different levels in the target service system based on the service information and the organization information, the user role information and the user group information corresponding to the users.
9. A non-transitory computer-readable storage medium storing computer instructions that, when executed by a processor, implement the method of any one of claims 1-7.
10. An electronic device, comprising:
a memory and a processor, the memory and the processor being communicatively coupled to each other, the memory having stored therein computer instructions, the processor implementing the method of any of claims 1-7 by executing the computer instructions.
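Claims 6 and 7 describe the two identity authority control management modes of the C2 layer: in split mode the user is sent the operation authority of one identity (the first) at a time, and in mixed mode the operation authorities of all identities are sent together. The following added example, which is not code from the patent or its applicant, shows that dispatch over authorities that have already been resolved per identity by the three-level authorization. The session structure, the identity-switch function for split mode, the audit list and the sample operation sets are all assumptions constructed for illustration.

```python
"""Added example (not the patent's code): C2-layer dispatch of the operation
authorities already resolved per identity.  In split mode the user holds one
identity's authorities at a time; in mixed mode the union of all of them.
Modes, identities and operation sets below are constructed for illustration."""
from dataclasses import dataclass, field

SPLIT, MIXED = "split", "mixed"


@dataclass
class Session:
    user: str
    mode: str
    identities: tuple          # ordered (org, group, role) triples, first = default
    granted: frozenset         # operation authorities currently in force
    active: tuple = None       # identity in force (split mode only)
    audit: list = field(default_factory=list)


def issue_session(user, mode, per_identity_ops):
    """per_identity_ops: ordered {identity: frozenset(ops)} from the three-level authorization."""
    if mode not in (SPLIT, MIXED):
        raise ValueError(f"unknown identity authority control mode {mode!r}")
    if not per_identity_ops:
        raise PermissionError(f"{user!r} has no configured identity")
    identities = tuple(per_identity_ops)
    if mode == SPLIT:
        # claim 6: only the first identity's authorities are sent to the user
        active, granted = identities[0], per_identity_ops[identities[0]]
    else:
        # claim 7: the authorities of all identities are sent together
        active, granted = None, frozenset().union(*per_identity_ops.values())
    session = Session(user, mode, identities, granted, active)
    session.audit.append(("issue", mode, active))
    return session


def switch_identity(session, per_identity_ops, ident):
    """Split mode only: the granted set is replaced, never accumulated."""
    if session.mode != SPLIT:
        raise ValueError("identity switching applies only in split mode")
    if ident not in session.identities:
        raise PermissionError(f"{ident} is not an identity of {session.user!r}")
    session.active = ident
    session.granted = per_identity_ops[ident]
    session.audit.append(("switch", ident))
    return session


def authorize(session, op):
    """Operation check against the authorities in force; every decision is logged."""
    allowed = op in session.granted
    session.audit.append(("check", op, allowed))
    return allowed


def sample_identity_ops():
    """Constructed per-identity authorities for one user holding two identities."""
    return {
        ("trading-center", "center-procurement", "procurement"):
            frozenset({"tender:create", "tender:view"}),
        ("regulator", "regulator-audit", "supervisor"):
            frozenset({"tender:view", "tender:audit"}),
    }
```

Split mode is the least-privilege option: at any moment the session carries the authorities of exactly one identity, and switching replaces the granted set rather than adding to it. Mixed mode unions authorities that may belong to different organizations, so the row-level data authority of claim 5 still has to be applied per record; the union only concerns which operations are offered.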
CN202210291374.8A 2022-03-23 Authority management method and device based on multiple identities Active CN114448726B (en)
Publications (2)

Publication Number Publication Date
CN114448726A true CN114448726A (en) 2022-05-06
CN114448726B CN114448726B (en) 2024-07-12
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant