CN115292272A - Enterprise-level authority management method, system, electronic device and storage medium - Google Patents


Info

Publication number
CN115292272A
Authority
CN
China
Prior art keywords
data
authority
user
model
enterprise
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111661817.XA
Other languages
Chinese (zh)
Other versions
CN115292272B (en)
Inventor
彭永勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Meiyun Zhishu Technology Co ltd
Original Assignee
Guangdong Meiyun Zhishu Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Guangdong Meiyun Zhishu Technology Co ltd
Priority to CN202111661817.XA
Publication of CN115292272A
Application granted
Publication of CN115292272B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
            • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
              • G06F16/21 Design, administration or maintenance of databases
                • G06F16/211 Schema design and management
                  • G06F16/212 Schema design and management with details for data modelling support
                • G06F16/215 Improving data quality; Data cleansing, e.g. de-duplication, removing invalid entries or correcting typographical errors
              • G06F16/24 Querying
                • G06F16/248 Presentation of query results
              • G06F16/25 Integrating or interfacing systems involving database management systems
                • G06F16/254 Extract, transform and load [ETL] procedures, e.g. ETL data flows in data warehouses
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/45 Structures or tools for the administration of authentication
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
              • G06F21/55 Detecting local intrusion or implementing counter-measures
                • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
            • G06F21/60 Protecting data
              • G06F21/604 Tools and structures for managing or administering access control systems
          • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
              • G06F2221/2113 Multi-level security, e.g. mandatory access control
              • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
      • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
        • Y02P CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
          • Y02P90/00 Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
            • Y02P90/30 Computing systems specially adapted for manufacturing

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computational Linguistics (AREA)
  • Quality & Reliability (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses a method, a system, an electronic device and a storage medium for enterprise-level authority management. The method comprises the following steps: collecting first data related to enterprise-level rights management from different sources; filtering the first data to obtain second data; establishing a data model according to the second data; and generating a right relation representation and/or a user right consumption behavior image according to the data model and the second data, and taking the user right consumption behavior image as an enterprise right standard. By using the obtained user authority consumption behavior image as the input of enterprise authority standardization, the method prevents authority settings from being too broad or too narrow, effectively brings order to confused authority data, and puts standardized authority management into practice.

Description

Enterprise-level authority management method, system, electronic device and storage medium
Technical Field
The present application relates to the field of rights management, and in particular, to a method, a system, an electronic device, and a storage medium for enterprise-level rights management.
Background
With the continuous development of enterprise informatization, enterprise information systems have largely ended up as isolated silos, each operating on its own: every system has its own set of authority management, the authority management models are not uniform, the authority data is disordered and redundant, and the data is incomplete. Therefore, centralization, standardization, automation and intelligentization of authority management have almost become a necessary path in the informatization development process of every enterprise.
In the prior art, data centralization is realized by providing an open API (application programming interface) for external systems to call, with the external system data centralized into a unified data center by active reporting. Modeling analysis is then carried out on the data of the data center to obtain a corresponding business activity analysis report, and the degree to which business activities are normative and standard is deduced in reverse from that report. However, in an enterprise-level application scenario this technical scheme mainly suffers from the problems of difficult data acquisition, difficult data association and difficult model construction.
Disclosure of Invention
The application provides at least a method, a system, an electronic device and a storage medium for enterprise-level authority management.
A first aspect of the present application provides a method for enterprise-level rights management, the method comprising: collecting first data related to enterprise-level rights management from different sources; filtering the first data to obtain second data; establishing a data model according to the second data; and generating a right relation representation and/or a user right consumption behavior image according to the data model and the second data, and taking the user right consumption behavior image as an enterprise right standard.
Optionally, the step of building a data model from the second data comprises: acquiring a plurality of data analysis target models corresponding to a plurality of identity management dimensions; and constructing business activity analysis models with different dimensions according to the at least one data analysis target model so as to analyze the business activities with different dimensions.
Optionally, the step of constructing business activity analysis models with different dimensions according to the at least one data analysis target model to analyze business activities with different dimensions includes: establishing an authority behavior model and an access behavior model according to the user authority behavior and the authority consumption behavior; and training the authority behavior model and the access behavior model by adjusting the weight parameters.
Optionally, the step of constructing business activity analysis models with different dimensions according to the at least one data analysis target model to analyze business activities with different dimensions further includes: training a first correlation degree according to the authority behavior model, wherein the first correlation degree is the correlation degree between the user type and the authorization; training a second degree of correlation according to the access behavior model, wherein the second degree of correlation is the degree of correlation between the user type and the authority access; calculating a user authority access path dynamic track according to the first correlation degree and the second correlation degree so as to analyze and judge the user authority access path dynamic track; the training method of the first correlation and the second correlation comprises a correlation algorithm of a combined mode of cosine correlation and Pearson correlation coefficient.
Optionally, the step of generating the rights relation representation and/or the user rights consumption behavior image according to the data model and the second data includes: acquiring, according to the dynamic track of the user authority access path, at least one first authority and at least one second authority of users of the same type as the current user, where the first authority is an associated authority that is commonly granted and the second authority is an associated authority that is most frequently accessed; and generating the user authority consumption behavior image according to the at least one first authority and the at least one second authority.
Optionally, the step of generating the rights relation representation and/or the user rights consumption behavior image according to the data model and the second data includes: establishing a user label system model and an authority label system model according to the second data; and generating a permission relation portrait according to the user label system model and the permission label system model.
Optionally, the method further comprises: storing the second data; and performing complement calculation and data extraction processing on the second data.
A second aspect of the present application provides an enterprise-level rights management platform, comprising:
a full-end acquisition engine, which is used for acquiring first data related to the full-end permissions of the enterprise-level permission management system;
the conversion filtering engine is used for carrying out parallel filtering processing on the first data based on a filtering rule corresponding to multiple channels to obtain second data;
the model definition engine is used for establishing a data model according to the second data;
and the intelligent analysis engine is used for generating a user authority consumption behavior image and/or an authority relation representation according to the data model and the second data.
A third aspect of the present application provides an electronic device, which includes a memory and a processor coupled to each other, wherein the processor is configured to execute program instructions stored in the memory to implement the method for enterprise-level rights management in the first aspect.
A fourth aspect of the present application provides a computer readable storage medium having stored thereon program instructions which, when executed by a processor, implement the method of enterprise-level rights management of the first aspect described above.
The beneficial effect of this application is: unlike the prior art, the method and the device collect the first data related to enterprise-level authority management from different sources, filter the first data to obtain the second data, build the data model according to the second data, and generate the authority relationship portrait and/or the user authority consumption behavior image from the data model and the second data. By collecting data from the whole end of enterprise-level authority management, data integrity is higher; by obtaining the second data through filtering the first data, errors and omissions in data statistics are reduced; by establishing a data model according to the second data, management of multiple targets and multiple rights is realized; and by using the user authority consumption behavior image as the input of enterprise authority standardization, such as post standardization definition or other standardization, an authority standardization management suggestion report can be obtained and a corresponding adjustment strategy added on the basis of the report, so that authority settings that are too broad or too narrow are prevented, confused authority data is effectively brought into order, and intelligent, standardized authority management is finally put into practice.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flow diagram illustrating an embodiment of a method for enterprise-level rights management;
FIG. 2 is a schematic view of a detailed flow chart after step S12 in FIG. 1;
FIG. 3 is a detailed flowchart of step S13 in FIG. 1;
FIG. 4 is a first specific flowchart of step S132 in FIG. 3;
FIG. 5 is a second detailed flowchart of step S132 in FIG. 3;
FIG. 6 is a first flowchart illustrating step S14 of FIG. 1;
FIG. 7 is a second detailed flowchart of step S14 in FIG. 1;
FIG. 8 is a block diagram of a framework for one embodiment of the enterprise-level rights management system of the present application;
FIG. 9 is a block diagram of a framework for another embodiment of the enterprise-level rights management system of the present application;
FIG. 10 is a block diagram of an embodiment of an electronic device of the present application;
FIG. 11 is a block diagram of an embodiment of a computer-readable storage medium of the present application.
Detailed Description
In order to make those skilled in the art better understand the technical solution of the present application, the method, system, electronic device and storage medium for enterprise-level rights management provided by the present application are described in further detail below with reference to the accompanying drawings and detailed description. It is to be understood that the embodiments described are only a few embodiments of the present application and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first", "second", etc. in this application are used to distinguish between different objects and not to describe a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover a non-exclusive inclusion. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Referring to fig. 1, fig. 1 is a schematic flow chart diagram illustrating an embodiment of a method for enterprise-level rights management according to the present invention.
The main execution body of the method for enterprise-level rights management of the present application may be an enterprise-level rights management system, for example, the method for enterprise-level rights management may be executed by a terminal device or a server or other processing devices, where the enterprise-level rights management system may be a User Equipment (UE), a mobile device, a User terminal, a Personal Digital Assistant (PDA), a handheld device, a computing device, a vehicle-mounted device, a wearable device, or the like. In some possible implementations, the method of enterprise-level rights management may be implemented by a processor invoking computer-readable instructions stored in a memory.
Specifically, the method for enterprise-level rights management of the present embodiment may include the following steps:
step S11: first data relating to enterprise-level rights management is collected from different sources.
In the embodiment, the first data related to enterprise-level authority management is collected through a full-end collection engine of the enterprise-level authority management system.
Specifically, the full-end acquisition engine acquires data in an active proxy probe acquisition and passive acquisition mode. The active proxy probe acquisition is in a probe monitoring subscription mode, and the passive acquisition is in a message active reporting mode.
Further, the data collection range mainly includes basic organization system data, authority management data, authorization management data, and authority consumption and usage data. Optionally, the basic organization system data may specifically include a person, an organization, a group or a post, etc.; the authority management data may specifically include an application system, a service role, a system role, a resource authority or a data authority; the authorization management data may specifically include a user authority, an organization authority, a group authority or a post authority, etc.; and the authority consumption usage data may specifically be a user authority usage interaction log.
Optionally, the basic organization system data, the authority management data and the authorization management data are mainly acquired incrementally in real time by an ETL synchronous extraction tool, and the authority consumption data are acquired incrementally by a bypass probe.
Step S12: and filtering the first data to obtain second data.
In this embodiment, the first data is filtered by a conversion filtering engine of the enterprise-level rights management system.
Specifically, the conversion filtering engine of the enterprise-level authority management system is connected to the full-end acquisition engine of the enterprise-level authority management system through multiple channels, where the channels may be different listening ports with different processing logic. The conversion filtering engine processes the first data flowing in from the different ports in parallel and applies the corresponding filtering rule restriction to the first data acquired from each port; that is, the first data is filtered according to the filtering rule corresponding to its channel to obtain the second data.
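As an added illustration (not code from the patent or its assignee), the block below applies a separate filtering rule to each channel and runs the channels in parallel, using constructed records shaped like the organization, authentication and authorization tables described later in this description; the channel names, field names and the specific rules are assumptions.

```python
"""Per-channel filtering of collected rights-management records, run in parallel.
Records, field names and rules are constructed for illustration."""
from concurrent.futures import ThreadPoolExecutor
from datetime import datetime

# Operation types of an organization change event (Table 1 of the description).
ORG_OPS = {"add", "modify", "delete", "enable", "disable", "move"}

def _ts(value):
    """Parse the timestamp format used in the tables; None if it does not parse."""
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
    except (TypeError, ValueError):
        return None

def filter_org_event(rec):
    """Channel rule for organization change events: known operation type,
    an organization ID, and a parseable operation time."""
    return (rec.get("operation") in ORG_OPS
            and bool(rec.get("org_id"))
            and _ts(rec.get("operation_time")) is not None)

def filter_auth_log(rec):
    """Channel rule for authentication logs: a user ID, a login state of
    success/failure, and a failure reason exactly when the login failed."""
    state = rec.get("login_state")
    if state not in ("success", "failure") or not rec.get("user_id"):
        return False
    return (state == "failure") == bool(rec.get("failure_reason"))

def filter_grant(rec):
    """Channel rule for authorization records: key fields present and a
    parseable authorization time."""
    required = ("user_type", "application", "permission_code", "authorization_time")
    return all(rec.get(k) for k in required) and _ts(rec["authorization_time"]) is not None

CHANNEL_RULES = {"org": filter_org_event, "auth": filter_auth_log, "grant": filter_grant}

def filter_channel(name, records):
    rule = CHANNEL_RULES[name]
    kept = [r for r in records if rule(r)]
    return name, kept, len(records) - len(kept)

def filter_all(channels):
    """Filter every channel with its own rule in parallel.
    Returns {channel: (kept_records, dropped_count)}."""
    with ThreadPoolExecutor(max_workers=len(channels)) as pool:
        results = list(pool.map(lambda item: filter_channel(*item), channels.items()))
    return {name: (kept, dropped) for name, kept, dropped in results}

# Constructed sample input, one list per channel.
SAMPLE = {
    "org": [
        {"operation": "add", "org_id": "1001", "operation_time": "2019-10-17 12:12:12"},
        {"operation": "rename", "org_id": "1002", "operation_time": "2019-10-17 12:12:14"},
        {"operation": "delete", "org_id": "", "operation_time": "2019-10-17 12:12:16"},
    ],
    "auth": [
        {"user_id": "1001", "login_state": "success", "failure_reason": ""},
        {"user_id": "1001", "login_state": "failure", "failure_reason": "password error"},
        {"user_id": "1002", "login_state": "failure", "failure_reason": ""},
        {"user_id": "", "login_state": "success", "failure_reason": ""},
    ],
    "grant": [
        {"user_type": "employee", "application": "CRM", "permission_code": "crm:view",
         "authorization_time": "2019-10-17 12:12:12"},
        {"user_type": "employee", "application": "CRM", "permission_code": "crm:view",
         "authorization_time": "yesterday"},
    ],
}

if __name__ == "__main__":
    for name, (kept, dropped) in filter_all(SAMPLE).items():
        print(f"{name}: kept {len(kept)}, dropped {dropped}")
```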
Referring to FIG. 2, which is a schematic flowchart of the specific process after step S12 in FIG. 1, the method further comprises the following steps:
step S15: the second data is stored.
In this embodiment, the second data is stored by a data storage engine of the enterprise-level authority management system, and specifically, the data storage engine is mainly used to store large-capacity authority management data, authorization management data, and authority consumption data collected by the full-end collection engine 11, and perform persistent storage and archive backup on the data by dynamically storing the data in cluster fragments.
Furthermore, the data storage engine adopts a data storage model of classified partitioning and sharding, realizes elastic and dynamic expansion of the data, and provides rapid data retrieval as the data supply for real-time calculation and off-line calculation. Further, the data storage engine has automatic periodic backup and archiving capability, and based on this data storage model the enterprise-level authority management system can reduce the complexity of data association mapping and completion.
Step S16: and performing complement calculation and data extraction processing on the second data.
In this embodiment, the second data stored in the data storage engine is completed by the association completion engine of the enterprise-level rights management system.
Specifically, based on the existing data storage source model, the association completion engine performs completion calculation and data extraction by combining data sources such as master data or CRM (customer relationship management), completing incomplete attributes of existing data and supplementing other associated redundant attributes. The association completion engine calculates and completes the data in a real-time streaming calculation mode and a timed task calculation mode.
Step S13: and establishing a data model according to the second data.
In this embodiment, the data model is established according to the second data by the model definition engine of the enterprise-level rights management system.
Referring to FIG. 3, which is a schematic flowchart of step S13 in FIG. 1, the process of building the model specifically comprises the following steps:
step S131: and acquiring a plurality of data analysis target models corresponding to a plurality of identity management dimensions.
Optionally, the identity management dimensions may specifically include a user, an organization, a group, a post, an application, a service role, a system role, a function authority, a data authority, zombie data, or silent data.
Specifically, the data analysis target models may be as shown in Table 1, Table 2 and Table 3.
| Date | Operation type | Organization ID | Organization name | Organization code | Organization name full path | Organization ID full path | Operation time |
|---|---|---|---|---|---|---|---|
| 2019-10-17 | Add | 1001 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:12 |
| 2019-10-17 | Add | 1001 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:13 |
| 2019-10-17 | Modify | 1002 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:14 |
| 2019-10-17 | Modify | 1002 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:15 |
| 2019-10-17 | Delete | 1003 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:16 |
| 2019-10-17 | Enable | 1004 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:17 |
| 2019-10-17 | Disable | 1005 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:18 |
| 2019-10-17 | Move | 1006 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:19 |
| 2019-10-18 | Add | 1001 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:20 |
| 2019-10-18 | Add | 1001 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:21 |
| 2019-10-18 | Modify | 1002 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:22 |
| 2019-10-18 | Modify | 1002 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:23 |
| 2019-10-18 | Delete | 1003 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:24 |
| 2019-10-18 | Enable | 1004 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:25 |
| 2019-10-18 | Disable | 1005 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:26 |
| 2019-10-18 | Move | 1006 | XXX | XXX | XXX | XXX | 2019-10-17 12:12:27 |
Table 1
As shown in Table 1, the identity management dimension corresponding to this data analysis target model is organization, and the second data specifically includes date, operation type, organization ID, organization name, organization code, organization name full path, organization ID full path, operation time, and the like, where the operation type may include addition, modification, deletion, enabling, disabling, moving, and the like.
Different organization IDs correspond to different organizations, and the second data in the same row of Table 1 is the data generated by the corresponding operation of one organization. For example, the organization with organization ID 1001 performed an addition operation on 2019-10-17.
[Table 2 appears on the original page only as an image; its columns are listed in the paragraph below.]
Table 2
As shown in Table 2, the identity management dimension corresponding to this data analysis target model is authentication, and the second data specifically includes a login type, a user ID, a user name, a user type, a mobile phone number, an organization name, an organization name full path, an organization ID full path, authentication time, a client IP, a server IP, a browser, an application system, a login state, a failure reason, and the like, where the login type may include account, short message (SMS), enterprise WeChat, and the like; the login state may be success or failure; and the failure reason may include a password error, account expiry, a verification code error, a non-existent account, and the like.
Different user IDs correspond to different users, and the second data in the same row of Table 2 is the data generated when one user performs a login operation; the login operations of different users can be the same or different. For example, the user with user ID 1001 and user name Zhang San 1 logged in with an account and password on 2019-10-17.
[Table 3 appears on the original page only as an image; its columns are listed in the paragraph below.]
Table 3
As shown in Table 3, the identity management dimension corresponding to this data analysis target model is authorization, and the second data specifically includes a user type, a mobile phone number, an organization name, an organization code, an organization name full path, an organization ID full path, authorization time, an application system, an authority code, an authority name, an HR state, an IDM state, a data source, an account, a mailbox, an employee code, a Person ID, and the like.
The users of different user types may be employees of different departments of the same organization or employees of different organizations, and the authorized persons of the authority may be the same or different.
Step S132: and constructing business activity analysis models with different dimensions according to the at least one data analysis target model so as to analyze the business activities with different dimensions.
In the embodiment, the model definition engine is used for constructing the business activity analysis models with different dimensions according to the at least one data analysis target model so as to analyze the business activities with different dimensions.
Please refer to fig. 4, wherein fig. 4 is a first specific flowchart of step S132 in fig. 3. Specifically, the method comprises the following steps:
step S1321: and establishing an authority behavior model and an access behavior model according to the user authority behavior and the authority consumption behavior.
The business activity analysis model comprises an authority behavior model and an access behavior model, and the data model definition engine generates the authority behavior model and the access behavior model according to the user authority behavior and the authority consumption behavior.
Specifically, the user right behavior may specifically include right viewing, right application, right renewal, right release, right creation, right destruction, right disabling, right enabling, right validity modification, personnel authorization, organization authorization, group authorization, or post authorization, and the like, and the right consumption behavior may specifically include system login, menu function access, data access, and the like.
Step S1322: and training the authority behavior model and the access behavior model by adjusting the weight parameters.
The data model definition engine trains the authority behavior model and the access behavior model by adjusting the weight parameters, and finally obtains accurate analysis and behavior prejudgment of the user authority access track by continuously training the authority behavior model and the access behavior model.
For the process of performing data analysis according to the authority behavior model and the access behavior model, please refer to fig. 5, which is a second specific flowchart of step S132 in fig. 3. Specifically, the method comprises the following steps:
Step S1323: training a first correlation degree according to the authority behavior model.
In this embodiment, the correlation degree between user type and authorization is trained according to the authority behavior model by the intelligent analysis engine of the enterprise-level authority management system.
Step S1324: training a second correlation degree according to the access behavior model.
In this embodiment, the correlation degree between user type and access authority is trained according to the access behavior model by the intelligent analysis engine of the enterprise-level authority management system.
Step S1325: calculating the dynamic trajectory of the user authority access path according to the first correlation degree and the second correlation degree, so as to analyze and judge that dynamic trajectory.
In this embodiment, the intelligent analysis engine of the enterprise-level authority management system calculates the dynamic trajectory of the user authority access path from the user type/authorization correlation degree and the user type/access authority correlation degree, and analyzes and judges that dynamic trajectory.
Optionally, the training method for the first correlation degree and the second correlation degree includes a correlation algorithm that combines cosine correlation with the Pearson correlation coefficient.
The optimal dynamic trajectory of the user authority access path obtained for each personnel type can serve as an admission condition for authority operation risk control, so that under certain conditions users can be prevented from non-compliant authorization and access behavior.
Step S14: generating an authority relation portrait and/or a user authority consumption behavior image according to the data model and the second data, and using the user authority consumption behavior image as the enterprise authority standard.
In this embodiment, the authority relation portrait and/or the user authority consumption behavior image is generated according to the data model and the second data by the intelligent analysis engine of the enterprise-level authority management system.
For the specific process of generating the user authority consumption behavior image, please refer to fig. 6, which is a first specific flowchart of step S14 in fig. 1. Specifically, the method comprises the following steps:
Step S141: acquiring at least one first authority and at least one second authority of users of the same type as the current user according to the dynamic trajectory of the user authority access path.
The first authority is a commonly granted related authority, and the second authority is a most frequently accessed related authority.
Step S142: generating the user authority consumption behavior image according to the at least one first authority and the at least one second authority.
In this embodiment, the intelligent analysis engine computes the first correlation degree and the second correlation degree with the correlation algorithm, acquires at least one first authority and at least one second authority of users of the same type as the current user according to the dynamic trajectory of the user authority access path, and generates the user authority consumption behavior image from the first authority and the second authority.
Optionally, the at least one first authority may be M first authorities and the at least one second authority may be N second authorities, where M and N are integers and M may or may not equal N.
In this embodiment, the user authority consumption behavior image generated by the intelligent analysis engine is used as the input to enterprise authority standardization, which prevents authority settings that are too broad or too narrow, brings confused authority data under effective management, and lands standardized authority management.
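The correlation training of steps S1323 to S1325 and the behavior image of steps S141 and S142, as an added worked example that is not code from the patent: a user's grants and access counts are correlated against the profile of their user type with a combined cosine/Pearson score, the top-M commonly granted and top-N most accessed rights of same-type users form the consumption behavior image, and a user's grants are compared with that image to flag settings that are too broad or too narrow. The rights, users, counts, and the mean-of-the-two combination rule are assumptions, since the patent does not fix them.

```python
"""Added example (not the patent's code): peer-profile correlation and a user
authority consumption behavior image. Assumptions: authority behavior is a 0/1
vector over granted rights, consumption behavior a vector of access counts, the
cosine/Pearson "combination" is their mean, and the image is the top-M most
commonly granted plus top-N most accessed rights of same-type users."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed rights vocabulary; names follow the patent's table-five examples.
RIGHTS = ["news_edit", "news_publish", "news_submit", "news_archive",
          "user_admin", "data_export"]

@dataclass
class UserRecord:
    user_id: str
    user_type: str           # user type label from the user label system model
    granted: set             # authority behavior: rights currently held
    access_counts: dict = field(default_factory=dict)  # consumption behavior

    def grant_vector(self):
        return [1.0 if r in self.granted else 0.0 for r in RIGHTS]

    def access_vector(self):
        return [float(self.access_counts.get(r, 0)) for r in RIGHTS]

def cosine(a, b):
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:   # all-zero vector: no direction to compare
        return 0.0
    return sum(x * y for x, y in zip(a, b)) / (na * nb)

def pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    da, db = [x - ma for x in a], [y - mb for y in b]
    sa, sb = math.sqrt(sum(d * d for d in da)), math.sqrt(sum(d * d for d in db))
    if sa == 0.0 or sb == 0.0:   # constant vector: coefficient undefined
        return 0.0
    return sum(x * y for x, y in zip(da, db)) / (sa * sb)

def combined_correlation(a, b):
    """Assumed combination rule: mean of cosine and Pearson, range [-1, 1]."""
    return (cosine(a, b) + pearson(a, b)) / 2.0

def type_profiles(users):
    """Per user type: mean grant vector and mean access vector of its members."""
    groups = defaultdict(list)
    for u in users:
        groups[u.user_type].append(u)
    profiles = {}
    for t, members in groups.items():
        n, k = len(members), len(RIGHTS)
        grant = [sum(u.grant_vector()[i] for u in members) / n for i in range(k)]
        access = [sum(u.access_vector()[i] for u in members) / n for i in range(k)]
        profiles[t] = (grant, access)
    return profiles

def correlations_to_type(user, profiles, user_type):
    """(first correlation: grants vs type grant profile, second: accesses vs access profile)."""
    grant_prof, access_prof = profiles[user_type]
    return (combined_correlation(user.grant_vector(), grant_prof),
            combined_correlation(user.access_vector(), access_prof))

def behavior_image(users, user_type, m=3, n=2):
    """First authorities: the m rights most commonly granted to same-type users;
    second authorities: the n rights they access most. Ties break by name."""
    peers = [u for u in users if u.user_type == user_type]
    grant_counts = Counter(r for u in peers for r in u.granted)
    access_totals = Counter()
    for u in peers:
        access_totals.update(u.access_counts)
    first = sorted(grant_counts, key=lambda r: (-grant_counts[r], r))[:m]
    second = sorted(access_totals, key=lambda r: (-access_totals[r], r))[:n]
    return first, second

def standardization_findings(user, first, second):
    """Held rights outside the image (too broad) and image rights not held (too narrow)."""
    image = set(first) | set(second)
    return sorted(user.granted - image), sorted(image - user.granted)

# Constructed sample population: three editors and one administrator.
SAMPLE_USERS = [
    UserRecord("e1", "editor", {"news_edit", "news_publish", "news_submit"},
               {"news_edit": 40, "news_submit": 25, "news_publish": 10}),
    UserRecord("e2", "editor", {"news_edit", "news_submit", "news_archive"},
               {"news_edit": 35, "news_submit": 20, "news_archive": 3}),
    UserRecord("e3", "editor", {"news_edit", "news_submit", "news_publish", "data_export"},
               {"news_edit": 30, "news_submit": 22, "news_publish": 8}),
    UserRecord("a1", "admin", {"user_admin", "data_export"}, {"user_admin": 50, "data_export": 5}),
]
```

On the sample population, the editor image is the three news rights, editor e3's never-accessed data_export grant is reported as a too-broad setting, and the administrator scores a negative correlation against the editor profile.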
Please refer to fig. 7, which is a second flowchart of step S14 in fig. 1. Specifically, the method comprises the following steps:
Step S143: establishing a user label system model and an authority label system model according to the second data.
The data model further comprises a user label system model and an authority label system model, which the model definition engine generates according to the second data; the two models are shown in table four and table five respectively.
Table four (image not reproduced; its contents are described below)
As shown in table four, the second data of the user label system model specifically includes an object, a label classification, a label name, a label value, a rule definition and a remark. The label names include a user type label, a user position label and a user organization label, and the label values of the user type label include internal user, authentication user, S type user, class employee user, public account, administrator type, platform user, campus set administrator, enterprise set administrator, campus administrator, enterprise administrator, public service provider user and the like, each corresponding to a different rule definition.
Table five (image not reproduced; its contents are described below)
As shown in table five, the second data of the authority label system model specifically includes an authority number, an authority name, an authority behavior preference, an authorization behavior preference, a consumption behavior preference, an authority post preference, an affiliated application and an affiliated business domain. Authority names include news editing, news publishing, news submission, news archiving and the like; authority behavior preference includes application, renewal, release, creation, destruction, enabling, disabling and the like; authorization behavior preference includes personnel authorization, post authorization, organization authorization, group authorization and the like; consumption behavior preference includes system login, menu access, data access and the like; authority post preference includes research and development, marketing, business and the like; the affiliated application may be knowledge management or another application; the affiliated business domain may be office informatization or another domain.
Step S144: generating an authority relation portrait according to the user label system model and the authority label system model.
The intelligent analysis engine generates the authority relation portrait according to the user label system model and the authority label system model, and through different authority relation portraits the enterprise-level authority management system can exercise macro-level regulation and control over data of different weights.
Specifically, according to the user label system model the intelligent analysis engine can generate relation portraits of a user's department, post, function, age stage, frequent stops, commonly used authorities, frequently logged-in applications, unused authorities, active time periods and the like, and according to the authority label system model it can generate relation portraits of the application an authority belongs to, authority creation, authority disabling, authority enabling, the post personnel to whom it is generally granted, the people who use it frequently, how often it is used, authority importance and the like.
In this way, the user authority consumption behavior image is used as the input to enterprise authority standardization, such as standardized post definition or other standardization; an authority standardization management suggestion report can be obtained, a corresponding adjustment strategy is added on the basis of the report, authority settings that are too broad or too narrow are prevented, confused authority data is effectively managed, and intelligent, standardized authority management is finally landed.
Referring to fig. 8, fig. 8 is a block diagram of an embodiment of an enterprise-level rights management system according to the present application. As shown in fig. 8, the enterprise-level rights management system 20 of the present embodiment includes a full-end acquisition engine 21, a transformation filtering engine 22, a model definition engine 23, and an intelligent analysis engine 24.
The conversion filtering engine 22 is connected with the full-end acquisition engine 21 through multiple channels, the model definition engine 23 is connected with the conversion filtering engine 22, and the intelligent analysis engine 24 is connected with the model definition engine 23.
As shown in fig. 8, the full-end collection engine 21 is configured to collect first data related to full-end rights of the enterprise-level rights management system 20, the conversion filter engine 22 is configured to perform parallel filtering processing on the first data based on a filter rule corresponding to multiple channels to obtain second data, the model definition engine 23 is configured to build a data model according to the second data, and the intelligent analysis engine 24 is configured to generate a user rights consumption behavior image and/or a rights relation representation according to the data model.
With further reference to fig. 9 in conjunction with fig. 8, fig. 9 is a block diagram of another embodiment of the enterprise-level rights management system of the present application. On the basis of the foregoing embodiment, the enterprise-level rights management system 20 of this embodiment further includes a data storage engine 25 and an associated completion engine 26, where the data storage engine 25 is connected to the conversion filtering engine 22 and is configured to store the second data, and the associated completion engine 26 is respectively connected to the data storage engine 25 and the model definition engine 23 and is configured to complete the second data.
Referring to fig. 10, fig. 10 is a schematic diagram of the framework of an embodiment of an electronic device according to the present application. The electronic device 30 comprises a memory 31 and a processor 32 coupled to each other, the processor 32 being configured to execute program instructions stored in the memory 31 to implement the steps in any of the above-described embodiments of the enterprise-level rights management method. In one particular implementation scenario, the electronic device 30 may include, but is not limited to, a microcomputer or a server, and may also be a mobile device such as a notebook computer or a tablet computer, which is not limited here.
In particular, the processor 32 is configured to control itself and the memory 31 to implement the steps in any of the above-described embodiments of the enterprise-level rights management method. The processor 32 may also be referred to as a CPU (Central Processing Unit). The processor 32 may be an integrated circuit chip with signal processing capability. The processor 32 may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. In addition, the processor 32 may be implemented jointly by several integrated circuit chips.
Referring to fig. 11, fig. 11 is a block diagram illustrating an embodiment of a computer readable storage medium according to the present application. The computer readable storage medium 40 stores program instructions 41 capable of being executed by a processor, the program instructions 41 for implementing the steps in any of the above-described method embodiments of enterprise-level rights management.
In some embodiments, the functions or modules included in the apparatus provided in this embodiment may be used to execute the method described in the above method embodiment; for their specific implementation, refer to the description of the above method embodiment, which is not repeated here for brevity.
The foregoing description of each embodiment emphasizes its differences from the others; the parts that are the same or similar can be referenced with one another and are not repeated here for brevity.
In the several embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative, and for example, a division of a module or a unit is merely one type of logical division, and an actual implementation may have another division, for example, a unit or a component may be combined or integrated with another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of devices or units through some interfaces, and may be in an electrical, mechanical or other form.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present application, in essence or in the part that contributes over the prior art, or all or part of the technical solution, may be embodied in a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above embodiments are merely examples, and not intended to limit the scope of the present application, and all modifications, equivalents, and flow charts using the contents of the specification and drawings of the present application, or those directly or indirectly applied to other related arts, are included in the scope of the present application.

Claims (10)

1. A method of enterprise-level rights management, comprising:
collecting first data related to enterprise-level rights management from different sources;
filtering the first data to obtain second data;
establishing a data model according to the second data;
generating an authority relation portrait and/or a user authority consumption behavior image according to the data model and the second data, and using the user authority consumption behavior image as an enterprise authority standard.
2. The method of claim 1, wherein the step of establishing a data model according to the second data comprises:
acquiring a plurality of data analysis target models corresponding to a plurality of identity management dimensions;
constructing business activity analysis models of different dimensions according to at least one data analysis target model so as to analyze business activities of different dimensions.
3. The method of claim 2, wherein the step of constructing business activity analysis models of different dimensions according to at least one of the data analysis target models so as to analyze business activities of different dimensions comprises:
establishing an authority behavior model and an access behavior model according to user authority behavior and authority consumption behavior;
training the authority behavior model and the access behavior model by adjusting weight parameters.
4. The method of claim 3, wherein the step of constructing business activity analysis models of different dimensions according to at least one of the data analysis target models so as to analyze business activities of different dimensions further comprises:
training a first correlation degree according to the authority behavior model, wherein the first correlation degree is the correlation degree between a user type and authorization;
training a second correlation degree according to the access behavior model, wherein the second correlation degree is the correlation degree between the user type and access authority;
calculating a dynamic trajectory of the user authority access path according to the first correlation degree and the second correlation degree so as to analyze and judge the dynamic trajectory;
wherein the training method of the first correlation degree and the second correlation degree comprises a correlation algorithm combining cosine correlation with the Pearson correlation coefficient.
5. The method of claim 4, wherein the step of generating an authority relation portrait and/or a user authority consumption behavior image according to the data model and the second data comprises:
acquiring at least one first authority and at least one second authority of a user of the same type as the current user according to the dynamic trajectory of the user authority access path, the first authority being a commonly granted related authority and the second authority being a most frequently accessed related authority;
generating the user authority consumption behavior image according to the at least one first authority and the at least one second authority.
6. The method of claim 1, wherein the step of generating an authority relation portrait and/or a user authority consumption behavior image according to the data model and the second data comprises:
establishing a user label system model and an authority label system model according to the second data;
generating the authority relation portrait according to the user label system model and the authority label system model.
7. The method of claim 1, further comprising:
storing the second data;
performing completion calculation and data extraction processing on the second data.
8. An enterprise-level rights management system, comprising:
a full-end acquisition engine for acquiring first data related to the full-end authority of the enterprise-level rights management system;
a conversion filtering engine for performing parallel filtering processing on the first data based on a filtering rule corresponding to multiple channels to obtain second data;
a model definition engine for establishing a data model according to the second data; and
an intelligent analysis engine for generating a user authority consumption behavior image and/or an authority relation portrait according to the data model and the second data.
9. An electronic device comprising a memory and a processor coupled to each other, the processor being configured to execute program instructions stored in the memory to implement the method of enterprise-level rights management of any of claims 1-7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program which, when executed by a processor, implements the method of enterprise-level rights management of any of claims 1-7.
CN202111661817.XA 2021-12-31 2021-12-31 Enterprise-level authority management method, system, electronic equipment and storage medium Active CN115292272B (en)


Publications (2)

Publication Number Publication Date
CN115292272A true CN115292272A (en) 2022-11-04
CN115292272B CN115292272B (en) 2023-07-07

Family

ID=83818731


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 528311 3rd Floor, Building 5, Midea Global Innovation Center, Industrial Avenue, Beijiao Town, Shunde District, Foshan City, Guangdong Province

Applicant after: Meiyun Zhishu Technology Co.,Ltd.

Address before: 528311 3rd Floor, Building 5, Midea Global Innovation Center, Industrial Avenue, Beijiao Town, Shunde District, Foshan City, Guangdong Province

Applicant before: Guangdong Meiyun Zhishu Technology Co.,Ltd.

GR01 Patent grant