CN118070318A - User authority dynamic allocation method, device and storage medium - Google Patents
User authority dynamic allocation method, device and storage medium Download PDFInfo
- Publication number
- CN118070318A CN118070318A CN202410501305.4A CN202410501305A CN118070318A CN 118070318 A CN118070318 A CN 118070318A CN 202410501305 A CN202410501305 A CN 202410501305A CN 118070318 A CN118070318 A CN 118070318A
- Authority
- CN
- China
- Prior art keywords
- user
- vector
- authority
- task
- rights
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000000034 method Methods 0.000 title claims abstract description 39
- 239000013598 vector Substances 0.000 claims abstract description 266
- 238000013507 mapping Methods 0.000 claims abstract description 31
- 230000004927 fusion Effects 0.000 claims abstract description 25
- 239000011159 matrix material Substances 0.000 claims description 21
- 230000006870 function Effects 0.000 claims description 11
- 238000005457 optimization Methods 0.000 claims description 8
- 238000009825 accumulation Methods 0.000 abstract description 5
- 238000013475 authorization Methods 0.000 abstract description 5
- 238000005516 engineering process Methods 0.000 description 6
- 238000006243 chemical reaction Methods 0.000 description 5
- 230000008569 process Effects 0.000 description 4
- 238000004364 calculation method Methods 0.000 description 3
- 230000003287 optical effect Effects 0.000 description 3
- 230000006399 behavior Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 239000013307 optical fiber Substances 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 230000000644 propagated effect Effects 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000000605 extraction Methods 0.000 description 1
- 239000012633 leachable Substances 0.000 description 1
- 230000035515 penetration Effects 0.000 description 1
- 230000008707 rearrangement Effects 0.000 description 1
- 230000009467 reduction Effects 0.000 description 1
- 230000002441 reversible effect Effects 0.000 description 1
- 239000004065 semiconductor Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 201000009032 substance abuse Diseases 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/31—User authentication
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Automation & Control Theory (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method, a device and a storage medium for dynamically distributing user rights, wherein the method comprises the following steps: fusing the identity information vector and the authority vector by utilizing a fusion model to generate a current state vector of the user; mapping the user task to form a user task vector; calculating a user authority vector according to the user current state vector and the user task vector so as to maximize mutual information between the user task vector and the user authority vector and minimize mutual information between the user authority vector and the user state vector; and obtaining a current task authority list according to the user authority vector, and adjusting the user authority according to the current task authority list. The system user can be ensured to be always in the minimum authorized state to operate, and the security event caused by excessive user authorization or user authority accumulation is effectively prevented.
Description
Technical Field
The present invention relates to the field of system security technologies, and in particular, to a method and apparatus for dynamically distributing user rights, and a storage medium.
Background
In recent years, with the development and application of a series of new technologies such as network communication technology, mobile computing technology, and edge computing technology, enterprises are facing a comprehensive and deep digital transformation. With the continued penetration of mobile computing technology applications, users can access systems anywhere and anytime. This model provides enterprise information security with new challenges while providing efficiency and cost reduction for enterprises and users.
User rights management is an important aspect in modern information systems, aimed at ensuring security of the system and confidentiality of data. The system is not only helpful to ensure the safety and compliance of the system, but also can improve the control and management capability of the organization on the data. Through reasonable authority allocation and strict authority management strategies, the organization can reduce security risks to the greatest extent, protect sensitive information and maintain the integrity and availability of data. It involves granting the appropriate rights to users in the system so that they can only access the resources and functions they need. The core goal of user rights management is to implement a minimum rights principle, i.e., to assign each user the lowest necessary rights to reduce potential security risks. This typically involves defining roles and permissions for the roles, and then assigning users to different roles. The traditional rights management mode is mostly implemented in static management and is mostly based on a packet mode. I.e. a group of users has the same rights and the granularity of management is relatively coarse.
In the current highly interconnected and dynamically accessed environment, user rights management faces new challenges. One of these is the problem of excessive authorization, i.e. some users may be granted more rights than they actually need, thus increasing the security risk of the system. Another problem is rights vulnerability, i.e. some users may acquire rights that they should not have in an improper way, resulting in data leakage and risk of abuse.
Disclosure of Invention
The embodiment of the invention provides a method, a device and a storage medium for dynamically distributing user rights, which are used for solving the technical problem that the system security risk generated by the fact that the system rights cannot be flexibly and dynamically set in the prior art.
In a first aspect, an embodiment of the present invention provides a method for dynamically allocating user rights, including:
Fusing the identity information vector and the authority vector by utilizing a fusion model to generate a current state vector of the user;
mapping the user task to form a user task vector;
Calculating a user authority vector according to the user current state vector and the user task vector so as to maximize mutual information between the user task vector and the user authority vector and minimize mutual information between the user authority vector and the user state vector;
And obtaining a current task authority list according to the user authority vector, and adjusting the user authority according to the current task authority list.
In a second aspect, an embodiment of the present invention further provides a device for dynamically allocating user rights, including:
the fusion module is used for fusing the identity information vector and the authority vector by utilizing the fusion model to generate a current state vector of the user;
the mapping module is used for mapping the user tasks to form user task vectors;
the computing module is used for computing a user authority vector according to the user current state vector and the user task vector so as to ensure that the mutual information between the user task vector and the user authority vector is maximum and the mutual information between the user authority vector and the user state vector is minimum;
And the adjusting module is used for obtaining a current task authority list according to the user authority vector and adjusting the user authority according to the current task authority list.
In a third aspect, embodiments of the present invention also provide a storage medium containing computer-executable instructions which, when executed by a computer processor, are adapted to carry out a user rights dynamic allocation method as provided by the above embodiments.
The user authority dynamic allocation method, the device and the storage medium provided by the embodiment of the invention are used for generating the current state vector of the user by fusing the identity information vector and the authority vector by utilizing the fusion model; mapping the user task to form a user task vector; calculating a user authority vector according to the user current state vector and the user task vector so as to maximize mutual information between the user task vector and the user authority vector and minimize mutual information between the user authority vector and the user state vector; and obtaining a current task authority list according to the user authority vector, and adjusting the user authority according to the current task authority list. And converting the identity information and the existing historical rights into a hidden space multidimensional vector through a vector conversion model. And the converted space vectors can be fused, conditional mutual information operation is carried out on the space vectors and the current task vectors, the most suitable user permission vector can be obtained according to the mutual information operation, and the current permission of the user can be dynamically adjusted according to the user permission vector. The mutual information between the user task list and the user dynamic authority allocation table is maximized to ensure that the user can be smoothly executed, and the mutual information between the dynamic authority allocation table and the user state is minimized, so that the system user is ensured to be always in the minimum authority state to operate, and the safety event caused by excessive authority or authority accumulation of the user is effectively prevented.
Drawings
Other features, objects and advantages of the present invention will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the accompanying drawings in which:
FIG. 1 is a flow chart of a method for dynamically assigning user rights according to an embodiment of the present invention;
Fig. 2 is a flow chart of a method for dynamically allocating user rights according to a second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a dynamic user rights allocation apparatus according to a third embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
Example 1
Fig. 1 is a flowchart of a method for dynamically allocating user rights according to an embodiment of the present invention, where the embodiment is applicable to a situation where user rights are allocated reasonably and dynamically according to task information and user information, the method may be executed by a device for dynamically allocating user rights, and specifically includes the following steps:
and 110, fusing the identity information vector and the authority vector by using a fusion model to generate a current state vector of the user.
In order to not influence user experience, and give more accurate authority management and dynamic analysis for different users, the invention adopts a mode based on historical task and behavior characteristics of the users to realize authority distribution. The system collects the user task types and authority application conditions to form user historical behavior data. On the basis, the maximum authority requirement is counted by combining user identity information, user grouping and the like.
In this embodiment, the identity information vector is generated by using the identity information of the user. Illustratively, prior to the above steps, the method may further comprise the steps of: and acquiring the user ID, the identity information and the identity grouping information of the user, and converting the user ID, the identity information and the identity grouping information into an identity information vector.
For example, the user ID, identity information, and identity grouping information of the user may be obtained when the user logs in. Converting user ID, identity information and identity grouping information into structured data using a user identity list, and grouping information for user identity information (ID, grouping informationIdentity information/>) Performing embedded coding and then utilizing a mapping function/>These codes are mapped to identity information vectors in a low-dimensional space.
,/>Is a user identity vector.
Correspondingly, the authority information corresponding to the identity packet of the user and the authority of the previous login can be obtained, and the authority information corresponding to the identity packet and the authority of the previous login are converted into an authority vector.
If the user is a new user and logs in the system for the first time, the information such as the historical authority, the previous login and the like is missing. Based on this, the history authority is set as the normal user basic authority (minimum authority), and the previous login time is set as NULL. In addition, when the time interval between the previous login and the current login of the user exceeds the preset threshold value of the systemWhen the user is authorized to use the user identity, the historical authority is reset to the minimum authority of the common user, so that the system security event caused by the stealing of the user identity is prevented.
And generating a user authority list based on authority information corresponding to the user identity packet and the authority of the previous login, performing confusion mapping on the user authority list, and encoding different acquired authorities of the user as authority vectors.
,/>Representing user grouping information,/>Is the current authority list of the user,/>But is the time interval between the user and the last login time.
And fusing the identity information vector and the authority vector by using the existing fusion model, such as weighting fusion, feature fusion, or splicing.
Step 120, mapping the user task to form a user task vector.
Illustratively, the mapping the user task to form a user task vector may include: generating a user task list according to the user task, and generating a user task digital coding vector by utilizing the user task list; and embedding the user task digital vector codes into vectors mapped into the hidden space by using a vector coder and a multi-layer perceptron to form user task vectors.
The user authority dynamic allocation method provided by the embodiment aims to ensure that the user has the authority to only ensure that the user can successfully complete the task without redundant authority, thereby effectively preventing the system security problem caused by excessive authority allocation or authority accumulation. Therefore, mapping is needed to be performed on the user task, and a specific mapping process for forming the user task vector is defined as follows:
Wherein/> For the mapped user current task vector,/>On behalf of the user the current task list,Mapping functions for a user task list.
And 130, calculating a user authority vector according to the user current state vector and the user task vector so as to maximize mutual information between the user task vector and the user authority vector and minimize mutual information between the user authority vector and the user state vector.
In the present embodiment, maximizing user task vectors is utilizedMutual information between the user permission vector Z and the user permission vector Z so as to ensure that tasks of the user can be normally executed. At the same time, mutual information between the user permission vector Z and the user state vector s is minimized to remove currently unnecessary permissions, so that the user permissions are always in a minimum state. Based on this, it is necessary to construct a dynamic allocation table/>And performing embedded mapping on the allocation table so as to minimize mutual information between the allocation table and the original authority list of the user and maximize mutual information between the allocation table and the user task. Therefore, the user can be ensured to have no extra unnecessary authority on the premise of normally completing the task. The user is always in the minimum authority state, and the system can instantly recover the redundant authority. The mapping process is as follows:
wherein/> Dynamic allocation table for user rights (/ >)Initialized to user rights list/>) Z is the mapped dynamic rights vector, and/>To embed functions, one-Hot vector (One-Hot) encoder and multi-layer perceptron (MLP) implementations may be based, responsible for embedding discrete list data into vectors mapped to One hidden space.
The calculating of the user authority vector according to the user current state vector and the user task vector is realized by the following modes:
wherein/> Representing mutual information arithmetic functions, beta being Lagrangian multiplier, V t being user task vector, Z being user rights vector, s being user state vector,/>Is the user permission vector that satisfies the minimum permission state.
When the process is stable, the user authority vector which currently meets the minimum authority state can be obtained when the mutual information is maximized and the mutual information is minimized, and the dynamic control of the user authority is realized. By using the mode, the user permission vector meeting the minimum permission state can be obtained.
When the process is stable, both mutual informationMaximized and mutual information/>When minimized, the user authority vector/>, which currently satisfies the minimum authority state, can be obtainedDynamic control of user authority is realized. By adopting the mode, the user authority vector/>, which meets the minimum authority state, can be obtained。
And 140, obtaining a current task authority list according to the user authority vector, and adjusting the user authority according to the current task authority list.
When the user authority vector meeting the minimum authority state is calculated, the user authority vector can be converted into the authority list of the current user. The user rights can be updated according to the rights allocation situation in the list, new rights are allocated, and unused rights are recovered. Then, the user history authority list is updated. The rights management of this round is ended.
Illustratively, the obtaining the current task permission list according to the user permission vector, and adjusting the user permission according to the current task permission list may include: restoring the user authority vector into a current task authority list by utilizing a reflection function; converting the digital codes in the current task authority list into corresponding authorities; and updating the user rights according to the corresponding rights, distributing new rights and recovering unused rights. The current user's rights list may be calculated by using a reversible way of embedding a function:
。
Dynamic allocation and management of user rights are effectively handled in a rights mapping manner. Which can model all possible system user rights in a modern general purpose operating system as a mapping table. Specifically, the table is indexed by rows, each row corresponding to a particular system user right. In addition, to ensure versatility and availability, the index values of different system user permissions are fixed, i.e. different permissions are mapped to fixed positions in the table, and the authorization condition of the current user on the permissions can be obtained only by searching the fixed positions.
After the index is completed, the allocation situation of the user permission is filled in the corresponding row. Illustratively, the allocation of the corresponding rights may be marked with a number from 0 to 9. Wherein 0 is used to mark that the current user does not obtain the authorization, and can also be used to mark that the current system does not have the authorization. Through the mapping mode, different system user authorities can be expressed in a vector form, and subsequent feature extraction and dynamic allocation are facilitated. In addition, the mapping mode also improves the universality and usability of the mapping mode, and can be widely applied to different operating systems. The user authority allocation method provided by the embodiment can be suitable for various platforms, particularly suitable for various Linux platforms, particularly various domestic OSs, and the domestic OSs can operate the method in a TrustZone, so that the high operation safety can be ensured.
In the embodiment, the identity information vector and the authority vector are fused by utilizing the fusion model to generate the current state vector of the user; mapping the user task to form a user task vector; calculating a user authority vector according to the user current state vector and the user task vector so as to maximize mutual information between the user task vector and the user authority vector and minimize mutual information between the user authority vector and the user state vector; and obtaining a current task authority list according to the user authority vector, and adjusting the user authority according to the current task authority list. And converting the identity information and the existing historical rights into a hidden space multidimensional vector through a vector conversion model. And the converted space vectors can be fused, conditional mutual information operation is carried out on the space vectors and the current task vectors, the most suitable user permission vector can be obtained according to the mutual information operation, and the current permission of the user can be dynamically adjusted according to the user permission vector. The mutual information between the user task list and the user dynamic authority allocation table is maximized to ensure that the user can be smoothly executed, and the mutual information between the dynamic authority allocation table and the user state is minimized, so that the system user is ensured to be always in the minimum authority state to operate, and the safety event caused by excessive authority or authority accumulation of the user is effectively prevented.
Example two
Fig. 2 is a flow chart of a dynamic allocation method of user rights provided in a second embodiment of the present invention, where the optimization is performed based on the foregoing embodiment, and the identity information vector and the rights vector are fused by using a fusion model to generate a current state vector of the user, which is specifically optimized as follows: the identity information vector and the authority vector are fused by the following modes: where s is the user's current user state vector,/> And/>The user identity vector and the user authority vector after mapping are respectively obtained by random initialization, wherein M is a weight matrix which can be learned. And the following steps are added: according toIteratively optimizing the learnable weight matrix to obtain the operation result of (a)Maximum value/>。
Referring to fig. 2, the method for dynamically allocating user rights includes:
and 210, carrying out vector fusion on the identity information vector and the authority vector by utilizing the learnable weight matrix to generate a current state vector of the user.
Because the types and the numbers of the vectors in the identity information vector and the authority vector are different, the identity information vector and the authority vector need to be fused by using a matrix, and optionally, the matrix can be used for vector fusion aiming at different vector weights. And realizing fusion by using a random initial weight matrix.
Step 220, mapping the user task to form a user task vector.
And step 230, calculating a user authority vector according to the user current state vector and the user task vector.
And 240, performing iterative optimization on the learnable weight matrix according to the operation result of the user permission vector so as to minimize the operation result.
In this embodiment, the weight matrix M may be a set of randomly initialized parameters, and the calculation formula for calculating the user authority vector is utilizedAnd (5) performing iterative optimization on M. Illustratively, the initial random weight matrix M may be adjusted to generate a second weight matrix, and the user entitlement vector may be recalculated based on the second weight matrix, and the adjustment repeated until utilization/>Maximum value/>And obtaining an optimal weight matrix.
Step 250, calculating the user authority vector by using the iteratively optimized leachable matrix so as to maximize the mutual information between the user task vector and the user authority vector and minimize the mutual information between the user authority vector and the user state vector.
Step 260, obtaining a current task authority list according to the user authority vector, and adjusting the user authority according to the current task authority list.
In this embodiment, the identity information vector and the authority vector are fused by using the fusion model to generate the current state vector of the user, which is specifically optimized as follows: the identity information vector and the authority vector are fused by the following modes: where s is the user's current user state vector,/> And/>The user identity vector and the user authority vector after mapping are respectively obtained by random initialization, wherein M is a weight matrix which can be learned. And the following steps are added: according toAnd (3) carrying out iterative optimization on the learnable weight matrix. By using the method, the effective fusion of the identity information vector and the authority vector is realized by using the weight matrix, and the weight matrix can be subjected to iterative optimization by using the calculation mode of the user authority vector, so that the more accurate user authority vector is obtained.
Example III
Fig. 3 is a schematic structural diagram of a dynamic user right allocation device according to a third embodiment of the present invention, referring to fig. 3, where the dynamic user right allocation device includes:
The fusion module 310 is configured to fuse the identity information vector and the authority vector by using a fusion model, and generate a current state vector of the user;
The mapping module 320 is configured to map the user task to form a user task vector;
a calculating module 330, configured to calculate a user permission vector according to the user current state vector and the user task vector, so that mutual information between the user task vector and the user permission vector is maximum, and mutual information between the user permission vector and the user state vector is minimum;
And the adjustment module 340 is configured to obtain a current task permission list according to the user permission vector, and adjust the user permission according to the current task permission list.
The user authority dynamic allocation device provided by the embodiment fuses the identity information vector and the authority vector by utilizing the fusion model to generate a current state vector of the user; mapping the user task to form a user task vector; calculating a user authority vector according to the user current state vector and the user task vector so as to maximize mutual information between the user task vector and the user authority vector and minimize mutual information between the user authority vector and the user state vector; and obtaining a current task authority list according to the user authority vector, and adjusting the user authority according to the current task authority list. And converting the identity information and the existing historical rights into a hidden space multidimensional vector through a vector conversion model. And the converted space vectors can be fused, conditional mutual information operation is carried out on the space vectors and the current task vectors, the most suitable user permission vector can be obtained according to the mutual information operation, and the current permission of the user can be dynamically adjusted according to the user permission vector. The mutual information between the user task list and the user dynamic authority allocation table is maximized to ensure that the user can be smoothly executed, and the mutual information between the dynamic authority allocation table and the user state is minimized, so that the system user is ensured to be always in the minimum authority state to operate, and the safety event caused by excessive authority or authority accumulation of the user is effectively prevented.
On the basis of the above embodiments, the calculation module is implemented by using the following modes: wherein/> Representing mutual information arithmetic functions, beta being Lagrangian multiplier, V t being user task vector, Z being user rights vector, s being user state vector,/>Is the user permission vector that satisfies the minimum permission state.
On the basis of the above embodiments, the adjusting module includes:
The restoring unit is used for restoring the user authority vector into a current task authority list by utilizing a reflection function;
the conversion unit is used for converting the digital codes in the current task authority list into corresponding authorities;
And the updating unit is used for updating the user rights according to the corresponding rights, distributing new rights and recovering unused rights.
Based on the above embodiments, the fusion module uses the following manner to realize the fusion of the identity information vector and the authority vector:
where s is the user's current user state vector,/> And/>The user identity vector and the user authority vector after mapping are respectively obtained by random initialization, wherein M is a weight matrix which can be learned.
An iterative optimization module for according toAnd (3) carrying out iterative optimization on the learnable weight matrix.
On the basis of the above embodiments, the forming module includes:
The code generating unit is used for generating a user task list according to the user task and generating a user task digital code by utilizing the user task list;
and the forming unit is used for embedding the user task digital codes into the vectors mapped to the hidden space by using the vector encoder and the multi-layer perceptron to form user task vectors.
On the basis of the above embodiments, the device further includes:
The device comprises an acquisition unit, a storage unit and a storage unit, wherein the acquisition unit is used for acquiring user ID, identity information and identity grouping information of a user and converting the user ID, the identity information and the identity grouping information into identity information vectors;
And the permission vector conversion unit is used for acquiring the permission information corresponding to the identity packet of the user and the permission of the previous login, and converting the permission information corresponding to the identity packet and the permission of the previous login into a permission vector.
On the basis of the above embodiments, the device further includes:
And the synchronous updating module is used for synchronously updating the user history authority list.
The user authority dynamic allocation device provided by the embodiment of the invention can execute the user authority dynamic allocation method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example IV
A fourth embodiment of the present invention also provides a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a user rights dynamic allocation method as provided in any of the above embodiments.
The computer storage media of embodiments of the invention may take the form of any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, smalltalk, C ++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or device. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.
Claims (10)
1. A method for dynamically assigning user rights, comprising:
Fusing the identity information vector and the authority vector by utilizing a fusion model to generate a current state vector of the user;
mapping the user task to form a user task vector;
Calculating a user authority vector according to the user current state vector and the user task vector so as to maximize mutual information between the user task vector and the user authority vector and minimize mutual information between the user authority vector and the user state vector;
And obtaining a current task authority list according to the user authority vector, and adjusting the user authority according to the current task authority list.
2. The method of claim 1, wherein the calculating a user permission vector from the user current state vector and a user task vector is performed by:
,
wherein, Representing mutual information arithmetic functions, beta being Lagrangian multiplier, V t being user task vector, Z being user rights vector, s being user state vector,/>Is the user permission vector that satisfies the minimum permission state.
3. The method of claim 1, wherein the obtaining a current task permission list from the user permission vector, and adjusting the user permission from the current task permission list, comprises:
restoring the user authority vector into a current task authority list by utilizing a reflection function;
Converting the digital codes in the current task authority list into corresponding authorities;
And updating the user rights according to the corresponding rights, distributing new rights and recovering unused rights.
4. The method of claim 1, wherein the fusing the identity information vector and the permission vector using the fusion model to generate the user current state vector comprises:
the identity information vector and the authority vector are fused by the following modes:
where s is the user's current user state vector,/> And/>The user identity vector and the user authority vector after mapping are respectively obtained by random initialization, wherein M is a weight matrix which can be learned.
5. The method according to claim 4, wherein the method further comprises:
According to The learnable weight matrix is subjected to iterative optimization according to the operation result of (a) to finally obtain a formula/>Maximum value/>I.e. the minimum user rights.
6. The method of claim 1, wherein mapping the user tasks to form a user task vector comprises:
generating a user task list according to the user task, and generating a user task digital coding vector by utilizing the user task list;
And embedding the user task digital vector codes into vectors mapped into the hidden space by using a vector coder and a multi-layer perceptron to form user task vectors.
7. The method according to claim 1, wherein the method further comprises:
Acquiring user ID, identity information and identity grouping information of a user, and converting the user ID, the identity information and the identity grouping information into an identity information vector;
And acquiring authority information corresponding to the identity packet of the user and the authority of the previous login, and converting the authority information corresponding to the identity packet and the authority of the previous login into an authority vector.
8. A method according to claim 3, characterized in that the method further comprises:
And synchronously updating the user history authority list.
9. A user rights dynamic allocation apparatus, comprising:
the fusion module is used for fusing the identity information vector and the authority vector by utilizing the fusion model to generate a current state vector of the user;
the mapping module is used for mapping the user tasks to form user task vectors;
the computing module is used for computing a user authority vector according to the user current state vector and the user task vector so as to ensure that the mutual information between the user task vector and the user authority vector is maximum and the mutual information between the user authority vector and the user state vector is minimum;
And the adjusting module is used for obtaining a current task authority list according to the user authority vector and adjusting the user authority according to the current task authority list.
10. A storage medium containing computer executable instructions which, when executed by a computer processor, are for performing the user rights dynamic allocation method of any of claims 1-8.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410501305.4A CN118070318B (en) | 2024-04-25 | 2024-04-25 | User authority dynamic allocation method, device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410501305.4A CN118070318B (en) | 2024-04-25 | 2024-04-25 | User authority dynamic allocation method, device and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118070318A true CN118070318A (en) | 2024-05-24 |
| CN118070318B CN118070318B (en) | 2024-08-13 |
Family
ID=91111656
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410501305.4A Active CN118070318B (en) | 2024-04-25 | 2024-04-25 | User authority dynamic allocation method, device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118070318B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11366793B1 (en) * | 2020-12-21 | 2022-06-21 | Dropbox, Inc. | Data model and data service for content management system |
| CN116126510A (en) * | 2021-11-12 | 2023-05-16 | 华为技术有限公司 | Method, related device and system for providing service based on multiple devices |
| CN117390648A (en) * | 2023-10-25 | 2024-01-12 | 腾讯科技(深圳)有限公司 | Resource access authority management method, device, equipment and storage medium |
| CN117499124A (en) * | 2023-11-14 | 2024-02-02 | 天翼安全科技有限公司 | Access control method and device |
-
2024
- 2024-04-25 CN CN202410501305.4A patent/CN118070318B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11366793B1 (en) * | 2020-12-21 | 2022-06-21 | Dropbox, Inc. | Data model and data service for content management system |
| CN116126510A (en) * | 2021-11-12 | 2023-05-16 | 华为技术有限公司 | Method, related device and system for providing service based on multiple devices |
| CN117390648A (en) * | 2023-10-25 | 2024-01-12 | 腾讯科技(深圳)有限公司 | Resource access authority management method, device, equipment and storage medium |
| CN117499124A (en) * | 2023-11-14 | 2024-02-02 | 天翼安全科技有限公司 | Access control method and device |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118070318B (en) | 2024-08-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3632080B1 (en) | Method for selecting digital certificates according to their issuance policy | |
| RU2637878C2 (en) | Authentication of processes and resource permission | |
| US11962694B2 (en) | Key pair generation based on environmental factors | |
| CN103530106A (en) | Method and system of context-dependent transactional management for separation of duties | |
| CN103369022A (en) | Method and system for communication with memory device | |
| CN113039542A (en) | Secure counting in cloud computing networks | |
| CN110390184A (en) | For executing the method, apparatus and computer program product of application in cloud | |
| US8612754B2 (en) | Digital fingerprinting via SQL filestream with common text exclusion | |
| CN111865869B (en) | Registration and authentication method and device based on random mapping, medium and electronic equipment | |
| CN113179285B (en) | High-performance password service method, device and system for video Internet of things | |
| CN114491451A (en) | Authority configuration and verification method and device, electronic equipment and storage medium | |
| CN118070318B (en) | User authority dynamic allocation method, device and storage medium | |
| Jiang et al. | An assessment model for cloud service security risk based on entropy and support vector machine | |
| US11558390B2 (en) | System to control access to web resources based on an internet of things authorization mechanism | |
| Utpala et al. | Authenticated IoT based online smart parking system with cloud | |
| EP3996327A1 (en) | Heuristic based authentication protocol for stateless protocol | |
| CN112351062B (en) | File authority control list management method and related components | |
| CN114266072A (en) | Authority distribution control method and device, electronic equipment and storage medium | |
| CN110929269B (en) | System authority management method, device, medium and electronic equipment | |
| US11431711B2 (en) | Method, device and computer program product for service access | |
| CN118394970B (en) | Data supervision method for data management process management | |
| CN116963274B (en) | Bluetooth AOA (automated optical inspection) based indoor positioning method and system | |
| CN214540763U (en) | On-line protection device of embedded software | |
| US20240111689A1 (en) | Cache service for providing access to secrets in containerized cloud-computing environment | |
| CN116992476B (en) | Control method, device, equipment and storage medium of application permission |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |