WO2015058579A1 - Method and apparatus for controlling data access permissions - Google Patents

Publication number: WO2015058579A1
Authority: WO (WIPO (PCT))
Application number: PCT/CN2014/084493
Other languages: French (fr), Chinese (zh)
Prior art keywords: user, permission, group, permission group, dimension
Inventors: 毕杰山, 郭益君, 徐礼锋, 李超
Original assignee: 华为技术有限公司 (Huawei Technologies Co., Ltd.)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2149 Restricted operating environment

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a data access permission control method and apparatus.
  • Background Art
  • A user's data access rights may be granted according to different dimensions of that user, and the definitions of data rights in different dimensions may differ. How to combine these rights is often a complicated problem.
  • Information in different dimensions can be regarded as different user attributes, such as the user's department information, level information, and the like.
  • One multi-dimensional access control scheme for data tables defines a permission access policy for each field (or attribute) of the table in each dimension; for example, a column represents a dimension of the data table and a row represents a field of the table.
  • Each field then has an access policy set under each dimension; however, for a given field, only users who have access rights under every dimension can access the field, so the permission coordination relationship between the multiple dimensions is too limited. Moreover, each field needs to be configured separately, and when the number of columns (that is, dimensions) is large, the configuration is too cumbersome.
  • Embodiments of the invention provide a data access permission control method and apparatus for solving the multi-dimensional user permission control problem.
  • A first aspect of the present invention provides a data access permission control method, which may include:
  • the method further includes:
  • the method further includes:
  • the determining, according to the dimension value of the user, of the permission set of the user in each permission group includes:
  • the permission group includes a mutually exclusive permission group or a non-exclusive permission group, wherein a user in a mutually exclusive permission group is configured with one permission set, and a user in a non-exclusive permission group is configured with multiple permission sets;
  • the merging of the user's permission sets in each permission group includes:
  • the second merge policy is a merge policy configured for each user.
  • the merging includes a union or an intersection.
  • A second aspect of the present invention further provides a data access permission control apparatus, which may include:
  • a receiving module configured to receive an access request of the user;
  • a first determining module configured to determine, according to the dimension information of the user, a permission group corresponding to the user; and a second determining module configured to determine, according to the dimension value of the user, the permission set of the user in each permission group;
  • a merging module configured to merge the permission sets of the user in each of the permission groups to obtain the rights of the user.
  • the apparatus further includes:
  • a configuration module configured to configure a corresponding permission group for each dimension, where the permission group includes different permission sets corresponding to different dimension values.
  • the configuration module is further configured to configure a corresponding permission domain for each user category, where the permission domain includes each permission group corresponding to each dimension;
  • the first determining module is configured to determine, according to the category of the user, a permission domain corresponding to the user, and to determine, according to the dimension information of the user, the permission group corresponding to the user from the permission domain corresponding to the user.
  • the second determining module is configured to:
  • the permission group includes a mutually exclusive permission group or a non-exclusive permission group, wherein a user in a mutually exclusive permission group is configured with one permission set, and a user in a non-exclusive permission group is configured with multiple permission sets;
  • the merging module is specifically configured to:
  • the first merge policy is a merge policy between the permission groups configured according to the user's business logic;
  • the second merge policy is a merge policy configured for each user.
  • The user's dimension information and dimension values are used to determine the user's corresponding permission group and the permission set within that group, and the permission sets are merged to implement classification of rights; further, the category of the permission group is defined according to the dimension value, and the permission sets are merged according to the merge policy, so that the permission classification is more targeted and the multi-dimensional user permission control problem is better solved.
  • FIG. 1 is a schematic flowchart of a data access permission control method according to Embodiment 1 of the present invention;
  • FIG. 2a is a schematic flowchart of a data access permission control method according to Embodiment 2 of the present invention;
  • FIG. 2b is a schematic diagram of user rights analysis according to Embodiment 2 of the present invention;
  • FIG. 2c is a schematic diagram of another user rights analysis according to Embodiment 2 of the present invention;
  • FIG. 3 is a schematic structural diagram of a data access permission control apparatus according to an embodiment of the present invention;
  • FIG. 4 is another schematic structural diagram of a data access permission control apparatus according to an embodiment of the present invention.
  • Embodiments of the invention provide a data access permission control method and apparatus for solving the multi-dimensional user permission control problem.
  • A user is a subject that can independently access data in a computer system, or other resources represented by data; a permission is, within the computer system, the permission to access data or other resources represented by data, and can be divided into object access control and data access control.
  • Object access control is represented by a pair (control object, access type).
  • The control object represents all resources in the system that need access control.
  • The access type refers to the kind of access to the corresponding control object, such as read, modify, delete, etc. Data access control is used to ensure the security of the system: if data access is not controlled, the security of the system cannot be guaranteed and data leakage is likely to occur, so the data accessible to an object must be protected by permissions.
  • FIG. 1 is a schematic flowchart of a data access permission control method according to an embodiment of the present disclosure, where the permission control method includes:
  • Step 101: Receive a user's access request.
  • The user's request for data access is received and the rights of the user are checked; the data that different categories of users can access differ.
  • For example, after a user logs in to the system, it is necessary to determine whether the user identity (or user category) is an internal user or an external user.
  • Internal users and external users use two completely different sets of permission definition information. Taking a banking service as an example, internal users are the internal staff of the bank, and external users are personnel outside the bank.
  • Step 102: Determine, according to the dimension information of the user, a permission group corresponding to the user.
  • Information in different dimensions may be regarded as different user attributes; for example, it may include the user's department information, level information, academic information, and the like. Dimensions and permission groups correspond to each other.
  • Step 103: Determine, according to the dimension value of the user, a permission set of the user in each permission group. It may be understood that different dimensions may include different dimension values; for example, department information may include a hardware department, a software department, an administrative department, and the like, and the hardware department, the software department and the administrative department are dimension values of that dimension. A dimension value corresponds to a permission set in each permission group.
  • Step 104: Merge the permission sets of the user in each permission group to obtain the rights of the user.
  • The data access permission control method determines the permission group corresponding to the user and the permission set within that group by using the dimension information and dimension values of the user, and merges the permission sets, thereby implementing classification of rights, solving the multi-dimensional user permission control problem, and improving the user experience.
  • FIG. 2a is a schematic flowchart of a data access permission control method according to Embodiment 2 of the present invention, where the permission control method may include:
  • Step 201: Configure a corresponding permission domain for each user category, where the permission domain includes each permission group corresponding to each dimension.
  • The user category corresponds to the permission domain. In the embodiment of the present invention the user category may include an internal user and an external user, and one user can belong to only one permission domain (Domain).
  • FIG. 2b is a schematic diagram of user rights analysis according to Embodiment 2 of the present invention: an external user corresponds to permission domain Domain1, and an internal user corresponds to permission domain Domain2.
  • Step 202: Configure a corresponding permission group for each dimension, where the permission group includes different permission sets corresponding to different dimension values.
  • The permission domain includes several permission groups (PermGroup), and each dimension corresponds to one permission group; each permission group includes several permission sets (PermSet), and each dimension value corresponds to one permission set. For example, within the permission domain Domain1, PermGroup1 is a permission group, and PermSet111 is a permission set in PermGroup1.
  • Step 203: Receive an access request of the user.
  • Step 204: Determine, according to the category of the user, a permission domain corresponding to the user.
  • Step 205: Determine, according to the dimension information of the user, a permission group corresponding to the user from the permission domain corresponding to the user.
  • The category of the permission group corresponding to the user may be determined according to the dimension information of the user.
  • The permission group may be a mutually exclusive permission group or a non-exclusive permission group.
  • A user in a mutually exclusive permission group is configured with one permission set. For example, each user can belong to only one department, so the permission group corresponding to department information is a mutually exclusive permission group.
  • A user in a non-exclusive permission group is configured with multiple permission sets. For example, a user can have two or more roles, so the permission group corresponding to user roles is a non-exclusive permission group.
  • Step 206: Determine, according to the dimension value of the user, a permission set of the user in each permission group, where the user collects all of its permission sets in a non-exclusive permission group and merges them to obtain the user's permission set in that group, or obtains its unique permission set in a mutually exclusive permission group.
  • Step 207: Merge the permission sets of the user in each permission group to obtain the rights of the user.
  • The permission sets of the user in each permission group may be merged according to a preset first merge policy or second merge policy to obtain the rights of the user, where the first merge policy is a merge policy between the permission groups configured according to the user's business logic, and the second merge policy is a merge policy configured for each user.
  • The merging includes, but is not limited to, a union or an intersection.
  • A plurality of first merge policies may be configured in the same permission domain, and a first merge policy is a cross-group merge policy. For example, if permission groups PermGroup1 and PermGroup2 are non-exclusive permission groups and PermGroup3 is a mutually exclusive permission group, the first merge policy may be: take the union of PermGroup1 and PermGroup2, then intersect the result with PermGroup3, denoted (PermGroup1 ∪ PermGroup2) ∩ PermGroup3.
  • The data access permission control method determines the permission group corresponding to the user and the permission set within that group by using the dimension information and dimension values of the user, and merges the permission sets, thereby implementing classification of rights; further, the categories of the permission groups are defined according to the dimension values, and the permission sets are merged according to the merge policy, so that the rights classification is more targeted and the multi-dimensional user permission control problem is better solved.
  • FIG. 2c is another schematic diagram of user rights analysis provided in Embodiment 2 of the present invention.
  • For attribute 1, it can be known that the user has permission set 1 (that is, attribute 1 corresponds to permission set 1); for attribute 2, the user has permission set 2; for attribute 3, it can be known that the user has permission set 3; for attribute 4, it can be known that the user has permission set 4; for attribute 5, it can be known that the user has permission set 5. That is, the permission sets corresponding to the user may be determined according to the user's attributes, where each attribute represents information of one dimension; for example, attribute 1, attribute 2 and attribute 3 may represent different user roles, and the same user may have one or more of these attributes.
  • Attribute 4 and attribute 5 each have multiple different attribute values. Different attribute values may correspond to different permission sets, but each user can have only one attribute value. For example, attribute 4 indicates the user level, and a user can have only one level; attribute 5 represents the user's department, and a user can belong to only one department. The final permission set is obtained by merging the permission sets corresponding to the different attributes.
  • The data access permission control method provided by the present invention is used for the permission control analysis as follows.
  • In step 201, a permission domain is created for internal users and for external users respectively, for example permission domain Domain1 for external users and permission domain Domain2 for internal users. Taking an external user as an example, a corresponding permission group is configured for each of the foregoing dimensions.
  • Each permission group contains different permission sets corresponding to different dimension values.
  • Three permission groups are created in Domain1: PermGroup1, PermGroup2 and PermGroup3.
  • PermGroup1 is a non-exclusive permission group, and is configured to contain the permission sets corresponding to the different user roles, that is, three permission sets configured according to attribute 1, attribute 2 and attribute 3. PermGroup2 and PermGroup3 are mutually exclusive permission groups: PermGroup2 is configured to contain the permission sets corresponding to the different levels, and PermGroup3 is configured to contain the permission sets corresponding to the different departments.
  • The user's permission sets in the non-exclusive permission group PermGroup1 are collected and merged to obtain the user's permission set in that group; in a mutually exclusive permission group (PermGroup2 or PermGroup3), the user obtains its unique permission set in that group.
  • The permission sets of the user in each permission group are merged according to the preset first merge policy or second merge policy, where the first merge policy is a merge policy between the permission groups configured according to the user's business logic, the second merge policy is a merge policy configured for each user, and the merging includes a union or an intersection.
  • The first merge policy may be: PermGroup1 ∩ PermGroup2 ∩ PermGroup3; the second merge policy is not specifically limited in this embodiment.
  • Performing the merge operation includes, but is not limited to, taking the union or intersection of the user's permission sets in each permission group. It is also conceivable that the logged-in user is an internal user, in which case the permission control operation can be implemented by referring to the above process.
  • The permission merging method is described by taking only the logged-in user as an external user as an example, which does not constitute a limitation of the present invention.
  • The data access permission control method determines the permission group corresponding to the user and the permission set within that group by using the dimension information and dimension values of the user, and merges the permission sets, thereby implementing classification of rights; further, the categories of the permission groups are defined according to the dimension values, and the permission sets are merged according to the merge policy, so that the rights classification is more targeted and the multi-dimensional user permission control problem is better solved.
  • The following describes the data access permission control method by taking the permission access requirement of certain business data of a bank as an actual application requirement, and taking the logged-in user as an internal user as an example.
  • The business data table includes 100 fields in total, c1, c2, c3, c4, ..., c100, and a field represents data information requested by the user.
  • An accessible column set consists of one or more fields.
  • Role1: the accessible column set is {c1, c2, c3}
  • Role2: the accessible column set is {c3, c4, c5, c6}
  • Role3: the accessible column set is {c7, c8, c9, c10}
  • Each user belongs to a department, and the column set accessible by each department is defined as follows:
  • Dept1: the accessible column set is {c3, c4, c5, c6, c7, c8}
  • Each user belongs to a certain user level, and the column set accessible at each user level is defined as follows:
  • Level1: the accessible column set is {c1, c2, c3, c4, c5, c6}
  • Level2: the accessible column set is {c1, c2, c3, c4, c5, c6, c7, c8}
  • Then, if a user has the roles Role1 and Role2, belongs to department Dept1 and has user level Level2, the set of columns it can access is:
  • The data access permission control method provided by the present invention is used to perform the permission control analysis as follows.
  • A corresponding permission group is configured for each dimension, and each permission group contains different permission sets corresponding to different dimension values.
  • A corresponding permission group named SysRoleGroup is configured for the system user role dimension; SysRoleGroup is a non-exclusive permission group.
  • The permission group is configured with the following permission sets:
  • Role1: {c1, c2, c3}; Role2: {c3, c4, c5, c6}; Role3: {c7, c8, c9, c10}
  • A corresponding permission group DeptGroup is configured for department information; it is a mutually exclusive permission group, and the following permission set is configured in it:
  • Dept1: {c3, c4, c5, c6, c7, c8}
  • A corresponding permission group UserLevelGroup is configured for user level information; it is a mutually exclusive permission group.
  • The permission group is configured with the following permission sets:
  • Level1: {c1, c2, c3, c4, c5, c6}; Level2: {c1, c2, c3, c4, c5, c6, c7, c8}
  • Combined with the above permission access control requirement (the column set of a user who has roles Role1 and Role2, belongs to department Dept1 and has user level Level2): according to the user's access request, and within the configured permission groups and permission sets, the permission group corresponding to the user is determined from the permission domain corresponding to the user according to the user's dimension information; the user's permission set in each permission group is determined according to the user's dimension values; and finally the user's permission sets in each permission group are merged according to the preset first merge policy or second merge policy to obtain the user's rights, where the first merge policy is a merge policy between the permission groups configured according to the user's business logic, the second merge policy is a merge policy configured for each user, and the merging includes a union or an intersection.
  • The first merge policy is a merge policy between the permission groups configured according to the user's business logic.
  • The first merge policy may be: SysRoleGroup ∩ DeptGroup ∩ UserLevelGroup.
  • The second merge policy is not specifically limited in this embodiment.
  • Performing the merge operation includes, but is not limited to, taking the union or intersection of the user's permission sets in each permission group. It is also conceivable that the logged-in user is an external user, in which case the permission control operation can be implemented by referring to the above process.
  • The permission merging method is described only by taking the logged-in user as an internal user of the bank as an example, which does not constitute a limitation of the present invention.
  • The data access permission control method determines the permission group corresponding to the user and the permission set within that group by using the dimension information and dimension values of the user, and merges the permission sets, thereby implementing classification of rights; further, the categories of the permission groups are defined according to the dimension values, and the permission sets are merged according to the merge policy, so that the rights classification is more targeted and the multi-dimensional user permission control problem is better solved.
  • An embodiment of the present invention further provides an apparatus based on the above data access permission control method.
  • The meaning of each term is the same as in the above method.
  • FIG. 3 is a schematic structural diagram of a data access permission control apparatus 300 according to an embodiment of the present invention, where the permission control apparatus 300 may include:
  • a receiving module 301 configured to receive an access request of the user.
  • The receiving module 301 receives the user's request for data access and checks the rights of the user; the data that different categories of users can access differ. For example, after a user logs in to the system, it is necessary to determine whether the user identity (or user category) is an internal user or an external user.
  • Internal users and external users use two completely different sets of permission definition information. Taking a banking service as an example, internal users are the internal staff of the bank, and external users are personnel outside the bank.
  • A first determining module 302 configured to determine, according to the dimension information of the user, a permission group corresponding to the user. It may be understood that information in different dimensions may be regarded as different user attributes; for example, it may include the user's department information, level information, academic information, and the like. Dimensions correspond to permission groups.
  • A second determining module 303 configured to determine, according to the dimension value of the user, a permission set of the user in each permission group.
  • Different dimensions may include different dimension values.
  • For example, department information may include a hardware department, a software department, an administrative department, and the like, and the hardware department, the software department and the administrative department are dimension values of that dimension.
  • A dimension value corresponds to a permission set in each permission group.
  • A merging module 304 configured to merge the permission sets of the user in each permission group to obtain the rights of the user.
  • The data access permission control method determines the permission group corresponding to the user and the permission set within that group by using the dimension information and dimension values of the user, and merges the permission sets, thereby implementing classification of rights, solving the multi-dimensional user permission control problem, and improving the user experience.
  • The data access permission control apparatus 300 may further include a configuration module configured to configure a corresponding permission group for each dimension, where the permission group includes different permission sets corresponding to different dimension values.
  • The configuration module is further configured to configure a corresponding permission domain for each user category, where the permission domain includes each permission group corresponding to each dimension.
  • The first determining module 302 is configured to determine, according to the category of the user, a permission domain corresponding to the user, and to determine, according to the dimension information of the user, the permission group corresponding to the user from the permission domain corresponding to the user. That is, the user category corresponds to the permission domain; the user category in the embodiment of the present invention may include an internal user and an external user, and one user can belong to only one permission domain. The permission domain contains several permission groups, and each dimension corresponds to one permission group; each permission group contains several permission sets, and each dimension value corresponds to one permission set. For example, as shown in FIG. 2b, within permission domain Domain1, PermGroup1 is a permission group, and PermSet111 is a permission set in PermGroup1.
  • The second determining module 303 can be used to:
  • the permission group includes a mutually exclusive permission group or a non-exclusive permission group, wherein a user in a mutually exclusive permission group is configured with one permission set, and a user in a non-exclusive permission group is configured with multiple permission sets;
  • The category of the permission group corresponding to the user may be determined according to the dimension information of the user.
  • The category of the permission group may be a mutually exclusive permission group or a non-exclusive permission group.
  • A user in a mutually exclusive permission group is configured with one permission set. For example, each user can belong to only one department, so the permission group corresponding to department information is a mutually exclusive permission group.
  • A user in a non-exclusive permission group is configured with multiple permission sets. For example, a user can have two or more roles, so the permission group corresponding to user roles is a non-exclusive permission group.
  • The permission set of the user in each permission group is determined according to the dimension value of the user, where all of the user's permission sets in a non-exclusive permission group are collected and merged to obtain the user's permission set in that group, or the user's unique permission set in a mutually exclusive permission group is obtained.
  • The merging module 304 can be specifically configured to:
  • the first merge policy is a merge policy between the permission groups configured according to the user's business logic;
  • the second merge policy is a merge policy configured for each user.
  • The merging includes, but is not limited to, a union or an intersection.
  • A plurality of first merge policies can be configured, and a first merge policy is a cross-group merge policy. For example, as shown in FIG. 2b, if permission groups PermGroup1 and PermGroup2 are non-exclusive permission groups and PermGroup3 is a mutually exclusive permission group, the first merge policy may be: take the union of PermGroup1 and PermGroup2, then intersect the result with PermGroup3.
  • The data access permission control apparatus 300 determines the permission group corresponding to the user and the permission set within that group by using the dimension information and dimension values of the user, and merges the permission sets, thereby implementing classification of rights; further, the categories of the permission groups are defined according to the dimension values, and the permission sets are merged according to the merge policy, so that the rights classification is more targeted and the multi-dimensional user permission control problem is better solved.
  • FIG. 4 is another schematic structural diagram of a data access permission control apparatus according to an embodiment of the present invention, which may include at least one processor 401 (for example a CPU, Central Processing Unit), at least one network interface or other communication interface, a memory 402, and at least one communication bus used to implement connection and communication between these components.
  • the processor 401 is configured to execute executable modules, such as computer programs, stored in a memory.
  • the memory 402 may include high speed random access memory and may also include non-volatile memory, such as at least one disk storage.
  • the communication connection between the apparatus and at least one other network element may be implemented through at least one network interface (wired or wireless), and may use the Internet, a wide area network, a local area network, a metropolitan area network, or the like.
  • program instructions are stored in the memory 402, and the program instructions may be executed by the processor 401.
  • the processor 401 specifically performs the following steps:
  • receiving an access request of a user; determining, according to the dimension information of the user, the permission groups corresponding to the user; determining, according to the dimension values of the user, the permission set of the user in each permission group; and merging the permission sets of the user in each permission group to obtain the permissions of the user.
  • the processor 401 further performs the following steps: configuring a corresponding permission group for each dimension, where the permission group includes different permission sets corresponding to different dimension values; configuring a corresponding permission domain for each user category, where the permission domain includes each permission group corresponding to each dimension; determining the permission domain corresponding to the user according to the category of the user; and determining, according to the dimension information of the user, the permission groups corresponding to the user from the permission domain corresponding to the user.
  • the processor 401 is configured to determine, according to the dimension values of the user, the permission set of the user in each permission group, including: determining the category of the permission groups corresponding to the user, where the categories of permission groups include mutually exclusive permission groups and non-exclusive permission groups, a user in a mutually exclusive permission group being configured with exactly one permission set and a user in a non-exclusive permission group being configured with multiple permission sets; and determining, according to the dimension values of the user, the permission set of the user in each permission group, where the union of all permission sets of the user in a non-exclusive permission group is taken to obtain the permission set of the user in that non-exclusive permission group, or the unique permission set of the user in a mutually exclusive permission group is obtained.
  • the processor 401 is configured to merge the permission sets of the user in each permission group, including: taking the union or intersection of the permission sets of the user in each permission group according to a preset first merge policy or second merge policy, where the first merge policy is a merge policy between permission groups configured according to the business logic of the user, and the second merge policy is a merge policy configured for each user.
  • the data access permission control apparatus 400 determines, from the dimension information and dimension values of the user, the permission groups corresponding to the user and the user's permission sets within those groups, and merges the permission sets, so that permissions are classified; further, the category of each permission group is defined according to the dimension values, and the permission sets are merged according to a merge policy, so that the permission classification is more targeted and the multi-dimensional user permission control problem is better solved.
  • the disclosed systems, devices, and methods may be implemented in other ways.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be other division manners in practice; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed.
  • the mutual coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interface, device or unit, and may be electrical, mechanical or otherwise.
  • the units described as separate components may or may not be physically separate, and the components displayed as units may or may not be physical units, i.e., may be located in one place, or may be distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist physically separately, or two or more units may be integrated into one unit.
  • the above integrated unit can be implemented in the form of hardware or in the form of a software functional unit.
  • the integrated unit if implemented in the form of a software functional unit and sold or used as a standalone product, may be stored in a computer readable storage medium.
  • the technical solution of the present invention, or the part of it that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium.
  • the software product includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) to perform all or part of the steps of the methods described in the embodiments of the present invention.
  • the foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the present invention disclose a method and an apparatus for controlling data access permissions, so as to solve the problem of multi-dimensional user permission control. The embodiments comprise: receiving an access request of a user; determining the permission groups corresponding to the user according to the dimension information of the user; determining the permission set of the user in each of the permission groups according to the dimension values of the user; and merging the permission sets of the user in each of the permission groups, so as to obtain the permissions of the user.

Description

Data access permission control method and apparatus

Technical field
The present invention relates to the field of communications technologies, and in particular to a data access permission control method and apparatus.

Background
In an ordinary business application system, a user's data access permissions may be derived from information about the user in several different dimensions. The data permissions defined for different dimensions may differ, and how to merge these permissions is often a fairly complex problem.
Generally, information in different dimensions can be regarded as different user attributes, for example the user's department information, level information and so on. One existing multi-dimensional permission control scheme for data tables defines, for every field (or attribute) of the table, an access policy in every dimension: the columns of the table represent dimensions, the rows represent fields, and each field is given an access policy under each dimension. For a given field, however, only a user who holds access in every dimension can access that field, so the way the dimensions cooperate is too rigid; moreover, every field has to be configured separately, which becomes too cumbersome when the number of columns (that is, dimensions) is large.
Summary of the invention
Embodiments of the present invention provide a data access permission control method and apparatus for solving the problem of multi-dimensional user permission control.
A first aspect of the present invention provides a data access permission control method, which may include:
receiving an access request of a user;
determining, according to the dimension information of the user, the permission groups corresponding to the user;
determining, according to the dimension values of the user, the permission set of the user in each permission group;
merging the permission sets of the user in each of the permission groups to obtain the permissions of the user.
With reference to the first aspect, in a first possible implementation, the method further includes:
configuring a corresponding permission group for each dimension, the permission group containing different permission sets corresponding to different dimension values.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation, the method further includes:
configuring a corresponding permission domain for each user category, the permission domain containing each permission group corresponding to each dimension; in that case, determining the permission groups corresponding to the user according to the dimension information of the user includes: determining, according to the category of the user, the permission domain corresponding to the user;
and determining, according to the dimension information of the user, the permission groups corresponding to the user from the permission domain corresponding to the user.
With reference to the second possible implementation of the first aspect, in a third possible implementation, determining the permission set of the user in each permission group according to the dimension values of the user includes:
determining the category of the permission groups corresponding to the user, the categories of permission groups including mutually exclusive permission groups and non-exclusive permission groups, where a user in a mutually exclusive permission group is configured with exactly one permission set and a user in a non-exclusive permission group may be configured with multiple permission sets;
determining, according to the dimension values of the user, the permission set of the user in each permission group, where the union of all permission sets of the user in a non-exclusive permission group is taken to obtain the permission set of the user in that non-exclusive permission group, or the unique permission set of the user in a mutually exclusive permission group is obtained.
With reference to the first aspect or the first possible implementation of the first aspect, in a fourth possible implementation, merging the permission sets of the user in each permission group includes:
merging the permission sets of the user in each permission group according to a preset first merge policy or second merge policy, where the first merge policy is a merge policy between permission groups configured according to the business logic of the user, and the second merge policy is a merge policy configured for each user.
With reference to the fourth possible implementation of the first aspect, in a fifth possible implementation, the merging includes taking a union or taking an intersection.
A second aspect of the present invention further provides a data access permission control apparatus, which may include:
a receiving module, configured to receive an access request of a user;
a first determining module, configured to determine, according to the dimension information of the user, the permission groups corresponding to the user; a second determining module, configured to determine, according to the dimension values of the user, the permission set of the user in each permission group;
and a merging module, configured to merge the permission sets of the user in each permission group to obtain the permissions of the user.
With reference to the second aspect, in a first possible implementation, the apparatus further includes:
a configuration module, configured to configure a corresponding permission group for each dimension, the permission group containing different permission sets corresponding to different dimension values.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation, the configuration module is further configured to configure a corresponding permission domain for each user category, the permission domain containing each permission group corresponding to each dimension;
in that case, the first determining module is configured to: determine, according to the category of the user, the permission domain corresponding to the user; and determine, according to the dimension information of the user, the permission groups corresponding to the user from the permission domain corresponding to the user.
With reference to the second possible implementation of the second aspect, in a third possible implementation, the second determining module is configured to:
determine the category of the permission groups corresponding to the user, the categories of permission groups including mutually exclusive permission groups and non-exclusive permission groups, where a user in a mutually exclusive permission group is configured with exactly one permission set and a user in a non-exclusive permission group may be configured with multiple permission sets;
determine, according to the dimension values of the user, the permission set of the user in each permission group, where the union of all permission sets of the user in a non-exclusive permission group is taken to obtain the permission set of the user in that non-exclusive permission group, or the unique permission set of the user in a mutually exclusive permission group is obtained.
With reference to the second aspect or the first possible implementation of the second aspect, in a fourth possible implementation, the merging module is specifically configured to:
take the union or intersection of the permission sets of the user in each permission group according to a preset first merge policy or second merge policy, to obtain the permissions of the user, where the first merge policy is a merge policy between permission groups configured according to the business logic of the user, and the second merge policy is a merge policy configured for each user.
It can be seen from the above technical solutions that the data access permission control method and apparatus provided by the embodiments of the present invention have the following advantages: the permission groups corresponding to a user and the user's permission sets within those groups are determined from the user's dimension information and dimension values, and the permission sets are merged, so that permissions are classified; further, the category of each permission group is defined according to the dimension values, and the permission sets are merged according to a merge policy, so that the permission classification is more targeted and the multi-dimensional user permission control problem is better solved.
Brief description of the drawings
In order to illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a data access permission control method according to Embodiment 1 of the present invention;
FIG. 2a is a schematic flowchart of a data access permission control method according to Embodiment 2 of the present invention; FIG. 2b is a schematic diagram of a user permission analysis according to Embodiment 2 of the present invention;
FIG. 2c is a schematic diagram of another user permission analysis according to Embodiment 2 of the present invention;
FIG. 3 is a schematic structural diagram of a data access permission control apparatus according to an embodiment of the present invention; FIG. 4 is another schematic structural diagram of a data access permission control apparatus according to an embodiment of the present invention.
Detailed description
Embodiments of the present invention provide a data access permission control method and apparatus for solving the problem of multi-dimensional user permission control.
To make the objectives, features and advantages of the present invention clearer and easier to understand, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
The terms "first", "second", "third", "fourth" and so on (if present) in the specification, claims and drawings of the present invention are used to distinguish similar objects and need not describe a particular order or sequence. It should be understood that data so used are interchangeable where appropriate, so that the embodiments described here can, for example, be implemented in an order other than that illustrated or described. In addition, the terms "include" and "have" and any variants of them are intended to cover a non-exclusive inclusion; for example, a process, method, system, product or device that comprises a series of steps or units is not necessarily limited to the steps or units clearly listed, but may include other steps or units that are not clearly listed or that are inherent to the process, method, product or device.
To better understand the technical solution of the present invention, the concepts related to user permission control are briefly introduced. A user is a subject that can independently access data in a computer system, or other resources represented by data; a permission is the authorisation to access data in a computer system, or other resources represented by data. Permissions can be divided into object access control and data access control. Object access control is expressed as a pair (control object, access type): the control object denotes any resource in the system that requires access control, and the access type denotes the kind of access to the corresponding control object, such as read, modify, delete and so on. Data access control is used to guarantee the security of the system: if data access is not controlled, the security of the system cannot be guaranteed and data leakage incidents are likely, so the data accessible to an object must be protected within the permissions.
Detailed descriptions are given below through specific embodiments.
Embodiment 1
Referring to FIG. 1, FIG. 1 is a schematic flowchart of a data access permission control method according to an embodiment of the present invention, where the permission control method includes:
Step 101: receiving an access request of a user;
that is, receiving a request by the user to access data and checking the permissions of the user; different types of users may access different data. For example, after a user logs in to the system, it is necessary to determine whether the identity of the user (or user category) is an internal user or an external user; internal users and external users use two completely different sets of permission definitions. Taking banking as an example, internal users are bank staff and external users are persons outside the bank.
Step 102: determining, according to the dimension information of the user, the permission groups corresponding to the user;
It can be understood that information in different dimensions can be regarded as different user attributes, which may include, for example, the user's department information, level information, education information and so on; the dimensions and the permission groups correspond to each other.
Step 103: determining, according to the dimension values of the user, the permission set of the user in each permission group;
It can be understood that different dimensions may contain different dimension values; for example, department information may include the hardware department, the software department, the administration department and so on, each of which is a dimension value of that dimension; the dimension values correspond to the permission sets within each permission group.
Step 104: merging the permission sets of the user in each permission group to obtain the permissions of the user.
It can be seen from the above that the data access permission control method provided by this embodiment determines, from the user's dimension information and dimension values, the permission groups corresponding to the user and the user's permission sets within those groups, and merges the permission sets, thereby classifying the permissions, solving the multi-dimensional user permission control problem and improving the user experience.
Embodiment 2
Referring to FIG. 2a, FIG. 2a is a schematic flowchart of a data access permission control method according to Embodiment 2 of the present invention, where the permission control method may include:
Step 201: configuring a corresponding permission domain for each user category, the permission domain containing each permission group corresponding to each dimension;
that is, the user categories correspond one-to-one with the permission domains; in this embodiment the user categories may include internal users and external users, and a user can belong to only one permission domain (Domain);
Reference may also be made to FIG. 2b, a schematic diagram of a user permission analysis according to Embodiment 2 of the present invention; for example, external users correspond to permission domain Domain1 and internal users correspond to permission domain Domain2.
Step 202: configuring a corresponding permission group for each dimension, the permission group containing different permission sets corresponding to different dimension values;
where a permission domain contains a number of permission groups (PermGroup), one permission group per dimension, and each permission group contains a number of permission sets (PermSet), one permission set per dimension value. For example, within permission domain Domain1, PermGroup1 is a permission group and PermSet111 is a permission set in PermGroup1.
Step 203: receiving an access request of a user;
Step 204: determining, according to the category of the user, the permission domain corresponding to the user;
that is, once the permission domains, permission groups and permission sets have been configured, when a request by a user to access data is received, the category of the user is checked, thereby determining the permission domain the user may access;
Step 205: determining, according to the dimension information of the user, the permission groups corresponding to the user from the permission domain corresponding to the user;
Preferably, the category of the permission groups corresponding to the user may first be determined according to the dimension information of the user. In this embodiment the categories of permission groups may include mutually exclusive permission groups and non-exclusive permission groups. In a mutually exclusive permission group a user is configured with exactly one permission set; for example, each user can belong to only one department, so the permission group corresponding to department information is a mutually exclusive permission group. In a non-exclusive permission group a user may be configured with multiple permission sets; for example, a user may have two or more roles, so the permission group corresponding to user roles is a non-exclusive permission group.
Step 206: determining, according to the dimension values of the user, the permission set of the user in each permission group;
where the union of all permission sets of the user in a non-exclusive permission group is taken to obtain the permission set of the user in that non-exclusive permission group, or the unique permission set of the user in a mutually exclusive permission group is obtained.
Step 207: merging the permission sets of the user in each permission group to obtain the permissions of the user.
Preferably, the permission sets of the user in each permission group may be merged according to a preset first merge policy or second merge policy to obtain the permissions of the user, where the first merge policy is a merge policy between permission groups configured according to the business logic of the user, and the second merge policy is a merge policy configured for each user.
It can be understood that the merging includes, but is not limited to, taking a union or an intersection. Within one permission domain, several first merge policies may be configured; a first merge policy is a cross-group merge policy. For example, if permission groups PermGroup1 and PermGroup2 are non-exclusive permission groups and permission group PermGroup3 is a mutually exclusive permission group, a first merge policy may be: take the union of PermGroup1 and PermGroup2, then intersect the result with PermGroup3, which can be written simply as (PermGroup1 ∪ PermGroup2) ∩ PermGroup3.
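The following is an added worked example, not code from the patent or its applicant. It implements the domain / group / set model of steps 201 to 207 above, and the same resolution the apparatus description earlier on this page assigns to the second determining module and the merging module: a permission domain per user category, a permission group per dimension, a permission set per dimension value, union inside a non-exclusive group, a unique set in a mutually exclusive group, and a cross-group first merge policy of the form (PermGroup1 ∪ PermGroup2) ∩ PermGroup3 from FIG. 2b, with an optional per-user second merge policy. The dimension names ("role", "project", "department"), the permission strings and the users are constructed sample data and are assumptions of this example, not taken from the patent.

```python
"""Multi-dimensional permission resolver (added example, constructed sample data).

Model, following the patent's terminology:
  Domain    - one per user category (here: "external" -> Domain1 of FIG. 2b)
  PermGroup - one per dimension; "exclusive" groups allow one value per user,
              non-exclusive groups allow several and take the union
  PermSet   - one per dimension value inside a group
  merge policy - cross-group combination, e.g. (PermGroup1 | PermGroup2) & PermGroup3
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Set

PermSet = FrozenSet[str]
MergePolicy = Callable[[Dict[str, PermSet]], PermSet]


@dataclass
class PermGroup:
    """One permission group per dimension (step 202)."""
    name: str
    exclusive: bool             # True: a user holds exactly one dimension value
    sets: Dict[str, PermSet]    # dimension value -> permission set

    def resolve(self, values: List[str]) -> PermSet:
        """Permission set of one user in this group (steps 205 and 206)."""
        if self.exclusive:
            if len(values) > 1:
                # Two values in a mutually exclusive group is a misconfigured
                # principal: fail closed instead of silently picking one.
                raise ValueError(f"{self.name}: mutually exclusive, got {values}")
            # No value in an exclusive group yields the empty set (no access).
            return self.sets.get(values[0], frozenset()) if values else frozenset()
        merged: Set[str] = set()
        for v in values:            # non-exclusive group: union of all sets
            merged |= self.sets.get(v, frozenset())
        return frozenset(merged)


@dataclass
class Domain:
    """One permission domain per user category (step 201)."""
    name: str
    groups: Dict[str, PermGroup]    # dimension name -> permission group
    first_policy: MergePolicy       # cross-group merge policy (business logic)


@dataclass
class User:
    category: str                                # selects the domain (step 204)
    dims: Dict[str, List[str]]                   # dimension name -> dimension values
    second_policy: Optional[MergePolicy] = None  # per-user merge policy, if any


def effective_permissions(domains: Dict[str, Domain], user: User) -> PermSet:
    """Steps 203 to 207: domain -> groups -> per-group sets -> merged result."""
    domain = domains[user.category]
    per_group = {dim: grp.resolve(user.dims.get(dim, []))
                 for dim, grp in domain.groups.items()}
    policy = user.second_policy or domain.first_policy
    return policy(per_group)


def union_then_intersect(per_group: Dict[str, PermSet]) -> PermSet:
    """First merge policy of FIG. 2b: (PermGroup1 | PermGroup2) & PermGroup3."""
    return (per_group["role"] | per_group["project"]) & per_group["department"]


# Constructed sample configuration for external users (Domain1 in FIG. 2b).
DOMAINS = {
    "external": Domain(
        name="Domain1",
        groups={
            # PermGroup1: roles, non-exclusive (a user may hold several roles)
            "role": PermGroup("role", exclusive=False, sets={
                "analyst": frozenset({"report:read", "ledger:read"}),
                "auditor": frozenset({"ledger:read", "ledger:export"}),
            }),
            # PermGroup2: projects, non-exclusive
            "project": PermGroup("project", exclusive=False, sets={
                "projA": frozenset({"report:read", "projA:write"}),
                "projB": frozenset({"projB:write"}),
            }),
            # PermGroup3: department, mutually exclusive (one department only)
            "department": PermGroup("department", exclusive=True, sets={
                "finance": frozenset({"ledger:read", "ledger:export", "report:read"}),
                "marketing": frozenset({"report:read", "projA:write"}),
            }),
        },
        first_policy=union_then_intersect,
    )
}

# Constructed sample users.
ALICE = User("external", {"role": ["analyst", "auditor"],
                          "project": ["projA"], "department": ["finance"]})
BOB = User("external", {"role": ["analyst"], "project": ["projB"],
                        "department": ["marketing"]})
# Second (per-user) merge policy overriding the domain's: department set only.
ERIN = User("external", {"role": ["auditor"], "department": ["finance"]},
            second_policy=lambda pg: pg["department"])

if __name__ == "__main__":
    for name, u in (("alice", ALICE), ("bob", BOB), ("erin", ERIN)):
        print(name, sorted(effective_permissions(DOMAINS, u)))
```

Two points a practitioner should take from running it. The union inside the non-exclusive role and project groups only widens what a user can get, and it is the intersection with the mutually exclusive department group in the first merge policy that bounds it: Bob's projB:write is dropped because his department never grants it. The per-user second merge policy replaces the domain's policy entirely, so in a deployment it is a privileged override that deserves the same review as a direct grant. A user with two values in a mutually exclusive group is rejected rather than resolved, and a user with no value in that group resolves to the empty set, so both misconfigurations fail closed.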
It can be seen from the above that the data access permission control method provided by this embodiment determines, from the user's dimension information and dimension values, the permission groups corresponding to the user and the user's permission set in each permission group, and merges those permission sets, so that permissions are classified; further, the category of a permission group is defined according to its dimension values, and the permission sets are merged according to a merge policy, so that permission classification is more targeted and the permission control problem for multi-dimensional users is better solved.
The data access permission control method provided by Embodiment 2 is now analysed with reference to a practical application scenario:
First, in this scenario, if the logged-in user is an external user, which permissions the user holds is determined from some basic information about that user; see FIG. 2c, which is another schematic diagram of user permission analysis provided by Embodiment 2 of the present invention.
In this embodiment, assume that from attribute 1 it is known that the user holds permission set 1 (that is, attribute 1 corresponds to permission set 1); from attribute 2, permission set 2; from attribute 3, permission set 3; from attribute 4, permission set 4; and from attribute 5, permission set 5. That is, the permission sets corresponding to the user can be determined from the user's attributes, where each attribute represents the information of one dimension. For example, attributes 1, 2 and 3 may represent different user roles, and one user may hold one or more of these attributes.
Attributes 4 and 5 each have several different attribute values, and different attribute values may correspond to different permission sets, but each user can hold only one value of such an attribute. For example, attribute 4 represents the user level and a user can have only one level; attribute 5 represents the user's department and a user can belong to only one department. The final permission set is obtained by merging the permission sets corresponding to the different attributes:
({permission set 1} ∪ {permission set 2} ∪ {permission set 3}) ∩ {permission set 4} ∩ {permission set 5}.
Next, with reference to FIG. 2a and FIG. 2b, permission control for this application is analysed using the data access permission control method provided by the present invention:
First, as described in step 201, one permission domain is created for external users and another for internal users, for example permission domain Domain1 for external users and permission domain Domain2 for internal users. Taking external users as an example, according to the dimension information above, a corresponding permission group is configured for each dimension, each permission group containing the different permission sets corresponding to the different dimension values; in permission domain Domain1, three permission groups are created: PermGroup1, PermGroup2 and PermGroup3. The permission set information contained in each permission group is then defined: PermGroup1 is a non-mutually-exclusive permission group configured to contain the different permission sets corresponding to the different user roles, i.e. three permission sets configured according to attributes 1, 2 and 3; PermGroup2 and PermGroup3 are mutually exclusive permission groups, PermGroup2 being configured to contain the permission sets corresponding to the different user levels and PermGroup3 the permission sets corresponding to the different departments.
The union of all of the user's permission sets in the non-mutually-exclusive permission group PermGroup1 is taken to obtain the user's permission set in that group; in a mutually exclusive permission group, the user obtains its single permission set. Finally, the user's permission sets in the permission groups are merged according to the preset first merge policy or second merge policy, where the first merge policy is a merge policy between permission groups configured according to the business logic, the second merge policy is a merge policy configured for an individual user, and merging includes taking a union or an intersection. In this embodiment, for this scenario, if the user's permission sets in the permission groups are merged according to the preset first merge policy, the first merge policy may be PermGroup1 ∩ PermGroup2 ∩ PermGroup3; the second merge policy is not specifically limited in this embodiment.
It will be appreciated that, in embodiments of the present invention, the merge operation includes, but is not limited to, taking the union or the intersection of the user's permission sets in the permission groups. It is also readily apparent that permission control for a logged-in internal user can be implemented by the same procedure; Embodiment 2 describes the permission merging method only for the case where the logged-in user is an external user, and this does not limit the present invention.
It can be seen from the above that the data access permission control method provided by this embodiment determines, from the user's dimension information and dimension values, the permission groups corresponding to the user and the user's permission set in each permission group, and merges those permission sets, so that permissions are classified; further, the category of a permission group is defined according to its dimension values, and the permission sets are merged according to a merge policy, so that permission classification is more targeted and the permission control problem for multi-dimensional users is better solved.
Embodiment 3
For a better understanding of the technical solution of the present invention, the data access permission control method is now analysed taking the access permission requirements of certain business data of a bank as the practical requirement, and taking the logged-in user to be an internal user as an example:
First, in this embodiment, assume that the business data table contains 100 fields c1, c2, c3, c4, ..., c100, the fields representing the data the user requests to access; the set of columns a user may access consists of one or more fields.
In the banking system, the different user roles are defined as follows:
Role1: accessible column set {c1, c2, c3}
Role2: accessible column set {c3, c4, c5, c6}
Role3: accessible column set {c7, c8, c9, c10}
Each user belongs to one department, and the column set accessible to each department is defined as follows:
Dept1: accessible column set {c1, c2, c3, c4}
Dept2: accessible column set {c3, c4, c5, c6, c7, c8}
Each user has one user level, and the column set accessible at each user level is defined as follows:
Level1: accessible column set {c1, c2, c3, c4, c5, c6}
Level2: accessible column set {c1, c2, c3, c4, c5, c6, c7, c8}
Then, for a user who holds roles Role1 and Role2, belongs to department Dept1 and has user level Level2, the accessible column set is:
({c1, c2, c3} ∪ {c3, c4, c5, c6}) ∩ {c1, c2, c3, c4} ∩ {c1, c2, c3, c4, c5, c6, c7, c8} = {c1, c2, c3, c4}.
Next, for this practical application (access to certain business data of the bank), permission control is analysed using the data access permission control method provided by the present invention:
First, as described in step 201, a permission domain InternalDomain is configured for internal users.
Next, according to the dimension information above and the description of step 202, a corresponding permission group is configured for each dimension in the permission domain InternalDomain, each permission group containing the different permission sets corresponding to the different dimension values. Thus a corresponding permission group named SysRoleGroup is configured for the system user role dimension; SysRoleGroup is a non-mutually-exclusive permission group in which the following permission sets are configured:
Role1: {c1, c2, c3}
Role2: {c3, c4, c5, c6}
Role3: {c7, c8, c9, c10}
A corresponding permission group DeptGroup is configured for the department dimension; it is a mutually exclusive permission group in which the following permission sets are configured:
Dept1: {c1, c2, c3, c4}
Dept2: {c3, c4, c5, c6, c7, c8}
A corresponding permission group UserLevelGroup is configured for the user level dimension; it is a mutually exclusive permission group in which the following permission sets are configured:
Level1: {c1, c2, c3, c4, c5, c6}
Level2: {c1, c2, c3, c4, c5, c6, c7, c8}
Combining the above access control requirement (the column set accessible to a user who holds roles Role1 and Role2, belongs to department Dept1 and has user level Level2), on receiving the user's access request the method proceeds within the configured permission groups and permission sets as follows: the user's permission groups are determined from the user's permission domain according to the user's dimension information; the user's permission set in each permission group is determined according to the user's dimension values; and finally the user's permission sets in the permission groups are merged according to the preset first merge policy or second merge policy to obtain the user's permissions, where the first merge policy is a merge policy between permission groups configured according to the business logic, the second merge policy is a merge policy configured for an individual user, and merging includes taking a union or an intersection. In this embodiment, for this scenario, if the user's permission sets in the permission groups are merged according to the preset first merge policy, the first merge policy may be SysRoleGroup ∩ DeptGroup ∩ UserLevelGroup, which for the user above yields {c1, c2, c3, c4}; the second merge policy is not specifically limited in this embodiment.
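The permission model of steps 206 and 207, the cross-group first merge policy of Embodiment 2 ((PermGroup1 ∪ PermGroup2) ∩ PermGroup3) and the bank configuration of Embodiment 3, as an added worked example in Python. This is illustration code written for this page, not code from the patent or from the applicant; the class names PermGroup and PermDomain, the functions merge and accessible_columns, and the list encoding of a merge policy as [group, op, group, op, ...] are this example's own choices. It also adds two fail-closed checks that the patent text does not spell out: a user holding two values in a mutually exclusive group is rejected, and an unknown or missing dimension value resolves to the empty permission set, so a policy that intersects that group grants nothing.

```python
# Added worked example for this page; not code from the patent or the applicant.
# Names (PermGroup, PermDomain, merge, accessible_columns) are this example's own.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class PermGroup:
    """One permission group per user dimension (role, department, level, ...).

    exclusive=True: a user holds exactly one dimension value in this group.
    perm_sets maps each dimension value to its permission set.
    """
    name: str
    exclusive: bool
    perm_sets: dict[str, frozenset[str]]

    def resolve(self, values: set[str]) -> frozenset[str]:
        """Step 206: the user's permission set within this group.

        Non-exclusive group: union of the sets of every value the user holds.
        Exclusive group: the single set of the one value the user holds.
        An unknown value, or no value at all, yields the empty set, so a later
        intersection fails closed instead of granting access (added check).
        """
        if self.exclusive:
            if len(values) > 1:
                raise ValueError(
                    f"{self.name}: exclusive group but user holds {sorted(values)}")
            if not values:
                return frozenset()
            return self.perm_sets.get(next(iter(values)), frozenset())
        result: frozenset[str] = frozenset()
        for v in values:
            result |= self.perm_sets.get(v, frozenset())
        return result


@dataclass
class PermDomain:
    """Step 201: one permission domain per user category (internal / external).

    merge_policy is the first (cross-group) merge policy, written as the list
    [group, op, group, op, group, ...] and evaluated left to right, with
    op in {"union", "intersect"}; this encoding is this example's own.
    """
    name: str
    groups: dict[str, PermGroup]
    merge_policy: list[str]


def merge(domain: PermDomain, user_dims: dict[str, set[str]],
          user_policy: list[str] | None = None) -> frozenset[str]:
    """Step 207: merge the per-group sets under the domain's first merge policy,
    or under the second (per-user) merge policy when one is supplied."""
    policy = user_policy if user_policy is not None else domain.merge_policy
    per_group = {name: g.resolve(user_dims.get(name, set()))
                 for name, g in domain.groups.items()}
    result = per_group[policy[0]]
    for op, name in zip(policy[1::2], policy[2::2]):
        if op == "union":
            result = result | per_group[name]
        elif op == "intersect":
            result = result & per_group[name]
        else:
            raise ValueError(f"unknown merge operator {op!r}")
    return result


def cols(*ns: int) -> frozenset[str]:
    """Column set {c<n>, ...} of the bank table of Embodiment 3."""
    return frozenset(f"c{n}" for n in ns)


# Embodiment 3: permission domain InternalDomain with its three groups and the
# first merge policy SysRoleGroup ∩ DeptGroup ∩ UserLevelGroup.
INTERNAL_DOMAIN = PermDomain(
    name="InternalDomain",
    groups={
        "SysRoleGroup": PermGroup("SysRoleGroup", exclusive=False, perm_sets={
            "Role1": cols(1, 2, 3), "Role2": cols(3, 4, 5, 6), "Role3": cols(7, 8, 9, 10)}),
        "DeptGroup": PermGroup("DeptGroup", exclusive=True, perm_sets={
            "Dept1": cols(1, 2, 3, 4), "Dept2": cols(3, 4, 5, 6, 7, 8)}),
        "UserLevelGroup": PermGroup("UserLevelGroup", exclusive=True, perm_sets={
            "Level1": cols(1, 2, 3, 4, 5, 6), "Level2": cols(1, 2, 3, 4, 5, 6, 7, 8)}),
    },
    merge_policy=["SysRoleGroup", "intersect", "DeptGroup", "intersect", "UserLevelGroup"],
)


def accessible_columns(user_dims: dict[str, set[str]],
                       user_policy: list[str] | None = None) -> frozenset[str]:
    """Columns an internal user may read, given the dimension values it holds."""
    return merge(INTERNAL_DOMAIN, user_dims, user_policy)


if __name__ == "__main__":
    # The user of Embodiment 3: roles Role1 and Role2, department Dept1, level Level2.
    user = {"SysRoleGroup": {"Role1", "Role2"},
            "DeptGroup": {"Dept1"}, "UserLevelGroup": {"Level2"}}
    print(sorted(accessible_columns(user)))  # ['c1', 'c2', 'c3', 'c4']
```

Running the block prints ['c1', 'c2', 'c3', 'c4'], the column set computed above for the user holding Role1 and Role2 in Dept1 at Level2. The two added checks matter in practice: under a union-based policy a missing dimension value is harmless, but under an intersection it denies everything, and a directory record that assigns a user two departments must be treated as a configuration error rather than silently picking one; which operator the first merge policy uses for each group is exactly the business-logic choice the patent leaves to the operator.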
It will be appreciated that, in embodiments of the present invention, the merge operation includes, but is not limited to, taking the union or the intersection of the user's permission sets in the permission groups. It is also readily apparent that permission control for a logged-in external user can be implemented by the same procedure; Embodiment 3 describes the permission merging method only for the case where the logged-in user is an internal user of the bank, and this does not limit the present invention.
It can be seen from the above that the data access permission control method provided by this embodiment determines, from the user's dimension information and dimension values, the permission groups corresponding to the user and the user's permission set in each permission group, and merges those permission sets, so that permissions are classified; further, the category of a permission group is defined according to its dimension values, and the permission sets are merged according to a merge policy, so that permission classification is more targeted and the permission control problem for multi-dimensional users is better solved.
To facilitate implementation of the data access permission control method provided by the embodiments of the present invention, an embodiment of the present invention further provides an apparatus based on the above data access permission control method. The terms have the same meaning as in the method above; for specific implementation details, refer to the description of the method embodiments.
Referring to FIG. 3, FIG. 3 is a schematic structural diagram of a data access permission control apparatus 300 according to an embodiment of the present invention. The permission control apparatus 300 may include:
a receiving module 301, configured to receive a user's access request;
that is, the receiving module 301 receives the user's request for data access and checks the user's permissions; different types of users have different data access permissions. For example, after a user logs in to the system, it is necessary to determine whether the user's identity (or user category) is internal user or external user; internal users and external users use two entirely different sets of permission definition information. Taking banking as an example, internal users are bank staff, and external users are persons outside the bank.
a first determining module 302, configured to determine the permission groups corresponding to the user according to the user's dimension information; it will be appreciated that the information of different dimensions may be regarded as different user attributes, for example the user's department, level, education and so on; the dimensions correspond to the permission groups;
a second determining module 303, configured to determine the user's permission set in each permission group according to the user's dimension values;
it will be appreciated that different dimensions may contain different dimension values; for example, department information may include the hardware department, the software department, the administration department and so on, and the hardware department, software department and administration department are the dimension values of that dimension; a dimension value corresponds to a permission set in each permission group;
a merging module 304, configured to merge the user's permission sets in the permission groups to obtain the user's permissions.
It can be seen from the above that the data access permission control apparatus provided by this embodiment determines, from the user's dimension information and dimension values, the permission groups corresponding to the user and the user's permission set in each permission group, and merges those permission sets, so that permissions are classified, the permission control problem for multi-dimensional users is solved and the user experience is improved.
Further, the data access permission control apparatus 300 may include a configuration module, configured to configure a corresponding permission group for each dimension, each permission group containing the different permission sets corresponding to the different dimension values. The configuration module may further be configured to configure a corresponding permission domain for each user category, the permission domain containing each permission group corresponding to each dimension.
The first determining module 302 is then configured to: determine the permission domain corresponding to the user according to the user's category; and determine the permission groups corresponding to the user from that permission domain according to the user's dimension information. That is, user categories correspond one to one to permission domains; in embodiments of the present invention the user categories may include internal users and external users, and one user belongs to only one permission domain. A permission domain contains several permission groups, one permission group per dimension, and each permission group contains several permission sets, one permission set per dimension value. For example, as shown in FIG. 2b, within permission domain Domain1, PermGroup1 is a permission group and PermSet111 is a permission set in PermGroup1.
Still further, the second determining module 303 may be configured to:
determine the category of the permission group corresponding to the user, the category being either a mutually exclusive permission group or a non-mutually-exclusive permission group, where in a mutually exclusive permission group one user is configured with one permission set and in a non-mutually-exclusive permission group one user may be configured with several permission sets;
that is, the category of the permission group corresponding to the user may first be determined according to the user's dimension information. In this embodiment, the category may be a mutually exclusive permission group or a non-mutually-exclusive permission group. In a mutually exclusive permission group, one user is configured with one permission set; for example, each user can belong to only one department, so the permission group corresponding to department information is a mutually exclusive permission group. In a non-mutually-exclusive permission group, one user may be configured with several permission sets; for example, one user may hold two or more roles, so the permission group corresponding to user roles is a non-mutually-exclusive permission group.
In this implementation, the user's permission set in each permission group is determined according to the user's dimension values, where the union of all of the user's permission sets in a non-mutually-exclusive permission group is taken to obtain the user's permission set in that group, and in a mutually exclusive permission group the user's single permission set is obtained.
Preferably, the merging module 304 may be specifically configured to:
take, according to a preset first merge policy or a preset second merge policy, the union or the intersection of the user's permission sets in the permission groups to obtain the user's permissions, where the first merge policy is a merge policy between permission groups configured according to the business logic, and the second merge policy is a merge policy configured for an individual user.
It will be appreciated that, in embodiments of the present invention, merging includes but is not limited to taking a union or an intersection. Within one permission domain, several first merge policies may be configured; a first merge policy is a cross-group merge policy. For example, as shown in FIG. 2b, if permission groups PermGroup1 and PermGroup2 are non-mutually-exclusive permission groups and permission group PermGroup3 is a mutually exclusive permission group, the first merge policy may be: take the union of PermGroup1 and PermGroup2, then intersect the result with PermGroup3.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working process of the data access permission control apparatus 300 and its modules described above, and the process of applying the solution of the present invention to permission control of data access in practical applications, may refer to the corresponding processes in the method embodiments above, and are not repeated here.
It can be seen from the above that the data access permission control apparatus 300 provided by this embodiment determines, from the user's dimension information and dimension values, the permission groups corresponding to the user and the user's permission set in each permission group, and merges those permission sets, so that permissions are classified; further, the category of a permission group is defined according to its dimension values, and the permission sets are merged according to a merge policy, so that permission classification is more targeted and the permission control problem for multi-dimensional users is better solved.
Referring to FIG. 4, FIG. 4 is another schematic structural diagram of a data access permission control apparatus according to an embodiment of the present invention. The apparatus may include at least one processor 401 (for example a CPU, Central Processing Unit), at least one network interface or other communication interface, a memory 402, and at least one communication bus used to implement connection and communication between these components. The processor 401 is configured to execute executable modules, for example computer programs, stored in the memory. The memory 402 may include high-speed random access memory and may also include non-volatile memory, for example at least one disk storage. The communication connection between this system gateway and at least one other network element is implemented through at least one network interface (which may be wired or wireless), and may use the Internet, a wide area network, a local area network, a metropolitan area network, and so on.
As shown in FIG. 4, in some implementations the memory 402 stores program instructions that can be executed by the processor 401, and the processor 401 specifically performs the following steps:
receiving a user's access request; determining the permission groups corresponding to the user according to the user's dimension information; determining the user's permission set in each permission group according to the user's dimension values; and merging the user's permission sets in the permission groups to obtain the user's permissions.
Preferably, the processor 401 further performs the following steps: configuring a corresponding permission group for each dimension, each permission group containing the different permission sets corresponding to the different dimension values; configuring a corresponding permission domain for each user category, the permission domain containing each permission group corresponding to each dimension; determining the permission domain corresponding to the user according to the user's category; and determining the permission groups corresponding to the user from that permission domain according to the user's dimension information.
The processor 401 being configured to determine the user's permission set in each permission group according to the user's dimension values includes: determining the category of the permission group corresponding to the user, the category being either a mutually exclusive permission group or a non-mutually-exclusive permission group, where in a mutually exclusive permission group one user is configured with one permission set and in a non-mutually-exclusive permission group one user may be configured with several permission sets; and determining the user's permission set in each permission group according to the user's dimension values, where the union of all of the user's permission sets in a non-mutually-exclusive permission group is taken to obtain the user's permission set in that group, and in a mutually exclusive permission group the user's single permission set is obtained.
The processor 401 being configured to merge the user's permission sets in the permission groups includes: taking, according to a preset first merge policy or a preset second merge policy, the union or the intersection of the user's permission sets in the permission groups, where the first merge policy is a merge policy between permission groups configured according to the business logic, and the second merge policy is a merge policy configured for an individual user.
In the above embodiments, the description of each embodiment has its own emphasis; for a part not described in detail in one embodiment, refer to the related description in the other embodiments.
It can be seen from the above that the data access permission control apparatus 400 provided by this embodiment determines, from the user's dimension information and dimension values, the permission groups corresponding to the user and the user's permission set in each permission group, and merges those permission sets, so that permissions are classified; further, the category of a permission group is defined according to its dimension values, and the permission sets are merged according to a merge policy, so that permission classification is more targeted and the permission control problem for multi-dimensional users is better solved.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of the units is only a division by logical function, and there may be other ways of division in actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, apparatuses or units, and may be in electrical, mechanical or other form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, each unit may exist physically alone, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on such an understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device or the like) to perform all or part of the steps of the method described in each embodiment of the present invention. The foregoing storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The data access permission control method and apparatus provided by the present invention have been described in detail above. For those of ordinary skill in the art, there will be changes in the specific implementation and scope of application according to the idea of the embodiments of the present invention. In summary, the contents of this specification should not be construed as limiting the present invention.

Claims

1. A data access permission control method, characterized by comprising:
receiving an access request of a user;
determining, according to dimension information of the user, a permission group corresponding to the user;
determining, according to a dimension value of the user, a permission set of the user in each permission group; and merging the permission sets of the user in each of the permission groups to obtain the permissions of the user.
2. The method according to claim 1, characterized by further comprising:
configuring a corresponding permission group for each dimension, the permission group containing different permission sets corresponding to different dimension values.
3. The method according to claim 1 or 2, characterized by further comprising: configuring a corresponding permission domain for each user category, the permission domain containing each permission group corresponding to each dimension;
wherein determining, according to the dimension information of the user, the permission group corresponding to the user comprises: determining, according to the category of the user, the permission domain corresponding to the user;
determining, according to the dimension information of the user, the permission group corresponding to the user from the permission domain corresponding to the user.
4. The method according to claim 3, characterized in that determining, according to the dimension value of the user, the permission set of the user in each permission group comprises:
determining the category of the permission group corresponding to the user, the category of the permission group comprising a mutually exclusive permission group or a non-mutually-exclusive permission group, wherein one user is configured with a single permission set in a mutually exclusive permission group, and one user is configured with multiple permission sets in a non-mutually-exclusive permission group;
determining, according to the dimension value of the user, the permission set of the user in each permission group, wherein the union of all permission sets of the user in a non-mutually-exclusive permission group is taken to obtain the permission set of the user in the non-mutually-exclusive permission group, or the unique permission set of the user in a mutually exclusive permission group is obtained.
5. The method according to claim 1 or 2, characterized in that merging the permission sets of the user in each of the permission groups comprises:
merging the permission sets of the user in each of the permission groups according to a preset first merge policy or second merge policy, wherein the first merge policy is a merge policy between permission groups configured according to the user's business logic, and the second merge policy is a merge policy configured for each user.
6. The method according to claim 5, characterized in that the merging comprises taking a union or taking an intersection.
7. A data access permission control apparatus, characterized by comprising:
a receiving module, configured to receive an access request of a user;
a first determining module, configured to determine, according to dimension information of the user, a permission group corresponding to the user;
a second determining module, configured to determine, according to a dimension value of the user, a permission set of the user in each permission group;
a merging module, configured to merge the permission sets of the user in each of the permission groups to obtain the permissions of the user.
8. The apparatus according to claim 7, characterized by further comprising:
a configuration module, configured to configure a corresponding permission group for each dimension, the permission group containing different permission sets corresponding to different dimension values.
9. The apparatus according to claim 7 or 8, characterized in that the configuration module is further configured to: configure a corresponding permission domain for each user category, the permission domain containing each permission group corresponding to each dimension;
wherein the first determining module is configured to: determine, according to the category of the user, the permission domain corresponding to the user; and determine, according to the dimension information of the user, the permission group corresponding to the user from the permission domain corresponding to the user.
10. The apparatus according to claim 9, characterized in that the second determining module is configured to:
determine the category of the permission group corresponding to the user, the category of the permission group comprising a mutually exclusive permission group or a non-mutually-exclusive permission group, wherein one user is configured with a single permission set in a mutually exclusive permission group, and one user is configured with multiple permission sets in a non-mutually-exclusive permission group;
determine, according to the dimension value of the user, the permission set of the user in each permission group, wherein the union of all permission sets of the user in a non-mutually-exclusive permission group is taken to obtain the permission set of the user in the non-mutually-exclusive permission group, or the unique permission set of the user in a mutually exclusive permission group is obtained.
11. The apparatus according to claim 7 or 8, characterized in that the merging module is specifically configured to:
take the union or the intersection of the permission sets of the user in each of the permission groups according to a preset first merge policy or second merge policy to obtain the permissions of the user, wherein the first merge policy is a merge policy between permission groups configured according to the user's business logic, and the second merge policy is a merge policy configured for each user.
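The resolution procedure that the processor description and claims 1 to 6 above lay out (permission domain selected by user category, one permission group per dimension, union inside a non-mutually-exclusive group, a single set inside a mutually exclusive group, then a union or intersection across groups) is shown below as an added illustration in Python. It is not code from the patent or from its assignee. All dimension names, group contents, permissions and user records are constructed sample data, and the rule that a per-user (second) merge policy takes precedence over the group-level (first) policy is an assumption, since the claims only state that either policy may be used.

```python
"""Added illustration of multi-dimensional permission resolution.
Not code from the patent or its assignee; the configuration below is
constructed sample data and the policy precedence is an assumption."""
from __future__ import annotations

from dataclasses import dataclass

EXCLUSIVE = "exclusive"          # a user holds exactly one permission set here
NON_EXCLUSIVE = "non_exclusive"  # a user may hold several permission sets here


@dataclass
class PermissionGroup:
    """One permission group per dimension: dimension value -> permission set."""
    dimension: str
    kind: str
    sets: dict[str, frozenset[str]]


@dataclass
class User:
    name: str
    category: str                      # selects the permission domain
    dimensions: dict[str, set[str]]    # dimension -> the user's dimension values
    merge_policy: str | None = None    # optional per-user (second) merge policy


# Constructed sample configuration (assumed names, not from the patent).
GROUPS = {
    "role":   PermissionGroup("role", EXCLUSIVE,
                              {"auditor": frozenset({"read"}),
                               "editor":  frozenset({"read", "write"})}),
    "region": PermissionGroup("region", NON_EXCLUSIVE,
                              {"eu": frozenset({"read", "export_eu"}),
                               "us": frozenset({"read", "export_us"})}),
    "team":   PermissionGroup("team", NON_EXCLUSIVE,
                              {"billing": frozenset({"read", "write", "invoice"})}),
}
# Permission domain per user category: the groups that apply to that category.
DOMAINS = {"employee": ["role", "region", "team"], "contractor": ["role", "region"]}
# First (business-logic) merge policy between groups, keyed by user category.
GROUP_POLICY = {"employee": "union", "contractor": "intersection"}


def groups_for(user: User) -> list[PermissionGroup]:
    """Claim 3: domain by category, then the groups named in the user's dimension info."""
    return [GROUPS[g] for g in DOMAINS[user.category] if g in user.dimensions]


def permission_set_in_group(user: User, group: PermissionGroup) -> frozenset[str]:
    """Claim 4: union over the user's values in a non-exclusive group; exactly one
    configured set in an exclusive group (anything else is a configuration error)."""
    configured = [group.sets[v] for v in user.dimensions[group.dimension] if v in group.sets]
    if group.kind == EXCLUSIVE:
        if len(configured) != 1:
            raise ValueError(f"{user.name}: exclusive group {group.dimension!r} must map "
                             f"to exactly one permission set, got {len(configured)}")
        return configured[0]
    return frozenset().union(*configured) if configured else frozenset()


def merge_policy_for(user: User) -> str:
    """Claim 5: per-user (second) policy if set, else the category's group-level
    (first) policy. This precedence is an assumption of the example."""
    return user.merge_policy or GROUP_POLICY[user.category]


def effective_permissions(user: User) -> frozenset[str]:
    """Claims 1 and 6: resolve each group's set, then take the union or intersection."""
    sets = [permission_set_in_group(user, g) for g in groups_for(user)]
    if not sets:
        return frozenset()
    policy = merge_policy_for(user)
    if policy == "union":
        return frozenset().union(*sets)
    if policy == "intersection":
        return frozenset.intersection(*sets)
    raise ValueError(f"unknown merge policy {policy!r}")


def is_allowed(user: User, permission: str) -> bool:
    """Claim 1: decide an access request against the merged permissions."""
    return permission in effective_permissions(user)


if __name__ == "__main__":
    alice = User("alice", "employee",
                 {"role": {"editor"}, "region": {"eu", "us"}, "team": {"billing"}})
    bob = User("bob", "contractor", {"role": {"auditor"}, "region": {"eu"}})
    print("alice:", sorted(effective_permissions(alice)))  # union across groups
    print("bob:", sorted(effective_permissions(bob)))      # intersection across groups
    print("bob export_eu:", is_allowed(bob, "export_eu"))
```

With the sample data, the employee category merges by union, so alice accumulates rights from her role, both regions and her team, while the contractor category merges by intersection, so bob keeps only the rights common to every group that applies to him. An exclusive group that would resolve to two permission sets is rejected rather than silently unioned, which is the check a reviewer of such a configuration would want.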

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310496792.1 2013-10-21
CN201310496792.1A CN104573430B (en) 2013-10-21 2013-10-21 A kind of data access authority control method and device

Publications (1)

Publication Number Publication Date
WO2015058579A1 true WO2015058579A1 (en) 2015-04-30

Family

ID=52992220

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/084493 WO2015058579A1 (en) 2013-10-21 2014-08-15 Method and apparatus for controlling data access permissions

Country Status (2)

Country Link
CN (1) CN104573430B (en)
WO (1) WO2015058579A1 (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106407832B (en) * 2015-08-03 2021-03-09 阿里巴巴集团控股有限公司 Method and equipment for data access control
CN106487770B (en) * 2015-09-01 2019-07-30 阿里巴巴集团控股有限公司 Method for authenticating and authentication device
CN105550340A (en) * 2015-12-23 2016-05-04 北京奇虎科技有限公司 Forum user permission control method and apparatus
CN106301940A (en) * 2016-08-25 2017-01-04 厦门易灵网络科技有限公司 A kind of authority configuring method
CN107545047B (en) * 2017-08-17 2019-07-19 平安科技(深圳)有限公司 The querying method and terminal device of user right data
CN110955882B (en) * 2018-09-26 2022-03-18 北京国双科技有限公司 User permission setting method and device
CN109522751B (en) * 2018-12-17 2021-08-03 泰康保险集团股份有限公司 Access right control method and device, electronic equipment and computer readable medium
CN111861203A (en) * 2020-07-20 2020-10-30 苏州易卖东西信息技术有限公司 Fine-grained authority control management method based on E-commerce new retail business design
CN112632492B (en) * 2020-12-18 2021-08-13 杭州新中大科技股份有限公司 Multidimensional authority model design method for matrixing management
CN112699407A (en) * 2020-12-31 2021-04-23 北京字跳网络技术有限公司 Service data access method, device, equipment and storage medium
CN112632511A (en) * 2020-12-31 2021-04-09 中国平安人寿保险股份有限公司 Authority management method, device and storage medium
CN114595484B (en) * 2022-05-10 2022-08-16 上海柯林布瑞信息技术有限公司 Page permission control method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101299216A (en) * 2008-05-28 2008-11-05 华为技术有限公司 Authority management method, apparatus and system
CN101572630A (en) * 2009-05-22 2009-11-04 中兴通讯股份有限公司 Privilege management system and method based on objects
CN102236876A (en) * 2010-04-27 2011-11-09 兰州交通大学 Storage, monitoring and management method for airport freight station
CN102354356A (en) * 2011-09-29 2012-02-15 用友软件股份有限公司 Data authority management device and method


Also Published As

Publication number Publication date
CN104573430A (en) 2015-04-29
CN104573430B (en) 2018-05-18

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14855460

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14855460

Country of ref document: EP

Kind code of ref document: A1