CN117390653A - Permission management method, system, electronic equipment and medium based on OC-ERP system - Google Patents


Publication number
CN117390653A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311592628.0A
Other languages
Chinese (zh)
Inventor
崔龑
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Bangbangtongda Medical Instrument Co ltd
Original Assignee
Beijing Bangbangtongda Medical Instrument Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

A permission management method, system, electronic device and medium based on an OC-ERP system, relating to the technical field of data processing. The method comprises the following steps: receiving a permission application sent by a target person to the OC-ERP system, and determining the access object in the permission application and the first personnel permission held by the target person; determining the second personnel permission corresponding to the access object according to the data type of the access object; judging whether the first personnel permission and the second personnel permission match; if they match, assigning the permission for the access object to the target person; and if they do not match, adjusting the permission of the target person according to the data type, and matching the corresponding access object according to the adjusted permission of the target person. This achieves the effect of improving permission management efficiency.

Description

Permission management method, system, electronic equipment and medium based on OC-ERP system
Technical Field
The application relates to the technical field of permission management, and in particular to a permission management method, system, electronic device and medium based on an OC-ERP system.
Background
With the increasing popularity of information-based management, Enterprise Resource Planning (ERP) systems have become an important tool for enterprise operation management. Open cloud ERP (OC-ERP) systems in particular are favored by many enterprises for their openness, flexibility and use of cloud computing. However, as system complexity and data volume increase, managing user permissions effectively and at fine granularity, so as to prevent misoperation on data or malicious access to it, becomes an important and challenging task.
Currently, existing permission management methods are usually static: the permission is determined when the staff member applies, and after the person in charge of the department completes the approval, the permission is assigned to the staff member. In practice, however, because staff members differ in position information such as department and apply for different permissions, the permission often does not match the staff member's position, which lowers the efficiency of permission assignment in the enterprise.
Disclosure of Invention
The application provides a permission management method, system, electronic device and medium based on an OC-ERP system, which have the effect of improving the permission management efficiency of enterprises.
In a first aspect, the present application provides a permission management method based on an OC-ERP system, including:
receiving a permission application sent by a target person to the OC-ERP system, and determining the access object in the permission application and the first personnel permission held by the target person;
determining the second personnel permission corresponding to the access object according to the data type of the access object;
judging whether the first personnel permission and the second personnel permission match;
if the first personnel permission and the second personnel permission match, assigning the permission for the access object to the target person;
and if the first personnel permission and the second personnel permission do not match, adjusting the permission of the target person according to the data type, and matching the corresponding access object according to the adjusted permission of the target person.
With the above technical solution, after the permission application of the target person is received, the access object in the application and the target person's original first personnel permission are determined. The system then determines, based on the data type of the access object, the second personnel permission required to access it. By judging whether the first personnel permission matches the second personnel permission, the system achieves fine-grained permission control. If they match, access permission is assigned directly; if they do not match, intelligent permission adjustment is triggered. The adjustment refers to the data type of the access object: a new second permission for the target person is generated dynamically according to business needs, and access permission is assigned after the match is judged again. The system thus makes permission management fine-grained and dynamic, improving security while meeting business needs. Process automation also reduces manual intervention, and execution-permission monitoring together with multi-level approval of adjustments further strengthens the security and controllability of the system. The solution achieves fine-grained, dynamic and automated permission management, ensuring system security and improving working efficiency.
Optionally, determining the department and post of the target person according to the permission application; matching the first personnel permission according to the department and post; determining the requested access address in the permission application; and matching the corresponding department data as the access object according to the requested access address.
With the above technical solution, the department and post information of the target person is determined automatically from the permission application, and the person's original permission is matched and extracted from that information as the first personnel permission. The access address in the permission application is parsed, and the department data matched by that address is taken as the access object. Because both are determined automatically, the access object and the first personnel permission can be obtained quickly without manual participation, laying the foundation for subsequent permission matching and management. This lowers the threshold for using permission management: the system obtains the required information by technical means without depending on additional input. It simplifies the permission management flow and improves management efficiency. Automatic extraction also avoids the errors that manual assignment may introduce, improving the accuracy and reliability of permission management.
Optionally, determining, according to the department, the department database in the enterprise database that carries the label of that department and that the target person can access; determining a first sub-permission for the target person to access the department database; determining, according to the post, a second sub-permission for the target person to access the corresponding accessible post data in the department database; and determining the first personnel permission according to the first sub-permission and the second sub-permission.
With the above technical solution, the department database and the corresponding first sub-permission set are matched by department label. A second sub-permission set covering the data accessible within that database is then determined according to the post. The first and second sub-permission sets are aggregated to form the complete first personnel permission. Determining permission by filtering step by step through department and post avoids the high complexity of manually configuring a large number of permissions. It also improves the accuracy of permission determination, since the two-stage filtering ensures that the resulting permission meets the requirements of both the department and the post. The solution simplifies permission acquisition, improves the efficiency of permission extraction and improves the accuracy of the result. It is an important technical link in achieving automated and efficient permission management.
Optionally, determining a target department and a plurality of target posts in the target department according to the department parameters; determining, for each target post, a first data sensitivity of the data viewable by that post; judging whether each first data sensitivity is greater than the data sensitivity of the access object; and if, among the first data sensitivities, there is at least one second data sensitivity greater than the data sensitivity, determining the second personnel permission according to the target post and the target department corresponding to the second data sensitivity.
With the above technical solution, the relevant target department and posts are determined according to the department parameters. The sensitivity level corresponding to each post is then determined, and it is judged whether that level is higher than the data sensitivity of the access object. If there is a higher-level second data sensitivity, the corresponding department and post are matched as the second personnel permission. Dynamically matching access permission on the basis of department and post achieves strict permission control: only the minimum permission required for the work is assigned, which reduces the risk of data leakage or misuse at the source. A permission design centered on department and post fits permission management more closely to the actual needs of enterprise business scenarios, ensuring security and improving working efficiency.
Optionally, acquiring the execution permission corresponding to an operation executed by the target person in the OC-ERP system; judging whether the execution permission exceeds the permission for the access object; and if the execution permission exceeds the permission for the access object, revoking the target person's permission for the access object.
With the above technical solution, the operations of the target person and the corresponding execution permission are obtained in real time and compared with the permission for the access object. If an execution permission exceeds the permission for the access object, the target person's access permission for that object is revoked immediately. This fine-grained monitoring of execution permission doubly guards against abuse of permission: the target person cannot use the access permission obtained to perform out-of-scope operations. Revocation also keeps permission highly dynamic. Users must use their permission strictly within the authorized scope, and any unauthorized action can be discovered and stopped by the system in time. The solution strengthens the security and dynamic nature of permission management, is one of the key innovations that enable fine-grained permission control, and plays an important role in guaranteeing system security.
Optionally, determining the corresponding department-readable data according to the data type; determining the corresponding readable permission according to the department-readable data; and determining a second permission of the target person according to the readable permission and the permission of the target person.
With the above technical solution, the concepts of department-readable data and readable permission are introduced, so that when the target person's permission does not match, it is adjusted intelligently: the requirement of the access object is met while the original permission is retained, giving a smooth upgrade. Specifically, the system determines the range of department-readable data according to the data type of the access object and matches the readable permission accordingly. The readable permission is combined with the target person's original permission to generate a new second permission. Adjusting permission intelligently on the basis of data type avoids the complexity of manually judging and maintaining a large number of permission configurations, makes the adjustment accurate, and fully meets the access object's requirements on readable range and permission. Because the original permission is retained, the target person does not experience a gap in permissions.
Optionally, generating application information for the second permission, and sending the application information to a department manager end; acquiring first feedback information from the department manager end based on the application information; if the approval result in the first feedback information is a pass, sending the application information to the manager end of the quality management department; acquiring second feedback information from the manager end of the quality management department based on the application information; and if the approval result in the second feedback information is a pass, assigning the second permission to the target person.
With the above technical solution, a multi-stage approval process is introduced after the permission is adjusted, ensuring that adjustment decisions are reasonable and compliant and further improving system security. Specifically, the system automatically generates the application information for the second permission and obtains approval feedback stage by stage from the manager ends of the department and of the quality management department. The permission is formally granted only after both approvals pass. Multi-stage approval of permission adjustments prevents arbitrary expansion or non-compliant modification of permission, since the necessity of every adjustment must be examined. Each approval level can check the compliance of the adjustment, so that it is verified from different angles that the adjustment introduces no security risk. Combining manual approval with technical adjustment makes the permission management mechanism more robust and strengthens system security.
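The flow of the first aspect (match, adjustment on mismatch, two-stage approval, revocation on over-reach), sketched in Python as an added example; it is not code from the patent. The policy tables, addresses, operation names and the modelling of a permission as a set of (database, data type) pairs are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed policy data; every name here is hypothetical.
DEPT_DATABASES = {            # database -> department label
    "sales_orders_db": "sales",
    "sales_crm_db": "sales",
    "finance_ledger_db": "finance",
}
POST_DATA_TYPES = {           # (department, post) -> data types readable by that post
    ("sales", "clerk"): {"order"},
    ("sales", "manager"): {"order", "customer"},
    ("finance", "accountant"): {"ledger"},
}
ADDRESS_MAP = {               # request address -> (database, data type) of the access object
    "/sales/orders": ("sales_orders_db", "order"),
    "/sales/customers": ("sales_crm_db", "customer"),
    "/finance/ledger": ("finance_ledger_db", "ledger"),
}
APPROVAL_STAGES = ("department_manager", "quality_management_manager")


@dataclass
class Person:
    name: str
    department: str
    post: str
    adjusted: set = field(default_factory=set)   # pairs added by approved adjustments
    grants: dict = field(default_factory=dict)   # address -> operations allowed on it


def first_permission(person):
    """First personnel permission: department sub-permission combined with post sub-permission."""
    databases = {db for db, label in DEPT_DATABASES.items() if label == person.department}
    data_types = POST_DATA_TYPES.get((person.department, person.post), set())
    return {(db, dt) for db in databases for dt in data_types} | person.adjusted


def readable_permission(data_type):
    """Readable permission for a data type: every department database holding that type."""
    return {pair for pair in ADDRESS_MAP.values() if pair[1] == data_type}


def handle_application(person, address, approvers):
    """Match first against second permission; on mismatch adjust only after both approvals."""
    if address not in ADDRESS_MAP:
        return "rejected: unknown access object"
    required = ADDRESS_MAP[address]               # second personnel permission
    if required in first_permission(person):
        person.grants[address] = {"read"}
        return "granted"
    # Mismatch: the proposed adjustment is the readable permission for this data type.
    proposal = readable_permission(required[1])
    for stage in APPROVAL_STAGES:                 # sequential; stop at the first refusal
        if not approvers[stage](person, proposal):
            return f"rejected at {stage}"
    person.adjusted |= proposal                   # original permission is kept, not replaced
    if required in first_permission(person):      # re-match after adjustment
        person.grants[address] = {"read"}
        return "granted after adjustment"
    return "rejected: adjustment does not cover access object"


def monitor_operation(person, address, operation):
    """Revoke the grant when an executed operation exceeds what was granted."""
    allowed = person.grants.get(address)
    if allowed is None:
        return "denied"
    if operation not in allowed:
        del person.grants[address]
        # Assumption: an adjusted permission is withdrawn too, so that a new
        # application has to pass both approval stages again.
        person.adjusted.discard(ADDRESS_MAP[address])
        return "revoked"
    return "allowed"
```

The second approver is never consulted when the first refuses, and no entry is written to `grants` or `adjusted` until both stages have passed.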
In a second aspect of the present application, a permission management system based on an OC-ERP system is provided, comprising:
an application receiving module, configured to receive a permission application sent by a target person to the OC-ERP system, and to determine the access object in the permission application and the first personnel permission held by the target person;
a permission acquisition module, configured to determine the second personnel permission corresponding to the access object according to the data type of the access object;
a first permission matching module, configured to judge whether the first personnel permission matches the second personnel permission, and, if they match, to assign the permission for the access object to the target person;
and a second permission matching module, configured to adjust the permission of the target person according to the data type if the first personnel permission and the second personnel permission do not match, and to match the corresponding access object according to the adjusted permission of the target person.
In a third aspect of the present application, an electronic device is provided.
A rights management system based on an OC-ERP system comprises a memory, a processor and a program stored on the memory and capable of running on the processor, wherein the program can be loaded and executed by the processor to realize a rights management method based on the OC-ERP system.
In a fourth aspect of the present application, a computer-readable storage medium is provided.
A computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement a rights management method based on an OC-ERP system.
In summary, one or more technical solutions provided in the embodiments of the present application at least have the following technical effects or advantages:
1. After receiving the permission application of the target person, the application first determines the access object in the application and the target person's original first personnel permission. The system then determines, based on the data type of the access object, the second personnel permission required to access it. By judging whether the first personnel permission matches the second personnel permission, the system achieves fine-grained permission control. If they match, access permission is assigned directly; if they do not match, intelligent permission adjustment is triggered. The adjustment refers to the data type of the access object: a new second permission for the target person is generated dynamically according to business needs, and access permission is assigned after the match is judged again. The system thus makes permission management fine-grained and dynamic, improving security while meeting business needs. Process automation also reduces manual intervention, and execution-permission monitoring together with multi-level approval of adjustments further strengthens the security and controllability of the system. The solution achieves fine-grained, dynamic and automated permission management, ensuring system security and improving working efficiency.
2. The application automatically determines the department and post information of the target person from the permission application, and then matches and extracts the person's original permission from that information as the first personnel permission. The access address in the permission application is parsed, and the department data matched by that address is taken as the access object. Because both are determined automatically, the access object and the first personnel permission can be obtained quickly without manual participation, laying the foundation for subsequent permission matching and management. This lowers the threshold for using permission management: the system obtains the required information by technical means without depending on additional input. It simplifies the permission management flow and improves management efficiency. Automatic extraction also avoids the errors that manual assignment may introduce, improving the accuracy and reliability of permission management.
3. The application compares the operations of the target person and the corresponding execution permission with the permission for the access object in real time. If an execution permission exceeds the permission for the access object, the target person's access permission for that object is revoked immediately. This fine-grained monitoring of execution permission doubly guards against abuse of permission: the target person cannot use the access permission obtained to perform out-of-scope operations. Revocation also keeps permission highly dynamic. Users must use their permission strictly within the authorized scope, and any unauthorized action can be discovered and stopped by the system in time. The solution strengthens the security and dynamic nature of permission management, is one of the key innovations that enable fine-grained permission control, and plays an important role in guaranteeing system security.
Drawings
Fig. 1 is a flow chart of a rights management method based on an OC-ERP system according to an embodiment of the present application.
Fig. 2 is a schematic structural diagram of a rights management system based on an OC-ERP system according to an embodiment of the present application.
Fig. 3 is a schematic structural diagram of an electronic device according to the disclosure in an embodiment of the present application.
Reference numerals illustrate: 300. an electronic device; 301. a processor; 302. a communication bus; 303. a user interface; 304. a network interface; 305. a memory.
Detailed Description
To help those skilled in the art better understand the technical solutions in this specification, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are only some embodiments of the present application, not all of them.
In the description of the embodiments of the present application, words such as "for example" are used to indicate examples, illustrations or descriptions. Any embodiment or design described herein as "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, such words are intended to present related concepts in a concrete fashion.
In the description of the embodiments of the present application, the term "plurality" means two or more. For example, a plurality of systems means two or more systems, and a plurality of screen terminals means two or more screen terminals. Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating an indicated technical feature. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include one or more such feature. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
In order to facilitate understanding of the methods and systems provided in the embodiments of the present application, a description of the background of the embodiments of the present application is provided before the description of the embodiments of the present application.
Currently, existing permission management methods are usually static: the permission is determined when the staff member applies, and after the person in charge of the department completes the approval, the permission is assigned to the staff member. In practice, however, because staff members differ in position information such as department and apply for different permissions, the permission is often inconsistent with the staff member's position, so permission assignment becomes disordered and the permission management efficiency of the enterprise is reduced.
The embodiment of the application discloses a permission management method based on an OC-ERP system. A permission application submitted by a target person in the OC-ERP system is received, and a first personnel permission based on the identity of the target person is determined; a matching second personnel permission is determined according to the access object applied for by the target person; the first personnel permission and the second personnel permission are compared; if they match, the application is passed; if they do not match, the permission is adjusted according to the second personnel permission and the access object is matched again. The method mainly addresses the disordered permission assignment and low permission management efficiency that arise because staff members differ in position information such as department and apply for different permissions, so that the permission is often inconsistent with the staff member's position.
Having described, as background, the problems in the prior art, the technical solutions in the embodiments of the present application are described in detail below with reference to the drawings. The described embodiments are only some embodiments of the present application, not all of them.
Referring to Fig. 1, a permission management method based on an OC-ERP system includes S10 to S40, with the following specific steps:
S10: receiving a permission application sent by the target person to the OC-ERP system, and determining the access object in the permission application and the first personnel permission held by the target person.
The OC-ERP system is an open cloud enterprise resource planning system. Its main technical characteristics are: an open system, which adopts an open network architecture with high scalability, interoperability and integration, and can be conveniently integrated with third-party systems to realize information sharing and business coordination; a cloud architecture, which is based on cloud computing technology and adopts service forms such as infrastructure as a service, platform as a service and software as a service, so that system deployment is more flexible and resource utilization is better optimized; ERP functions, which provide enterprise resource planning management functions including production management, supply chain management, customer relationship management, financial management and human resource management, supporting internal enterprise management and decision-making; and permission management, which realizes fine-grained and dynamic permission management, automatically assigning and revoking permissions according to the identity and behavior of the user and improving data security.
The access object is what must be precisely defined in permission management; it can be data, a function or an operation, and the party to whom the permission is granted is the target person. Precisely defining the access object is the basis of permission management.
Specifically, in the permission management process of the OC-ERP system, a target person who needs to access a new system resource must send a permission application. On receiving the application, the system starts the permission management flow. The access object, that is, the specific system resource the target person wishes to be authorized to access, such as a department database, functional module or data object, is parsed from the permission application. A clearly identified access object is the basis of permission management. The permission the target person currently holds in the OC-ERP system, that is, the first personnel permission, is then determined. This permission is typically assigned when the target person first logs in to the system, as the default permission matched to the person's department, post and so on. With these two pieces of information, the system can judge whether the permission required by the access object matches the target person's current permission, which is the core work of the next step. This step obtains the basic information required by permission management, namely the access object and the existing permission, and provides the input data for subsequent permission assignment and matching. Fine-grained, dynamic permission management can thus be realized, with the target person's permission adjusted in time according to the person's specific situation, meeting work needs and improving system security.
On the basis of the above embodiment, the step of determining the first personnel permission and the access object further includes S11 to S12:
S11: determining the department and post of the target person according to the permission application; matching the first personnel permission according to the department and post.
Illustratively, after acquiring the permission application information, the system needs to further determine the department and post of the target person. This information is needed because personnel permissions in the OC-ERP system can be matched and configured by department and post. To determine the department, the system may query the personnel library for the department to which the target person belongs. To determine the post, the system can obtain the target person's post or position information, map it to a preset post template, and so determine the post to which the target person belongs. Once the department and post are known, the system can determine the permission the target person holds in the OC-ERP system, that is, the first personnel permission. The system can preset the correspondence between departments, posts and permission sets; after acquiring the department and post, it looks up this mapping directly and takes the corresponding permission set as the first personnel permission. This avoids the problem of permission settings in the current system not matching the actual personnel situation. With the department and post determined, the system can automatically assign personnel the permissions that fit the responsibilities of their posts, making permission management well-defined and dynamic.
The department and post information of the target person is acquired first, and the permission the person already holds in the current system is then matched from that information. This provides the input for subsequently judging whether the permission applied for on the access object matches the permission already held, and is a key step in the permission management flow.
On the basis of the above embodiment, the specific step of determining the first personnel permission according to the department and post further includes S111 to S113:
S111: determining, according to the department, the department databases in the enterprise database that carry the label of that department and that the target person can access.
Illustratively, after obtaining the department of the target person, the system needs to determine the range of department databases that the person can access. This is critical because an enterprise-level OC-ERP system often contains a large number of databases, and if the access scope is not limited, permission management is difficult to perform effectively. Each department database in the system is labeled in advance with its department, such as "product department" or "sales department". Once the department of the target person is obtained, the system can search the enterprise database for all databases labeled with that department. These databases make up the range of department databases accessible to the target person. In this way a huge database system is divided into several related sub-ranges, which greatly reduces processing complexity when permissions are managed for the personnel of each department. For example, for staff of the product department, access permission only needs to be judged for the product-related databases. Dividing by label improves the efficiency of permission management and implements the principle of least privilege, so that each person can access only the department databases he or she needs, which improves the security of the system. If permissions are set too broadly, data may be leaked or misused.
S112: determining a first sub-permission for the target person to access the department database; and determining, according to the post, a second sub-permission for the post data that the target person can access within the accessible department database.
Illustratively, the department permission is determined first: the basic access permission that the target person shares within the department database, independent of post. Such permission may include viewing department announcements, using department shared spaces, and so forth. The system can preset the department permission set directly by department. The post permission is determined next; it decides which part of the department database, the part relevant to the post, the target person can access. For example, a salesperson can see customer information, while a product manager can see product specifications. The system determines the corresponding permission set through the mapping between posts and database access configuration. With both levels of permission obtained, the target person's access permission for the department database can be generated by combining them. This achieves cascaded permission control that takes both department requirements and post requirements into account. It prevents personnel from acquiring permissions unrelated to their work and improves system security. This step generates the department database access permission at fine granularity and provides the basis for subsequent access control.
S113: determining the first personnel permission according to the first sub-permission and the second sub-permission.
Illustratively, after the two sub-permissions of the target person's department database access permission are obtained, the system needs to integrate them to determine the target person's overall first personnel permission within the OC-ERP system. The first sub-permission reflects the shared access permission the target person has as a member of the department, and the second sub-permission is the permission granted according to the specific post. The system integrates the two into one unified permission set as the first personnel permission. The first sub-permission and the second sub-permission are merged in the permission library; if duplicate permission items exist, the duplicates are removed and a single copy is kept. The two may also be processed according to priority rules or the like before being combined. Once the first personnel permission is obtained, the system can match this permission set against the permission required by the access object and judge whether the existing permission of the target person meets the working requirement. This is the basis for implementing fine-grained permission management. This step integrates the acquired access permission information to build a complete picture of the target person's existing permission in the system, and provides complete user permission information for subsequent permission allocation and control.
S12: determining the requested access address in the permission application; and matching the corresponding department data as the access object according to the requested access address.
Illustratively, after acquiring the department and post of the target person, the system further determines from the permission application the specific address of the access request, such as a data table or a page, in order to determine the access object. The system parses the address information in the permission application and extracts the database name, table name, data fields and similar items to be accessed. This address information identifies the specific system resources to which the target person wishes to gain access. According to the requested address, the system matches the corresponding department data, for example a customer information table in a certain product database, and determines that this data constitutes the access object. The system maintains a department data catalog in advance, so it can quickly determine the department and the data from an address. Determining the access object is a precondition for permission matching. If the access object cannot be acquired accurately, it is impossible to judge whether the access permission settings of those resources are suitable for the target person. Parsing the access address acquires the access object information effectively, without manual judgment. Once the access object is obtained, the system can match it against the known existing permission of the target person and judge whether the permission meets the working requirement. This enables fine-grained permission management rather than a simple uniform permission setting based on department and post. This step parses the application address by technical means and acquires the access object information effectively and automatically, which is a key link in the permission management flow.
S20: determining the second personnel permission corresponding to the access object according to the data type of the access object.
In this technical scheme, the data type refers to the type attributes of the access object and comprises two aspects: department parameters and data sensitivity. The department parameters include the owning department, that is, the department to which the access object belongs; the related posts, that is, post information related to the access object; the department permission, that is, the shared access permission settings of the department; and the like. The department associated with the access object and the corresponding permission information can be determined from the department parameters.
The data sensitivity includes the sensitivity level, that is, the assessed sensitivity level of the access object's data; the access rules, that is, the access control rules for data of different sensitivity; and the like. The data sensitivity reflects the attributes of the access object and is the basis for formulating access control.
Specifically, after the current first personnel permission of the target person is obtained, the system also needs to determine the second personnel permission corresponding to the object for which access is requested. The second personnel permission must be determined because different access objects may have different access control rules. The system checks the type of the access object, such as a database, a table or row-level data. Objects of different granularity may require different forms of permission control. Taking a database as an example, the system can use the department and sensitivity information of the database to determine rules such as the range of departments that may access it, the post levels and the corresponding access permissions. These constitute the second personnel permission. For a data field, permission control may reuse the access permission of the table, or an independent rule may be formulated according to the sensitivity of the field's content. The system may determine the second personnel permission dynamically from the type and related information. The second personnel permission is acquired so that it can be compared with the first personnel permission to judge whether the two match; if they match, access to the object can be authorized, and otherwise the permission needs to be adjusted. This step achieves fine-grained, dynamic permission management and prevents the security risks caused by a simple uniform permission setting based on personnel identity.
On the basis of the above embodiment, the specific step of determining the second personnel permission further includes S21 to S23:
S21: determining the target department and a plurality of target posts in the target department according to the department parameters.
Illustratively, after obtaining the data type of the access object, the system needs to further analyze the department parameters to obtain the target department and target posts. The system may examine the department parameters of the access object to determine the department to which the object belongs, namely the target department. It then extracts from the department parameters the several target posts related to the access object. For a database containing product plans, for example, the related posts may be product manager, designer and so on. The purpose of obtaining the target department and target posts is to determine the permission rules corresponding to the access object. The system can use this information to query a configuration library and determine the permission sets with which the department and target posts can access the object. This achieves fine-grained, dynamic permission management in which the access control rule is determined from the attributes of the access object rather than from a uniform permission based on personnel identity and department. This step obtains the target department and posts by analyzing the department parameters, which is the basis for the fine-grained permission management that follows.
S22: determining the corresponding target post level according to each target post, and determining the first data sensitivity of the corresponding viewable data according to the target post level.
Illustratively, after the target posts are obtained, the system needs to further determine the post level of each target post. The post level reflects the permission level of different posts. The system can determine the specific post level of each target post by querying the post information table. For example, the product manager is at a higher level than the designer. According to the post level, the system looks up in the permission management rule table the range of sensitive data that the corresponding permission level may access, and takes it as the first data sensitivity. For example, a higher-level post may view more sensitive and confidential information. After the first data sensitivity of each target post is obtained, the system can compare it with the sensitivity level of the access object and judge whether the target post has permission to access the object, in order to determine the second personnel permission. This step determines the permission level of each target post, implements fine-grained post-based access control, and prevents the security risks caused by excessive permissions.
S23: judging whether each first data sensitivity is greater than the data sensitivity; and if, among the first data sensitivities, there is at least one second data sensitivity greater than the data sensitivity, determining the second personnel permission according to the target post and target department corresponding to the second data sensitivity.
Illustratively, after acquiring the first data sensitivity of each target post, the system needs to determine how each relates to the data sensitivity of the access object itself in order to determine the access permission. The system reads the first data sensitivity of each target post in turn and compares it with the data sensitivity of the access object. Any first data sensitivity that is greater than the data sensitivity of the access object is recorded as a second data sensitivity. A post whose sensitivity level is higher than that of the access object has access permission. The system extracts the target post and target department corresponding to each second data sensitivity. From the target posts and departments that satisfy the data sensitivity requirement, it determines the range of personnel who may access the object and the permission rules, which form the second personnel permission. This achieves strict access control based on data sensitivity, meeting job requirements while improving data security. Matching against the sensitivity of the object's data avoids the security risk of excessive permissions that may exist in current systems and achieves fine-grained, dynamic permission management.
S30: judging whether the first personnel permission matches the second personnel permission; and if the first personnel permission and the second personnel permission match, assigning the permission to access the access object to the target person.
Specifically, after the existing first personnel permission of the target person and the second personnel permission corresponding to the access object are obtained, the system needs to judge whether the two match. The criterion for matching is whether the second personnel permission contains the first personnel permission, that is, whether the existing permission of the target person meets the permission required for accessing the object. The system compares the permission items of the two one by one and judges that they match if every item of the first personnel permission is also present in the second personnel permission. A successful match means that the current permission level of the target person satisfies the requirement for accessing the object. The access permission for the object is then assigned directly to the target person, granting access. This achieves dynamic allocation of permissions that meets working requirements while applying security control, which ensures data security and improves service efficiency. If the two do not match, the permission needs to be adjusted, and that case is handled by the flow steps that follow.
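The sensitivity filter of S21 to S23 and the containment check of S30 can be followed in a short sketch. This is an added example, not code from the patent: the post-level and sensitivity tables, the sample access object, and the choice to model each personnel permission as a set of (department, post) items are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample tables (assumptions, not from the patent).
POST_LEVEL = {"designer": 1, "product_manager": 2, "department_head": 3}
# Post level -> highest data sensitivity that level may view (S22).
LEVEL_SENSITIVITY = {1: 1, 2: 3, 3: 5}


@dataclass(frozen=True)
class AccessObject:
    """Access object plus its data type: department parameters and sensitivity."""
    address: str
    department: str        # department parameter: the target department
    related_posts: tuple   # department parameter: the target posts
    sensitivity: int       # data sensitivity level of the object


# Constructed sample object: a customer table in a product database.
SAMPLE_OBJECT = AccessObject(
    "product_db.customer_info", "product", ("designer", "product_manager"), 2
)


def second_personnel_permission(obj):
    """S21-S23: keep target posts whose viewable sensitivity exceeds the object's."""
    items = set()
    for post in obj.related_posts:                    # S21: each target post
        level = POST_LEVEL.get(post)
        if level is None:
            continue                                  # unknown post: grant nothing
        first_sensitivity = LEVEL_SENSITIVITY[level]  # S22: first data sensitivity
        if first_sensitivity > obj.sensitivity:       # S23: strictly greater
            items.add((obj.department, post))
    return frozenset(items)


def first_personnel_permission(department, post):
    """S11: permission matched from the applicant's own department and post."""
    return frozenset({(department, post)})


def permissions_match(first, second):
    """S30: match when every item of the first permission is in the second."""
    return bool(first) and first <= second


def handle_application(department, post, obj):
    """Return 'assign' (S30) or 'adjust' (hand over to S40)."""
    first = first_personnel_permission(department, post)
    second = second_personnel_permission(obj)
    return "assign" if permissions_match(first, second) else "adjust"


if __name__ == "__main__":
    for dept, post in [("product", "product_manager"),
                       ("product", "designer"),
                       ("sales", "product_manager")]:
        print(dept, post, handle_application(dept, post, SAMPLE_OBJECT))
```

Because S23 requires a strictly greater sensitivity, a post whose viewable level merely equals the object's level is excluded, and an object with no qualifying post yields an empty second personnel permission that no applicant can match.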
In an alternative embodiment of the present application, there is also a permission revocation process, which specifically includes the following. After the target person has successfully obtained access permission for the access object, whenever he or she operates on the object in the OC-ERP system, the system dynamically obtains the execution permission of the operation being executed. Access permission is only the first layer of permission management; the system also needs to judge from the user's actual operation behavior whether the operations fall within the permitted range. The system can monitor the target person's operations in the OC-ERP system in real time, such as adding data or modifying configuration, and extract the characteristic information of each operation. According to the operation information, it matches the configured execution permission rules and determines the execution permission corresponding to the target person's current operation. The execution permission defines the type and scope of operations that are allowed to be performed. After acquiring the execution permission, the system dynamically compares it with the operation behavior of the target person and judges whether the operation exceeds the limits of the execution permission. This multi-level permission management mechanism provides the permission required for the work and also applies fine-grained dynamic control to user behavior, which minimizes the security risk of permission abuse.
After the system dynamically acquires the execution permission of the target person, it needs to judge whether the execution permission exceeds the scope of that person's permission on the access object. The system compares the execution permission with the contents of the access object permission item by item, and if the execution permission contains an operation that does not exist in the access object permission, the system determines that the operation is out of range. For example, if the access object permission only allows querying data but a delete operation appears in the execution permission, that behavior exceeds the permission. Once the execution permission is judged to be out of range, the system immediately revokes the target person's permission on the access object, which stops the unauthorized operation in real time. The system also records the event as a reference for later permission adjustment. This mechanism of dynamic monitoring and real-time permission revocation effectively prevents the risk of permission abuse, stops personnel from using system vulnerabilities to perform unauthorized operations after obtaining access permission, and ensures the security of system operation. Revoking the permission also triggers a new permission application flow, which keeps permission management dynamically updated.
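The revocation logic described above, as an added example that is not code from the patent: each observed operation is mapped to the execution permission it needs, compared with the access object permission, and an out-of-range operation revokes the grant and records an event. The operation names, the mapping table and the `PermissionMonitor` class are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed mapping (assumption): observed operation -> execution permission.
OPERATION_PERMISSION = {
    "select": "query",
    "export_report": "export",
    "insert": "add",
    "update": "modify",
    "delete": "delete",
}


@dataclass
class PermissionMonitor:
    """Tracks access object permissions and revokes them on out-of-range use."""
    grants: dict = field(default_factory=dict)   # (person, object) -> permission set
    events: list = field(default_factory=list)   # audit trail for later adjustment

    def assign(self, person, obj, permissions):
        self.grants[(person, obj)] = set(permissions)

    def observe(self, person, obj, operation):
        """Return True if the operation is within range, otherwise False."""
        granted = self.grants.get((person, obj))
        if granted is None:
            # Nothing is held (never granted or already revoked): deny and log.
            self._record(person, obj, operation, "denied_no_permission")
            return False
        required = OPERATION_PERMISSION.get(operation)
        # An operation with no known execution permission cannot be shown to be
        # in range, so this sketch treats it as out of range as well.
        if required is not None and required in granted:
            return True
        # Out of range: revoke the whole grant on this object at once and keep
        # a record; the person must submit a new permission application.
        del self.grants[(person, obj)]
        self._record(person, obj, operation, "revoked")
        return False

    def _record(self, person, obj, operation, action):
        self.events.append({"person": person, "object": obj,
                            "operation": operation, "action": action})


if __name__ == "__main__":
    monitor = PermissionMonitor()
    # Constructed scenario: a query-only grant, then a delete attempt.
    monitor.assign("alice", "product_db.customer_info", {"query"})
    print(monitor.observe("alice", "product_db.customer_info", "select"))
    print(monitor.observe("alice", "product_db.customer_info", "delete"))
    print(monitor.observe("alice", "product_db.customer_info", "select"))
    print(monitor.events)
```

After the delete attempt, the earlier query permission is gone as well, so the third call is denied: revocation removes the person's permission on the access object as a whole, not only the offending operation.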
S40: if the first personnel permission and the second personnel permission do not match, adjusting the permission of the target person according to the data type, and matching the corresponding access object according to the adjusted permission of the target person.
Specifically, in the permission matching step, if the system determines that the first personnel permission of the target person does not match the second personnel permission required for accessing the object, the permission needs to be adjusted. The system acquires the data type of the access object, including the department parameters, data sensitivity and the like. This type information reflects the permission rules for accessing the object. According to these rules, the permission of the target person in the OC-ERP system is adjusted automatically to meet the requirement for accessing the object. For example, the post permission level of the target person is raised, or the person is added to the access control list of the department associated with the object, and so on, until the adjustment is complete and the requirement of the second personnel permission is met. After the adjustment, the system can match the first personnel permission against the second personnel permission again, and if the match succeeds, the permission to access the object is assigned to the target person. This method of intelligently adjusting permissions based on the data type of the access object makes permission management fine-grained and dynamic, meets service requirements and improves system security. Compared with the prior art, in which a large amount of permission information must be judged and maintained manually, this scheme achieves automatic and intelligent permission management.
On the basis of the above embodiment, the specific step of adjusting the permission of the target person further includes S41 to S42:
S41: determining the corresponding department-readable data according to the data type; and determining the corresponding readable permission according to the department-readable data.
Illustratively, when adjusting the permission, the system first needs to determine the corresponding department-readable data range from the data type of the access object. The system may retrieve the department parameters in the data type and determine the department to which the access object belongs and the related departments. These associated departments constitute the department scope within which the object's data can be read. For example, for a database containing staff information of several departments, the readable range should be all the relevant personnel and administrative departments. After the readable range of departments is obtained, the system further determines, according to the permission rules of those departments, the specific permission set that can read the object, and takes it as the readable permission. Such permission may include permission items for data read operations such as querying and exporting reports. It can be used to construct a permission for the target person that meets the requirement for accessing the object. This step uses the data type of the access object to determine the read permission automatically; it is a key process in permission adjustment, avoids the complexity of manual configuration, and makes permission adjustment fast and efficient.
S42: determining the second permission of the target person according to the readable permission and the permission of the target person.
For example, after obtaining the readable permission corresponding to the access object, the system needs to integrate it with the existing permission of the target person to generate a new second permission. The system obtains the permission the target person currently holds in the OC-ERP system, namely the first personnel permission. It combines the first personnel permission with the readable permission, removes duplicate permission items, and generates a new permission set as the second permission. The second permission contains the original permission of the target person together with the readable permission needed for the newly added read access to the object. Integrating with the original permission prevents the target person from losing other existing access permissions because of the newly added access object permission. The second permission generated in this way meets the requirement for accessing the object and also preserves the original permission of the target person, giving a smooth permission upgrade. This step is a key link in permission adjustment; after the permission matching judgment is performed again, the target person can formally acquire access permission for the access object.
In another optional embodiment of the present application, there is also an approval process for the second permission, which specifically includes the following. After the system automatically adjusts and generates the second permission of the target person, a permission application flow needs to be started to obtain approval and authorization. A piece of application information for the permission adjustment is generated automatically from the content of the second permission. The application information clearly shows the permission difference before and after the adjustment. The application information is sent to the department manager end corresponding to the target person. The department manager acts as the first-level approver and must approve the application. The system acquires from the department manager the first feedback information provided on the basis of the application information, which includes the approval result. If the result is that the application passes, the system pushes the application on to the company's quality management department manager for second-level approval. If the application does not pass, it is fed back directly to the target person for adjustment.
After the permission application passes the approval of the first-level department manager, the system goes on to acquire the feedback information of the quality management department manager as the second-level approver. The quality management department judges the permission adjustment application from the point of view of the company's overall compliance. The system acquires the second feedback information provided on the basis of the application information and parses the approval result. If the quality management department manager also passes the application, the new second permission has fully passed the approval required by the permission adjustment flow. The second permission is assigned directly to the target person, completing the permission upgrade so that the target person has permission to access the corresponding object. The execution result of the process is fed back to the approvers at each level and to the target person. If the approval of the quality management department is not passed, the application needs to be adjusted again and the approval flow restarted. This multi-level approval mechanism for permission adjustment keeps permission management compliant and controllable and avoids the risk of abuse.
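The merge of S42 and the two-level approval described above, as an added example that is not code from the patent. Permission item strings, the `AdjustmentApplication` class and the use of callables to stand in for the two manager ends are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdjustmentApplication:
    """Application information showing the permission before and after adjustment."""
    person: str
    before: frozenset   # first personnel permission
    after: frozenset    # proposed second permission

    @property
    def added(self):
        """The difference an approver has to judge."""
        return self.after - self.before


def build_second_permission(first_permission, readable_permission):
    """S42: merge existing and readable permissions; the set union drops duplicates."""
    return frozenset(first_permission) | frozenset(readable_permission)


def make_application(person, first_permission, readable_permission):
    first = frozenset(first_permission)
    return AdjustmentApplication(
        person, first, build_second_permission(first, readable_permission)
    )


def run_approval(application, department_manager, quality_manager):
    """Return (effective permission, approval trail).

    Each approver is a callable taking the application and returning True to
    pass. The quality management approver is consulted only after the
    department manager has passed the application, and the second permission
    takes effect only when both pass.
    """
    trail = []
    if not application.added:
        return application.after, trail          # nothing new to approve
    stages = (("department_manager", department_manager),
              ("quality_management", quality_manager))
    for stage, approver in stages:
        passed = bool(approver(application))
        trail.append((stage, passed))
        if not passed:
            # Rejected: the person keeps only the original permission.
            return application.before, trail
    return application.after, trail


if __name__ == "__main__":
    # Constructed sample permission items.
    app = make_application(
        "alice",
        {"product_db:query"},
        {"hr_db:query", "hr_db:export", "product_db:query"},
    )
    print(sorted(app.added))
    print(run_approval(app, lambda a: True, lambda a: len(a.added) <= 2))
```

Returning the unchanged `before` set on any rejection means a partially approved application never changes what the person can access.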
Referring to fig. 2, a permission management system based on an OC-ERP system according to an embodiment of the present application includes an application receiving module, a permission acquisition module, a first permission matching module and a second permission matching module, wherein:
the application receiving module is used for receiving a permission application sent by a target person to the OC-ERP system, and determining the access object in the permission application and the first personnel permission held by the target person;
the permission acquisition module is used for determining the second personnel permission corresponding to the access object according to the data type of the access object;
the first permission matching module is used for judging whether the first personnel permission matches the second personnel permission, and if the first personnel permission matches the second personnel permission, assigning the permission to access the access object to the target person;
and the second permission matching module is used for adjusting the permission of the target person according to the data type if the first personnel permission and the second personnel permission do not match, and matching the corresponding access object according to the adjusted permission of the target person.
On the basis of the embodiment, the application receiving module is further used for determining the department and post of the target person according to the permission application; matching the first personnel permission according to the department and post; determining the requested access address in the permission application; and matching the corresponding department data as the access object according to the requested access address.
On the basis of the embodiment, the application receiving module is further used for determining, according to the department, the department databases in the enterprise database that carry the label of that department and that the target person can access; determining a first sub-permission for the target person to access the department database; determining, according to the post, a second sub-permission for the post data that the target person can access within the accessible department database; and determining the first personnel permission according to the first sub-permission and the second sub-permission.
On the basis of the embodiment, the permission acquisition module is further used for determining a target department and a plurality of target posts in the target department according to the department parameters; determining the corresponding target post level according to each target post, and determining the first data sensitivity of the corresponding viewable data according to the target post level; judging whether each first data sensitivity is greater than the data sensitivity; and if, among the first data sensitivities, there is at least one second data sensitivity greater than the data sensitivity, determining the second personnel permission according to the target post and target department corresponding to the second data sensitivity.
On the basis of the embodiment, the first permission matching module is further used for acquiring the execution permission corresponding to the operation executed by the target person in the OC-ERP system; judging whether the execution permission exceeds the permission on the access object; and if the execution permission exceeds the permission on the access object, revoking the target person's permission on the access object.
On the basis of the embodiment, the second permission matching module is further used for determining the corresponding department-readable data according to the data type; determining the corresponding readable permission according to the department-readable data; and determining the second permission of the target person according to the readable permission and the permission of the target person.
On the basis of the embodiment, the second permission matching module is further used for generating application information for the second permission and sending the application information to the department manager end; acquiring the first feedback information of the department manager end based on the application information; if the approval result in the first feedback information is a pass, sending the application information to the quality management department manager end; acquiring the second feedback information of the quality management department manager end based on the application information; and if the approval result in the second feedback information is a pass, assigning the second permission to the target person.
It should be noted that when the device provided in the above embodiment implements its functions, the division into the functional modules above is only an example. In practical applications, the functions may be allocated to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to implement all or part of the functions described above. In addition, the device embodiments and the method embodiments provided above belong to the same concept; their specific implementation processes are detailed in the method embodiments and are not repeated here.
The application also discloses an electronic device. Referring to fig. 3, fig. 3 is a schematic structural diagram of an electronic device disclosed in an embodiment of the present application. The electronic device 300 may include: at least one processor 301, at least one network interface 304, a user interface 303, a memory 305, and at least one communication bus 302.
Wherein the communication bus 302 is used to enable connected communication between these components.
The user interface 303 may include a Display screen (Display) interface and a Camera (Camera) interface, and the optional user interface 303 may further include a standard wired interface and a standard wireless interface.
The network interface 304 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), among others.
The processor 301 may include one or more processing cores. The processor 301 uses various interfaces and lines to connect the various parts of the overall server, and performs the various functions of the server and processes data by running or executing the instructions, programs, code sets, or instruction sets stored in the memory 305 and by invoking the data stored in the memory 305. Optionally, the processor 301 may be implemented in hardware in at least one of digital signal processing (Digital Signal Processing, DSP), field-programmable gate array (Field-Programmable Gate Array, FPGA), and programmable logic array (Programmable Logic Array, PLA). The processor 301 may integrate one or a combination of several of a central processing unit (Central Processing Unit, CPU), a graphics processing unit (Graphics Processing Unit, GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs, and the like; the GPU renders and draws the content to be shown on the display screen; the modem handles wireless communications. It will be appreciated that the modem need not be integrated into the processor 301 and may instead be implemented as a separate chip.
The memory 305 may include a random access memory (Random Access Memory, RAM) or a read-only memory (Read-Only Memory). Optionally, the memory 305 includes a non-transitory computer-readable storage medium. The memory 305 may be used to store instructions, programs, code, code sets, or instruction sets. The memory 305 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the above method embodiments, and the like; the data storage area may store the data involved in the above method embodiments. Optionally, the memory 305 may also be at least one storage device located remotely from the aforementioned processor 301. Referring to Fig. 3, the memory 305, as a computer storage medium, may include an operating system, a network communication module, a user interface module, and an application program of the rights management method based on the OC-ERP system.
In the electronic device 300 shown in Fig. 3, the user interface 303 is mainly used to provide an input interface for the user and to acquire the data input by the user; the processor 301 may be configured to invoke the application program of the OC-ERP system-based rights management method stored in the memory 305, which, when executed by the one or more processors 301, causes the electronic device 300 to perform the method of one or more of the embodiments described above. It should be noted that, for simplicity of description, the foregoing method embodiments are all expressed as a series of combined actions, but those skilled in the art should understand that the present application is not limited by the order of actions described, as some steps may be performed in another order or simultaneously in accordance with the present application. Further, those skilled in the art will also appreciate that the embodiments described in the specification are all preferred embodiments, and that the actions and modules involved are not necessarily required by the present application.
In the foregoing embodiments, the description of each embodiment has its own emphasis; for parts of one embodiment that are not described in detail, reference may be made to the related descriptions of the other embodiments.
In the several embodiments provided herein, it should be understood that the disclosed apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is merely a division by logical function, and other divisions are possible in an actual implementation; for instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the mutual coupling, direct coupling, or communication connection shown or discussed may be an indirect coupling or communication connection through some service interface, device, or unit, and may be electrical or take another form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer-readable memory. Based on this understanding, the technical solution of the present application, in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory and including several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. The aforementioned memory includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a magnetic disk, or an optical disk.
The above are merely exemplary embodiments of the present disclosure and are not intended to limit the scope of the present disclosure. That is, equivalent changes and modifications are contemplated by the teachings of this disclosure, which fall within the scope of the present disclosure. Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure.
This application is intended to cover any variations, uses, or adaptations of the disclosure that follow, in general, the principles of the disclosure and that include such departures from the present disclosure as come within known or customary practice in the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with the scope and spirit of the disclosure being indicated by the claims.

Claims (10)

1. The authority management method based on the OC-ERP system is characterized by comprising the following steps of:
receiving an authority application sent by a target person to an OC-ERP system, and determining an access object in the authority application and a first personnel authority owned by the target person;
determining a second personnel authority corresponding to the access object according to the data type of the access object;
judging whether the first personnel authority and the second personnel authority are matched;
if the first personnel authority and the second personnel authority are matched, distributing the authority of the access object to the target personnel;
and if the first personnel authority and the second personnel authority are not matched, adjusting the authority of the target personnel according to the data type, and matching the corresponding access object according to the authority of the target personnel after adjustment.
2. The OC-ERP system-based rights management method of claim 1, wherein the receiving the rights application sent by the target person to the OC-ERP system, determining the access object in the rights application, and the first person's rights owned by the target person, comprises:
determining departments and posts of the target personnel according to the authority application;
matching the first personnel permission according to the departments and posts;
determining a request access address in the authority application;
and according to the request access address, matching corresponding department data as the access object.
3. The OC-ERP system-based rights management method of claim 2, wherein said matching the first person rights according to the departments and posts comprises:
determining that the target personnel can access a department database with a corresponding label of the department in an enterprise database according to the department;
determining a first sub-right for the target person to access the department database;
determining a second sub-right that the target person can access the corresponding accessible post data in the department database according to the post;
and determining the first personnel authority according to the first sub authority and the second sub authority.
4. The OC-ERP system-based rights management method of claim 1, wherein the data type includes a department parameter and a data sensitivity, and the determining the second person right corresponding to the access object according to the data type of the access object includes:
determining a target department and a plurality of target posts in the target department according to the department parameters;
determining each corresponding target post according to each target post, and determining a first data sensitivity of the corresponding viewable data according to each target post;
judging whether each first data sensitivity is larger than the data sensitivity;
and if at least one second data sensitivity greater than the data sensitivity exists in each first data sensitivity, determining the second personnel permission according to the target post and the target department corresponding to the second data sensitivity.
5. The OC-ERP system-based rights management method of claim 1, wherein after the rights of the access object are assigned to the target person, further comprising:
acquiring an execution authority corresponding to the execution operation of the target personnel in the OC-ERP system;
judging whether the execution authority exceeds the authority of the access object;
and if the execution authority exceeds the authority of the access object, revoking the authority of the access object from the target person.
6. The OC-ERP system-based rights management method of claim 1, wherein the adjusting the rights of the target person according to the data type comprises:
determining corresponding department readable data according to the data type;
determining corresponding readable rights according to the department readable data;
and determining a second authority of the target person according to the readable authority and the authority of the target person.
7. The OC-ERP system-based rights management method of claim 6, wherein after determining the second rights of the target person according to the readable rights and the rights of the target person, further comprises:
generating application information of the second authority and sending the application information to a department manager;
acquiring first feedback information of the department manager based on the application information;
if the approval result in the first feedback information is passed, the application information is sent to a manager end of a quality management department;
acquiring second feedback information of the manager end of the quality management department based on the application information;
and if the approval result in the second feedback information is passed, distributing the second authority to the target personnel.
8. An OC-ERP system-based rights management system, the system comprising:
the application receiving module is used for receiving an authority application sent by a target person to the OC-ERP system, and determining an access object in the authority application and a first person authority owned by the target person;
the right acquisition module is used for determining a second personnel right corresponding to the access object according to the data type of the access object;
the first authority matching module is used for judging whether the first personnel authority is matched with the second personnel authority; if the first personnel authority and the second personnel authority are matched, distributing the authority of the access object to the target personnel;
and the second permission matching module is used for adjusting the permission of the target personnel according to the data type if the first personnel permission and the second personnel permission are not matched, and matching the corresponding access object according to the adjusted permission of the target personnel.
9. An electronic device comprising a processor, a memory, a user interface, and a network interface, the memory for storing instructions, the user interface and the network interface for communicating to other devices, the processor for executing the instructions stored in the memory to cause the electronic device to perform the OC-ERP system-based rights management method of any of claims 1-7.
10. A computer readable storage medium storing instructions that, when executed, perform the OC-ERP system-based rights management method steps of any of claims 1-7.
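
The decision flow of claims 1 and 4 to 7, as an added Python example that is not code from the patent or from any OC-ERP system. The clearance table, the names, the `full` and `read` scopes, and the reading of claim 4 as "posts whose clearance is greater than the object's sensitivity" are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data (assumption): highest sensitivity level each post may view.
POST_CLEARANCE = {
    "quality": {"inspector": 2, "qa_manager": 4},
    "sales": {"clerk": 1, "sales_manager": 3},
}
# Assumption: operations covered by each granted scope.
SCOPE_OPERATIONS = {"full": {"read", "write"}, "read": {"read"}}
# Claim 7: approvals are collected in this order.
APPROVAL_CHAIN = ("department_manager", "quality_manager")


@dataclass(frozen=True)
class AccessObject:
    department: str   # "department parameter" of the data type
    sensitivity: int  # "data sensitivity" of the data type


@dataclass(frozen=True)
class Person:
    department: str
    post: str


def second_personnel_authority(obj):
    """Claim 4: (department, post) pairs cleared above the object's sensitivity."""
    posts = POST_CLEARANCE.get(obj.department, {})
    return {(obj.department, post) for post, level in posts.items()
            if level > obj.sensitivity}


def handle_application(person, obj, approvals):
    """Claims 1, 6, 7: return (granted scope or None, approvers consulted)."""
    first = (person.department, person.post)  # first personnel authority (claim 2)
    if first in second_personnel_authority(obj):
        return "full", []
    # Mismatch: only the reduced read-only scope is on offer, and only
    # after both approvals pass, in order.
    consulted = []
    for approver in APPROVAL_CHAIN:
        consulted.append(approver)
        if approvals.get(approver) is not True:  # missing or rejected: deny
            return None, consulted
    return "read", consulted


def audit_operation(scope, operation):
    """Claim 5: revoke the grant when an executed operation exceeds it."""
    allowed = SCOPE_OPERATIONS.get(scope, set())
    return "keep" if operation in allowed else "revoke"
```

A rejection by the department manager ends the chain before the quality management department is consulted, and a missing approval is treated the same as a rejection.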
CN202311592628.0A 2023-11-27 2023-11-27 Permission management method, system, electronic equipment and medium based on OC-ERP system Pending CN117390653A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311592628.0A CN117390653A (en) 2023-11-27 2023-11-27 Permission management method, system, electronic equipment and medium based on OC-ERP system

Publications (1)

Publication Number Publication Date
CN117390653A true CN117390653A (en) 2024-01-12

Family

ID=89441170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311592628.0A Pending CN117390653A (en) 2023-11-27 2023-11-27 Permission management method, system, electronic equipment and medium based on OC-ERP system

Country Status (1)

Country Link
CN (1) CN117390653A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination