CN114595484A - Page permission control method and device - Google Patents


Info

Publication number
CN114595484A
Authority
CN
China
Prior art keywords
authority
group
permission
point
conflict
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210500914.9A
Other languages
Chinese (zh)
Other versions
CN114595484B (en)
Inventor
刘新辉
张勇斌
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Clinbrain Information Technology Co Ltd
Original Assignee
Shanghai Clinbrain Information Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shanghai Clinbrain Information Technology Co Ltd filed Critical Shanghai Clinbrain Information Technology Co Ltd
Priority to CN202210500914.9A priority Critical patent/CN114595484B/en
Publication of CN114595484A publication Critical patent/CN114595484A/en
Application granted granted Critical
Publication of CN114595484B publication Critical patent/CN114595484B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a page permission control method and device. The method comprises the following steps: acquiring a first permission group and a second permission group; combining the first permission group and the second permission group to generate a third permission group; acquiring a user identifier to which permissions are to be assigned; detecting whether the third permission group contains a permission point that conflicts with the user identity corresponding to the user identifier, and if so, removing the conflicting permission point; and associating the user identifier with the third permission group after the conflicting permission points are removed, so that the user identity corresponding to the user identifier has conflict-free information processing permissions. The method and device avoid conflicts in permission settings while improving the flexibility of permission settings.

Description

Page permission control method and device
Technical Field
The present application relates to the field of information management technologies, and in particular, to a method and an apparatus for controlling a page permission.
Background
In enterprise information management, an enterprise often has a variety of subsystems holding large amounts of information for employees to access and operate on. To ensure information security, it has become normal practice to set different data processing permissions for different employees.
In the traditional page permission control method, individual basic permission points are set first; when permissions are assigned to a user, permission points are usually selected from these individual points and combined according to the user's identity and role, so as to formulate permissions that match the employee's identity.
When an employee's identity changes, for example through a promotion or a change of post, or when certain special employees need customized permissions, the permissions of those employees must be adjusted. In the traditional method, handling permissions in these cases is very cumbersome: allocating reasonable permissions to employees is laborious and inflexible, while making permission handling more flexible easily leads to improper permission allocation and leakage of enterprise information, so the two are difficult to balance.
Disclosure of Invention
The embodiments of the present application aim to solve at least one of the technical problems in the prior art or the related art.
A first aspect of the present application provides a method for controlling page permissions, where the method includes:
acquiring a first authority group and a second authority group, wherein at least one of the first authority group and the second authority group comprises a combination of a function class authority point and a data class authority point;
combining the first permission group and the second permission group to generate a third permission group, wherein the third permission group comprises at least one permission point in the first permission group and/or the second permission group;
acquiring a user identifier of a right to be distributed;
detecting whether a conflict authority point exists in the third authority group with the user identity corresponding to the user identification, and if so, rejecting the conflict authority point;
and associating the user identification with the third permission group after the conflict permission points are removed, so that the user identity corresponding to the user identification has conflict-free information processing permission.
In one embodiment, the detecting whether there is a conflicting permission point in the third permission group with respect to the user identity corresponding to the user identifier, and if so, rejecting the conflicting permission point includes:
identifying data class permission points in the third permission group which are sensitive data relative to the user identification;
and removing all data class permission points identified as sensitive data relative to the user identifier.
In one embodiment, the combining the first permission group and the second permission group to generate a third permission group includes:
detecting whether a conflict authority point exists in the first authority group and the second authority group;
when conflict exists, matching a conflict solution according to conflict conditions;
and combining the first permission group and the second permission group according to the solution to generate the third permission group.
In one embodiment, the matching a conflict resolution according to a conflict situation, and combining the first permission group and the second permission group according to the resolution includes:
when the conflict is a data conflict, acquiring a permission point which needs to be added for solving the data conflict, and combining the added permission point with the first permission group and the second permission group, wherein the added permission point does not belong to the permission points in the first permission group and the second permission group; and/or
And when the conflict is a function conflict, identifying the authority points which need to be removed for eliminating the function conflict, and combining the first authority group and the second authority group according to the authority points which need to be removed, wherein the authority points which need to be removed belong to the authority points in the first authority group and/or the second authority group.
In one embodiment, the method further comprises:
acquiring a first authority point and a second authority point, wherein the first authority point belongs to the function class authority point, and the second authority point belongs to the data class authority point;
and combining the first authority point and the second authority point to generate a first authority group, so that the first authority group comprises all authorities in the first authority point and the second authority point.
In one embodiment, the combining the first permission group and the second permission group includes:
taking the union of all permission points in the first permission group and all permission points in the second permission group; or
taking the intersection of all permission points in the first permission group and all permission points in the second permission group; or
And receiving a selection instruction of at least one permission point in the first permission group and the second permission group, and combining the permission points selected according to the selection instruction.
In one embodiment, the obtaining the user identifier to which the right is to be assigned includes:
detecting whether corresponding user identifications exist in the first permission group and the second permission group, and taking all the existing user identifications as user identifications of permissions to be distributed when the corresponding user identifications exist; and/or
Receiving an authority application request associated with the third authority group, and taking a corresponding user identifier contained in the application request as a user identifier of the authority to be distributed; and/or
And actively selecting one or more user identifications as the user identifications to be distributed with the authority.
In one embodiment, the method further comprises:
setting authority point validity periods for one or more authority points in the third authority group, wherein when the current time is in the validity period, the state information of the authority point corresponding to the user identifier is in a valid state; or
And setting a validity period of the authority group in the third authority group, wherein when the current time is in the validity period, the state information of the third authority group corresponding to the user identifier is in a valid state.
In one embodiment, the permission points included in the third permission group include sources of permissions.
In one embodiment, the method further comprises:
in response to a splitting operation for the third permission group, splitting the third permission group into a fourth permission group and a fifth permission group according to the splitting operation.
In one embodiment, the method further comprises:
the function class authority point is an authority point related to system function access or operation; the data class permission point is a permission point that relates to access or operations related to data.
A second aspect of the present application provides a page permission control apparatus, including:
a permission group acquisition module, used for acquiring a first permission group and a second permission group, wherein at least one of the first permission group and the second permission group comprises a combination of a function class permission point and a data class permission point;
the authority group generating module is used for combining the first authority group and the second authority group to generate a third authority group, and the third authority group comprises at least one authority point in the first authority group and/or the second authority group;
the user identifier acquisition module is used for acquiring the user identifier of the authority to be distributed;
the conflict processing module is used for detecting whether a conflict authority point exists in the third authority group corresponding to the user identity, and if so, rejecting the conflict authority point;
and the permission allocation module is used for associating the user identifier with the third permission group from which the conflicting permission points have been removed, so that the user identity corresponding to the user identifier has conflict-free information processing permissions.
According to the page permission control method and device, the first permission group and the second permission group are set, at least one permission group of the first permission group and the second permission group comprises the combination of the function permission point and the data permission point, the permission groups are directly combined to generate the third permission group, the flexibility of permission combination is improved, and the flexibility of permission allocation for users in some complex scenes is improved. Meanwhile, in the process of distributing the user authority, whether a conflict exists between the formed authority group and the user to be distributed with the authority is further considered, and the authority points with the conflict are removed, so that the rationality of authority distribution is realized, and the risk of sensitive information leakage of enterprises is reduced.
Drawings
FIG. 1 is a schematic flow chart diagram illustrating a method for controlling page permissions in one embodiment;
FIG. 2 is a schematic flowchart illustrating a process of combining a first permission group and a second permission group to generate a third permission group in an embodiment;
FIG. 3 is a flowchart illustrating a page permission control method according to another embodiment;
FIG. 4 is a schematic diagram of an interface for rights group generation;
FIG. 5 is a block diagram showing the structure of a page authority control apparatus according to an embodiment;
FIG. 6 is a block diagram showing the structure of a page authority control apparatus in another embodiment.
Detailed Description
Hereinafter, embodiments of the present application will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present application. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present application.
In one embodiment, as shown in fig. 1, there is provided a page permission control method, including:
Step 102, a first permission group and a second permission group are obtained.
In this embodiment, at least one of the first permission group and the second permission group includes a combination of the function class permission point and the data class permission point. The authority groups such as the first authority group, the second authority group, the third authority group and the like are combinations of one or more authority points. The authority point is a processing authority of a resource entity in the enterprise information management, and the resource entity can be a minimum unit of resource entity. The permission points can be divided into function type permission points and data type permission points according to types. It is understood that the data class permission points and/or the function class permission points of different users are not necessarily the same.
The function class permission point is a permission point that relates to the access or operation of system functions. The system functions may be function modules that can be displayed or accessed in the system, such as which function modules in the enterprise information management interface are displayed and which are not. The functions may include financial management, human resources, sales management, order management, inventory management, supplier management, customer management, user management, organizational management, log management, etc. Function class permission points determine which modules and pages a user can see after logging in to the system. For example, of two users A and B, user A is assigned the financial management function and user B is assigned the log management function.
A data class permission point is a permission point that relates to access to, or operations on, data. For example, after logging in to the system, the user may access specific data in the corresponding function module of the enterprise information management interface: the financial management function can view financial data such as employees' payroll, bonuses and post allowances, and the order management function can view order data. Data class permission points determine how many pieces of data a user can see or edit in a given module, and which data. For example, users A and B are both assigned the financial management function module, but user A can see 500 pieces of data in the module while user B can see only 50, and the 500 pieces that user A can see include the 50 that user B can see.
In one embodiment, the function class permission points include one or more of a user permission point, a role permission point, an organization permission point, a form permission point, a menu permission point, and the like; the data class permission points are usually included in the user permission points or role permission points, such as controlling which range of data can be seen by one or more roles. The user and the role can be in many-to-many relation. Different roles correspond to different function class authority points, and different users can have different data class authority points in different enterprise architectures.
Wherein, the corresponding authority point specifically relates to the viewing authority of data or function, the authority whether to operate editing, the authority whether to allow the editing of term, and the like. For example, the user permission point includes permissions for viewing user data, editable operations, term management, and the like; the menu permission point comprises the permissions of hierarchy attribution, visibility and the like of the menu module.
The enterprise information management system can provide an operation selection interface of the authority points and the authority groups, and employees with authority management can log in the enterprise information management system and select a plurality of authority groups according to requirements, such as a first authority group and a second authority group, so as to flexibly combine the authorities and distribute the authorities for corresponding users. The electronic equipment can receive the operation information of the user and acquire the selected first permission group and the second permission group. At least one of the first permission group and the second permission group comprises a combination of a function class permission point and a data class permission point.
Step 104, combining the first permission group and the second permission group to generate a third permission group.
In this embodiment, the user may perform a combination operation on the selected first permission group and second permission group, so that the third permission group includes at least one permission point in the first permission group and/or the second permission group. The electronic device combines the first permission group and the second permission group according to the detected user operation to generate the third permission group. Specifically, two permission groups may be combined in several ways: for example, all permission points in the first permission group and the second permission group may be selected for combination, or only some of them, and the selected permission points are finally aggregated to form the third permission group.
Step 106, acquiring the user identifier to which permissions are to be assigned.
In this embodiment, the user identifier is used to uniquely identify the user, for example a unique number created for the user by the system or the user's identification number. The user identifiers obtained by the electronic device may correspond to one or more users, i.e. the third permission group may be assigned to one or more users at a time.
In one embodiment, the user identifier may be one chosen through a selection operation for permission assignment received by the electronic device, or a user identifier included in the first permission group and/or the second permission group. The first permission group and/or the second permission group may include a user permission point, and a corresponding user identifier exists in the user permission point.
Step 108, detecting whether the third permission group contains a permission point that conflicts with the user identity corresponding to the user identifier, and if so, removing the conflicting permission point.
As mentioned above, there are corresponding permissions for different user identities, and therefore, among many permission points, there may be permission points that should not or strictly should not be granted with respect to one or more user identities, which may be considered to be conflicting with respect to a user identity.
In this embodiment, because of the user's identity, a permission point in the third permission group may conflict with that identity, so conflict detection needs to be performed. Specifically, the electronic device may determine, according to the obtained user identifier, which permissions would create a conflict if assigned to that user identifier, and remove the permission points identified as conflicting.
The conflicting permission point can be a data class permission point or a function class permission point. For example, a certain item of data or form information exists in the third permission group, but the user identity corresponding to the user identifier is strictly prohibited from accessing or modifying it; the permission point corresponding to that data or form then conflicts with the user identifier, and the electronic device may identify all permission points that conflict with the user identifier. As another example, if a certain supplier management module is strictly confidential with respect to the user identifier to which permissions are to be assigned, the permission point corresponding to that module may also be determined to conflict with the user identifier.
In one embodiment, data class permission points in the third permission group that are sensitive data relative to the user identification are identified; and eliminating all data class authority points which are identified as sensitive data relative to the user.
In the enterprise information management system, data which can be accessed or operated by different users are generally different, and some data are sensitive relative to some users and are not allowed to be opened to corresponding users, so that the identified sensitive data need to be removed.
In one embodiment, a sensitivity level may be set in the system for each data class permission point, together with the highest sensitivity level of data that each user may access. For example, sensitivity may be divided, from high to low, into level one, level two, level three, level four, level five, and so on. When the user's level is level three, the data accessible to the user is data whose sensitivity level is not higher than level three. When the third permission group to be associated contains a permission point for data whose sensitivity level exceeds level three, that permission point is determined to be a data class permission point identified as sensitive data relative to the user, that is, a permission point that conflicts with the user and needs to be removed.
For example, the data type permission points in the third permission group specifically include permission points such as positions, position types, job levels, personnel types, personnel identities, areas of the courtyard, dates of employment, compensation types (such as wages, bonuses, position allowances, various subsidies, and the like), personal privacy types (such as identification numbers, addresses, telephones, and the like), and different permission points have different sensitivity levels.
The following table shows some data class permission points in the third permission group. When it is detected that, for a given user identifier to which permissions are to be assigned, the compensation class (such as wages, bonuses, post allowances and various subsidies) and the personal privacy class (such as identification number, address and telephone) are permission points with higher sensitivity levels relative to that user identifier, the compensation class and personal privacy class permission points may be removed, and the data class permission points remaining after removal are assigned to the user identifier, for example the permission points for post, post class, job level, staff class, staff identity, the area to which the institution belongs, and the date of employment.
TABLE 1 (table image not reproduced)
In one embodiment, when a conflicting permission point is detected, the conflicting permission point and permission operation controls, including controls for selecting, adding and deleting permission points, can be displayed on the display interface. The electronic device can receive an operation instruction from the permission assigner for the permission point and process the conflicting permission points according to that instruction. For example, the operation instruction may be to retain the conflicting permission points, or to delete only the selected conflicting permission points.
In one embodiment, when there are multiple user identities, the authority points in the third authority group with which there is a conflict with each user identity may be identified, and all identified authority points are eliminated.
Step 110, associating the user identifier with the third permission group after the conflicting permission points are removed.
Specifically, the enterprise information management system is provided with a permission association table. The electronic device can write the user identifier, together with the permission group identifier of the third permission group or the permission point information in the third permission group, into the corresponding permission association table, thereby associating the user identifier with the third permission group so that the user identity corresponding to the user identifier has conflict-free information processing permissions. In this way, the permission points in the third permission group that do not conflict with the user are allocated to that user, who can then perform the corresponding operations in the enterprise information management system. The permission group identifier of the third permission group is a unique identifier generated automatically after the third permission group is created; it may be a character string of a certain length formed from a preset number of digits, letters, etc.
In one embodiment, when no conflict exists, or after a user selection to ignore or retain a conflicting permission point is received, the user identifier is directly associated with the third permission group.
In the embodiment, the third permission group from which the conflicting permission points are removed is associated with the user identifier, so that the conflict-free permission points are allocated to the corresponding user identifiers, and the risk of enterprise information leakage caused by improper permission allocation can be reduced while the flexibility of user permission allocation is ensured.
In one embodiment, the method further comprises: marking the permission source for the permission points contained in the third permission group. The permission source indicates which permission group the corresponding permission point comes from; when a permission point is in both the first permission group and the second permission group, both groups are marked as its source in the permission point information. For example, permission points A, B and C in the first permission group are marked as coming from the first permission group, and permission points D and E in the second permission group are marked as coming from the second permission group. Permission point G, which is included in both the first and second permission groups, is marked as originating from both. The marked information may be the name of the permission group. By marking the source of permission points, permission managers can conveniently obtain the source of each permission and manage permission points according to the mark.
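The following sketch walks steps 104 to 110 end to end: combination by union, intersection or selection, source marking, removal of points that conflict with any target user, and the write to the association table. It is an added example, not code from the patent; the class names, the denied_functions field, the sensitivity values and the sample groups are assumptions constructed for illustration.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Point:
    name: str
    kind: str             # "function" or "data"
    sensitivity: int = 5  # data points only: 1 = most sensitive, 5 = least


@dataclass(frozen=True)
class User:
    user_id: str
    clearance: int                             # most sensitive level the user may access
    denied_functions: frozenset = frozenset()  # assumption: modules confidential for this user


def combine(groups, mode="union", selected=()):
    """Step 104: merge exactly two groups; return {point: set of source group names}."""
    g1, g2 = groups.values()
    if mode == "union":
        chosen = g1 | g2
    elif mode == "intersection":
        chosen = g1 & g2
    elif mode == "select":
        chosen = {p for p in g1 | g2 if p.name in selected}
    else:
        raise ValueError(f"unknown combination mode: {mode}")
    # Source marking: a point present in both groups lists both as its source.
    return {p: {name for name, g in groups.items() if p in g} for p in chosen}


def conflicts_for(user, points):
    """Step 108: points that must not be granted to this user."""
    found = set()
    for p in points:
        # A numerically lower level is more sensitive than the user's clearance.
        if p.kind == "data" and p.sensitivity < user.clearance:
            found.add(p)
        elif p.kind == "function" and p.name in user.denied_functions:
            found.add(p)
    return found


def assign(third, users, association_table):
    """Steps 108-110: drop every point that conflicts with any target user, then associate."""
    removed = set()
    for user in users:
        removed |= conflicts_for(user, third)
    kept = {p: src for p, src in third.items() if p not in removed}
    group_id = secrets.token_hex(8)  # auto-generated identifier of the third group
    for user in users:
        association_table[user.user_id] = group_id
    return group_id, kept, removed


def demo():
    # Constructed sample data; sensitivity levels are illustrative only.
    finance = Point("finance_management", "function")
    supplier = Point("supplier_management", "function")
    post = Point("post", "data", 5)
    job_level = Point("job_level", "data", 4)
    pay = Point("compensation", "data", 2)
    privacy = Point("personal_privacy", "data", 1)
    groups = {"G1": {finance, post, pay}, "G2": {supplier, post, privacy, job_level}}
    third = combine(groups, mode="union")
    users = [User("u1001", 3, frozenset({"supplier_management"}))]
    table = {}
    group_id, kept, removed = assign(third, users, table)
    return group_id, kept, removed, table


if __name__ == "__main__":
    gid, kept, removed, table = demo()
    print("kept:", {p.name: sorted(src) for p, src in kept.items()})
    print("removed:", sorted(p.name for p in removed))
    print("association:", table)
```

Because removal is computed over all target users before the association is written, adding a lower-cleared user to the same assignment shrinks the group for everyone in that batch.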
In one embodiment, as shown in FIG. 2, step 104 comprises:
Step 202, detecting whether a conflicting authority point exists in the first authority group and the second authority group.
In this embodiment, conflicts may also exist between authority points when authority groups are combined. The enterprise information management system presets the logic relationship among all the authority points, and detects whether conflicts exist among the authority points to be combined according to the logic relationship.
In one embodiment, the two data-class permission points A and B to be combined can be communicated only through the permission point C, and the first permission group and the second permission group do not contain the permission point C, so it can be determined that a conflict exists between the permission point A and the permission point B. The authority point A may be a deletion operation for certain data, the authority point B an editing operation for that data, and the authority point C a viewing operation for the corresponding data. Without the viewing operation, subsequent operations such as editing and deleting cannot be realized. As another example, if there are a function-class permission point M and a function-class permission point N to be combined, and accessing the function module corresponding to the permission point N from the function module corresponding to the permission point M requires a permission point K, it may be determined that there is an authority conflict between the permission point M and the permission point N.
Step 204, when a conflict exists, matching a conflict solution according to a conflict situation; and combining the first permission group and the second permission group according to the solution to generate a third permission group.
In this embodiment, the electronic device may match a solution for resolving the conflict according to the corresponding rule. Wherein, the solution includes adding one or more new authority points or deleting one or more authority points to be combined to realize the resolution of the conflict.
The electronic device can remove one or more conflicting permission points from the first permission group and the second permission group, and/or add one or more new permission points capable of eliminating the conflict, and combine the permission points that remain in the first permission group and the second permission group after the removal and/or addition to form a third permission group.
In one implementation, when it is detected that a conflicting permission point exists in the first permission group and the second permission group, the conflicting permission point, the corresponding solution, and permission operation controls, including operation controls for selecting, adding and deleting permission points, can also be displayed on the display interface. The electronic equipment can receive an operation instruction of the authority distributor for the authority point, and process the conflicting authority points according to the operation instruction to form a third authority group. For example, the operation instruction may be to accept one of the solutions, to ignore the conflict and retain the conflicting authority points, or to delete only some selected conflicting authority points.
In one embodiment, step 204 includes: when the conflict is a data conflict, acquiring the authority points which need to be added for solving the data conflict, and combining the added authority points with the first authority group and the second authority group, wherein the added authority points do not belong to the authority points in the first authority group and the second authority group; and when the conflict is a function conflict, identifying the authority points which need to be removed for eliminating the function conflict, and combining the first authority group and the second authority group according to the authority points which need to be removed, wherein the authority points which need to be removed belong to the authority points in the first authority group and/or the second authority group.
In this embodiment, the electronic device may detect the permission types to which the conflicting permission points belong; different permission types have different solutions. When the conflicting authority points belong to the data class, the authority point that needs to be added to solve the data-class conflict can be obtained. For example, when a conflict is detected between the authority point A and the authority point B, the authority point C that can solve the data-class conflict can be obtained, and the authority point C is also taken as an authority point to be combined and is combined with the first authority group and the second authority group. When the conflicting authority points belong to the function class, one or more of the conflicting authority points can be removed to eliminate the authority conflict. For example, the conflicting authority point M and authority point N described above may be removed by the electronic device, and the authority points remaining after the removal are combined to form a third authority group.
In the embodiment, by identifying the conflict type, different conflict schemes are adopted for different conflict types, and the reasonability of permission conflict resolution can be improved. When the data conflict exists, the function class permission points which generate the conflict are directly removed, and the reasonability of permission allocation is improved.
In one embodiment, the method further comprises: acquiring a first authority point and a second authority point, and combining the first authority point and the second authority point to generate a first authority group, so that the first authority group comprises the first authority point and the second authority point.
In this embodiment, the electronic device may provide a combined interface of authority point combinations on an enterprise information management system interface, and a user may select a plurality of authority points of a main combination from the combined interface, where the selected authority point types may include a data-class authority point and a function-class authority point, for example, one or more of a user authority point, a role authority point, and the like may be selected; and one or more of the data authority points, the form authority points, the menu authority points and the like are selected and combined to finally form a first authority group. For example, 2 user authority points are simultaneously selected, and then 3 form authority points and 5 data authority points are selected and combined to generate an authority group. For example, the first permission point may be a permission point related to permissions of a role assignment menu and a function button, and the second permission point may be a permission point related to permissions of a user for data control.
Compared with the prior art that only one type of permission point can be selected, the present embodiment further improves the flexibility of permission combination by selecting the data type permission point and the function type permission point at the same time for combination, and further can improve the efficiency of permission allocation in a complex scene.
In one embodiment, step 104 includes: taking the union combination of all the authority points in the first authority group and all the authority points in the second authority group; or taking the intersection combination of all the authority points in the first authority group and all the authority points in the second authority group; or receiving a selection instruction of at least one permission point in the first permission group and the second permission group, and combining the permission points selected according to the selection instruction.
In this embodiment, the union combination is the superposition of authority points, or of the authority points in the authority groups, that is, the set of all the authority points in the first authority group and the second authority group is taken; the intersection combination is the set of the authority points that are the same among the authority points or authority groups to be combined. For example, a permission point 1, a permission point 2, a permission point 3, a permission point 4, and a permission point 5 exist in the first permission group; in the second authority group there are authority point 1, authority point 3, authority point 5, authority point 6, authority point 8 and authority point 9. Taking the union combination means combining the authority point 1, the authority point 2, the authority point 3, the authority point 4, the authority point 5, the authority point 6, the authority point 8 and the authority point 9; taking the intersection combination means combining the common authority point 1, authority point 3 and authority point 5. The electronic device may present all the permission points in the first permission group and the second permission group, receive a selection instruction of one or more permission points from the user, such as selecting permission point 1, permission point 5, and permission point 6, and combine permission point 1, permission point 5, and permission point 6 in response to the selection instruction.
For example, if one authority point A has the valid period of the operation data A of 2021.10.1-2021.10.5 and the other authority point B has the valid period of the operation data A of 2021.10.3-2021.10.10, the authority groups can be a union of the two authorities, that is, the valid period of the operation data A of 2021.10.1-2021.10.10, or an intersection of the two authorities, that is, the valid period of the operation data A of 2021.10.3-2021.10.5.
The combination between the first permission group and the second permission group may be various, such as taking the two together, or according to the manual combination of users. Specifically, in the enterprise information management system, a combination mode option between the permission groups may be provided, such as providing a union combination, an intersection combination, or other manual combinations. And when one combination mode is received, combining the authority groups according to the corresponding combination mode. The enterprise information management system can default the combination mode between the authority groups to be union combination. By setting combination modes such as intersection and union, the efficiency of authority allocation under complex scenes is further improved.
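The combination modes above, together with source marking and the two conflict-resolution strategies of step 204, can be put into code as follows. This is an added example and not code from the patent; the rule table, the point names and all function names are assumptions made for illustration.

```python
# Added illustration: combining two authority groups, labelling sources,
# and resolving conflicts by type. All names and rules below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    points: frozenset  # these points conflict when all are present ...
    requires: str      # ... and this point is absent
    kind: str          # "data" or "function"


# Constructed logical relationships modelled on the examples in the text:
# delete/edit need view (data class); reaching module N from M needs K (function class).
RULES = [
    Rule(frozenset({"data.delete"}), "data.view", "data"),
    Rule(frozenset({"data.edit"}), "data.view", "data"),
    Rule(frozenset({"func.M", "func.N"}), "func.K", "function"),
]

RESOLVER = "added by conflict resolution"  # source label for points no group supplied


def combine(first, second, mode="union", selected=()):
    """Combine two (name, points) groups; returns {point: set of source group names}."""
    pts_a, pts_b = first[1], second[1]
    if mode == "union":
        chosen = pts_a | pts_b
    elif mode == "intersection":
        chosen = pts_a & pts_b
    elif mode == "select":  # manual selection, limited to points the groups contain
        chosen = (pts_a | pts_b) & set(selected)
    else:
        raise ValueError(f"unknown combination mode: {mode}")
    return {p: {name for name, pts in (first, second) if p in pts} for p in chosen}


def detect_conflicts(points, rules=RULES):
    """Rules whose points are all present while the required point is missing."""
    return [r for r in rules if r.points <= points and r.requires not in points]


def resolve(merged, rules=RULES):
    """Data-class conflict: add the missing point. Function-class: remove the points."""
    third = {p: set(src) for p, src in merged.items()}
    log = []
    for _ in range(len(rules) + 1):  # bounded: re-check after each round of changes
        conflicts = detect_conflicts(set(third), rules)
        if not conflicts:
            break
        for rule in conflicts:
            if rule.kind == "data":
                if rule.requires not in third:
                    third[rule.requires] = {RESOLVER}
                    log.append(("add", rule.requires))
            else:
                for p in sorted(rule.points):
                    if third.pop(p, None) is not None:
                        log.append(("remove", p))
    else:
        raise RuntimeError("conflict rules did not converge")
    return third, log


if __name__ == "__main__":
    first = ("first", {"data.delete", "role.1", "func.M"})
    second = ("second", {"data.edit", "role.1", "func.N"})
    third, log = resolve(combine(first, second))
    for point in sorted(third):
        print(point, "<-", sorted(third[point]))
    print(log)
```

The returned log is what an interface would show the authority distributor before the solution is accepted, ignored or partly applied.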
In one embodiment, step 106 includes: detecting whether corresponding user identifications exist in the first permission group and the second permission group, and taking all the existing user identifications as user identifications of permissions to be distributed when the corresponding user identifications exist; and/or receiving an authority application request associated with the third authority group, and taking a corresponding user identifier contained in the application request as a user identifier of the authority to be distributed; and/or actively selecting one or more user identifications as the user identifications to be assigned the right.
In this embodiment, the obtained user identifier to which the authority is to be allocated may be one or more of a user identifier included in the authority group, a manually selected user identifier, and a user identifier included in the authority application request. The first permission group and/or the second permission group may include one or more user identifiers, for example, the first permission group may include one or more user permission groups and/or organization permission groups, specific user information exists in the permission groups, the user information includes corresponding user identifiers, for example, the user identifiers of monday, tuesday, zhangsan, zhangsi, and wangwu in the table are included, and the electronic device may acquire the user identifiers therein as the user identifiers of the permissions to be allocated.
The electronic equipment can also receive an authority application request submitted by other user terminals which want to apply for the authority in advance, the authority application request carries a corresponding user identifier, and the user identifier is used as the user identifier of the authority to be distributed.
The electronic device may also actively select one or more user identifiers from the user list, for example, the user may select one or more users in the enterprise information management system, or select one or more departments, thereby implementing a response to the selection operation for all the selected users belonging to the department, and acquiring the user identifier of the selected user, which is used as the user identifier to be assigned with the right.
In the embodiment, by setting a plurality of user identification selection modes, the flexibility of user identification selection is improved, and further the flexibility of user permission allocation is also improved.
In one embodiment, the method further comprises: setting authority point validity periods for one or more authority points in the third authority group, wherein when the current time is in the validity period, the state information of the authority point corresponding to the user identifier is in a valid state; or setting the validity period of the authority group in the third authority group, and when the current time is in the validity period, the state information of the authority point corresponding to the user identifier is in a valid state.
In this embodiment, before or after the third permission group is created, a validity period of the third permission group or validity periods of one or more permission points in the third permission group may be set. When the validity period of the third permission group is set, the validity period is set for all the permission points in the third permission group.
Specifically, the electronic device may receive a validity period setting operation of a user for one or more authority points or authority groups; for example, the validity period of one or several authority groups may be set to take effect from 18:00:00 on January 1, 2021 to 20:00:00 on December 3, 2021. When the corresponding authority is distributed to the user, whether the current time is within the corresponding validity period can be checked; if so, the state information is adjusted to the valid state, and if not, it is adjusted to a failure state or a non-valid state.
For example, the users to be assigned the permissions are a "clinical coordinator CRC" and a "clinical inspector CRA", and the two roles are assigned the access permission of the pages related to medicine research in the hospital A system and the data consulting permission and data operating permission of a certain medicine. A third authority group for the clinical research is created, which comprises the user identifications of the clinical coordinator CRC and the clinical inspector CRA; the validity period of the third authority group is set to be January 1, 2021 to January 1, 2022, and the third authority group is authorized to the two users, the clinical coordinator CRC and the clinical inspector CRA, in batches.
In one embodiment, an open source task scheduling framework can be used in combination with cron expressions to control the authority of each authority point, such as the authority between a user or a role and menu access and data, and to automatically recover authority through a timed task. cron is a scheduled task, that is, a task that performs already planned work at an appointed time. For example, through the open source task scheduling framework, the server is set to perform a validity time check on the authority points corresponding to all the user identifiers every 1 hour, change the state information of the authority points that are not within the validity period to a failure state, and maintain the state of the authority points that are within the validity period as a valid state. In this way, the convenience of authority validity period checking is improved, and the validity period does not need to be checked manually.
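The validity-period handling described above (union or intersection of two validity periods, and the hourly state check) can be sketched as follows. This is an added example, not code from the patent or from any scheduling framework; the record layout, the group identifier and the function names are assumptions. It also shows that a check at decision time refuses an expired grant whose stored state has not yet been updated by the next hourly run.

```python
# Added illustration; record layout, identifiers and function names are constructed.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

Period = Tuple[datetime, datetime]  # start inclusive, end exclusive


def intersect(a: Period, b: Period) -> Optional[Period]:
    """Overlap of two validity periods, or None when they do not overlap."""
    start, end = max(a[0], b[0]), min(a[1], b[1])
    return (start, end) if start < end else None


def union(a: Period, b: Period) -> List[Period]:
    """Union of two validity periods. Disjoint periods are kept apart so that
    the gap between them is never treated as valid."""
    first, second = sorted((a, b))
    if second[0] <= first[1]:
        return [(first[0], max(first[1], second[1]))]
    return [first, second]


@dataclass
class Grant:
    """One row of an authority association table (constructed layout)."""
    user_id: str
    group_id: str
    periods: List[Period]
    state: str = "invalid"


def within(periods: List[Period], now: datetime) -> bool:
    return any(start <= now < end for start, end in periods)


def sweep(table: List[Grant], now: datetime) -> list:
    """One run of the scheduled check; returns the state changes it made."""
    changed = []
    for grant in table:
        state = "valid" if within(grant.periods, now) else "invalid"
        if state != grant.state:
            grant.state = state
            changed.append((grant.user_id, grant.group_id, state))
    return changed


def is_allowed(grant: Grant, now: datetime) -> bool:
    """Decision-time check: stored state AND the period itself, so an expired
    grant is refused even before the next scheduled sweep flips its state."""
    return grant.state == "valid" and within(grant.periods, now)


if __name__ == "__main__":
    # Constructed sample row; "G3" is a placeholder group identifier.
    row = Grant("001", "G3", [(datetime(2021, 1, 1, 18), datetime(2021, 12, 3, 20))])
    print(sweep([row], datetime(2021, 12, 3, 19, 30)))   # state becomes valid
    print(is_allowed(row, datetime(2021, 12, 3, 20, 10)))  # refused before next sweep
    print(sweep([row], datetime(2021, 12, 3, 20, 30)))   # state becomes invalid
```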
In one embodiment, the method further comprises: in response to a splitting operation for the third permission group, splitting the third permission group into a fourth permission group and a fifth permission group according to the splitting operation.
The fourth authority group and the fifth authority group comprise at least one same or different authority point in the third authority group. That is, the fourth permission group and/or the fifth permission group may be a single permission point, or may be a combination formed by a plurality of permission points, and the same permission point may be placed into more than one of the permission groups formed by splitting.
For example, the third authority group includes authority points 1 to 10, and the splitting operation may be to split off authority points 1 to 5 to form a fourth authority group and authority points 3 to 8 to form a fifth authority group. After the fourth authority group and the fifth authority group are formed by splitting, the authority points 1 to 10 in the third authority group may still be completely retained, consistent with those before splitting, or only the authority points 9 to 10 left after splitting may be retained, so as to become the adjusted third authority group.
In an embodiment, in the splitting process of the third permission group, the third permission group may be classified according to one or more dimensions of the permission point, such as the type, the state information, and the source label, so as to facilitate selection of the permission point in the third permission group by the user, and further improve convenience of permission splitting.
In one embodiment, as shown in FIG. 3, another page permission control method is provided, which includes:
Step 302, a first permission group and a second permission group are obtained.
In this embodiment, at least one of the first permission group and the second permission group includes a combination of the function class permission point and the data class permission point. A first permission group and a second permission group are created in advance in the enterprise information management system. The first permission group and the second permission group may be a combination formed by a plurality of permission points, or may be a combination formed by a permission point and a permission group, or a combination formed between a permission group and a permission group, similar to the third permission group. The number of permission points and/or permission groups forming a combination may be any suitable number, such as 1, 2, 3, 5, 10, etc.
In practical situations, when some complex authority control is required, a user with authority management may log in the enterprise information management system, and select the first authority and the second authority on the interface, for example, an administrator may check one or more authority points or authority groups that need to be combined on the interface, and may set validity period information or validity rules such as validity time or invalidation time of each authority point or authority group.
The electronic equipment can receive a selection instruction of a right management user aiming at the first right group and the second right group in a corresponding operation interface, and acquire the first right group and the second right group.
Step 304, taking the union combination of all the authority points in the first authority group and all the authority points in the second authority group.
In this embodiment, the electronic device may perform union combination based on the acquired first permission group and the acquired second permission group. For example, as shown in fig. 4, there are 4 permission points in the first permission group 410, which are respectively role permission point 1, role permission point 2, data permission point 1 and data permission point 2, and there are 5 permission points in the second permission group 420, which are respectively menu permission point 1, menu permission point 2, role permission point 3 and data permission point 1, and after detecting the combination operation for the first permission group and the second permission group, a union can be taken to obtain a preliminary third permission group, which includes role permission point 1, role permission point 2, role permission point 3, data permission point 1, data permission point 2, menu permission point 1 and menu permission point 2.
Step 306, detecting whether a conflicting authority point exists among the authority points after the union combination.
In this embodiment, the conflict between the authority points may include multiple types of conflicts, such as the above-mentioned data type conflict, or function type conflict, and may also be a conflict of validity periods. For example, the data authority point 1 and the data authority point 2 are operation authorities for the same data, but the two have different validity periods and belong to two different authority points. If the validity period corresponding to the data authority point 1 is permanently valid and the validity period corresponding to the data authority point 2 is permanently invalid, it can be determined that a conflict exists between the two.
Taking the data class conflict as an example, among one or more data class permission points, if only the high-level permission operation for the corresponding data exists and the basic permission required to realize the high-level permission operation is lacking, it is determined that a data class conflict exists. The primary authority is a basic authority such as the viewing operation authority for data, and the high-level authority is an authority for operating on and editing data, an operation set with a time limit, and the like. When the primary authority is lacking, the data cannot be operated on or edited because it cannot be viewed, and it is therefore determined that a data class conflict exists.
Step 308, when a conflict exists, matching a conflict solution according to the conflict situation, and combining the first permission group and the second permission group according to the solution to generate a third permission group.
Specifically, different solutions are generated for different types of conflicts. When the conflict is a data conflict, acquiring the authority points which need to be added for solving the data conflict, and combining the added authority points with the first authority group and the second authority group, wherein the added authority points do not belong to the authority points in the first authority group and the second authority group; and/or when the conflict is a function conflict, identifying the authority points which need to be removed for eliminating the function conflict, combining the first authority group and the second authority group according to the authority points which need to be removed, wherein the authority points which need to be removed belong to the authority points in the first authority group and/or the second authority group, and the third authority group comprises at least one authority point in the first authority group and/or the second authority group. The authority points included in the third authority group also include the authority source.
In this embodiment, source labeling is further performed on the authority points in the third authority group, for example, the role authority point 1, the role authority point 2, and the data authority point 2 are respectively labeled to be derived from the first authority group, the menu authority point 1, the menu authority point 2, and the role authority point 3 are labeled to be derived from the second authority group, and the data authority point 1 and the role authority point 2 are labeled to be derived from the first authority group and the second authority group.
Step 310, acquiring user identifications in the first permission group and the second permission group.
Specifically, the electronic device may detect whether a corresponding user identifier exists in the formed third permission group or the first permission group or the second permission group, and if so, extract the user identifier therein. For example, the role permission point 1 and the role permission point 2 set permissions of corresponding users correspondingly, where the permissions include user identifiers of the corresponding users, and the electronic device may search the user identifiers associated with the first permission group and the second permission group according to the corresponding permission association table.
In the embodiment, the formed authority group directly contains the user identifier, so that the selection of the user identifier and the authority distribution of the user can be completed in the process of establishing the authority group, and the flexibility of the authority distribution and the efficiency of the authority distribution are further improved.
Step 312, it is detected whether there is a conflicting authority point in the third authority group with the user identity corresponding to the user identifier, and if there is a conflicting authority point, the conflicting authority point is removed.
In this embodiment, in addition to detecting the conflict of the authority point, it is further detected whether a conflict exists between the authority point and the user identifier, and specifically, a data-class authority point which is sensitive data relative to the user identifier in the third authority group may be identified; all data class authority points which are sensitive data relative to the user identification are removed, or one or more user identifications can be deleted to eliminate the conflict.
For example, the user identifier 1 and the user identifier 2 are obtained, and the permission point 1, the permission point 2, and the permission point 3 included in the third permission group are obtained. The authority point 1 and the authority point 2 belong to data in a sensitivity level range accessible by both the user identifier 1 and the user identifier 2, and the authority point 3 only belongs to data in a sensitivity level range accessible by the user identifier 1 and does not belong to data in a sensitivity level range accessible by the user identifier 2. The electronic device may delete the user identity 2 in addition to the solution of deleting the authority point 3, while preserving the authority point 1, the authority point 2 and the authority point 3. Specifically, the electronic device may provide an operation prompt corresponding to the processing scheme, detect an operation instruction of the user, and select a specific processing scheme according to the operation instruction.
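The two alternative solutions in this example, deleting the conflicting authority point or deleting the user identifier, can be written out as follows. This is an added example and not code from the patent; the numeric sensitivity levels, the clearance table and the function names are assumptions. A data-class point with no recorded sensitivity level is treated as conflicting for every user.

```python
# Added illustration; sensitivity levels, clearances and names are constructed.
FAIL_CLOSED = float("inf")  # a data point with no recorded level counts as most sensitive


def user_conflicts(group, users, clearance, sensitivity):
    """Return {user_id: [data-class points above that user's accessible level]}."""
    conflicts = {}
    for user in users:
        limit = clearance.get(user, float("-inf"))  # unknown user: no data point allowed
        blocked = sorted(
            name for name, kind in group
            if kind == "data" and sensitivity.get(name, FAIL_CLOSED) > limit
        )
        if blocked:
            conflicts[user] = blocked
    return conflicts


def resolve_by_removing_points(group, users, clearance, sensitivity):
    """Solution 1: drop every point that conflicts with any user; keep all users."""
    found = user_conflicts(group, users, clearance, sensitivity)
    blocked = {point for points in found.values() for point in points}
    return [pt for pt in group if pt[0] not in blocked], list(users)


def resolve_by_removing_users(group, users, clearance, sensitivity):
    """Solution 2: keep every point; drop the users that have a conflict."""
    found = user_conflicts(group, users, clearance, sensitivity)
    return list(group), [u for u in users if u not in found]


def associate(group_id, group, users):
    """Rows to write to the association table: (user_id, group_id, point)."""
    return [(user, group_id, name) for user in users for name, _ in group]


# Constructed data following the example in the text: point3 is accessible
# to user1 only; menu1 is a function-class point and is not level-checked.
GROUP = [("point1", "data"), ("point2", "data"), ("point3", "data"), ("menu1", "function")]
USERS = ["user1", "user2"]
SENSITIVITY = {"point1": 1, "point2": 1, "point3": 3}
CLEARANCE = {"user1": 3, "user2": 1}

if __name__ == "__main__":
    print(user_conflicts(GROUP, USERS, CLEARANCE, SENSITIVITY))
    points, users = resolve_by_removing_points(GROUP, USERS, CLEARANCE, SENSITIVITY)
    print(associate("G3", points, users))  # "G3" is a placeholder group identifier
```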
Step 314, associating the user identification with the third permission group after the conflicting permission points are removed.
Step 316, setting validity period of the permission group in the third permission group, and when the current time is in the validity period, the state information of the third permission group corresponding to the user identifier is in valid state.
Specifically, the electronic device may write data such as the user identifier and the identifier of the third authority group, or the authority point information in the third authority group, into the corresponding authority association table, so as to implement association between the user identifier and the third authority group, and may further set a validity period of the authority group in the third authority group. The validity period detection frequency is set through an open source task scheduling framework; for example, the authority validity check is executed once every 1 hour, and whether the authority state is changed to the valid state or the invalid state is determined according to the detection result.
For example, as shown in the following table, the authority distribution table of the users in the system, which is associated with the roles and the authorities, is a single table. The user to be assigned the third authority group is Zhang San, whose user identifier is 001; after the authority points in the third authority group are assigned to Zhang San, the 6th row of data is added to the table. This row records the authority group identifier (contract employee authority group number) of the third authority group allocated to Zhang San, the allocation time, the allocator, the validity period of the third authority group, the valid state information, and the like.
According to the embodiment, a plurality of tables do not need to be created, and waste of system resources can be reduced by recording all relevant fields in one table.
TABLE 2 (authority distribution table; table image not reproduced)
The following effects can be achieved in this embodiment:
1) Permission control can be performed on any element in the system (including system resources such as system menus, page elements, data resources and the like), including enabling and disabling the element, displaying and hiding the element, and the like. The system designates a global filter, and performs authority control according to the authority identification of the element and the authority group or the authority point.
2) Issuing authority at a fixed time. Through a task scheduling framework and an expression, a predefined authority is actively applied to the system when a specified condition is triggered.
3) Actively recovering authority. When a specific authority is issued, an effective rule condition and a recovery rule condition are first specified and an authority record is generated in the system; when the specified condition is triggered, a scheduling task of the system checks whether the authority record meets the condition, triggers a recovery event, and actively cancels the corresponding authority.
In one embodiment, as shown in FIG. 5, there is provided a page permission control apparatus including:
a permission group obtaining module 502, configured to obtain a first permission group and a second permission group, where at least one permission group in the first permission group and the second permission group includes a combination of a function-class permission point and a data-class permission point;
a permission group generating module 504, configured to combine the first permission group and the second permission group to generate a third permission group, where the third permission group includes at least one permission point in the first permission group and/or the second permission group;
a user identifier obtaining module 506, configured to obtain a user identifier to which a right is to be assigned;
a conflict processing module 508, configured to detect whether a conflict permission point exists in the third permission group for the user identity corresponding to the user identifier, and if so, reject the conflict permission point;
and the authority distributing module 510 is configured to associate the user identifier with the third authority group after the conflicting authority points are removed.
In one embodiment, the conflict handling module 508 is further configured to identify the data class permission points in the third permission group that are sensitive data relative to the user identifier; and remove all data class permission points that are sensitive data relative to the user identifier.
In one embodiment, the permission group generating module 504 is further configured to detect whether there is a conflicting permission point in the first permission group and the second permission group; when conflict exists, matching a conflict solution according to conflict conditions; and combining the first permission group and the second permission group according to the solution to generate a third permission group.
In one embodiment, the permission group generating module 504 is further configured to, when the conflict is a data type conflict, obtain a permission point that needs to be added to solve the data type conflict, and combine the added permission point with the first permission group and the second permission group, where the added permission point does not belong to a permission point in the first permission group and the second permission group; and/or
And when the conflict is a function conflict, identifying the authority points which need to be removed for eliminating the function conflict, and combining the first authority group and the second authority group according to the authority points which need to be removed, wherein the authority points which need to be removed belong to the authority points in the first authority group and/or the second authority group.
In one embodiment, the permission group generating module 504 is further configured to obtain a first permission point and a second permission point, where the first permission point belongs to the function class permission point, and the second permission point belongs to the data class permission point; and combining the first authority point and the second authority point to generate a first authority group, so that the first authority group comprises all authorities in the first authority point and the second authority point.
In one embodiment, the permission group generating module 504 is further configured to combine all permission points in the first permission group and all permission points in the second permission group by taking their union; or to combine all permission points in the first permission group and all permission points in the second permission group by taking their intersection; or to receive a selection instruction for at least one permission point in the first permission group and the second permission group, and combine the permission points selected according to the selection instruction.
In one embodiment, the user identifier obtaining module 506 is further configured to detect whether corresponding user identifiers exist in the first permission group and the second permission group, and when corresponding user identifiers exist, take all existing user identifiers as the user identifiers to which permissions are to be assigned; and/or
receive a permission application request associated with the third permission group, and take the corresponding user identifier contained in the application request as the user identifier to which permissions are to be assigned; and/or
actively select one or more user identifiers as the user identifiers to which permissions are to be assigned.
In one embodiment, as shown in fig. 6, another page permission control apparatus is provided, the apparatus further comprising:
a validity period processing module 512, configured to set a validity period of authority points for one or more authority points in the third authority group, where when the current time is in the validity period, state information of the authority point corresponding to the user identifier is in a valid state; or setting the validity period of the authority group in the third authority group, and when the current time is in the validity period, the state information of the third authority group corresponding to the user identifier is in a valid state.
In one embodiment, the permission group generation module 504 is further configured to label the permission points included in the third permission group with the permission source.
In one embodiment, the permission group generation module 504 is further configured to, in response to the splitting operation for the third permission group, split the third permission group into a fourth permission group and a fifth permission group according to the splitting operation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above embodiments express only several implementations of the present application, and although their description is relatively specific and detailed, they are not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent application shall be subject to the appended claims.
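The pipeline of modules 502 to 512 described above, sketched as an added Python example that is not code from the patent: two groups are merged by union or intersection with source labels, a function conflict removes a point, a data conflict adds one, data points sensitive for the user's identity are removed, and a validity period gates the grant. The permission names, conflict rules, user mapping and the half-open validity interval are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Point:
    name: str
    kind: str                               # "function" or "data"
    sensitive_for: frozenset = frozenset()  # identities barred from this data point

# Constructed rules and data (assumptions, not taken from the patent).
FUNCTION_CONFLICTS = {frozenset({"order.create", "order.approve"}): "order.approve"}
DATA_CONFLICTS = {frozenset({"record.ward_a", "record.ward_b"}):
                  Point("record.deidentified_only", "data")}
USER_IDENTITY = {"u1001": "contractor"}
GROUP_A = [Point("order.create", "function"), Point("record.ward_a", "data"),
           Point("salary.read", "data", frozenset({"contractor"}))]
GROUP_B = [Point("order.create", "function"), Point("order.approve", "function"),
           Point("record.ward_b", "data")]

def merge_groups(first, second, mode="union"):
    """Build the third group as {Point: source labels}, resolving conflicts."""
    a, b = {p.name for p in first}, {p.name for p in second}
    keep = a | b if mode == "union" else a & b
    merged = {}
    for label, group in (("first", first), ("second", second)):
        for p in group:
            if p.name in keep:
                merged.setdefault(p, set()).add(label)
    present = {p.name for p in merged}
    for pair, drop in FUNCTION_CONFLICTS.items():
        if pair <= present:    # function conflict: remove an existing point
            merged = {p: s for p, s in merged.items() if p.name != drop}
    for pair, extra in DATA_CONFLICTS.items():
        if pair <= present:    # data conflict: add a point from neither group
            merged.setdefault(extra, set()).add("conflict-rule")
    return merged

def assign(merged, user_id, valid_from, valid_until):
    """Drop points that conflict with the user's identity, then bind the group."""
    identity = USER_IDENTITY[user_id]
    points = {p: s for p, s in merged.items()
              if not (p.kind == "data" and identity in p.sensitive_for)}
    return {"user_id": user_id, "points": points,
            "valid_from": valid_from, "valid_until": valid_until}

def is_active(assignment, now):
    """Valid only inside the validity period (half-open interval: an assumption)."""
    return assignment["valid_from"] <= now < assignment["valid_until"]

if __name__ == "__main__":
    third = merge_groups(GROUP_A, GROUP_B)
    grant = assign(third, "u1001", datetime(2022, 5, 10), datetime(2022, 6, 10))
    for point, sources in sorted(grant["points"].items(), key=lambda kv: kv[0].name):
        print(point.name, point.kind, sorted(sources))
    print("active on 2022-06-10:", is_active(grant, datetime(2022, 6, 10)))
```

Keeping the source labels on every point makes a later split of the third group, or an audit of why a user holds a given point, a lookup rather than a reconstruction.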

Claims (10)

1. A method for controlling page permission is characterized by comprising the following steps:
acquiring a first authority group and a second authority group, wherein at least one of the first authority group and the second authority group comprises a combination of a function class authority point and a data class authority point;
combining the first permission group and the second permission group to generate a third permission group, wherein the third permission group comprises at least one permission point in the first permission group and/or the second permission group;
acquiring a user identifier to which permissions are to be assigned;
detecting whether the third permission group contains a permission point that conflicts with the user identity corresponding to the user identifier, and if so, removing the conflicting permission point;
and associating the user identifier with the third permission group after the conflicting permission points have been removed.
2. The method of claim 1, wherein combining the first set of permissions and the second set of permissions to generate a third set of permissions comprises:
detecting whether a conflict authority point exists in the first authority group and the second authority group;
when conflict exists, matching a conflict solution according to conflict conditions;
and combining the first permission group and the second permission group according to the solution to generate the third permission group.
3. The method of claim 2, wherein matching a conflict resolution based on a conflict condition, and wherein combining the first set of permissions and the second set of permissions based on the resolution comprises:
when the conflict is a data conflict, acquiring the permission points that need to be added to resolve the data conflict, and combining the added permission points with the first permission group and the second permission group, wherein the added permission points are not permission points of the first permission group or the second permission group; and/or
when the conflict is a function conflict, identifying the permission points that need to be removed to eliminate the function conflict, and combining the first permission group and the second permission group according to the permission points to be removed, wherein the permission points to be removed belong to the first permission group and/or the second permission group.
4. The method of claim 1, further comprising:
in response to a splitting operation for the third permission group, splitting the third permission group into a fourth permission group and a fifth permission group according to the splitting operation.
5. The method according to any one of claims 1 to 4, further comprising:
the function-class permission point is a permission point related to access to or operation of system functions; the data-class permission point is a permission point related to access to or operation on data.
6. The method of claim 1, wherein combining the first set of permissions and the second set of permissions comprises:
combining all permission points in the first permission group and all permission points in the second permission group by taking their union; or
combining all permission points in the first permission group and all permission points in the second permission group by taking their intersection; or
receiving a selection instruction for at least one permission point in the first permission group and the second permission group, and combining the permission points selected according to the selection instruction.
7. The method according to claim 1, wherein the obtaining the user identifier to which the right is to be assigned comprises:
detecting whether corresponding user identifiers exist in the first permission group and the second permission group, and when corresponding user identifiers exist, taking all the existing user identifiers as the user identifiers to which permissions are to be assigned; and/or
receiving a permission application request associated with the third permission group, and taking the corresponding user identifier contained in the application request as the user identifier to which permissions are to be assigned; and/or
actively selecting one or more user identifiers as the user identifiers to which permissions are to be assigned.
8. The method of claim 1, further comprising:
setting permission point validity periods for one or more permission points in the third permission group, wherein when the current time is within the validity period, the state information of the permission point corresponding to the user identifier is in a valid state; or
setting a permission group validity period for the third permission group, wherein when the current time is within the validity period, the state information of the third permission group corresponding to the user identifier is in a valid state.
9. The method according to any one of claims 1 to 8,
the permission points included in the third permission group include a permission source.
10. A page permission control apparatus, characterized in that the apparatus comprises:
a permission group acquisition module, configured to acquire a first permission group and a second permission group, wherein at least one of the first permission group and the second permission group comprises a combination of a function-class permission point and a data-class permission point;
a permission group generating module, configured to combine the first permission group and the second permission group to generate a third permission group, wherein the third permission group comprises at least one permission point in the first permission group and/or the second permission group;
a user identifier acquisition module, configured to acquire a user identifier to which permissions are to be assigned;
a conflict processing module, configured to detect whether the third permission group contains a permission point that conflicts with the user identity corresponding to the user identifier, and if so, remove the conflicting permission point;
and a permission assignment module, configured to associate the user identifier with the third permission group from which the conflicting permission points have been removed, so that the user identity corresponding to the user identifier has conflict-free information processing permissions.
CN202210500914.9A 2022-05-10 2022-05-10 Page permission control method and device Active CN114595484B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210500914.9A CN114595484B (en) 2022-05-10 2022-05-10 Page permission control method and device

Publications (2)

Publication Number Publication Date
CN114595484A true CN114595484A (en) 2022-06-07
CN114595484B CN114595484B (en) 2022-08-16

Family

ID=81811578

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210500914.9A Active CN114595484B (en) 2022-05-10 2022-05-10 Page permission control method and device

Country Status (1)

Country Link
CN (1) CN114595484B (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100251341A1 (en) * 2009-03-31 2010-09-30 Hitachi Software Engineering Co., Ltd. Login process apparatus, login process method, and program
CN104573430A (en) * 2013-10-21 2015-04-29 华为技术有限公司 Data access rights control method and device
CN105809021A (en) * 2016-03-04 2016-07-27 深圳市茁壮网络股份有限公司 Method and device for distributing user permissions
CN110245499A (en) * 2019-05-08 2019-09-17 深圳丝路天地电子商务有限公司 Web application rights management method and system
CN110598380A (en) * 2019-08-23 2019-12-20 浙江大搜车软件技术有限公司 User right management method, device, computer equipment and storage medium
CN112597448A (en) * 2020-12-18 2021-04-02 努比亚技术有限公司 Authority granting method, mobile terminal and computer readable storage medium
CN112632578A (en) * 2020-12-25 2021-04-09 平安银行股份有限公司 Service system authority control method and device, electronic equipment and storage medium
US20210157631A1 (en) * 2019-11-25 2021-05-27 Live Nation Entertainment, Inc. Automated queue shutdown for efficient resource management
CN113946837A (en) * 2020-07-15 2022-01-18 奇安信科技集团股份有限公司 Data access and data access authority configuration method, device and storage medium
CN114329503A (en) * 2020-09-29 2022-04-12 伊姆西Ip控股有限责任公司 Method, apparatus and computer program product for handling access management rights

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谢嘉华等: "基于角色权限管理方法的改进", 《现代计算机(专业版)》 *

Also Published As

Publication number Publication date
CN114595484B (en) 2022-08-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant