CN115017547A - Authority determining method, device, equipment and medium - Google Patents

Publication number
CN115017547A
Authority
CN
China
Prior art keywords
target
rule
request
path
target rule
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210867352.1A
Other languages
Chinese (zh)
Inventor
伍文韬
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Zitiao Network Technology Co Ltd
Original Assignee
Beijing Zitiao Network Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Zitiao Network Technology Co Ltd
Priority to CN202210867352.1A
Publication of CN115017547A

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00: Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21: Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method, an apparatus, a device and a medium for determining a permission. A permission request for a target permission on a target resource is first obtained, and a target rule matching the permission request is obtained through a first path or a second path. If the target rule can be obtained through the first path, the request result of the permission request is determined according to the target rule. If the target rule cannot be obtained through the first path, the target rule is obtained through the second path, and the request result of the permission request is determined according to the obtained target rule. The first path is the path through which the target rule is obtained faster. The request result can therefore be determined quickly based on the first path, which improves the speed of determining the request result and the efficiency with which the user obtains the requested system resource. When the first path is unavailable, the request result is determined using the second path, which ensures that a request result for the permission request can be obtained.

Description

Authority determining method, device, equipment and medium
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a medium for determining a permission.
Background
A permission system checks permissions for access requests that ask to acquire system resources. When a user applies for access to a system resource, the permission is checked according to the specifics of the system resource the user applies to access. If the permission result is a pass, the user is allowed to access the system resource.
At present, permission systems determine the permission result slowly, so users obtain system resources inefficiently.
Disclosure of Invention
In view of this, the present application provides a method, an apparatus, a device, and a medium for determining an authority, which can improve the speed of determining the authority result by the authority system.
In order to solve the above problems, the technical solution provided by the present application is as follows:
In a first aspect, an embodiment of the present application provides a method for determining a permission, where the method includes:
acquiring a permission request of a user for a target operation on a target resource;
acquiring a target rule matching the permission request through a first path or a second path;
in response to the target rule being obtained through the first path, determining a request result of the permission request according to the target rule; or,
in response to the target rule not being obtained through the first path, obtaining the target rule through the second path, and determining a request result of the permission request according to the target rule.
In a second aspect, an embodiment of the present application provides an authority determination apparatus, where the apparatus includes:
the first acquisition unit is used for acquiring a permission request of a target operation of a user for a target resource;
the second acquisition unit is used for acquiring a target rule matched with the permission request through the first path or the second path;
the determining unit is used for responding to the target rule obtained through the first path and determining a request result of the permission request according to the target rule; or, in response to the target rule not being acquired in the first path, acquiring the target rule through the second path, and determining a request result of the permission request according to the target rule.
In a third aspect, an embodiment of the present application provides an electronic device, including:
one or more processors;
a storage device having one or more programs stored thereon,
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement the method of determining permissions as described in the first aspect.
In a fourth aspect, an embodiment of the present application provides a computer-readable medium, on which a computer program is stored, where the program, when executed by a processor, implements the method for determining a permission according to the first aspect.
Therefore, the application has the following beneficial effects:
According to the method, apparatus, device and medium for determining a permission, a permission request for a target permission on a target resource is first obtained, and a target rule matching the permission request is obtained through the first path or the second path. If the target rule can be obtained through the first path, the request result of the permission request is determined according to the target rule. If the target rule cannot be obtained through the first path, the target rule is obtained through the second path, and the request result of the permission request is determined according to the obtained target rule. The first path is the path through which the target rule is obtained faster. The request result can therefore be determined quickly based on the first path, which improves the speed of determining the request result and the efficiency with which the user obtains the requested system resource. When the first path is unavailable, the request result is determined using the second path, which ensures that a request result for the permission request can be obtained.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic diagram of a framework of an exemplary application scenario provided in an embodiment of the present application;
Fig. 2 is a flowchart of a permission determination method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a permission determination method according to an embodiment of the present application;
Fig. 4 is a schematic flowchart of a permission determination method according to an embodiment of the present application;
Fig. 5 is a schematic structural diagram of a permission determination apparatus according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
In order to facilitate understanding and explaining the technical solutions provided by the embodiments of the present application, the following description will first describe the background art of the present application.
The resource system includes a permission system used to determine whether a user has permission to acquire a system resource. The permission system can judge whether the user has permission based on the user's permission request for a target operation on a target resource. Currently, permission systems can employ a permission calculation model based on Attribute-Based Access Control (ABAC) to determine permissions. The ABAC permission calculation model obtains the rule used to judge whether the permission exists according to the requesting user, the requested target resource and the requested target operation. According to the determined rule, the computing resources needed to judge the permission with that rule are then acquired. Based on the acquired computing resources and the determined rule, it can be determined whether the user has permission for the target operation on the target resource, that is, the request result. The resource system can determine whether the user has the permission according to the request result obtained by the permission system. However, the process by which current permission systems determine the rule is complicated, so the request result is obtained slowly, which reduces the efficiency with which the user obtains the target resource.
Based on this, the embodiments of the application provide a method, an apparatus, a device and a medium for determining a permission. A permission request for a target permission on a target resource is first obtained, and a target rule matching the permission request is obtained through the first path or the second path. If the target rule can be obtained through the first path, the request result of the permission request is determined according to the target rule. If the target rule cannot be obtained through the first path, the target rule is obtained through the second path, and the request result of the permission request is determined according to the obtained target rule. The first path is the path through which the target rule is obtained faster. The request result can therefore be determined quickly based on the first path, which improves the speed of determining the request result and the efficiency with which the user obtains the requested system resource. When the first path is unavailable, the request result is determined using the second path, which ensures that a request result for the permission request can be obtained.
In order to facilitate understanding of an authority determining method provided in the embodiment of the present application, the following description is made with reference to a scenario example shown in fig. 1. Referring to fig. 1, the drawing is a schematic diagram of a framework of an exemplary application scenario provided in an embodiment of the present application.
In some embodiments, the permission system can determine the request result of a permission request based on the user's permission request for a target operation on a target resource. The permission system stores the result resource matched with the permission request in the target storage space in advance. When a user needs to perform the target operation on the target resource, a permission request for the target operation on the target resource is triggered. After acquiring the permission request, the permission system acquires a target rule matching the permission request through the first path or the second path. The first path is a path for acquiring the target rule from the target storage space. The second path is a path for acquiring the target rule from the rule base. The permission system first attempts to obtain the target rule through the first path. If the target rule can be acquired through the first path, the request result of the permission request is determined according to the target rule. If the target rule cannot be acquired through the first path, the target rule is acquired through the second path, and the request result of the permission request is determined according to the target rule.
Those skilled in the art will appreciate that the block diagram shown in fig. 1 is only one example in which embodiments of the present application may be implemented. The scope of applicability of the embodiments of the present application is not limited in any way by this framework.
In order to facilitate understanding of the technical solutions provided by the embodiments of the present application, a method for determining a right provided by the embodiments of the present application is described below with reference to the accompanying drawings.
First, it should be noted that the method for determining a right provided by the embodiment of the present application can be applied to a right system for determining a right.
Referring to fig. 2, which is a flowchart of an authority determination method provided in an embodiment of the present application, as shown in fig. 2, the method may include S201 to S203:
S201: Acquire a permission request of a user for a target operation on a target resource.
In some embodiments, before the user performs the target operation on the target resource, it is required to determine in advance whether the user has the right to perform the target operation on the target resource.
The embodiment of the application does not limit the specific implementation manner of the permission request generated by the user. In one possible implementation, the user can automatically implement triggering of the permission request by triggering a target operation on the target resource. In another possible implementation manner, the user can generate a permission request for the target operation of the target resource in advance to confirm whether the permission for the target operation of the target resource is provided.
In some embodiments, before user A reads document A, a permission request can be generated for user A to read document A. Document A is the target resource, and reading is the target operation.
S202: Acquire a target rule matching the permission request through the first path or the second path.
The first path and the second path are respectively different paths for acquiring a target rule matching the permission request. The first path and the second path have different speeds for acquiring the target rule. In some possible implementations, the target rule is obtained faster through the first path than through the second path.
In some embodiments, obtaining the target rule through the first path is obtaining the cached target rule from a target storage space, and obtaining the target rule through the second path is obtaining the target rule from a rule base. The target storage space is used for storing the matching relation between the permission request and the rule. In one possible implementation, the matching relationship between the historically determined permission request and the rule may be stored in the target storage space. In another possible implementation manner, the matching relation between the permission request and the rule is determined in advance, and the permission request and the rule are stored in the target storage space. Wherein, the target storage space may be a predetermined buffer space. The speed of acquiring the target rule matched with the permission request from the target storage space through the first path is higher, so that the speed of acquiring the target rule can be improved.
In some embodiments the target rule is a rule for determining a request result of the permission request. The embodiment of the application does not limit the specific implementation manner of obtaining the target rule. As an example, the target rule is obtained from the authority information included in the authority request. It should be noted that the target rule may include one or more rules. The number of rules that the target rule includes may be determined based on the number of rights information that the rights request includes.
In some embodiments, taking the above permission request for user A to read document A as an example, the permission request includes three pieces of permission information: user A, document A, and read. In the target storage space, the corresponding rules are queried by user A, document A and read respectively, which yields the rule for determining the permission of user A and the rule for determining the permission to read document A. The target rule is then the rule for determining the permission of user A and the rule for determining the permission to read document A.
S203: In response to the target rule being obtained through the first path, determine the request result of the permission request according to the target rule; or, in response to the target rule not being obtained through the first path, obtain the target rule through the second path, and determine the request result of the permission request according to the target rule.
In some embodiments, if the target rule can be obtained through the first path, the obtained target rule may be used to determine a request result of the permission request.
The embodiment of the application does not limit the specific implementation manner of determining the request result of the permission request by using the target rule. In one possible implementation, the request result of the permission request is determined by using the target rule and the permission information included in the permission request. In another possible implementation, the calculation resources can be determined first by using the target rule, and then the request result can be determined by using the calculation resources and the target rule. The embodiment of the present application provides a specific implementation manner for determining a computing resource first by using a target rule, and then determining a request result by using the computing resource and the target rule, which is specifically referred to below.
In some embodiments, if the target rule cannot be obtained through the first path, the target rule is obtained through the second path, and the request result of the permission request is determined using the target rule.
The embodiment of the application does not limit the specific implementation manner of determining the request result of the permission request by using the target rule. In one possible implementation, the request result of the permission request is determined by using the target rule and the permission information included in the permission request. In another possible implementation, the calculation resources can be determined first by using the target rule, and then the request result can be determined by using the calculation resources and the target rule. The embodiment of the present application provides a specific implementation manner for determining a calculation resource by using a target rule, and then determining a request result by using the calculation resource and the target rule, which is specifically referred to below.
In some embodiments, based on the related contents of the above S201 to S203, the target rule matching the permission request can be obtained faster through the first path, and the speed of determining the request result of the permission request is increased. In the case that the target rule cannot be acquired through the first path, the target rule can be acquired through the second path, and the request result of the permission request is ensured to be determined based on the target rule.
In some embodiments, the present application provides a specific implementation manner for determining the request result of the permission request according to the target rule, and specifically includes the following two steps.
Acquiring the computing resource of the target rule;
and determining a request result of the permission request by using the computing resource and the target rule.
The computing resources are the resources used to determine a request result according to a target rule. The computing resources may be obtained by the permission system from a downstream system. The downstream system is, for example, a business system or a management system. It should be noted that, in the embodiments of the present application, the source of the target rule is not limited: the target rule may be obtained through the first path or the second path.
In some embodiments, refer to Fig. 3, which is a schematic diagram of a permission determination method provided in an embodiment of the present application. After a permission request of a user for a target operation on a target resource is obtained, a target rule matching the permission request is sought through the first path. If the target rule can be obtained through the first path, the computing resources of the target rule are obtained, and the request result of the permission request is determined using the computing resources and the target rule. If the target rule cannot be obtained through the first path, the target rule matching the permission request is obtained through the second path, the computing resources of the target rule are obtained, and the request result of the permission request is determined using the computing resources and the target rule.
In some embodiments, still taking the above permission request for user A to read document A as an example, the target rule includes a rule for determining the permission of user A and a rule for determining the permission to read document A. For example, the rule for determining the permission of user A is that user A has the permission if the identity of user A matches a preset identity. The identity information of user A is acquired from the user management system as a computing resource. The rule for determining the permission to read document A is that the read operation can be performed if the type of document A is a specific type. The document type of document A is acquired from the document management system as a computing resource.
In some embodiments, the computing resources of the target rule include one or more of subject resources, object resources, operation resources, and environment resources. A subject resource is a resource related to the subject that triggers the permission request. An object resource is a resource associated with the target resource. An operation resource is a resource associated with the target operation. An environment resource is a resource related to the environment in which the permission request is triggered, for example time and location.
In some embodiments, after the computing resources are obtained, the request result of the permission request can be computed according to the computing resources and the target rule. Specifically, the computing resources are used to judge whether the permission request satisfies the target rule. If it is determined based on the computing resources that the permission request satisfies the target rule, the request result of the permission request is that the user has the permission. If it is determined based on the computing resources that the permission request does not satisfy the target rule, the request result of the permission request is that the user does not have the permission. In one possible implementation, computing the request result of the permission request from the computing resources and the target rule can be implemented with the ABAC permission calculation model.
In some embodiments, obtaining the target rule through the first path means obtaining a cached target rule from the target storage space. The target storage space may store a plurality of candidate rules matching the permission request. After the candidate rules matching the permission request are obtained from the target storage space, the target rule is determined from the candidate rules, and the request result is then determined according to the target rule. In one possible implementation, the candidate rules compute the request result at different speeds, and the target rule can be determined according to the computation speed of the candidate rules: a candidate rule whose computation speed is greater than a threshold is determined as the target rule.
In some embodiments, candidate rules stored in the target storage space that match the permission request may have different computation speeds. A candidate rule whose computation speed is greater than the threshold is determined as the target rule. The threshold may be a preset computation-speed threshold. The threshold may also be determined according to the computation speed of the candidate rules. For example, the threshold is set according to the maximum computation speed among the candidate rules.
In some embodiments, by taking the candidate rule with the calculation speed greater than the threshold as the target rule, the request result of the permission request can be determined based on the target rule with the higher calculation speed, and the efficiency of determining the request result of the permission request can be further improved.
In some embodiments, in another possible implementation, the candidate rules have a priority. And taking the candidate rule with the priority greater than the priority threshold as the target rule.
In some embodiments, candidate rules stored in the target storage space that match the permission request may have different priorities. The priority of the candidate rule may be predetermined. For example, the priority of a candidate rule is determined according to the candidate rule establishment time, the priority of a candidate rule with a later establishment time is higher, and the priority of a candidate rule with an earlier establishment time is lower. For another example, the priority of the candidate rule is determined according to the calculation speed of the candidate rule, the priority of the candidate rule with a higher calculation speed is higher, and the priority of the candidate rule with a lower calculation speed is lower.
In some embodiments, candidate rules with a priority greater than a priority threshold are determined as target rules. The priority threshold may be preset. The priority threshold may also be determined according to the priority of the candidate rule. For example, the priority threshold is set according to the highest priority in the candidate rule.
In some embodiments, based on the above, determining the target rule from the candidate rules according to the calculation speed or the priority can more flexibly determine the target rule meeting the requirement of determining the request result.
In some embodiments, after the request result of the permission request is obtained, the request result of the permission request can be stored, so that the subsequent request result of the permission request can be directly searched. As an example, the request result of the determined permission request can be stored in the target storage space. The target storage space is used for storing the request result of the permission request. The embodiment of the application is not limited to the specific implementation manner of the request result of the permission request stored in the target storage space. As one example, the permission request and the request result of the permission request may be stored in the form of a key-value pair.
In some embodiments, the request result of the permission request is stored in the target storage space, and after the permission request is subsequently acquired, the newly acquired request result of the permission request can be determined according to the request result stored in the target storage space, so that the request result of the permission request can be rapidly determined.
In some embodiments, the computing resources are obtained from a downstream system connected to the privilege system. When the downstream system is unavailable, the authority system cannot acquire the computing resources, and further cannot compute the request result.
In some embodiments, to solve the above problem, in one possible implementation, an embodiment of the present application provides a permission determination method that includes the following step in addition to the above steps:
In some embodiments, in response to determining that the downstream system is unavailable, a historical result of the permission request is obtained from the target storage space as the request result of the permission request.
The embodiments of the present application do not limit the specific implementation of determining that a downstream system is unavailable. In one possible implementation manner, if the computing resource provided by the downstream system cannot be acquired within a preset time period, it is determined that the downstream system is unavailable. In another possible implementation, if a disconnection from the downstream system is detected, it is determined that the downstream system is unavailable. In yet another possible implementation manner, if the fault information sent by the downstream system is obtained, it is determined that the downstream system is unavailable.
In some embodiments, upon determining that the downstream system is unavailable, the historical result of the permission request is obtained from the target storage space. The historical result of the permission request is the request result previously determined for that permission request.
In some embodiments, the acquired historical result of the permission request is used as the request result of the permission request. The embodiments of the present application do not limit the specific implementation of obtaining the historical result of the permission request from the target storage space. As an example, the historical result may be obtained using the authority information included in the permission request.
In some embodiments, refer to fig. 4, which is a schematic flowchart of an authority determination method provided in an embodiment of the present application. After a permission request of a user for a target operation on a target resource is obtained, a target rule matching the permission request is looked up through the first path. If the target rule can be obtained through the first path, the computing resource of the target rule is obtained from the downstream system. If the downstream system is available and the computing resource of the target rule can be acquired, the request result of the permission request is determined using the computing resource and the target rule. If the downstream system is unavailable, the historical result of the permission request can be obtained from the target storage space and used as the request result of the permission request. If the target rule cannot be obtained through the first path, the target rule matching the permission request is obtained through the second path, and the computing resource of the target rule is then acquired. As before, if the downstream system is available and the computing resource can be acquired, the request result of the permission request is determined using the computing resource and the target rule; if the downstream system is unavailable, the historical result of the permission request can be obtained from the target storage space and used as the request result of the permission request.
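The flow of fig. 4 as an added Python example (not code from the patent): a cached rule is tried first, the rule base second, and a stored historical result is served when the downstream system is unavailable. Modelling the computing resource as a user's group list, filling the rule cache on a miss, the `max_history_age` bound on historical results and the deny default when no rule or usable history exists are assumptions of this example.

```python
import time
from dataclasses import dataclass


class DownstreamUnavailable(Exception):
    """The downstream system could not supply the rule's computing resource."""


@dataclass(frozen=True)
class PermissionRequest:
    user: str
    operation: str
    resource: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule_path: str  # "first" (cached rule) or "second" (rule base)
    source: str     # "computed", "history" or "fail-closed"


class PermissionEngine:
    def __init__(self, rule_base, fetch_resource, max_history_age=300.0,
                 clock=time.monotonic):
        self.rule_base = rule_base      # second path: the rule base
        self.rule_cache = {}            # first path: rules cached in the target storage space
        self.results = {}               # key-value pairs: request -> (allowed, stored_at)
        self.fetch_resource = fetch_resource
        self.max_history_age = max_history_age  # assumption: limit on how stale a result may be
        self.clock = clock

    def _target_rule(self, req):
        key = (req.operation, req.resource)
        rule = self.rule_cache.get(key)
        if rule is not None:
            return rule, "first"
        rule = self.rule_base.get(key)
        if rule is not None:
            self.rule_cache[key] = rule  # assumption: cache the rule after a miss
        return rule, "second"

    def check(self, req):
        rule, path = self._target_rule(req)
        if rule is None:
            return Decision(False, path, "fail-closed")  # no matching rule: deny
        try:
            resource = self.fetch_resource(req)
        except DownstreamUnavailable:
            return self._from_history(req, path)
        allowed = bool(rule(req, resource))
        self.results[req] = (allowed, self.clock())      # store the request result
        return Decision(allowed, path, "computed")

    def _from_history(self, req, path):
        hit = self.results.get(req)
        if hit is not None and self.clock() - hit[1] <= self.max_history_age:
            return Decision(hit[0], path, "history")
        return Decision(False, path, "fail-closed")      # no usable history: deny


def demo():
    """Constructed scenario: a directory service plays the downstream system."""
    groups = {"alice": {"finance"}, "bob": {"finance"}}
    state = {"up": True, "now": 0.0}

    def directory(req):
        if not state["up"]:
            raise DownstreamUnavailable("directory unreachable")
        return {"groups": groups.get(req.user, set())}

    rule_base = {("edit", "ledger"): lambda req, res: "finance" in res["groups"]}
    engine = PermissionEngine(rule_base, directory, max_history_age=300.0,
                              clock=lambda: state["now"])
    alice = PermissionRequest("alice", "edit", "ledger")
    bob = PermissionRequest("bob", "edit", "ledger")

    out = [engine.check(alice)]       # rule base lookup, result computed
    out.append(engine.check(alice))   # cached rule, result computed
    state["up"], state["now"] = False, 60.0
    out.append(engine.check(alice))   # downstream down: historical result
    out.append(engine.check(bob))     # downstream down, no history: denied
    state["now"] = 1000.0
    out.append(engine.check(alice))   # history older than the bound: denied
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The last two decisions show the trade-off in the fallback: a historical result keeps the system answering during an outage, but a permission revoked downstream in the meantime stays in effect until the stored result expires.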
In some embodiments, the availability of each downstream system can be obtained, and the availability of the authority system can be calculated from the availabilities of the downstream systems.
In some embodiments, as an example, the product of the availabilities of the downstream systems is calculated to obtain the availability of the authority system.
For example, the availability of the downstream system i is obtained, where the value range of i is a positive integer less than or equal to n, and n is the number of the downstream systems. The availability of the authority system can be calculated by adopting formula (1).
Figure BDA0003759942400000101
For example, suppose the authority system is connected to 3 downstream systems and the availability of each downstream system is 99.9%. The availability of the authority system calculated according to formula (1) is 0.970299.
In some embodiments, as another example, on the basis of calculating the product of the availability rates of the downstream systems, the product of the availability rates of the downstream systems can be multiplied by the availability rate of the authority system itself to obtain the overall availability rate of the authority system.
Based on the method for determining the authority provided by the above method embodiment, an authority determining device is further provided in the embodiment of the present application, and the authority determining device will be described below with reference to the accompanying drawings.
Fig. 5 is a schematic structural diagram of an authority determination device according to an embodiment of the present application. As shown in the figure, the authority determination device includes:
a first obtaining unit 501, configured to obtain an authority request of a user for a target operation of a target resource;
a second obtaining unit 502, configured to obtain, through the first path or the second path, a target rule matched with the permission request;
a determining unit 503, configured to determine, in response to acquiring the target rule through the first path, a request result of the permission request according to the target rule; or, in response to the target rule not being acquired in the first path, acquiring the target rule through the second path, and determining a request result of the permission request according to the target rule.
In a possible implementation manner, the determining unit 503 is configured to determine a request result of the permission request according to the target rule, and includes:
the determining unit 503 is configured to obtain a computing resource of the target rule; and determining a request result of the permission request by using the computing resource and the target rule.
In a possible implementation manner, the obtaining the target rule through the first path is obtaining the cached target rule from a target storage space, and the obtaining the target rule through the second path is obtaining the target rule from a rule base.
In a possible implementation manner, the target storage space stores a plurality of candidate rules matched with the permission request, and the target rule is a candidate rule with a calculation speed greater than a speed threshold value.
In a possible implementation manner, the target storage space stores a plurality of candidate rules matched with the permission request, and the target rule is a candidate rule with a priority greater than a priority threshold.
In one possible implementation, the apparatus further includes:
a storage unit, configured to store the request result of the permission request in the target storage space.
In one possible implementation, the permission request and the request result are stored in the target storage space in the form of a key-value pair.
In one possible implementation, the computing resource is obtained from a downstream system, and the apparatus further includes:
a third obtaining unit, configured to, in response to the downstream system being unavailable, obtain a historical result of the permission request from the target storage space and use the historical result as the request result of the permission request.
In one possible implementation, the device is applied to an authority system, and the availability of the authority system is the product of the availabilities of the downstream systems.
Based on the authority determination method provided by the above method embodiments, the present application further provides an electronic device, which includes: one or more processors; and a storage device on which one or more programs are stored, which, when executed by the one or more processors, cause the one or more processors to implement the authority determination method described in any of the above embodiments. Referring now to fig. 6, a schematic diagram of an electronic device 600 suitable for implementing embodiments of the present application is shown. The terminal device in the embodiments of the present application may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (Personal Digital Assistant), a PAD (Portable Android Device), a PMP (Portable Multimedia Player), a car terminal (e.g., a car navigation terminal), and the like, and a fixed terminal such as a digital TV (television), a desktop computer, and the like. The electronic device shown in fig. 6 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present application.
As shown in fig. 6, electronic device 600 may include a processing means (e.g., central processing unit, graphics processor, etc.) 601 that may perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)602 or a program loaded from storage 606 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data necessary for the operation of the electronic apparatus 600 are also stored. The processing device 601, the ROM602, and the RAM603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
Generally, the following devices may be connected to the I/O interface 605: input devices 606 including, for example, a touch screen, touch pad, keyboard, mouse, camera, microphone, accelerometer, gyroscope, etc.; output devices 607 including, for example, a Liquid Crystal Display (LCD), a speaker, a vibrator, and the like; storage 606 including, for example, magnetic tape, hard disk, etc.; and a communication device 609. The communication means 609 may allow the electronic device 600 to communicate with other devices wirelessly or by wire to exchange data. While fig. 6 illustrates an electronic device 600 having various means, it is to be understood that not all illustrated means are required to be implemented or provided. More or fewer devices may alternatively be implemented or provided.
In particular, according to embodiments of the application, the processes described above with reference to the flow diagrams may be implemented as computer software programs. For example, embodiments of the present application include a computer program product comprising a computer program carried on a non-transitory computer readable medium, the computer program containing program code for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network through the communication device 609, or installed from the storage device 606, or installed from the ROM 602. When executed by the processing device 601, the computer program performs the above-described functions defined in the method of the embodiment of the present application.
The electronic device provided by this embodiment of the present application and the authority determination method provided by the above embodiments belong to the same inventive concept. Technical details not described in detail in this embodiment can be found in the above embodiments, and this embodiment has the same beneficial effects as the above embodiments.
Based on the authority determination method provided by the above method embodiment, an embodiment of the present application provides a computer readable medium, on which a computer program is stored, where the program is executed by a processor to implement the authority determination method according to any one of the above embodiments.
It should be noted that the computer readable medium mentioned above in the present application may be a computer readable signal medium or a computer readable storage medium or any combination of the two. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present application, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In this application, however, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: electrical wires, optical cables, RF (radio frequency), etc., or any suitable combination of the foregoing.
In some embodiments, clients and servers may communicate using any currently known or future developed network protocol, such as HTTP (HyperText Transfer Protocol), and may be interconnected with any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a local area network ("LAN"), a wide area network ("WAN"), an internetwork (e.g., the Internet), and peer-to-peer networks (e.g., ad hoc peer-to-peer networks), as well as any currently known or future developed network.
The computer readable medium may be embodied in the electronic device; or may exist separately without being assembled into the electronic device.
The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to perform the method of determining permissions.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The units described in the embodiments of the present application may be implemented by software or hardware. The name of a unit/module does not in some cases constitute a limitation on the unit itself; for example, a voice data collection module may also be described as a "data collection module".
The functions described herein above may be performed, at least in part, by one or more hardware logic components. For example, without limitation, exemplary types of hardware logic components that may be used include: Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), and the like.
In the context of this application, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
According to one or more embodiments of the present application, [example one] provides an authority determination method, the method comprising:
acquiring a permission request of a user for a target operation on a target resource;
acquiring a target rule matched with the permission request through a first path or a second path;
in response to the target rule being obtained through the first path, determining a request result of the permission request according to the target rule; or,
in response to the target rule not being obtained through the first path, obtaining the target rule through the second path, and determining a request result of the permission request according to the target rule.
According to one or more embodiments of the present application, [example two] provides an authority determination method, wherein determining a request result of the permission request according to the target rule includes:
acquiring the computing resource of the target rule;
and determining a request result of the permission request by using the computing resource and the target rule.
According to one or more embodiments of the present application, [example three] provides an authority determination method, wherein obtaining the target rule through the first path is obtaining the cached target rule from a target storage space, and obtaining the target rule through the second path is obtaining the target rule from a rule base.
According to one or more embodiments of the present application, [example four] provides an authority determination method, wherein the target storage space stores a plurality of candidate rules matching the permission request, and the target rule is a candidate rule whose computation speed is greater than a speed threshold.
According to one or more embodiments of the present application, [example five] provides an authority determination method, wherein the target storage space stores a plurality of candidate rules matching the permission request, and the target rule is a candidate rule having a priority greater than a priority threshold.
According to one or more embodiments of the present application, [example six] provides an authority determination method, the method further comprising:
storing the request result of the permission request in the target storage space.
According to one or more embodiments of the present application, [example seven] provides an authority determination method, wherein the permission request and the request result are stored in the target storage space in the form of a key-value pair.
According to one or more embodiments of the present application, [example eight] provides an authority determination method, wherein the computing resource is acquired from a downstream system, the method further comprising:
in response to determining that the downstream system is unavailable, obtaining a historical result of the permission request from the target storage space, and using the historical result as the request result of the permission request.
According to one or more embodiments of the present application, [example nine] provides an authority determination method, wherein the method is applied to an authority system whose availability is the product of the availabilities of the downstream systems.
According to one or more embodiments of the present application, [example ten] provides an authority determination apparatus, comprising:
a first acquisition unit, configured to acquire a permission request of a user for a target operation on a target resource;
a second acquisition unit, configured to acquire a target rule matched with the permission request through the first path or the second path;
a determining unit, configured to determine, in response to the target rule being obtained through the first path, a request result of the permission request according to the target rule; or, in response to the target rule not being obtained through the first path, to obtain the target rule through the second path and determine a request result of the permission request according to the target rule.
According to one or more embodiments of the present application, [example eleven] provides an authority determination apparatus, wherein the determining unit being configured to determine a request result of the permission request according to the target rule includes:
the determining unit being configured to acquire the computing resource of the target rule, and to determine a request result of the permission request by using the computing resource and the target rule.
According to one or more embodiments of the present application, [example twelve] provides an authority determination apparatus, wherein obtaining the target rule through the first path is obtaining the cached target rule from a target storage space, and obtaining the target rule through the second path is obtaining the target rule from a rule base.
According to one or more embodiments of the present application, [example thirteen] provides an authority determination apparatus, wherein the target storage space stores a plurality of candidate rules matching the permission request, and the target rule is a candidate rule whose computation speed is greater than a speed threshold.
According to one or more embodiments of the present application, [example fourteen] provides an authority determination apparatus, wherein the target storage space stores a plurality of candidate rules matching the permission request, and the target rule is a candidate rule having a priority greater than a priority threshold.
According to one or more embodiments of the present application, [example fifteen] provides an authority determination apparatus, further comprising:
a storage unit, configured to store the request result of the permission request in the target storage space.
According to one or more embodiments of the present application, [example sixteen] provides an authority determination apparatus, wherein the permission request and the request result are stored in the target storage space in the form of a key-value pair.
According to one or more embodiments of the present application, [example seventeen] provides an authority determination apparatus, wherein the computing resource is acquired from a downstream system, the apparatus further comprising:
a third acquisition unit, configured to, in response to the downstream system being unavailable, acquire a historical result of the permission request from the target storage space and use the historical result as the request result of the permission request.
According to one or more embodiments of the present application, [example eighteen] provides an authority determination apparatus, wherein the apparatus is applied to an authority system whose availability is the product of the availabilities of the downstream systems.
According to one or more embodiments of the present application, [example nineteen] provides an electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
which, when executed by the one or more processors, cause the one or more processors to implement the authority determination method of any one of [example one] to [example nine].
According to one or more embodiments of the present application, [example twenty] provides a computer readable medium having a computer program stored thereon, wherein the program, when executed by a processor, implements the authority determination method of any one of [example one] to [example nine].
It should be noted that, in the present specification, the embodiments are described in a progressive manner, each embodiment focuses on its differences from the other embodiments, and the same and similar parts among the embodiments may be referred to each other. The description of the system or device disclosed in the embodiments is relatively brief because it corresponds to the method disclosed in the embodiments; for the relevant points, refer to the description of the method.
It should be understood that, in this application, "at least one" means one or more, and "a plurality" means two or more. "And/or" describes an association relationship between associated objects and indicates that three relationships are possible; e.g., "A and/or B" may indicate: only A is present, only B is present, or both A and B are present, wherein A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of a single item or plural items. For example, at least one of a, b, or c may represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", wherein a, b and c may be single or plural.
It is further noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (12)

1. A method for determining permissions, the method comprising:
acquiring a permission request of a user for target operation of a target resource;
acquiring a target rule matched with the permission request through a first path or a second path;
in response to the target rule being obtained through the first path, determining a request result of the permission request according to the target rule; or,
in response to the target rule not being obtained through the first path, obtaining the target rule through the second path, and determining a request result of the permission request according to the target rule.
2. The method of claim 1, wherein the determining the request result of the permission request according to the target rule comprises:
acquiring the computing resource of the target rule;
and determining a request result of the permission request by using the computing resource and the target rule.
3. The method of claim 1, wherein the obtaining the target rule via the first path is obtaining the cached target rule from a target storage space, and wherein the obtaining the target rule via the second path is obtaining the target rule from a rule base.
4. The method of claim 3, wherein the target storage space stores a plurality of candidate rules matching the permission request, and the target rule is a candidate rule having a computation speed greater than a speed threshold.
5. The method of claim 3, wherein the target storage space stores a plurality of candidate rules matching the permission request, and the target rule is a candidate rule with a priority greater than a priority threshold.
6. The method according to any one of claims 3-5, further comprising:
storing the request result of the permission request in the target storage space.
7. The method of claim 6, wherein the permission request and request result are stored in the target storage space in the form of key-value pairs.
8. The method of claim 2, wherein the computing resource is obtained from a downstream system, the method further comprising:
in response to determining that the downstream system is unavailable, obtaining a historical result of the permission request from the target storage space, and using the historical result as the request result of the permission request.
9. The method of claim 8, wherein the method is applied to an authority system, and wherein the availability of the authority system is the product of the availabilities of the downstream systems.
10. An authority determination apparatus, characterized in that the apparatus comprises:
a first acquisition unit, configured to acquire a permission request of a user for a target operation on a target resource;
a second acquisition unit, configured to acquire a target rule matched with the permission request through the first path or the second path;
a determining unit, configured to determine, in response to the target rule being obtained through the first path, a request result of the permission request according to the target rule; or, in response to the target rule not being obtained through the first path, to obtain the target rule through the second path and determine a request result of the permission request according to the target rule.
11. An electronic device, comprising:
one or more processors;
a storage device having one or more programs stored thereon,
which, when executed by the one or more processors, cause the one or more processors to implement the method of determining rights as claimed in any of claims 1-9.
12. A computer-readable medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the method for determining rights according to any of claims 1-9.
CN202210867352.1A 2022-07-21 2022-07-21 Authority determining method, device, equipment and medium Pending CN115017547A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210867352.1A CN115017547A (en) 2022-07-21 2022-07-21 Authority determining method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN115017547A (en) 2022-09-06

Family

ID=83080298

Country Status (1)

Country Link
CN (1) CN115017547A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination