CN114462069A - Multi-level tenant resource access management method, system, intelligent terminal and storage medium - Google Patents

Multi-level tenant resource access management method, system, intelligent terminal and storage medium Download PDF

Info

Publication number
CN114462069A
Authority
CN
China
Prior art keywords
tenant
access
resource
target
resources
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210376417.2A
Other languages
Chinese (zh)
Other versions
CN114462069B (en)
Inventor
陈睿彧
宋长友
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianwei Hainan Technology Co ltd
Original Assignee
Beijing Tianwei Communication Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Tianwei Communication Technology Co ltd
Priority to CN202210376417.2A
Publication of CN114462069A
Application granted
Publication of CN114462069B
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90 Details of database functions independent of the retrieved data types
    • G06F16/906 Clustering; Classification

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Data Mining & Analysis (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a multi-level tenant resource access management method, system, intelligent terminal and storage medium in the technical field of user authority management. The method is applied to a proxy node that has the authority to directly request access to all resources of all tenants, and comprises the following steps: classifying the resources of each tenant according to a preset classification rule; acquiring the level information of an access tenant and a destination tenant and the category information of the destination resources the access tenant wants to access; and judging, according to a preset access rule, whether the access tenant can access the target resource of the target tenant. The access tenant can thus access resources within its own authority and also, in a cross-authority mode, the part of the resources it needs outside that authority, which effectively solves the problem of resource isolation when the access tenant accesses resources.

Description

Multi-level tenant resource access management method, system, intelligent terminal and storage medium
Technical Field
The present application relates to the technical field of user right management, and in particular, to a method, a system, an intelligent terminal, and a storage medium for managing access to resources of multiple tenants.
Background
The multi-tenant system refers to a set of system instances which can simultaneously serve a plurality of organizations, namely tenants, and resources among the organizations are mutually isolated.
Specifically, in the multi-tenant system there is an attribution relationship between tenants, and according to the role and authority of each tenant, tenants can be divided into at least low-level tenants, middle-level tenants, high-level tenants and a manager. Generally, a multi-level multi-tenant system has the following characteristics:
for example, while a high-level tenant may access the resources of all middle-level or low-level tenants under its branch, it may not access the resources of middle-level or low-level tenants under other high-level tenants' branches. Two lower-level tenants also cannot access each other's resources. In addition, where there are multiple multi-level multi-tenant systems, a higher-level tenant in one system cannot access the resources of lower-level tenants in the other systems.
Therefore, the existing multi-level multi-tenant system suffers from the problem of resource isolation: it is difficult for an access tenant to access resources outside its own authority, which easily reduces work efficiency.
Disclosure of Invention
The purpose of the present application is to provide a multi-level tenant resource access management method, which has the characteristic that resources can be accessed by different tenants in a cross-permission mode.
The above object of the present application is achieved by the following technical solutions:
a multi-level tenant resource access management method is applied to a proxy node, wherein the proxy node has the authority of directly requesting to access all resources of all tenants, and the method comprises the following steps:
classifying the resources of each tenant according to a preset classification rule;
acquiring grade information of an access tenant and a destination tenant and category information of destination resources to be accessed by the access tenant;
and judging whether the access tenant can access the target resource of the target tenant or not according to a preset access rule.
By adopting the technical scheme, when the access tenant wants to access the resources of the target tenant in a cross-permission mode, the proxy node can acquire the grade information of the access tenant, the grade information of the target tenant and the target resources to be accessed by the access tenant, and judge whether the access tenant is authorized to access the target resources of the target tenant according to the preset access rule. When the access tenant has right to access the target resource of the target tenant, the access tenant can access the target resource. Therefore, the access tenant can access the resources in the self authority and can also access part of the resources needing to be accessed in a cross-authority mode, and the problem of resource isolation when the access tenant accesses the resources is effectively solved.
The present application may be further configured in a preferred example to: the resources of each tenant at least comprise one or more of authority public resources, condition range resources, application access resources and current-level private resources.
The present application may be further configured in a preferred example to: the method for judging whether the access tenant can access the target resource of the target tenant according to the preset access rule comprises the following steps:
for the authority public resources of the target tenant, if the level information of the access tenant is not lower than that of the target tenant and the access tenant belongs to the authority-assigned tenant, allowing the access tenant to directly access;
for condition range resources of a target tenant, if the grade information of the access tenant is not lower than that of the target tenant and the access tenant meets the preset access condition of the target tenant, allowing the access tenant to access;
for the application access resource of the target tenant, if the level information of the access tenant is not lower than that of the target tenant, the access request of the access tenant is forwarded to the target tenant;
and for the current-level private resources of the target tenant, if the level information of the access tenant is not lower than that of the target tenant, forwarding the access request of the access tenant to a higher-level tenant of the target tenant.
By adopting the technical scheme, the resources are opened to access tenants at different levels according to the confidentiality of each resource category: authority public resources may be accessed directly, condition range resources may be accessed when the access conditions are met, application access resources require an access request to the target tenant, and current-level private resources require an access request to the higher-level tenant of the target tenant. The resources thus retain a certain confidentiality while being opened.
The present application may be further configured in a preferred example to: the method for classifying the resources of each tenant according to the preset classification rule comprises the following steps:
acquiring accessed records of all resources of each tenant;
and calling a resource classification model, and determining the category of each target resource according to the accessed record of each target resource.
By adopting the technical scheme, whether the target resource needs to have the access right opened to more people or not can be judged according to the historical access amount of each target resource, so that the access right of the access tenant can be adjusted in time according to the requirement.
The present application may be further configured in a preferred example to: the method for calling the resource classification model and determining the category of each target resource according to the accessed record of each target resource comprises the following steps:
and judging whether the accessed record of the target resource contains a record authorized to be accessed by the target tenant, if so, attributing the target resource to the authority public resource, the condition range resource or the access application resource.
The present application may be further configured in a preferred example to: the method for calling the resource classification model and determining the category of each target resource according to the accessed record of each target resource further comprises the following steps:
and judging whether the accessed record of the target resource contains a record authorized to be accessed by the target tenant, and if not, classifying the target resource into the current-level private resource.
The present application may be further configured in a preferred example to: the method for attributing the target resource to the authority public resource, the condition range resource or the access application resource comprises the following steps:
if the number of access tenants that have accessed the target resource is greater than the first preset number, the target resource is classified as an authority public resource;
if the number of access tenants that have accessed the target resource does not exceed the first preset number but is greater than the second preset number, the target resource is classified as a condition range resource;
if the number of access tenants that have accessed the target resource does not exceed the second preset number, the target resource is classified as an application access resource.
The second purpose of the application is to provide a multi-level tenant resource access management system which has the characteristic of being capable of allowing different tenants to access resources in a cross-permission mode.
The second application object of the present application is achieved by the following technical scheme:
a multi-level tenant resource access management system, comprising,
the classification module is used for classifying the resources of each tenant according to a preset classification rule;
the acquisition module is used for acquiring the grade information of an access tenant and a target tenant and the category information of target resources to be accessed by the access tenant;
and the permission judging module is used for judging whether the access tenant can access the target resource of the target tenant according to a preset access rule.
The third purpose of the application is to provide an intelligent terminal, which has the characteristic of allowing different tenants to access resources in a cross-authority mode.
The third objective of the present application is achieved by the following technical solutions:
an intelligent terminal comprises a memory and a processor, wherein the memory is stored with a computer program which can be loaded by the processor and executes the multi-level tenant resource access management method.
The fourth purpose of the present application is to provide a computer storage medium, which can store corresponding programs and has the characteristic of facilitating the realization of cross-authority access of resources by different tenants.
The fourth application purpose of the present application is achieved by the following technical solutions:
a computer readable storage medium storing a computer program capable of being loaded by a processor and executing any of the above methods for multi-level tenant resource access management.
In summary, the present application includes at least one of the following beneficial technical effects:
1. when an access tenant wants to access resources of a destination tenant in a cross-authority mode, the proxy node can acquire the level information of the access tenant, the level information of the destination tenant and the destination resources to be accessed by the access tenant, and judges whether the access tenant has the right to access the destination resources of the destination tenant or not according to a preset access rule, so that the access tenant can access the resources in the self-authority and can access part of the resources needing cross-authority access, and the problem of resource isolation when the access tenant accesses the resources is effectively reduced;
2. dividing resources of each tenant into four types of resources, namely authority public resources, condition range resources, application access resources and current-level private resources, so as to ensure that the resources have certain confidentiality while the resources are opened;
3. according to the historical access amount of each target resource, whether the target resource needs to open access authority for more people can be judged, so that the access authority of the access tenant can be adjusted in time according to the requirement.
Drawings
Fig. 1 is a flowchart illustrating a multi-level tenant resource access management method according to an embodiment of the present application.
Fig. 2 is a system diagram of a plurality of multi-level multi-tenant systems and a proxy node according to an embodiment of the present application.
Fig. 3 is a system diagram of a multi-level tenant resource access management system according to an embodiment of the present application.
Fig. 4 is a schematic structural diagram of an intelligent terminal according to an embodiment of the present application.
In the figures: 21, classification module; 22, acquisition module; 23, authority judgment module; 301, CPU; 302, ROM; 303, RAM; 304, bus; 305, I/O interface; 306, input section; 307, output section; 308, storage section; 309, communication section; 310, drive; 311, removable medium.
Detailed Description
The present application is described in further detail below with reference to the attached drawings.
The present embodiment is only for explaining the present application, and it is not limited to the present application, and those skilled in the art can make modifications of the present embodiment without inventive contribution as needed after reading the present specification, but all of them are protected by patent law within the scope of the claims of the present application.
The embodiment of the application provides a multi-level tenant resource access management method which is mainly applied to scenarios in which tenants perform cross access. Specifically, each tenant can directly access the resources of all tenants under its branch, but cannot access the resources of other tenants at the same level, nor the resources of tenants under the branches of other tenants at the same level. Moreover, where there are several multi-level multi-tenant systems, a tenant cannot access the resources of another system across the system boundary. The resources are therefore isolated from each other, which is inconvenient for tenants that need to access them.
For this purpose, the method establishes a proxy node among a plurality of multi-level tenant systems, and the proxy node has the authority of directly requesting to access all resources of all tenants. The multi-level tenant resource access management method is mainly applied to the proxy node, and provides convenience for tenants to access resources outside self authority.
The embodiments of the present application will be described in further detail with reference to the drawings attached hereto.
The main flow of the multi-level tenant resource access management method is described as follows.
As shown in fig. 1 and 2:
step S101: and classifying the resources of each tenant according to a preset classification rule.
For each tenant, the resources managed by the tenant are various, and the resources mainly include four resources, namely right public resources, condition range resources, application access resources and current-level private resources. The four resources have different requirements on confidentiality, and further determine the degree of openness of each resource for the tenant. For each tenant, the resources managed by the tenant are at least one or more of the four resources. In order for a tenant to have access to resources outside its privileges, the resources managed by each tenant need to be classified.
It can be understood that, when the agent node starts to execute the access agent work, the requirement of each tenant for various resources cannot be known, so that each tenant can classify the resources managed by itself at this time, so that the agent node obtains the category information of all the resources managed by each tenant.
Of course, all the resources of all the tenants can be updated according to the access conditions of the tenants, so that the access rights to different resources can be closer to the requirements of the tenants. The method and the device mainly adjust the category information of all resources in a mode of calling a resource classification model. The specific implementation method will be described in detail below.
Step S102: and acquiring the grade information of the access tenant and the destination tenant and the category information of the destination resource to be accessed by the access tenant.
The access tenant is the tenant that sends an access request to the proxy node; the destination tenant is the tenant whose resources the access tenant requests to access; and the destination resource is a resource managed by the destination tenant which the access tenant wants to access. The destination resource may be an authority public resource, a condition range resource, an application access resource or a current-level private resource.
For each tenant, each tenant also has respective level information according to its respective role and authority. For example: the tenant with the lowest job level is the lower-level tenant, and the authority of the tenant with the lowest job level is also the lowest authority. The upper-level tenant of the lower-level tenant is the middle-level tenant. The middle-level tenant can manage a plurality of low-level tenants simultaneously. Correspondingly, the upper-level tenant of the middle-level tenant is the high-level tenant. The senior tenant can manage a plurality of the intermediate tenants at the same time. The upper level of the high-level tenant is a manager, and can simultaneously manage a plurality of high-level tenants.
When an access tenant initiates an access request to a proxy node, first, the level information of the access tenant, the level information of a destination tenant and the category information of a destination resource are obtained for further judgment.
Step S103: and judging whether the access tenant can access the target resource of the target tenant or not according to a preset access rule.
As introduced above, the resources mainly comprise authority public resources, condition range resources, application access resources and current-level private resources. Authority public resources are resources shared among different tenants. Condition range resources are resources shared by some tenants; when an access tenant accesses this type of resource, it must meet the access conditions preset by the target tenant. Application access resources are more important resources. Current-level private resources are resources managed only by a specific tenant, and are more important than application access resources.
Thus, for each class of resource, the accessing tenant has a different access rule at the time of initiating the access request. When the access tenant meets the corresponding rule, the proxy node can provide the access tenant authority to access the target resource.
In the application, when an access tenant initiates an access request, no matter what kind of resource the access tenant wants to access, the first condition to be satisfied is that the access tenant can only access the resource of a target tenant whose level information does not exceed its own level information. In some specific examples, the middle-level tenant can only access the resources of the middle-level tenant or the resources of the low-level tenant, and cannot access the resources of the high-level tenant; and the low-level tenant can only access the resources of the low-level tenant and cannot access the resources of the middle-level tenant or the resources of the high-level tenant. In other words, if an accessing tenant with lower level information initiates a request for accessing the resources of a tenant with higher level information, the proxy node must reject the request to ensure the fairness of the authority owned by each tenant.
For the authority public resources of the target tenant, if the level information of the access tenant is not lower than that of the target tenant and the access tenant belongs to the authority-assigned tenants, the access tenant is allowed to access directly. An authority-assigned (entitled) tenant can be understood as a tenant with the capability to distribute authority, for example the administrator or a tenant assigned administrative authority, which may be a high-level or a middle-level tenant; whether the current access tenant is an entitled tenant is determined according to actual conditions. It can be understood that an entitled tenant has been determined to hold a certain management authority, so the authority public resources can be opened to it directly, making it more convenient for that tenant to access resources outside its own authority. Conversely, if the level information of the access tenant is not lower than that of the destination tenant but the access tenant does not belong to the authority-assigned tenants, the proxy node limits part of the access permission of the access tenant. In some specific examples, the proxy node may grant such non-entitled access tenants an access right of a first preset duration, that is, allow them to access within the first preset duration. Preferably, the first preset duration may be 10 minutes or 30 minutes, and may be adjusted according to actual situations.
And for the condition range resources of the target tenant, if the grade information of the access tenant is not lower than that of the target tenant and the access tenant meets the preset access condition of the target tenant, allowing the access tenant to access. Wherein, each tenant sets access conditions in advance for the condition range resources managed by the tenant. The proxy node can acquire the level information of the target tenant and also can acquire the resources managed by the target tenant and the corresponding category information. For a target tenant with a condition range resource, when the proxy node acquires the relevant information of the target tenant, the proxy node can also acquire the access condition set by the target tenant. The access condition may specifically be: and further dividing the condition range resources according to the resource fields in advance, wherein the resources in each field are opened for the access tenants in the corresponding field for a second preset time length, and the resource opening time in different fields is different. Namely, the agent node allows an access tenant in a certain domain to access the resources in the corresponding domain within a second preset time length. Of course, in order to enhance the protection of resources, resources in different fields can be opened in a time-sharing manner. And otherwise, when the grade information of the access tenant is not lower than that of the destination tenant and the domain resource matched with the domain where the access tenant is located does not exist in the condition range resource, the proxy node rejects the request of the access tenant. Of course, all the condition range class resources can be set with uniform access conditions by the proxy node. The second preset duration can be set according to actual needs.
And for the application access resources of the target tenant, if the level information of the access tenant is not lower than that of the target tenant, the access request of the access tenant is forwarded to the target tenant. The application for accessing the resources is the resources which can be accessed only after the permission of the target tenant. That is, such resources need to be authorized by the destination tenant for access, and therefore, whether the access tenant meets the access condition needs to be determined by the destination tenant.
And for the current-level private resources of the target tenant, if the level information of the access tenant is not lower than that of the target tenant, forwarding the access request of the access tenant to a higher-level tenant of the target tenant. The resources are similar to the resources for applying for access, but are more important than the resources for applying for access, so that the superior tenant of the target tenant is required to authorize the access authority so as to reasonably protect the resources.
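The four access rules just described, together with the level comparison that applies to every request, the limited-duration access for non-entitled tenants and the field-matching condition for condition range resources, can be expressed as one decision function at the proxy node. The following is an added example and not code from the patent; the tenant levels, the resource and tenant fields, the owner check on the requested resource, the rejection when a destination has no superior, and the preset durations are assumptions made here.

```python
"""Added example, not the patent's own code: a proxy-node decision applying
the four-category access rule of steps S101-S103. Levels, fields, the owner
check and the preset durations are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Level(Enum):
    LOW = 1
    MIDDLE = 2
    HIGH = 3
    MANAGER = 4


class Category(Enum):
    AUTHORITY_PUBLIC = "authority_public"
    CONDITION_RANGE = "condition_range"
    APPLICATION_ACCESS = "application_access"
    LEVEL_PRIVATE = "level_private"


@dataclass(frozen=True)
class Tenant:
    name: str
    level: Level
    entitled: bool = False            # may assign authority (administrator-like)
    domain: str = ""                  # resource field the tenant works in
    superior: Optional[str] = None    # name of the higher-level tenant


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str                        # destination tenant that manages it
    category: Category
    domain: str = ""                  # field, used for condition range resources


@dataclass(frozen=True)
class Decision:
    outcome: str                      # allow | allow_limited | forward | reject
    forward_to: Optional[str] = None
    duration_minutes: Optional[int] = None


# Assumed values: the patent gives 10 or 30 minutes for the first preset
# duration and leaves the second to the deployment.
FIRST_PRESET_MINUTES = 10
SECOND_PRESET_MINUTES = 60


def decide(access: Tenant, dest: Tenant, res: Resource) -> Decision:
    """Proxy-node decision for one access request."""
    # Defensive check (assumption): the resource must belong to the claimed
    # destination, otherwise a mismatched destination would skew the level test.
    if res.owner != dest.name:
        return Decision("reject")
    # Rule common to all categories: the access tenant's level is not lower.
    if access.level.value < dest.level.value:
        return Decision("reject")
    if res.category is Category.AUTHORITY_PUBLIC:
        if access.entitled:
            return Decision("allow")
        # Non-entitled tenants get access limited to the first preset duration.
        return Decision("allow_limited", duration_minutes=FIRST_PRESET_MINUTES)
    if res.category is Category.CONDITION_RANGE:
        # Preset condition: matching field, open for the second preset duration.
        if res.domain and res.domain == access.domain:
            return Decision("allow_limited", duration_minutes=SECOND_PRESET_MINUTES)
        return Decision("reject")
    if res.category is Category.APPLICATION_ACCESS:
        return Decision("forward", forward_to=dest.name)      # destination authorises
    # LEVEL_PRIVATE: the destination's superior authorises (assumed: reject if none).
    if dest.superior is None:
        return Decision("reject")
    return Decision("forward", forward_to=dest.superior)


# Constructed sample tenants and resources.
TENANTS = {
    "admin": Tenant("admin", Level.MANAGER, entitled=True),
    "high_a": Tenant("high_a", Level.HIGH, entitled=True, domain="sales", superior="admin"),
    "mid_a": Tenant("mid_a", Level.MIDDLE, domain="finance", superior="high_a"),
    "low_a": Tenant("low_a", Level.LOW, domain="finance", superior="mid_a"),
    "low_b": Tenant("low_b", Level.LOW, domain="sales", superior="mid_a"),
}
RESOURCES = {
    "mid_report": Resource("mid_report", "mid_a", Category.AUTHORITY_PUBLIC),
    "low_ledger": Resource("low_ledger", "low_a", Category.CONDITION_RANGE, domain="finance"),
    "low_plan": Resource("low_plan", "low_a", Category.APPLICATION_ACCESS),
    "low_secret": Resource("low_secret", "low_a", Category.LEVEL_PRIVATE),
}


def request(access_name: str, res_name: str) -> Decision:
    res = RESOURCES[res_name]
    return decide(TENANTS[access_name], TENANTS[res.owner], res)


if __name__ == "__main__":
    for who, what in [("low_a", "mid_report"), ("high_a", "mid_report"),
                      ("mid_a", "mid_report"), ("low_b", "low_ledger"),
                      ("mid_a", "low_ledger"), ("low_b", "low_plan"),
                      ("high_a", "low_secret")]:
        print(who, "->", what, request(who, what))
```

The level comparison runs before any category-specific branch, which is what keeps a lower-level tenant from reaching a higher-level tenant's resources regardless of how those resources are classified; the forwarding outcomes carry the name of the tenant that must authorise, so the proxy never grants application access or private resources on its own.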
It is worth noting that with multiple update iterations of the multi-level multi-tenant system, the openability of some resources may also change. For example, previously important resources may become common resources, while new resources are also replenished. This requires the invocation of the resource categorization model to re-categorize the resources managed by each tenant. The specific method comprises the following steps: firstly, accessed records of all resources of each tenant are obtained, and then the category of each destination resource is determined according to the accessed records of each destination resource. In the embodiment of the application, all accesses of the access tenant to the destination resource are recorded by the destination tenant, and an authorizer of each access is also recorded in the access record. Therefore, the proxy node can acquire the accessed records of all resources through the destination tenant.
From the above it can be understood that when an access tenant accesses an authority public resource, a condition range resource or an application access resource, the access permission is granted by the target tenant, whereas when it accesses a current-level private resource, the access permission is granted by the upper-level tenant of the target tenant. Therefore, taking a certain target tenant as an example, the specific process of reclassifying all of its resources is as follows:
first, an accessed record of a first destination resource of the destination tenant is obtained. And then, judging whether the accessed record of the first target resource contains a record authorized to be accessed by the target tenant, if so, attributing the target resource to an authority public resource, a condition range resource or an access application resource, and if not, attributing the target resource to a local private resource. If the judgment result is the former, further judgment is carried out:
if the number of access tenants that have accessed the target resource is greater than the first preset number, the target resource is classified as an authority public resource; if that number does not exceed the first preset number but is greater than the second preset number, the target resource is classified as a condition range resource; if that number does not exceed the second preset number, the target resource is classified as an application access resource.
It can be understood that, because the characteristics of the four types of resources (authority public, condition range, application access and current-level private) differ, the number of times each type of resource is accessed decreases with the scope of its open access right. That is, authority public resources are accessed the most, condition range resources the second most, application access resources the second least, and current-level private resources the least. Therefore, the method and the device set the first preset number and the second preset number so as to re-divide the authority public resources, the condition range resources and the application access resources. The first preset number and the second preset number can be designed according to actual conditions.
In some specific examples, assume that a first destination resource is an application access resource before reclassification. After a period of time, the number of access tenants that have accessed the destination resource increases and exceeds the first preset number. At this point, the destination resource may be reclassified as an authority public resource. Of course, the accessed records may be analysed further: if the analysis shows that most of the access tenants in the accessed records belong to a designated class, the target resource can be set as a public resource directly accessible to access tenants of that designated class, where a designated class is one to which more than a third preset number of the access tenants belong. The third preset number can also be set according to actual conditions.
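The reclassification procedure above (accessed records, the two preset numbers, and the further analysis by designated class) can be exercised with the following added example. It is not code from the patent: the record format, the threshold values, the rule that a resource with no records at all is treated as current-level private, and the majority test used to pick a designated class are assumptions made here.

```python
"""Added example, not the patent's own code: reclassifying a destination
tenant's resources from their accessed records (the description's resource
classification model). Record format and preset numbers are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRecord:
    resource: str
    access_tenant: str
    authorizer: str          # tenant that authorised this access


# Assumed thresholds; the patent leaves all three to the deployment.
FIRST_PRESET = 4             # more distinct accessors than this -> authority public
SECOND_PRESET = 1            # more than this (and <= FIRST_PRESET) -> condition range
THIRD_PRESET = 2             # a designated class needs more accessors than this


@dataclass(frozen=True)
class Classification:
    category: str
    open_to_class: Optional[str] = None   # class granted direct access, if any


def classify_resource(dest: str, records: list, tenant_class: dict) -> Classification:
    # Step 1: only accesses authorised by the destination tenant itself count;
    # a resource without any such record is current-level private.
    own = [r for r in records if r.authorizer == dest]
    if not own:
        return Classification("level_private")
    # Step 2: compare the number of distinct access tenants with the presets.
    accessors = {r.access_tenant for r in own}
    n = len(accessors)
    if n > FIRST_PRESET:
        category = "authority_public"
    elif n > SECOND_PRESET:
        category = "condition_range"
    else:
        category = "application_access"
    # Step 3 (further analysis): if most accessors share one class and that
    # class has more than THIRD_PRESET members among them, open the resource
    # directly to that class. The majority test is an assumption.
    classes = Counter(tenant_class.get(t, "unknown") for t in accessors)
    top_class, members = classes.most_common(1)[0]
    open_to = top_class if members > n / 2 and members > THIRD_PRESET else None
    return Classification(category, open_to)


def reclassify(dest: str, resources: list, records: list, tenant_class: dict) -> dict:
    """Classify every resource of dest; unrecorded resources become private."""
    by_res = {}
    for r in records:
        by_res.setdefault(r.resource, []).append(r)
    return {name: classify_resource(dest, by_res.get(name, []), tenant_class)
            for name in resources}


# Constructed sample data for a destination tenant "low_a" whose superior is "mid_a".
TENANT_CLASS = {"t1": "auditor", "t2": "auditor", "t3": "auditor", "t4": "auditor",
                "t5": "sales", "t6": "sales", "t7": "sales"}
RECORDS = [
    *[AccessRecord("ledger", t, "low_a") for t in ("t1", "t2", "t3", "t4", "t5")],
    AccessRecord("ledger", "t1", "low_a"),          # repeat access by the same tenant
    AccessRecord("plan", "t5", "low_a"),
    AccessRecord("plan", "t6", "low_a"),
    AccessRecord("draft", "t7", "low_a"),
    AccessRecord("secret", "t1", "mid_a"),          # authorised only by the superior
]
RESOURCES = ["ledger", "plan", "draft", "secret", "unused"]

if __name__ == "__main__":
    for name, c in reclassify("low_a", RESOURCES, RECORDS, TENANT_CLASS).items():
        print(name, c)
```

Distinct access tenants are counted rather than raw accesses, so a single tenant polling a resource repeatedly cannot push it into a more open category; the `secret` resource stays private because every recorded access was authorised by the superior, not by the destination tenant.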
The multi-level tenant resource access management method provided by the embodiment of the present application not only enables an access tenant to access resources within its own access authority, but also enables it to access resources beyond its access authority in a cross-authority manner, which reduces the isolation between resources while still protecting resources beyond the access authority from tenants that are not entitled to them.
Fig. 3 is a system diagram of a multi-level tenant resource access management system according to an embodiment of the present application.
Fig. 3 shows a multi-level tenant resource access management system, which includes a classification module 21, an obtaining module 22 and an authority judgment module 23, where:
the classification module 21 is configured to classify the resources of each tenant according to a preset classification rule;
the obtaining module 22 is configured to obtain level information of an access tenant and a target tenant, and category information of a target resource to be accessed by the access tenant;
and the authority judgment module 23 is configured to judge whether the access tenant can access the target resource of the target tenant according to a preset access condition.
Fig. 4 shows a schematic structural diagram of a smart terminal suitable for implementing the embodiment of the present application.
As shown in fig. 4, the smart terminal includes a Central Processing Unit (CPU) 301 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 302 or a program loaded from a storage section into a Random Access Memory (RAM) 303. In the RAM 303, various programs and data necessary for system operation are also stored. The CPU 301, ROM 302 and RAM 303 are connected to each other via a bus 304. An input/output (I/O) interface 305 is also connected to the bus 304.
The following components are connected to the I/O interface 305: an input portion 306 including a keyboard, a mouse, and the like; an output portion 307 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 308 including a hard disk and the like; and a communication section 309 including a network interface card such as a LAN card, a modem, or the like. The communication section 309 performs communication processing via a network such as the internet. A drive 310 is also connected to the I/O interface 305 as needed. A removable medium 311 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 310 as necessary, so that a computer program read out therefrom is mounted into the storage section 308 as necessary.
In particular, according to embodiments of the present application, the process described above with reference to the flowchart fig. 1 may be implemented as a computer software program. For example, embodiments of the present application include a computer program product comprising a computer program embodied on a machine-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 309, and/or installed from the removable medium 311. The above-described functions defined in the system of the present application are executed when the computer program is executed by the Central Processing Unit (CPU) 301.
It should be noted that the computer readable medium shown in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units or modules described in the embodiments of the present application may be implemented by software or hardware. The described units or modules may also be provided in a processor and may be described as: a processor comprising a classification module 21, an obtaining module 22 and an authority judgment module 23. The names of these units or modules do not in some cases limit the units or modules themselves; for example, the classification module 21 may also be described as a "module for classifying the resources of each tenant according to a preset classification rule".
As another aspect, the present application also provides a computer-readable storage medium, which may be included in the electronic device described in the above embodiments; or may be separate and not incorporated into the electronic device. The computer-readable storage medium stores one or more programs that, when executed by one or more processors, perform the data encryption transmission method described herein.
The above description is only a preferred embodiment of the application and is illustrative of the principles of the technology employed. It will be appreciated by those skilled in the art that the scope of the application referred to in the present application is not limited to the embodiments with a particular combination of the above-mentioned features, but also encompasses other embodiments with any combination of the above-mentioned features or their equivalents without departing from the spirit of the application. For example, the above features may be replaced with (but not limited to) features having similar functions as those described in this application.

Claims (10)

1. A multi-level tenant resource access management method, applied to a proxy node having the authority to directly request access to all resources of all tenants, characterized by comprising the following steps:
classifying the resources of each tenant according to a preset classification rule;
acquiring level information of an access tenant and a target tenant, and category information of a target resource to be accessed by the access tenant;
and judging whether the access tenant can access the target resource of the target tenant according to a preset access rule.
2. The method according to claim 1, wherein the resources of each tenant comprise one or more of an authority public class resource, a condition range class resource, an application access class resource and a present-level private class resource.
3. The method according to claim 2, wherein judging whether the access tenant can access the target resource of the target tenant according to the preset access rule comprises:
for an authority public class resource of the target tenant, if the level information of the access tenant is not lower than that of the target tenant and the access tenant is one of the tenants to which authority has been assigned, allowing the access tenant to access directly;
for a condition range class resource of the target tenant, if the level information of the access tenant is not lower than that of the target tenant and the access tenant meets a preset access condition of the target tenant, allowing the access tenant to access;
for an application access class resource of the target tenant, if the level information of the access tenant is not lower than that of the target tenant, forwarding the access request of the access tenant to the target tenant;
and for a present-level private class resource of the target tenant, if the level information of the access tenant is not lower than that of the target tenant, forwarding the access request of the access tenant to a higher-level tenant of the target tenant.
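An added example (not the application's own code) applying the preset access rules of claim 3 at the proxy node, in Python; the tenant record layout, the use of larger integers for higher levels, the constructed tenant hierarchy, and returning a deny outcome whenever no rule grants or forwards the request are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Resource classes of claim 2; string values are assumed.
AUTHORITY_PUBLIC = "authority_public"
CONDITION_RANGE = "condition_range"
APPLICATION_ACCESS = "application_access"
PRESENT_LEVEL_PRIVATE = "present_level_private"

# Outcomes the proxy node can reach (constructed names).
ALLOW_DIRECT = "allow_direct"                 # authority public class
ALLOW = "allow"                               # condition range class
FORWARD_TO_TARGET = "forward_to_target"       # application access class
FORWARD_TO_SUPERIOR = "forward_to_superior"   # present-level private class
DENY = "deny"                                 # assumption: no rule matched


@dataclass
class Tenant:
    tenant_id: str
    level: int                       # assumption: larger value = higher level
    superior: Optional[str] = None   # id of the higher-level tenant, if any
    # tenants to which this tenant has assigned authority on its public resources
    assigned_tenants: frozenset = frozenset()
    # preset access condition evaluated against the access tenant
    condition: Callable[["Tenant"], bool] = lambda access: False


def decide(access: Tenant, target: Tenant, category: str):
    """Return (outcome, forward_to) for one access request seen by the proxy."""
    # Every rule of claim 3 first requires the access tenant's level to be
    # not lower than the target tenant's level.
    if access.level < target.level:
        return DENY, None
    if category == AUTHORITY_PUBLIC:
        if access.tenant_id in target.assigned_tenants:
            return ALLOW_DIRECT, None
        return DENY, None
    if category == CONDITION_RANGE:
        if target.condition(access):
            return ALLOW, None
        return DENY, None
    if category == APPLICATION_ACCESS:
        # the target tenant itself decides on the forwarded request
        return FORWARD_TO_TARGET, target.tenant_id
    if category == PRESENT_LEVEL_PRIVATE:
        if target.superior is None:
            return DENY, None        # assumption: nobody to forward to
        return FORWARD_TO_SUPERIOR, target.superior
    raise ValueError(f"unknown resource category: {category}")


# Constructed three-level tenant hierarchy: headquarters > region > branch.
HQ = Tenant("hq", level=3)
REGION = Tenant("region_a", level=2, superior="hq")
BRANCH = Tenant("branch_1", level=1, superior="region_a",
                assigned_tenants=frozenset({"region_a"}),
                condition=lambda access: access.level >= 3)

if __name__ == "__main__":
    for who, cat in ((REGION, AUTHORITY_PUBLIC), (HQ, CONDITION_RANGE),
                     (REGION, APPLICATION_ACCESS), (HQ, PRESENT_LEVEL_PRIVATE),
                     (BRANCH, AUTHORITY_PUBLIC)):
        print(who.tenant_id, "->", BRANCH.tenant_id, cat, decide(who, BRANCH, cat))
```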
4. The method according to claim 3, wherein classifying the resources of each tenant according to the preset classification rule comprises:
acquiring the accessed records of all resources of each tenant;
and invoking a resource classification model to determine the category of each target resource according to the accessed record of that target resource.
5. The method according to claim 4, wherein invoking the resource classification model to determine the category of each target resource according to the accessed record of that target resource comprises:
judging whether the accessed record of the target resource contains a record of access authorized by the target tenant, and if so, attributing the target resource to an authority public class resource, a condition range class resource or an application access class resource.
6. The method according to claim 5, wherein invoking the resource classification model to determine the category of each target resource according to the accessed record of that target resource further comprises:
judging whether the accessed record of the target resource contains a record of access authorized by the target tenant, and if not, classifying the target resource as a present-level private class resource.
7. The method according to claim 5, wherein attributing the target resource to an authority public class resource, a condition range class resource or an application access class resource comprises:
if the number of access tenants in the accessed records of the target resource is greater than a first preset number, classifying the target resource as an authority public class resource;
if the number of access tenants in the accessed records of the target resource does not exceed the first preset number but is greater than a second preset number, classifying the target resource as a condition range class resource;
and if the number of access tenants in the accessed records of the target resource does not exceed the second preset number, classifying the target resource as an application access class resource.
8. A multi-level tenant resource access management system, comprising:
a classification module (21) configured to classify the resources of each tenant according to a preset classification rule;
an obtaining module (22) configured to obtain level information of an access tenant and a target tenant, and category information of a target resource to be accessed by the access tenant;
and an authority judgment module (23) configured to judge whether the access tenant can access the target resource of the target tenant according to a preset access rule.
9. An intelligent terminal, comprising a memory and a processor, the memory having stored thereon a computer program that can be loaded by the processor and that executes the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, in which a computer program is stored which can be loaded by a processor and which executes the method of any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210376417.2A CN114462069B (en) 2022-04-12 2022-04-12 Multi-level tenant resource access management method, system, intelligent terminal and storage medium

Publications (2)

Publication Number Publication Date
CN114462069A true CN114462069A (en) 2022-05-10
CN114462069B CN114462069B (en) 2022-07-22

Family

ID=81417336

Country Status (1)

Country Link
CN (1) CN114462069B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117749505A (en) * 2023-12-26 2024-03-22 上海航恩智能科技有限公司 Authority control method, authority control system, electronic equipment and storage medium

Also Published As

Publication number Publication date
CN114462069B (en) 2022-07-22

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230119

Address after: 571900 1001, Floor 3, Incubator Building, Hainan Ecological Software Park, Hi-tech Industrial Demonstration Zone, Chengmai County, Hainan Province

Patentee after: Tianwei (Hainan) Technology Co.,Ltd.

Address before: Room B1001, building 8, yard 1, Zhongguancun East Road, Haidian District, Beijing 100089

Patentee before: Beijing Tianwei Communication Technology Co.,Ltd.