CN117313051A - Multi-tenant unified authority management method, system, device and storage medium - Google Patents


Info

Publication number
CN117313051A
Authority
CN
China
Prior art keywords
user
application
tenant
information
authentication
Prior art date
Legal status
Granted
Application number
CN202311178913.8A
Other languages
Chinese (zh)
Other versions
CN117313051B (en)
Inventor
谭松荣
谢光勇
刁建伟
刘伟
Current Assignee
iMusic Culture and Technology Co Ltd
Original Assignee
iMusic Culture and Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by iMusic Culture and Technology Co Ltd
Priority to CN202311178913.8A
Publication of CN117313051A
Application granted
Publication of CN117313051B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/31 User authentication
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals › G06F21/45 Structures or tools for the administration of authentication
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/60 Protecting data › G06F21/604 Tools and structures for managing or administering access control systems

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a multi-tenant unified authority management method, system, device and storage medium, comprising the following steps: matching in a preset user database according to a tenant adding operation to obtain a first user, and adding the first user as a tenant of an authentication and authorization center; creating a plurality of first applications according to an application configuration operation, and configuring corresponding authority information and role information for the first applications; matching in the user database according to a user adding operation to obtain a second user, and distributing the authority and the role of the first application to the second user according to the authority information and the role information to generate user authorization information; and logging in an application page of the first application according to an application login operation, and determining the operation authority of the second user on the application page according to the user authorization information. The invention improves the efficiency of service development and application system management, enhances the security of the application system, and can be widely applied in the technical field of application system management.

Description

Multi-tenant unified authority management method, system, device and storage medium
Technical Field
The invention relates to the technical field of application system management, in particular to a multi-tenant unified authority management method, system, device and storage medium.
Background
Current business application systems each need their own login permission module to be developed, so developers repeat the same work and the workload is redundant, wasting human and system resources. Because each application system carries an independent login permission module, a separate module must be maintained for every system, which increases maintenance cost and security risk. In the existing service development flow, public application components are poorly reusable and are hard to share and multiplex, which affects the efficiency of service development and application system management.
Disclosure of Invention
The present invention aims to solve at least one of the technical problems existing in the prior art to a certain extent.
Therefore, an object of the embodiments of the present invention is to provide a multi-tenant unified rights management method, which improves the efficiency of service development and application system management, and enhances the security of an application system.
Another object of the embodiment of the invention is to provide a multi-tenant unified rights management system.
In order to achieve the technical purpose, the technical scheme adopted by the embodiment of the invention comprises the following steps:
in a first aspect, an embodiment of the present invention provides a multi-tenant unified rights management method, including the following steps:
Acquiring tenant adding operation of a system administrator in an authentication and authorization center, and matching the tenant adding operation in a preset user database to obtain a first user, so as to add the first user as a tenant of the authentication and authorization center;
acquiring application configuration operation of the tenant in the authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding authority information and role information for the first applications;
acquiring user adding operation of the tenant in the authentication and authorization center, matching the user adding operation in the user database to obtain a second user, and further distributing the authority and the role of the first application to the second user according to the authority information and the role information to generate user authorization information;
and acquiring an application login operation of the second user in the authentication and authorization center, logging in an application page of the first application according to the application login operation, and further determining the operation authority of the second user in the application page according to the user authorization information.
Further, in one embodiment of the present invention, the step of obtaining a tenant adding operation of the system administrator in the authentication and authorization center, and matching the tenant adding operation in a preset user database to obtain a first user, and further adding the first user as a tenant of the authentication and authorization center specifically includes:
Responding to tenant adding operation of the system administrator in the authentication and authorization center, and determining a first user ID according to the tenant adding operation;
and matching in the user database according to the first user ID to obtain a first user, further adding the first user as the tenant of the authentication and authorization center, generating corresponding tenant account information and sending the corresponding tenant account information to the tenant.
Further, in an embodiment of the present invention, the application configuration operation includes an application registration operation, an authority definition operation, and a role definition operation, and the step of obtaining an application configuration operation of the tenant at the authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding authority information and role information for the first applications specifically includes:
logging in the authentication and authorization center according to the tenant account information;
responding to the application registration operation of the tenant in the authentication and authorization center, determining a first application address and a first authentication scheme according to the application registration operation, further creating the first application according to the first application address and the first authentication scheme, and generating a first attribution relation between the first application and the tenant;
Responding to the authority definition operation of the tenant in the authentication and authorization center, determining a first authority name and a first authority description according to the authority definition operation, configuring the authority information for the first application according to the first authority name and the first authority description, and generating a second attribution relation between the authority information and the first application;
responding to role definition operation of the tenant in the authentication and authorization center, determining a first role name and a first role description according to the role definition operation, configuring the role information and the authority information corresponding to the role information for the first application according to the first role name and the first role description, and generating a third attribution relationship between the role information and the first application.
Further, in an embodiment of the present invention, the step of obtaining a user adding operation of the tenant in the authentication and authorization center, and matching the user adding operation in the user database to obtain a second user, and further distributing the authority and role of the first application to the second user according to the authority information and the role information, and generating user authorization information specifically includes:
Responding to user adding operation of the tenant in the authentication and authorization center, and determining a second user ID according to the user adding operation;
matching in the user database according to the second user ID to obtain a second user, further distributing the role of the first application to the second user according to the role information, and distributing the authority of the first application to the second user according to the authority information corresponding to the role;
generating user authorization information of the second user according to the second user ID, the corresponding first attribution relation, the second attribution relation and the third attribution relation, generating corresponding user account information and sending the user account information to the second user.
Further, in one embodiment of the present invention, the step of obtaining an application login operation of the second user at the authentication and authorization center, logging in an application page of the first application according to the application login operation, and further determining an operation authority of the second user at the application page according to the user authorization information specifically includes:
responding to the application login operation of the second user in the authentication and authorization center, logging in the first application according to the user account information, and returning to an application page of the first application through the authentication and authorization center;
Determining the first application currently logged in by the second user and the role information and the authority information corresponding to the second user according to the user authorization information;
and determining the operation authority of the second user on the application page according to the determined role information and the authority information, and endowing the second user with the corresponding function of accessing the first application.
Further, in one embodiment of the present invention, the multi-tenant unified rights management method further includes the steps of:
and acquiring tenant editing operation of the system administrator in the authentication and authorization center, and modifying or deleting the first application created by the tenant according to the tenant editing operation.
Further, in one embodiment of the present invention, the multi-tenant unified rights management method further includes the steps of:
and acquiring user editing operation of the system administrator or the tenant in the authentication and authorization center, and modifying or deleting the authority information and the role information corresponding to the second user according to the user editing operation.
In a second aspect, an embodiment of the present invention provides a multi-tenant unified rights management system, including:
The tenant adding module is used for acquiring tenant adding operation of a system administrator in an authentication and authorization center, and matching the tenant adding operation in a preset user database to obtain a first user according to the tenant adding operation, so that the first user is added as the tenant of the authentication and authorization center;
the application configuration module is used for acquiring application configuration operation of the tenant in the authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding authority information and role information for the first applications;
the user adding module is used for acquiring user adding operation of the tenant in the authentication and authorization center, matching the user adding operation in the user database to obtain a second user, and further distributing the authority and the role of the first application to the second user according to the authority information and the role information to generate user authorization information;
the application login module is used for acquiring the application login operation of the second user at the authentication and authorization center, logging in the application page of the first application according to the application login operation, and further determining the operation authority of the second user at the application page according to the user authorization information.
In a third aspect, an embodiment of the present invention provides a multi-tenant unified rights management device, including:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement a multi-tenant unified rights management method as described above.
In a fourth aspect, an embodiment of the present invention further provides a computer readable storage medium, in which a processor executable program is stored, where the processor executable program is used to perform a multi-tenant unified rights management method as described above when executed by a processor.
The advantages and benefits of the invention will be set forth in part in the description which follows, and in part will be obvious from the description, or may be learned by practice of the invention.
The embodiment of the invention can realize unified identity authentication and authorization management of multiple tenants, and an administrator can intensively manage each application and user identity authentication and authorization change at a central position, thereby improving the efficiency of service development and application system management; the manager can carry out authorization management on each user and each application based on role-based access control, application-based division and fine-granularity authorization management, so that the access security and privacy of an application system are enhanced.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the following description will refer to the drawings that are needed in the embodiments of the present invention, and it should be understood that the drawings in the following description are only for convenience and clarity to describe some embodiments in the technical solutions of the present invention, and other drawings may be obtained according to these drawings without any inventive effort for those skilled in the art.
Fig. 1 is a flowchart of steps of a multi-tenant unified rights management method according to an embodiment of the present invention;
fig. 2 is a schematic view of a scenario of a multi-tenant unified rights management method according to an embodiment of the present invention;
fig. 3 is a data flow chart of a multi-tenant unified rights management method according to an embodiment of the present invention;
fig. 4 is a block diagram of a multi-tenant unified rights management system according to an embodiment of the present invention;
fig. 5 is a block diagram of a multi-tenant unified rights management device according to an embodiment of the present invention.
Detailed Description
Embodiments of the present invention are described in detail below, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to like or similar elements or elements having like or similar functions throughout. The embodiments described below by referring to the drawings are illustrative only and are not to be construed as limiting the invention. The step numbers in the following embodiments are set for convenience of illustration only, and the order between the steps is not limited in any way, and the execution order of the steps in the embodiments may be adaptively adjusted according to the understanding of those skilled in the art.
In the description of the present invention, the plurality means two or more, and if the description is made to the first and second for the purpose of distinguishing technical features, it should not be construed as indicating or implying relative importance or implicitly indicating the number of the indicated technical features or implicitly indicating the precedence of the indicated technical features. Furthermore, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art.
Referring to fig. 1, an embodiment of the present invention provides a multi-tenant unified rights management method, which specifically includes the following steps:
s101, acquiring tenant adding operation of a system administrator in an authentication and authorization center, and matching in a preset user database according to the tenant adding operation to obtain a first user, so that the first user is added as a tenant of the authentication and authorization center;
s102, acquiring application configuration operation of a tenant in an authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding authority information and role information for the first applications;
s103, acquiring user adding operation of the tenant in the authentication and authorization center, matching in a user database according to the user adding operation to obtain a second user, and further distributing the authority and role of the first application to the second user according to the authority information and the role information to generate user authorization information;
S104, acquiring application login operation of the second user in the authentication and authorization center, logging in an application page of the first application according to the application login operation, and further determining the operation authority of the second user in the application page according to the user authorization information.
Specifically, the application system of the embodiment of the invention mainly comprises a system server side and a background management side. The system server side is the core of the application system; it processes the requests of registered applications and provides the corresponding functions and data, and comprises the following components and functions:
Data storage layer: the server side interacts with the data storage layer to read and store the information and calling authority of the calling party.
Authentication and authorization layer: the server side verifies the identity of the application and the corresponding user and manages their access rights to resources. User authentication information and authority information are stored in a database, and identity authentication and authorization are performed when a request is received.
Authorization operation: after the user information is verified, the server side obtains the corresponding tenant information and application authority information from the logged-in service information and the user information, obtains the corresponding role information by matching the application with the user, derives the bound authority from that role and application, and returns it to the client side.
The background management end is an independent interface or application program dedicated to tasks such as system configuration, application configuration, authority configuration and data maintenance, and provides the following functions:
User management: the background management end allows an administrator to create, edit and delete tenant users and to assign them different rights and roles, and allows tenants to create, edit and delete users and assign different rights and roles per application.
Data management: the tenant can use the background management end to manage and maintain users' personal information and call authority, including viewing, editing and deleting.
The authentication and authorization center of the embodiment of the invention refers to a system for centralized management and control of user authentication and authorization inside enterprises or among organizations, and improves the safety and management efficiency of the enterprises by centralized management of user identity information, authority grant and access control, and specifically provides the following functions:
user identity authentication: the identity of the user is verified through various identity authentication modes, such as: user name/password, certificate, single sign-on, etc.
User rights management: the authorization management can be carried out on the user, and resources, modules, operation authorities and the like which can be accessed by the user in the system are defined.
Token: a token refers to a type of credential with specific access rights that helps a user to control access in multiple systems.
Identity provider: responsible for authenticating the identity of the user and issuing a token. Common identity providers are AD, LDAP, etc.
Service provider: providing rights management and access control for services.
Authentication and authorization center login flow: the user logs in the client which is accessed to the authentication and authorization center, inputs an account number and a password, and the server checks service and account number and password information and returns the application authorization information and corresponding permission information to the client.
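The login flow above ends with the center returning application authorization information and permission information to the client, and the description earlier calls such a credential a token. The following is an added example, not code from the patent or its applicant, of how a center could bind that information into a signed token and how the receiving application should verify it. The key, the claim names (sub, tenant, aud, role, perms, exp) and the HMAC-SHA256 format are this example's assumptions; the point it demonstrates is that the application must check not only the signature and expiry but also that the token was issued for this application, so a token issued for one registered application grants nothing on another.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared between the center and the application (assumption,
# never use a literal key like this in a real deployment).
CENTER_KEY = b"constructed-demo-key-do-not-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, tenant_id, app_id, role, permissions, ttl=3600, now=None, key=CENTER_KEY):
    """Center side: bind one user's authorization info for ONE application into a token."""
    now = time.time() if now is None else now
    claims = {
        "sub": user_id,          # the logged-in user
        "tenant": tenant_id,     # tenant that owns the application
        "aud": app_id,           # the application this token is valid for
        "role": role,
        "perms": sorted(permissions),
        "exp": int(now) + ttl,   # expiry, absolute Unix time
    }
    payload = b64url(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return payload + "." + b64url(sig)


def verify_token(token, expected_app_id, now=None, key=CENTER_KEY):
    """Application side: return the claims, or None if the token must not be honoured."""
    try:
        payload, sig = token.split(".")
    except ValueError:
        return None                      # malformed token
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        return None                      # signature does not match: tampered or forged
    claims = json.loads(unb64url(payload))
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None                      # expired
    if claims["aud"] != expected_app_id:
        return None                      # issued for a different registered application
    return claims


def has_permission(claims, perm):
    """Per-request authorization check against the permission list carried in the token."""
    return claims is not None and perm in claims["perms"]
```

The signature is checked before the payload is parsed, so a tampered token never reaches the JSON decoder, and the audience check is what keeps a token scoped to the application it was issued for rather than to every application the tenant registered.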
The embodiment of the invention solves the technical problems that the traditional identity verification system is complicated in managing the user rights and lacks centralized management for rights management among different application systems, provides centralized rights authentication and authorization centers for applications, and uniformly maintains application authorization and management rights information through the authentication and authorization centers.
Fig. 2 is a schematic diagram of a scenario of a multi-tenant unified rights management method according to an embodiment of the present invention. It can be appreciated that there are three types of users in the application system of the embodiments of the present invention:
1. The system administrator manages the tenants of the platform, is responsible for security auditing of users accessing the digital applications, and can shut down abnormal users or applications with one key;
2. The tenant manages the digital applications accessed through the unified authority management platform, defines authorities and roles for the applications, and distributes application roles to the users who need the digital applications;
3. The user logs in through the platform to use the digital application and obtains the authority to access it.
Further as an optional implementation manner, the step of obtaining a tenant adding operation of the system administrator in the authentication and authorization center, and matching the tenant adding operation in a preset user database to obtain a first user, and further adding the first user as a tenant of the authentication and authorization center specifically includes:
s1011, responding to the tenant adding operation of a system administrator in an authentication and authorization center, and determining a first user ID according to the tenant adding operation;
s1012, matching is carried out in a user database according to the first user ID to obtain a first user, the first user is further added as the tenant of the authentication and authorization center, and corresponding tenant account information is generated and sent to the tenant.
Specifically, a system administrator queries the user database at the management end of the authentication and authorization center and selects a user to add as a tenant of the authentication and authorization center.
Further as an optional implementation manner, the application configuration operation includes an application registration operation, an authority definition operation and a role definition operation, and the steps of obtaining an application configuration operation of the tenant in the authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding authority information and role information for the first applications specifically include:
S1021, logging in an authentication and authorization center according to tenant account information;
s1022, responding to the application registration operation of the tenant in the authentication and authorization center, determining a first application address and a first authentication scheme according to the application registration operation, further creating a first application according to the first application address and the first authentication scheme, and generating a first attribution relation between the first application and the tenant;
s1023, responding to the authority definition operation of the tenant in the authentication and authorization center, determining a first authority name and a first authority description according to the authority definition operation, configuring authority information for a first application according to the first authority name and the first authority description, and generating a second attribution relation between the authority information and the first application;
s1024, responding to role definition operation of the tenant in the authentication and authorization center, determining a first role name and a first role description according to the role definition operation, further configuring role information and authority information corresponding to the role information for the first application according to the first role name and the first role description, and generating a third attribution relationship between the role information and the first application.
Fig. 3 is a data flow chart of a multi-tenant unified rights management method according to an embodiment of the present invention. In the embodiment of the invention, the tenant can log in the management end of the authentication and authorization center, register the digital application accessed by the tenant, and fill in the URL address and authentication scheme (such as multi-factor authentication, authentication UI style and the like) of the digital application. After submission, the system stores the application data, generates a unique identification of the application, and the attribution relationship of the application and the tenant. The tenant can only access the application created by itself, but cannot access the applications created by other tenants.
After the tenant registers the application, the tenant begins defining permissions for the application. The tenant selects a registered application, fills in the authority name and the authority description, and generates an authority unique identifier (UUID) and the attribution relation between the authority and the application after submitting.
After the tenant has defined all the rights of the application, a role may be defined for the application. The tenant selects a registered application and fills in a role name and a role description; the system displays the full authority list of the application, the tenant selects one or more authorities, and after submission the system generates a role unique identifier (UUID) and an attribution relation between the role and the application.
Further as an optional implementation manner, the step of obtaining a user adding operation of the tenant in the authentication and authorization center, and obtaining a second user by matching in a user database according to the user adding operation, and further distributing the authority and role of the first application to the second user according to the authority information and the role information, and generating user authorization information specifically includes:
s1031, responding to user adding operation of the tenant in the authentication and authorization center, and determining a second user ID according to the user adding operation;
s1032, matching is carried out in a user database according to the second user ID to obtain a second user, then a role of the first application is allocated to the second user according to the role information, and the authority of the first application is allocated to the second user according to the authority information corresponding to the role;
S1033, generating user authorization information of the second user according to the second user ID, the corresponding first attribution relation, the second attribution relation and the third attribution relation, and generating corresponding user account information to send to the second user.
Specifically, after the tenant has defined the roles of the application, a role may be assigned to a user. The tenant looks up the user who is to be granted access to the application in the user database, selects one of the digital applications registered by the tenant, selects a role belonging to that application, and after submission the system generates the attribution relation between the user, the digital application and the role.
Further as an optional implementation manner, the step of obtaining an application login operation of the second user at the authentication and authorization center, logging in an application page of the first application according to the application login operation, and further determining an operation authority of the second user at the application page according to the user authorization information specifically includes:
S1041, responding to an application login operation of a second user in an authentication and authorization center, logging in a first application according to user account information, and returning to an application page of the first application through the authentication and authorization center;
S1042, determining a first application currently logged in by a second user and role information and authority information corresponding to the second user according to user authorization information;
S1043, determining the operation authority of the second user on the application page according to the determined role information and the authority information, and giving authority to the second user to access the corresponding function of the first application.
Specifically, the user accesses the authentication and authorization center through the integrated authentication and authorization center client. When the user accesses the digital application through the browser, the authentication and authorization center client integrated in the digital application detects that the user is not logged in, redirects to the authentication and authorization center, and displays a login page.
The user logs in to the authentication and authorization center and is verified according to the authentication scheme filled in when the digital application was registered: either account and password alone, or multi-factor verification such as account and password plus an SMS verification code. After a successful login, the authentication and authorization center redirects back to the digital application and, through the back end, returns to the digital application the list of roles and authorities that the currently logged-in user holds in that application. This list is obtained by querying the attribution relations between the user, the logged-in application and the roles, using the current user and the digital application being logged in to. The digital application then grants the user access to the specific functions of the application according to the role and authority list returned by the authentication and authorization center.
Further as an optional implementation manner, the multi-tenant unified rights management method further includes the following steps:
S105, acquiring tenant editing operation of a system administrator in an authentication and authorization center, and modifying or deleting a first application created by a tenant according to the tenant editing operation.
Further as an optional implementation manner, the multi-tenant unified rights management method further includes the following steps:
S106, acquiring user editing operation of a system administrator or tenant in the authentication and authorization center, and modifying or deleting authority information and role information corresponding to the second user according to the user editing operation.
In the embodiment of the invention, the tenant assigns a role to the user, the role binds authorities, and the authorities bind the application; after the user passes verification, all operation authority information of that user under the application is returned. Identity authentication and authorization management of the user is thus realized through this dynamic binding.
The authentication and authorization center provides an authority management function: the tenant can create authorities as required and carry out authorization management for its own applications. Determining authority names and descriptions: a unique name and description are defined for the newly added authority, a unique UUID is generated, and the application to which the authority belongs is determined. Users bind roles and roles bind the application, ensuring that only users of that application can obtain its authorities. Binding roles to the application ensures that only users of the application who hold the authority can perform the related operations, and guarantees the uniqueness of the authority.
The multi-tenant design allows the persons responsible for each digital application to use the platform to manage their own applications separately and to design specific authorities and roles for each application, without having to build a separate set of user and authority management functions for every application. The tenant can modify part of an authority's information in the system, while important attributes of the authority are checked and protected, so that authority allocation and revocation are effectively controlled and management efficiency and security are improved.
The tenant can configure account authorization at fine granularity, such as assigning roles, binding authorities and setting access control for the account; single-action enabling and disabling of particular authorities of an account is also supported, allowing authorities to be quickly recovered or invalidated, which improves management efficiency and security.
The method steps of the embodiments of the present invention are described above. It can be understood that the embodiment of the invention realizes unified identity authentication and authorization management for multiple tenants: an administrator can centrally manage each application and every change to user identity authentication and authorization from a single place, which improves the efficiency of service development and application system management; and the administrator can carry out authorization management for each user and application on the basis of role-based access control, per-application separation and fine-grained authorization management, which enhances the access security and privacy of the application systems.
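The binding chain described above (application belongs to tenant, authority belongs to application, role belongs to application and binds that application's authorities, user is given a role in an application) and the tenant-isolation rule of Fig. 3 can be modelled in a few dozen lines. The following Python is an added illustration, not the patent's own code; AuthCenter and its method names are assumptions, and credential verification is abstracted into a boolean so the example focuses on the attribution lookups of steps S1041 to S1043.

```python
# Added illustration, not the patent's own code.  AuthCenter and its method
# names are assumed for this example; the three attribution relations and the
# tenant-isolation rule follow the description of Fig. 3.
from __future__ import annotations

import uuid
from dataclasses import dataclass, field


@dataclass
class Application:
    app_id: str
    tenant_id: str            # first attribution relation: application -> tenant
    url: str
    auth_scheme: str          # e.g. "password+sms" (constructed value)
    # second attribution relation: authority UUID -> (name, description)
    permissions: dict[str, tuple[str, str]] = field(default_factory=dict)
    # third attribution relation: role UUID -> (name, description, authority UUIDs),
    # where every bound authority must belong to this same application
    roles: dict[str, tuple[str, str, set[str]]] = field(default_factory=dict)


class AuthCenter:
    def __init__(self) -> None:
        self.tenants: set[str] = set()
        self.apps: dict[str, Application] = {}
        # user/application/role attribution: (user_id, app_id) -> role UUIDs
        self.user_roles: dict[tuple[str, str], set[str]] = {}

    def add_tenant(self, user_id: str) -> None:
        self.tenants.add(user_id)

    def _owned_app(self, tenant_id: str, app_id: str) -> Application:
        """Tenant isolation: a tenant may only act on applications it created."""
        app = self.apps.get(app_id)
        if app is None or app.tenant_id != tenant_id:
            raise PermissionError(f"tenant {tenant_id} does not own application {app_id}")
        return app

    def register_application(self, tenant_id: str, url: str, auth_scheme: str) -> str:
        if tenant_id not in self.tenants:
            raise PermissionError(f"{tenant_id} is not a tenant")
        app_id = str(uuid.uuid4())
        self.apps[app_id] = Application(app_id, tenant_id, url, auth_scheme)
        return app_id

    def define_permission(self, tenant_id: str, app_id: str, name: str, desc: str) -> str:
        app = self._owned_app(tenant_id, app_id)
        perm_id = str(uuid.uuid4())
        app.permissions[perm_id] = (name, desc)
        return perm_id

    def define_role(self, tenant_id: str, app_id: str, name: str, desc: str,
                    perm_ids: list[str]) -> str:
        app = self._owned_app(tenant_id, app_id)
        # a role may only bind authorities defined for the same application
        if set(perm_ids) - set(app.permissions):
            raise ValueError("role binds an authority of another application")
        role_id = str(uuid.uuid4())
        app.roles[role_id] = (name, desc, set(perm_ids))
        return role_id

    def assign_role(self, tenant_id: str, app_id: str, user_id: str, role_id: str) -> None:
        app = self._owned_app(tenant_id, app_id)
        if role_id not in app.roles:
            raise ValueError("role does not belong to this application")
        self.user_roles.setdefault((user_id, app_id), set()).add(role_id)

    def revoke_role(self, tenant_id: str, app_id: str, user_id: str, role_id: str) -> None:
        self._owned_app(tenant_id, app_id)      # editing (step S106) is tenant-scoped too
        self.user_roles.get((user_id, app_id), set()).discard(role_id)

    def login(self, user_id: str, app_id: str, credentials_ok: bool) -> dict | None:
        """Return the role and authority names the user holds in the application
        being logged into (and only that one), or None if verification failed."""
        if not credentials_ok or app_id not in self.apps:
            return None
        app = self.apps[app_id]
        role_ids = self.user_roles.get((user_id, app_id), set())
        roles = sorted(app.roles[r][0] for r in role_ids)
        perms = sorted({app.permissions[p][0] for r in role_ids for p in app.roles[r][2]})
        return {"roles": roles, "permissions": perms}


if __name__ == "__main__":
    # constructed sample scenario
    center = AuthCenter()
    center.add_tenant("tenant-a")
    app = center.register_application("tenant-a", "https://app-a.example/", "password+sms")
    p_read = center.define_permission("tenant-a", app, "read_reports", "view reports")
    analyst = center.define_role("tenant-a", app, "analyst", "read-only analyst", [p_read])
    center.assign_role("tenant-a", app, "alice", analyst)
    print(center.login("alice", app, credentials_ok=True))
```

Note that the login result is keyed on (user, application): a user who holds roles in one application gets an empty list when logging in to another, which is the per-application separation the text relies on.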
Compared with the prior art, the embodiment of the invention has the following advantages:
1. The cost of identity authentication and authorization management is reduced: the authentication and authorization center can reduce unnecessary repeated work when the enterprise performs identity authentication and authorization management, thereby reducing the related development and management cost;
2. Security is improved: the authentication and authorization center can provide a safer and more reliable identity authentication and authorization management service, thereby protecting sensitive information of enterprises and users from unauthorized access;
3. Work efficiency is improved: the authentication and authorization center can provide a convenient login and authorization management interface for the enterprise, so that a user can quickly and conveniently access each application system of the enterprise, and the working efficiency is improved.
Referring to fig. 4, an embodiment of the present invention provides a multi-tenant unified rights management system, including:
the tenant adding module is used for acquiring tenant adding operation of a system administrator in the authentication and authorization center, and matching the tenant adding operation in a preset user database to obtain a first user, so that the first user is added as the tenant of the authentication and authorization center;
the application configuration module is used for acquiring application configuration operation of the tenant in the authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding authority information and role information for the first applications;
the user adding module is used for acquiring user adding operation of the tenant in the authentication and authorization center, matching the user adding operation in a user database to obtain a second user, and further distributing the authority and the role of the first application to the second user according to the authority information and the role information to generate user authorization information;
the application login module is used for acquiring the application login operation of the second user in the authentication and authorization center, logging in the application page of the first application according to the application login operation, and further determining the operation authority of the second user in the application page according to the user authorization information.
The content in the method embodiment is applicable to the system embodiment, the functions specifically realized by the system embodiment are the same as those of the method embodiment, and the achieved beneficial effects are the same as those of the method embodiment.
Referring to fig. 5, an embodiment of the present invention provides a multi-tenant unified rights management device, including:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement a multi-tenant unified rights management method as described above.
The content in the method embodiment is applicable to the embodiment of the device, and the functions specifically realized by the embodiment of the device are the same as those of the method embodiment, and the obtained beneficial effects are the same as those of the method embodiment.
The embodiment of the invention also provides a computer readable storage medium, in which a processor executable program is stored, the processor executable program being used for executing the above-mentioned multi-tenant unified rights management method when being executed by a processor.
The computer readable storage medium of the embodiment of the invention can execute the steps of the method embodiment of the invention, which are implemented by any combination of the method embodiments, and has the corresponding functions and beneficial effects.
Embodiments of the present invention also disclose a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The computer instructions may be read from a computer-readable storage medium by a processor of a computer device, and executed by the processor, to cause the computer device to perform the method shown in fig. 1.
In some alternative embodiments, the functions/acts noted in the block diagrams may occur out of the order noted in the operational illustrations. For example, two blocks shown in succession may in fact be executed substantially concurrently or the blocks may sometimes be executed in the reverse order, depending upon the functionality/acts involved. Furthermore, the embodiments presented and described in the flowcharts of the present invention are provided by way of example in order to provide a more thorough understanding of the technology. The disclosed methods are not limited to the operations and logic flows presented herein. Alternative embodiments are contemplated in which the order of various operations is changed, and in which sub-operations described as part of a larger operation are performed independently.
Furthermore, while the present invention has been described in the context of functional modules, it should be appreciated that, unless otherwise indicated, one or more of the functions and/or features described above may be integrated in a single physical device and/or software module or one or more of the functions and/or features may be implemented in separate physical devices or software modules. It will also be appreciated that a detailed discussion of the actual implementation of each module is not necessary to an understanding of the present invention. Rather, the actual implementation of the various functional modules in the apparatus disclosed herein will be apparent to those skilled in the art from consideration of their attributes, functions and internal relationships. Accordingly, one of ordinary skill in the art can implement the invention as set forth in the claims without undue experimentation. It is also to be understood that the specific concepts disclosed are merely illustrative and are not intended to be limiting upon the scope of the invention, which is to be defined in the appended claims and their full scope of equivalents.
The above functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied in essence or a part contributing to the prior art or a part of the technical solution in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the above-described method of the various embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
Logic and/or steps represented in the flowcharts or otherwise described herein, e.g., a ordered listing of executable instructions for implementing logical functions, can be embodied in any computer-readable medium for use by or in connection with an instruction execution system, apparatus, or device, such as a computer-based system, processor-containing system, or other system that can fetch the instructions from the instruction execution system, apparatus, or device and execute the instructions. For the purposes of this description, a "computer-readable medium" can be any means that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
More specific examples (a non-exhaustive list) of the computer-readable medium would include the following: an electrical connection (electronic device) having one or more wires, a portable computer diskette (magnetic device), a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber device, and a portable compact disc read-only memory (CDROM). In addition, the computer-readable medium may even be paper or other suitable medium upon which the program described above is printed, as the program described above may be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
It is to be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above-described embodiments, the various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, may be implemented using any one or combination of the following techniques, as is well known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application specific integrated circuits having suitable combinational logic gates, programmable Gate Arrays (PGAs), field Programmable Gate Arrays (FPGAs), and the like.
In the foregoing description of the present specification, reference has been made to the terms "one embodiment/example", "another embodiment/example", "certain embodiments/examples", and the like, means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present invention have been shown and described, it will be understood by those of ordinary skill in the art that: many changes, modifications, substitutions and variations may be made to the embodiments without departing from the spirit and principles of the invention, the scope of which is defined by the claims and their equivalents.
While the preferred embodiment of the present invention has been described in detail, the present invention is not limited to the above embodiments, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present invention, and these equivalent modifications and substitutions are intended to be included in the scope of the present invention as defined in the appended claims.

Claims (10)

1. A multi-tenant unified authority management method, characterized by comprising the following steps:
acquiring tenant adding operation of a system administrator in an authentication and authorization center, and matching the tenant adding operation in a preset user database to obtain a first user, so as to add the first user as a tenant of the authentication and authorization center;
acquiring application configuration operation of the tenant in the authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding authority information and role information for the first applications;
acquiring user adding operation of the tenant in the authentication and authorization center, matching the user adding operation in the user database to obtain a second user, and further distributing the authority and the role of the first application to the second user according to the authority information and the role information to generate user authorization information;
and acquiring an application login operation of the second user in the authentication and authorization center, logging in an application page of the first application according to the application login operation, and further determining the operation authority of the second user in the application page according to the user authorization information.
2. The method for managing multi-tenant unified rights according to claim 1, wherein the step of obtaining a tenant adding operation of a system administrator in an authentication and authorization center, and matching the tenant adding operation in a preset user database to obtain a first user, and further adding the first user as a tenant in the authentication and authorization center, specifically comprises:
responding to tenant adding operation of the system administrator in the authentication and authorization center, and determining a first user ID according to the tenant adding operation;
and matching in the user database according to the first user ID to obtain a first user, further adding the first user as the tenant of the authentication and authorization center, generating corresponding tenant account information and sending the corresponding tenant account information to the tenant.
3. The method for managing unified rights of multiple tenants according to claim 2, wherein the application configuration operation includes an application registration operation, a rights definition operation, and a role definition operation, the step of obtaining the application configuration operation of the tenant at the authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding rights information and role information for the first applications specifically includes:
logging in to the authentication and authorization center according to the tenant account information;
responding to the application registration operation of the tenant in the authentication and authorization center, determining a first application address and a first authentication scheme according to the application registration operation, further creating the first application according to the first application address and the first authentication scheme, and generating a first attribution relation between the first application and the tenant;
responding to the authority definition operation of the tenant in the authentication and authorization center, determining a first authority name and a first authority description according to the authority definition operation, configuring the authority information for the first application according to the first authority name and the first authority description, and generating a second attribution relation between the authority information and the first application;
responding to role definition operation of the tenant in the authentication and authorization center, determining a first role name and a first role description according to the role definition operation, configuring the role information and the authority information corresponding to the role information for the first application according to the first role name and the first role description, and generating a third attribution relationship between the role information and the first application.
4. The method for managing multi-tenant unified rights in claim 3, wherein the step of obtaining the user adding operation of the tenant in the authentication and authorization center, and matching the user adding operation in the user database to obtain a second user, and further distributing the rights and roles of the first application to the second user according to the rights information and the roles information, and generating user authorization information specifically comprises:
responding to user adding operation of the tenant in the authentication and authorization center, and determining a second user ID according to the user adding operation;
matching in the user database according to the second user ID to obtain a second user, further distributing the role of the first application to the second user according to the role information, and distributing the authority of the first application to the second user according to the authority information corresponding to the role;
generating user authorization information of the second user according to the second user ID, the corresponding first attribution relation, the second attribution relation and the third attribution relation, generating corresponding user account information and sending the user account information to the second user.
5. The method for managing multi-tenant unified rights according to claim 4, wherein the step of obtaining an application login operation of the second user at the authentication and authorization center, logging in an application page of the first application according to the application login operation, and further determining an operation right of the second user at the application page according to the user authorization information specifically comprises:
responding to the application login operation of the second user in the authentication and authorization center, logging in the first application according to the user account information, and returning to an application page of the first application through the authentication and authorization center;
determining the first application currently logged in by the second user and the role information and the authority information corresponding to the second user according to the user authorization information;
and determining the operation authority of the second user on the application page according to the determined role information and the authority information, and endowing the second user with the corresponding function of accessing the first application.
6. A multi-tenant unified rights management method according to any of claims 1 to 5, characterized in that it further comprises the steps of:
and acquiring tenant editing operation of the system administrator in the authentication and authorization center, and modifying or deleting the first application created by the tenant according to the tenant editing operation.
7. A multi-tenant unified rights management method according to any of claims 1 to 5, characterized in that it further comprises the steps of:
and acquiring user editing operation of the system administrator or the tenant in the authentication and authorization center, and modifying or deleting the authority information and the role information corresponding to the second user according to the user editing operation.
8. A multi-tenant unified rights management system, comprising:
the tenant adding module is used for acquiring tenant adding operation of a system administrator in an authentication and authorization center, and matching the tenant adding operation in a preset user database to obtain a first user according to the tenant adding operation, so that the first user is added as the tenant of the authentication and authorization center;
the application configuration module is used for acquiring application configuration operation of the tenant in the authentication and authorization center, creating a plurality of first applications according to the application configuration operation, and configuring corresponding authority information and role information for the first applications;
the user adding module is used for acquiring user adding operation of the tenant in the authentication and authorization center, matching the user adding operation in the user database to obtain a second user, and further distributing the authority and the role of the first application to the second user according to the authority information and the role information to generate user authorization information;
the application login module is used for acquiring the application login operation of the second user at the authentication and authorization center, logging in the application page of the first application according to the application login operation, and further determining the operation authority of the second user at the application page according to the user authorization information.
9. A multi-tenant unified rights management device, comprising:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement a multi-tenant unified rights management method as claimed in any one of claims 1 to 7.
10. A computer readable storage medium, in which a processor executable program is stored, characterized in that the processor executable program, when being executed by a processor, is for performing a multi-tenant unified rights management method according to any one of claims 1 to 7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311178913.8A CN117313051B (en) 2023-09-12 2023-09-12 Multi-tenant unified authority management method, system, device and storage medium

Publications (2)

Publication Number Publication Date
CN117313051A true CN117313051A (en) 2023-12-29
CN117313051B CN117313051B (en) 2024-07-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant