CN117556446A

CN117556446A - Authority processing method and device, electronic equipment and storage medium

Info

Publication number: CN117556446A
Application number: CN202311610706.5A
Authority: CN
Inventors: 叶霖; 朱西华
Original assignee: Zhongdian Jinxin Digital Technology Group Co ltd
Current assignee: Zhongdian Jinxin Digital Technology Group Co ltd
Priority date: 2023-11-28
Filing date: 2023-11-28
Publication date: 2024-02-13

Abstract

The application provides a permission processing method, a permission processing device, electronic equipment and a storage medium, wherein the method comprises the following steps: determining at least one target right based on the business requirement, and determining at least one authorized subject based on the business requirement, wherein the target right characterizes the right which can be granted, and the authorized subject characterizes the subject which can be granted the right; responding to the authorization request, acquiring the rights to be authorized in at least one target right, acquiring the bodies to be authorized in at least one authorized body, and associating the rights to be authorized and the bodies to be authorized through the rights accepting middleware so as to complete the authorization. The method not only abstracts the deletable rights and the deletable subjects, but also introduces the concept of rights accepting middleware, and realizes multi-level rights management and flexible delegation modes. Meanwhile, the method also considers the requirements of rights management in terms of safety, traceability, expandability and the like.

Description

Authority processing method and device, electronic equipment and storage medium

Technical Field

The present disclosure relates to the field of rights technologies, and in particular, to a rights processing method, a device, an electronic device, and a storage medium.

Background

With the rapid development of informatization technology, rights management plays an increasingly important role in various systems. However, the existing rights management method often has the problems of single authorization method, limited application range, difficult adaptation to complex and changeable business requirements and the like. In addition, with the wide application of new technologies such as cloud computing and big data, the requirements of tenant level rights management are increasingly highlighted, and the requirements are difficult to meet by the traditional rights management mode.

In the existing rights management method, a role-based or user-based authorization method is generally adopted, and the method is difficult to realize tenant-level rights management and also difficult to meet complex and changeable business requirements.

Disclosure of Invention

In view of this, the embodiments of the present application provide a method, an apparatus, an electronic device, and a storage medium for processing rights, which not only abstracts a deletable right and a deletable main body, but also introduces a concept of a right receiving middleware (grantor), thereby implementing a multi-level rights management and a flexible delegation manner. Meanwhile, the method also considers the requirements of rights management in terms of safety, traceability, expandability and the like.

The technical scheme of the embodiment of the application is realized as follows:

In a first aspect, an embodiment of the present application provides a rights processing method, where the method includes:

determining at least one target right based on a business requirement, and determining at least one authorized subject based on the business requirement, wherein the target right characterizes a right which can be granted, and the authorized subject characterizes a subject which can be granted the right;

responding to the authorization request, acquiring the rights to be authorized in the at least one target right, acquiring the bodies to be authorized in the at least one authorized body, and associating the rights to be authorized with the bodies to be authorized through the rights accepting middleware to complete the authorization.

In a second aspect, an embodiment of the present application further provides an apparatus for processing rights, where the apparatus includes:

a determining module for determining at least one target right based on a business requirement, and at least one authorized subject based on the business requirement, wherein the target right characterizes a right which can be granted, and the authorized subject characterizes a subject which can be granted the right;

the association module is used for responding to the authorization request, acquiring the rights to be authorized in the at least one target right, acquiring the bodies to be authorized in the at least one authorized body, and associating the rights to be authorized with the bodies to be authorized through the rights accepting middleware so as to complete the authorization.

In a third aspect, embodiments of the present application further provide an electronic device, including: a processor, a storage medium storing machine-readable instructions executable by the processor, the processor and the storage medium communicating over a bus when the electronic device is running, the processor executing the machine-readable instructions to perform the rights processing method of any of the first aspects.

In a fourth aspect, embodiments of the present application further provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the rights processing method of any of the first aspects.

The embodiment of the application has the following beneficial effects:

by defining a plurality of deletable rights and a plurality of delegates that can be authorized, finer rights control is achieved. Meanwhile, by introducing the concept of the grantor, the authority management can be divided into a plurality of layers, so that hierarchical management and control of the authority are realized, and the authorization process is simplified; in addition, security issues of rights management are also considered. By realizing a dynamic authority adjustment and revocation mechanism, abuse and misuse of authorities can be avoided, and the security of the system is improved. Meanwhile, traceability of authority management can be realized through audit and monitoring functions, and the reliability of the system is enhanced; finally, the system has good expandability and maintainability. Through the modularized design mode, the functions and the performances of the system can be conveniently expanded, and the ever-increasing business requirements are met. Meanwhile, through a unified authority management platform, the maintenance cost can be reduced, and the maintainability of the system is improved; in addition, the application also meets the permission requirements under different scenes through forward authorization and reverse authorization. The forward authorization allows an administrator to authorize the main body according to the existing rights, and the method is simple and direct and can quickly meet the basic rights requirements of the main body. The reverse authorization allows the rights to be customized for the specific requirements of the subject, so that the method is more personalized and can accurately meet the specific rights requirements of the subject. The two modes are combined, so that the authority management is more flexible and changeable, more complex practical application scenes are adapted, finally, the requirements of authority adjustment can be responded and processed in real time through a dynamic authorization mode, and the timeliness and the adaptability of the system are improved. Dynamic authorization allows the system to automatically adjust permissions according to real-time events or conditions, and the adjustment can be temporary or permanent and flexible according to actual requirements.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered limiting the scope, and that other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.

FIG. 1 is a method flow diagram of a rights processing method provided by an embodiment of the present application;

FIG. 2 is a flowchart of a method for authorization based on a permission level provided by an embodiment of the present application;

FIG. 3 is a flow chart of a method of dynamic authorization provided by an embodiment of the present application;

fig. 4 is a schematic structural diagram of a rights processing apparatus according to an embodiment of the present application;

fig. 5 is a schematic diagram of a composition structure of an electronic device according to an embodiment of the present application.

Detailed Description

For the purpose of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present application, and it should be understood that the accompanying drawings in the present application are only for the purpose of illustration and description, and are not intended to limit the protection scope of the present application. In addition, it should be understood that the schematic drawings are not drawn to scale. A flowchart, as used in this application, illustrates operations implemented according to some embodiments of the present application. It should be understood that the operations of the flow diagrams may be implemented out of order and that steps without logical context may be performed in reverse order or concurrently. Moreover, one or more other operations may be added to the flow diagrams and one or more operations may be removed from the flow diagrams as directed by those skilled in the art.

In the following description, reference is made to "some embodiments" which describe a subset of all possible embodiments, but it is to be understood that "some embodiments" can be the same subset or different subsets of all possible embodiments and can be combined with one another without conflict.

In addition, the described embodiments are only some, but not all, of the embodiments of the present application. The components of the embodiments of the present application, which are generally described and illustrated in the figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, as provided in the accompanying drawings, is not intended to limit the scope of the application, as claimed, but is merely representative of selected embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, are intended to be within the scope of the present application.

In the following description, the terms "first", "second", "third" and the like are merely used to distinguish similar objects and do not represent a particular ordering of the objects, it being understood that the "first", "second", "third" may be interchanged with a particular order or sequence, as permitted, to enable embodiments of the application described herein to be practiced otherwise than as illustrated or described herein.

It should be noted that the term "comprising" will be used in the embodiments of the present application to indicate the presence of the features stated hereinafter, but not to exclude the addition of other features.

Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein is for the purpose of describing embodiments of the present application and is not intended to be limiting of the present application.

Referring to fig. 1, fig. 1 is a flowchart of a method of rights processing method provided in an embodiment of the present application, and will be described with reference to steps S101 to S102 shown in fig. 1.

Step S101, determining at least one target authority based on service requirements, and determining at least one authorized entity based on the service requirements, wherein the target authority characterizes the authority which can be granted, and the authorized entity characterizes the entity which can be granted the authority;

step S102, responding to the authorization request, obtaining the rights to be authorized in the at least one target right, obtaining the bodies to be authorized in the at least one authorized body, and associating the rights to be authorized with the bodies to be authorized through the rights accepting middleware so as to complete the authorization.

The authority processing method realizes finer authority control by defining various deletable authorities and various delegated principals. Meanwhile, by introducing the concept of the grantor, the authority management can be divided into a plurality of layers, so that hierarchical management and control of the authority are realized, and the authorization process is simplified; in addition, security issues of rights management are also considered. By realizing a dynamic authority adjustment and revocation mechanism, abuse and misuse of authorities can be avoided, and the security of the system is improved. Meanwhile, traceability of authority management can be realized through audit and monitoring functions, and the reliability of the system is enhanced; finally, the system has good expandability and maintainability. Through the modularized design mode, the functions and the performances of the system can be conveniently expanded, and the ever-increasing business requirements are met. Meanwhile, through a unified authority management platform, the maintenance cost can be reduced, and the maintainability of the system is improved; in addition, the application also meets the permission requirements under different scenes through forward authorization and reverse authorization. The forward authorization allows an administrator to authorize the main body according to the existing rights, and the method is simple and direct and can quickly meet the basic rights requirements of the main body. The reverse authorization allows the rights to be customized for the specific requirements of the subject, so that the method is more personalized and can accurately meet the specific rights requirements of the subject. The two modes are combined, so that the authority management is more flexible and changeable, more complex practical application scenes are adapted, finally, the requirements of authority adjustment can be responded and processed in real time through a dynamic authorization mode, and the timeliness and the adaptability of the system are improved. Dynamic authorization allows the system to automatically adjust permissions according to real-time events or conditions, and the adjustment can be temporary or permanent and flexible according to actual requirements.

The following describes the above exemplary steps of the embodiments of the present application, respectively.

In step S101, at least one target right is determined based on the traffic demand, and at least one authorized principal is determined based on the traffic demand, wherein the target right characterizes the rights that can be granted and the authorized principal characterizes the principal that can be granted rights.

First, the business requirements are a key factor in determining the target rights and authorizing principals. The source of business requirements may be business requirements documents, user feedback, market requirements, etc. After specifying the business requirements, the business requirements need to be analyzed to determine which rights need to be granted, and which principals need these rights.

For example, the business requirement may be that an order management function needs to be implemented, then the target authority may be order viewing, order editing, order deletion, etc., and the authorized entity may be an employee or administrator having order management responsibilities.

In step S102, in response to the authorization request, the rights to be authorized in the at least one target right are acquired, and the subjects to be authorized in the at least one authorized subject are acquired, and the rights to be authorized and the subjects to be authorized are associated through the rights accepting middleware, so as to complete the authorization.

When an authorization request is received, the system needs to respond to the request and acquire the relevant rights to be authorized and the subject to be authorized. The authorization request may come from a user interface, an API call, etc.

For example, a user may select a role on the interface and grant order viewing rights thereto. After the system receives the request, the system acquires the order to check the right to be authorized, and the selected role is taken as the main body to be authorized.

And then, associating the rights to be authorized with the main body to be authorized through the rights accepting middleware. This middleware may be a service, a module or a piece of code that functions to implement the association of rights and principals. The particular implementation may be determined by the architecture and technology choice of the system.

For example, the association of roles and rights may be achieved by creating an association table in the database, storing the role ID and rights ID in the table. Thus, when it is necessary to check whether a certain character has a certain right, only the association table needs to be queried.

Through the steps, the authority granting process based on the service requirement and the authorization request can be completed, and finer and flexible authority management is realized.

In some embodiments, the authorization request includes a forward authorization request and a reverse authorization request, the forward authorization request is characterized by a process that the to-be-authorized entity grants the to-be-authorized right, the reverse authorization request is characterized by a process that the to-be-authorized right is granted to the to-be-authorized entity, the forward authorization request and the reverse authorization request respectively correspond to an authorization identifier, and the authorization identifier corresponding to the forward authorization request and the authorization identifier corresponding to the reverse authorization request are different.

The processing of the forward authorization request and the reverse authorization request in the authorization process is slightly different. A positive authorization request generally refers to a process of granting rights to a principal, and may be understood as "assigning" rights to a principal. In a specific implementation, the system may determine the request type according to the parameter or the identifier in the request, then obtain the rights to be authorized and the body to be authorized according to the request content, and complete the grant operation of the rights through the rights accepting middleware.

The reverse authorization request then generally represents the process of granting the principal with rights, which can be understood as "granting" the principal with rights. In a specific implementation, the system can judge the request type according to the parameters or the identifiers in the request, then acquire the rights to be authorized and the main body to be authorized, and complete the authorization operation of the main body through the rights accepting middleware.

It should be noted that the distinction between the forward authorization request and the reverse authorization request is not absolute, and the specific implementation will be determined according to the requirements and design of the system. For example, some systems may combine these two requests into one request, with the processing logic being differentiated by different parameters or identifications. In addition, the use of authorization identification may more clearly describe and understand the authorization process. By allocating different authorization identifiers for different authorization request types, the type and the object of the authorization operation can be more intuitively known, and the authority management and the audit are convenient.

The distinction between the forward authorization request and the reverse authorization request and the use of the authorization identifier can provide a finer and flexible control mode for the authority management, and improve the safety and maintainability of the system.

In some embodiments, the method further comprises:

and realizing the forward authorization request or the reverse authorization request through the association operation of the authorization identifier and the authority carrying middleware, wherein the authorization identifier corresponding to each association operation is unique, and the authorization identifier for realizing the forward authorization request is different from the authorization identifier for realizing the reverse authorization request.

Here, each association operation has a unique authorization identifier corresponding to it, and the authorization identifier for implementing the forward authorization request is different from the authorization identifier for implementing the reverse authorization request.

Specifically, the forward authorization request generally refers to authorizing the principal according to the existing rights, and the grant can be used as the authorization identifier, while the reverse authorization request is to assign corresponding rights to the principal according to the requirement of the principal, and the grant-to can be used as the authorization identifier. By using the authorization identifier, the two different authorization requests can be clearly distinguished, so that the system is ensured not to be confused or mistaken when processing the authorization requests.

The design can further improve the flexibility and accuracy of the system, so that the authority management is more refined. Meanwhile, by distributing unique authorization identification for each authorization request, the security of the system is enhanced, and potential permission leakage or abuse risk is prevented.

By adopting the mode, the forward and reverse authorization requests are realized through the association operation of the authorization identifier and the authority bearing middleware, and the unique authorization identifier is allocated for each request, so that the authority management of the system is more perfect, and the safety and the flexibility of the system are improved.

In some embodiments, referring to fig. 2, fig. 2 is a schematic flow chart of steps S201 to S203 provided in the embodiment of the present application, the number of rights accepting middleware is plural, and the rights to be authorized and the subject to be authorized are associated by the rights accepting middleware, which can be implemented through steps S201 to S203, and will be described in connection with each step.

In step S201, a permission level corresponding to the requester of the authorization request is determined.

Here, it is very critical to determine the permission level to which the requesting party of the authorization request corresponds. This needs to be set according to specific business needs and system designs. For example, different user roles may correspond to different levels of authority, with a system administrator having the highest level of authority and a normal user having a lower level of authority.

In step S202, a target rights-accepting middleware that matches or is lower than the rights level is determined from a plurality of rights-accepting middleware based on the rights level.

Here, based on the authority level of the requester, a target authority-accepting middleware that matches or is lower than the authority level is determined from among the plurality of authority-accepting middleware. This step needs to be implemented according to predefined rules or mapping tables. For example, a list of middleware may be defined, each corresponding to a range of authority levels, and then the corresponding middleware may be selected according to the authority level of the requestor.

In step S203, the rights to be authorized and the subject to be authorized are associated by the target rights accepting middleware.

Here, the rights to be authorized and the body to be authorized are associated by the target rights accepting middleware. The specific implementation of this step will be determined by the design and function of the middleware. For example, the target rights accepting middleware may provide an association interface that may be completed by invoking the interface and entering rights to be authorized and principals to be authorized as parameters.

It should be noted that the use of multiple rights-accepting middleware may provide a more flexible and extensible manner of rights management. Different middleware can realize different functions or strategies, and proper middleware is selected according to specific service requirements, so that the requirements of a system can be better met. Meanwhile, the middleware is selected according to the authority level of the requester, so that the security of the system can be further improved. By limiting the low level of rights to requesters using only low level middleware, rights boost or abuse conditions can be avoided.

According to the mode, through the process that the plurality of authority bearing middleware correlates the authority to be authorized and the main body to be authorized, finer and flexible authority management can be achieved, and the safety and maintainability of the system are improved.

In some embodiments, the method further comprises:

recording the associated operation of the authority bearing middleware, and storing the recorded associated operation as an authorization log.

The specific implementation of recording and storing the associated operations of the rights-accepting middleware may be determined according to the needs and design of the system. In general, the related information of the related operation can be recorded and stored to a designated location by adding a logging function to the rights accepting middleware.

Specifically, when the rights to be authorized and the main body to be authorized are associated through the rights accepting middleware, the middleware can automatically trigger a log recording function to record relevant information of the associated operation. Such information may include time of operation, operator, content of operation, etc. for subsequent query and analysis.

In order to ensure the security and traceability of the data, encryption and backup operations can be performed on the authorization log. For example, the log data can be encrypted by using an encryption algorithm, so that the security of the data is ensured; meanwhile, the log data can be backed up to a plurality of storage positions, and data loss or damage is prevented.

By recording and storing the authorization log, the comprehensive monitoring and auditing of the authority management process can be realized, and the safety and maintainability of the system are improved. Meanwhile, the authorization log also provides important data support for subsequent fault detection, data analysis and the like. For example, the authority management condition of the system can be known by analyzing the authorization log, potential security risks or problems are found, and corresponding measures are timely taken for processing.

The method is very necessary to record and store the associated operation of the authority bearing middleware, can improve the safety and maintainability of the system, and provides important data support for subsequent management and analysis.

In some embodiments, referring to fig. 3, fig. 3 is a schematic flow chart of steps S301 to S303 provided in the embodiments of the present application, and the method further includes steps S301 to S303, which will be described in connection with the steps.

In step S301, in response to a dynamic authorization request, at least one dynamic event included in the dynamic authorization request is determined.

Here, the dynamic authorization request may come from different sources, such as a user operation, a system event, etc., and the request includes event information that needs to be dynamically authorized. The system needs to be able to respond to these requests in time and extract the dynamic event information therein for subsequent processing.

In step S302, an authorization event is created for the rights uptake middleware based on the at least one dynamic event, wherein the authorization event matches the dynamic event.

Here, the authorization event is matched with the dynamic event, and is used for triggering the middleware to perform corresponding permission adjustment. The specific manner of creating the authorization event may be determined according to the design and function of the middleware, and may be implemented by defining an event type, setting an event parameter, and the like. Meanwhile, the matching and accuracy of the authorized event and the dynamic event need to be ensured, so that the middleware can correctly respond and carry out authority adjustment.

In step S303, the rights accepting middleware is adjusted based on the authorization event to implement dynamic authorization.

Here, through adjusting the middleware, dynamic management and control of the authorities can be realized, and the authority requirements under different scenes are met. The specific adjustment mode can be determined according to the design and the function of the middleware, and can be realized by calling the interface of the middleware, executing related functions or modifying the configuration of the middleware, and the like. In the adjustment process, the stability and the safety of the middleware need to be ensured, and the system problem or the safety risk caused by the permission adjustment is avoided.

By adopting the mode, a finer and flexible dynamic authorization process can be realized, so that the authority management of the system is more efficient and reliable. Meanwhile, the adaptability and the expandability of the system can be improved by dynamic authorization, and the permission requirements under different scenes can be better met.

In some embodiments, the rights accepting middleware corresponds to a graphical user interface that includes a first area for placing the rights to be authorized and a second area for placing the subject to be authorized.

The rights accepting middleware may correspond to a Graphical User Interface (GUI) for a user to more intuitively perform rights management operations. The graphical user interface may comprise a first area and a second area for placing rights to be authorized and principals to be authorized, respectively.

Specifically, the first area may display a list of currently available permissions or permission icons, to which the user may place the desired permissions by way of selection or dragging, etc. The second area may then display a list of currently available subjects or subject icons, to which the user may likewise place subjects to be authorized by means of selection or dragging, etc.

Through the design of the graphical user interface, a user can intuitively select and associate rights and a main body, and user experience and operation convenience are improved. Meanwhile, the graphic user interface can be customized according to different business requirements and designs so as to meet the rights management requirements in different scenes.

It should be noted that the specific implementation of the graphical user interface may be determined according to the design and development language of the system, and may be implemented using a common front-end framework or GUI library. Meanwhile, in order to ensure the safety and stability of the interface, corresponding safety measures and performance optimization are required to be carried out on the interface.

In some embodiments, the method further comprises:

recording the associated operation of the authority bearing middleware, and creating a rollback node for each record;

and in response to the rollback operation, determining a target rollback node from the rollback nodes, and rollback the associated operation according to the target rollback node.

Recording the associated operation of the authority bearing middleware and creating a rollback node, wherein a complete operation log can be formed in the system, and the log contains all associated operation information and the corresponding rollback node. Through the operation log, traceability and audit functions of system operation can be realized, and the safety and maintainability of the system are improved.

Specifically, when the association operation is performed, the system automatically records the relevant information of the operation, such as operation time, operator, operation content, etc., and creates a corresponding rollback node. The rollback node contains all information required for rollback, such as a pre-operation state, operation data, etc., so that the pre-operation state can be accurately restored.

When the rollback operation is needed, the system searches a target rollback node from the operation log according to the request of the user, and then rolls back the related operation according to the target rollback node. This process may be done automatically or manually by the user, and the specific implementation may be determined by the design and needs of the system.

By creating the rollback node, the system can be ensured to be recovered to a normal state in time when a problem or misoperation occurs, and risks such as data loss and system breakdown are avoided. Meanwhile, the use of the rollback node can also improve the maintainability and reliability of the system, and provides important support for subsequent fault investigation and data recovery.

It should be noted that, in order to ensure the security and integrity of the operation log, encryption and backup operations need to be performed on the operation log, so as to ensure the security and traceability of the data.

By the mode, the safety and maintainability of the system can be improved, and the system can be ensured to recover and normally operate in time when a problem occurs.

In summary, the embodiment of the application has the following beneficial effects:

Based on the same inventive concept, the embodiment of the present application further provides a rights processing device corresponding to the rights processing method in the first embodiment, and since the principle of solving the problem of the device in the embodiment of the present application is similar to that of the rights processing method described above, the implementation of the device may refer to the implementation of the method, and the repetition is omitted.

As shown in fig. 4, fig. 4 is a schematic structural diagram of an authority processing apparatus 400 provided in an embodiment of the present application. The rights processing apparatus 400 includes:

a determining module 401 for determining at least one target authority based on a service requirement, and at least one authorized entity based on the service requirement, wherein the target authority characterizes an authority that can be granted, and the authorized entity characterizes an entity that can be granted the authority;

the association module 402 is configured to obtain a right to be authorized in the at least one target right, and obtain a body to be authorized in the at least one authorized body, and associate the right to be authorized and the body to be authorized through a right receiving middleware, so as to complete authorization.

Those skilled in the art will appreciate that the implementation functions of the units in the rights processing device 400 shown in fig. 4 can be understood with reference to the foregoing description of the rights processing method. The functions of the units in the rights processing apparatus 400 shown in fig. 4 may be implemented by a program running on a processor or by a specific logic circuit.

In one possible implementation manner, the authorization request includes a forward authorization request and a reverse authorization request, the forward authorization request is characterized by a process that the to-be-authorized entity grants the to-be-authorized right, the reverse authorization request is characterized by a process that the to-be-authorized right is granted to the to-be-authorized entity, the forward authorization request and the reverse authorization request respectively correspond to an authorization identifier, and the authorization identifier corresponding to the forward authorization request and the authorization identifier corresponding to the reverse authorization request are different.

In a possible implementation manner, the rights accepting middleware is multiple, and the associating module 402 associates the rights to be authorized and the subjects to be authorized through the rights accepting middleware, including:

determining a permission level corresponding to a requester of the authorization request;

determining a target authority bearing middleware which is matched with or lower than the authority level from a plurality of authority bearing middleware based on the authority level;

and associating the rights to be authorized with the main body to be authorized through the target rights accepting middleware.

In one possible implementation, the association module 402 further includes:

in response to a dynamic authorization request, determining at least one dynamic event included in the dynamic authorization request;

creating an authorization event for the rights accepting middleware based on the at least one dynamic event, wherein the authorization event matches the dynamic event;

and adjusting the authority bearing middleware based on the authorization event so as to realize dynamic authorization.

In one possible implementation, the rights accepting middleware corresponds to a graphical user interface, and the graphical user interface includes a first area and a second area, where the first area is used for placing the rights to be authorized, and the second area is used for placing the subject to be authorized.

In one possible implementation, the association module 402 further includes:

The rights processing apparatus described above achieves finer rights control by defining a plurality of deletable rights and a plurality of delegated subjects. Meanwhile, by introducing the concept of the grantor, the authority management can be divided into a plurality of layers, so that hierarchical management and control of the authority are realized, and the authorization process is simplified; in addition, security issues of rights management are also considered. By realizing a dynamic authority adjustment and revocation mechanism, abuse and misuse of authorities can be avoided, and the security of the system is improved. Meanwhile, traceability of authority management can be realized through audit and monitoring functions, and the reliability of the system is enhanced; finally, the system has good expandability and maintainability. Through the modularized design mode, the functions and the performances of the system can be conveniently expanded, and the ever-increasing business requirements are met. Meanwhile, through a unified authority management platform, the maintenance cost can be reduced, and the maintainability of the system is improved; in addition, the application also meets the permission requirements under different scenes through forward authorization and reverse authorization. The forward authorization allows an administrator to authorize the main body according to the existing rights, and the method is simple and direct and can quickly meet the basic rights requirements of the main body. The reverse authorization allows the rights to be customized for the specific requirements of the subject, so that the method is more personalized and can accurately meet the specific rights requirements of the subject. The two modes are combined, so that the authority management is more flexible and changeable, more complex practical application scenes are adapted, finally, the requirements of authority adjustment can be responded and processed in real time through a dynamic authorization mode, and the timeliness and the adaptability of the system are improved. Dynamic authorization allows the system to automatically adjust permissions according to real-time events or conditions, and the adjustment can be temporary or permanent and flexible according to actual requirements.

As shown in fig. 5, fig. 5 is a schematic diagram of a composition structure of an electronic device 500 according to an embodiment of the present application, where the electronic device 500 includes:

the system comprises a processor 501, a storage medium 502 and a bus 503, wherein the storage medium 502 stores machine-readable instructions executable by the processor 501, and when the electronic device 500 is running, the processor 501 communicates with the storage medium 502 through the bus 503, and the processor 501 executes the machine-readable instructions to execute the steps of the rights processing method described in the embodiments of the present application.

In practice, the various components of the electronic device 500 are coupled together via a bus 503. It is understood that the bus 503 is used to enable connected communication between these components. The bus 503 includes a power bus, a control bus, and a status signal bus in addition to a data bus. But for clarity of illustration the various buses are labeled as bus 503 in fig. 5.

The electronic device realizes finer authority control by defining various deletable authorities and various delegated principals. Meanwhile, by introducing the concept of the grantor, the authority management can be divided into a plurality of layers, so that hierarchical management and control of the authority are realized, and the authorization process is simplified; in addition, security issues of rights management are also considered. By realizing a dynamic authority adjustment and revocation mechanism, abuse and misuse of authorities can be avoided, and the security of the system is improved. Meanwhile, traceability of authority management can be realized through audit and monitoring functions, and the reliability of the system is enhanced; finally, the system has good expandability and maintainability. Through the modularized design mode, the functions and the performances of the system can be conveniently expanded, and the ever-increasing business requirements are met. Meanwhile, through a unified authority management platform, the maintenance cost can be reduced, and the maintainability of the system is improved; in addition, the application also meets the permission requirements under different scenes through forward authorization and reverse authorization. The forward authorization allows an administrator to authorize the main body according to the existing rights, and the method is simple and direct and can quickly meet the basic rights requirements of the main body. The reverse authorization allows the rights to be customized for the specific requirements of the subject, so that the method is more personalized and can accurately meet the specific rights requirements of the subject. The two modes are combined, so that the authority management is more flexible and changeable, more complex practical application scenes are adapted, finally, the requirements of authority adjustment can be responded and processed in real time through a dynamic authorization mode, and the timeliness and the adaptability of the system are improved. Dynamic authorization allows the system to automatically adjust permissions according to real-time events or conditions, and the adjustment can be temporary or permanent and flexible according to actual requirements.

The present embodiment also provides a computer readable storage medium, where executable instructions are stored, and when the executable instructions are executed by at least one processor 501, the rights processing method described in the embodiments of the present application is implemented.

In some embodiments, the storage medium may be a magnetic random Access Memory (FRAM, ferromagneticRandom Access Memory), read Only Memory (ROM), programmable Read Only Memory (PROM, programmable Read Only Memory), erasable programmable Read Only Memory (EPROM, erasableProgrammable Read Only Memory), electrically erasable programmable Read Only Memory (EEPROM, electricallyErasable Programmable Read Only Memory), flash Memory (Flash Memory), magnetic surface Memory, optical disk, or compact disk Read Only Memory (CD ROM, compact Disc Read Only Memory), among others; but may be a variety of devices including one or any combination of the above memories.

In some embodiments, the executable instructions may be in the form of programs, software modules, scripts, or code, written in any form of programming language (including compiled or interpreted languages, or declarative or procedural languages), and they may be deployed in any form, including as stand-alone programs or as modules, components, subroutines, or other units suitable for use in a computing environment.

As an example, the executable instructions may, but need not, correspond to files in a file system, may be stored as part of a file that holds other programs or data, for example, in one or more scripts in a hypertext markup Language (HTML, hyperTextMarkup Language) document, in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more modules, sub-programs, or portions of code).

As an example, executable instructions may be deployed to be executed on one computing device or on multiple computing devices located at one site or, alternatively, distributed across multiple sites and interconnected by a communication network.

The above-described computer-readable storage medium enables finer rights control by defining a plurality of deletable rights and a plurality of delegates that can be authorized. Meanwhile, by introducing the concept of the grantor, the authority management can be divided into a plurality of layers, so that hierarchical management and control of the authority are realized, and the authorization process is simplified; in addition, security issues of rights management are also considered. By realizing a dynamic authority adjustment and revocation mechanism, abuse and misuse of authorities can be avoided, and the security of the system is improved. Meanwhile, traceability of authority management can be realized through audit and monitoring functions, and the reliability of the system is enhanced; finally, the system has good expandability and maintainability. Through the modularized design mode, the functions and the performances of the system can be conveniently expanded, and the ever-increasing business requirements are met. Meanwhile, through a unified authority management platform, the maintenance cost can be reduced, and the maintainability of the system is improved; in addition, the application also meets the permission requirements under different scenes through forward authorization and reverse authorization. The forward authorization allows an administrator to authorize the main body according to the existing rights, and the method is simple and direct and can quickly meet the basic rights requirements of the main body. The reverse authorization allows the rights to be customized for the specific requirements of the subject, so that the method is more personalized and can accurately meet the specific rights requirements of the subject. The two modes are combined, so that the authority management is more flexible and changeable, more complex practical application scenes are adapted, finally, the requirements of authority adjustment can be responded and processed in real time through a dynamic authorization mode, and the timeliness and the adaptability of the system are improved. Dynamic authorization allows the system to automatically adjust permissions according to real-time events or conditions, and the adjustment can be temporary or permanent and flexible according to actual requirements.

In several embodiments provided in the present application, it should be understood that the disclosed method and electronic device may be implemented in other manners. The above described device embodiments are only illustrative, e.g. the division of the units is only one logical function division, and there may be other divisions in practice, such as: multiple units or components may be combined or may be integrated into another system, or some features may be omitted, or not performed. In addition, the various components shown or discussed may be coupled or directly coupled or communicatively coupled to each other via some interface, whether indirectly coupled or communicatively coupled to devices or units, whether electrically, mechanically, or otherwise.

The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical units, may be located in one place, or may be distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.

The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a non-volatile computer readable storage medium executable by a processor. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a platform server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.

The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes or substitutions are covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims

1. A rights handling method, the method comprising:

2. The method of claim 1, wherein the authorization request includes a forward authorization request and a reverse authorization request, the forward authorization request is characterized by a process that the to-be-authorized subject grants the to-be-authorized rights, the reverse authorization request is characterized by a process that the to-be-authorized rights are granted to the to-be-authorized subject, the forward authorization request and the reverse authorization request respectively correspond to an authorization identifier, and the authorization identifier corresponding to the forward authorization request and the authorization identifier corresponding to the reverse authorization request are different.

3. The method according to claim 1, wherein the rights accepting middleware is plural, and the associating the rights to be authorized and the subjects to be authorized by the rights accepting middleware includes:

4. The method according to claim 2, wherein the method further comprises:

5. The method according to claim 1, wherein the method further comprises:

6. The method of claim 1, wherein the rights accepting middleware corresponds to a graphical user interface comprising a first area for placing the rights to be authorized and a second area for placing the subject to be authorized.

7. The method according to claim 1, wherein the method further comprises:

8. A rights handling apparatus, the apparatus comprising:

9. An electronic device, comprising: a processor, a storage medium and a bus, the storage medium storing machine-readable instructions executable by the processor, the processor and the storage medium communicating over the bus when the electronic device is running, the processor executing the machine-readable instructions to perform the rights handling method of any one of claims 1 to 7.

10. A computer-readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, performs the rights handling method according to any of claims 1 to 7.