WO2024120316A1 - System operation permission method and apparatus, and computer device and storage medium - Google Patents


Info

Publication number
WO2024120316A1
Authority
WO
WIPO (PCT)
Prior art keywords
permission
operator
information
user
login
Application number
PCT/CN2023/135936
Other languages
French (fr)
Chinese (zh)
Inventor
陈泉富
吴冬
陈凯浩
滕睿
黄旭
黄桢雄
Original Assignee
顺丰科技有限公司

Definitions

  • the present application belongs to the field of computer technology, and in particular, relates to a system operation permission method, device, computer equipment and storage medium.
  • the embodiments of the present application provide a system operation permission method, apparatus, computer equipment and storage medium, which can adapt to the diverse access modes of the information system, thereby improving the user experience.
  • an embodiment of the present application provides a system operation permission method, comprising: obtaining login information when an operator logs into the system of the current login end, wherein the login information is used to characterize the terminal type of the current login end; determining the operator's permission authority based on the operator's identity information and login information; obtaining the operator's operation instructions, and in combination with the permission authority, permitting the operator's operation instructions.
  • the operator's permission rights are determined based on the operator's identity information and login information, including: determining the role type corresponding to the operator based on the identity information; determining the permission rights that the role type has for the current login based on the role type and login information through the correspondence between the role type, login information and permission rights.
  • the permissions possessed by the role type at the current login end are determined through the correspondence between the role type, login information and permissions, including: according to the role type and login information, reading the role and permission correspondence table to obtain the permission ID of the role type at the current login end; according to the permission ID, reading the query permission information table to obtain the permission name corresponding to the permission ID; and, based on the permission name, determining the permissions possessed by the role type at the current login end.
  • the operator's permission rights are determined based on the operator's identity information and login information, including: determining the role type corresponding to the operator based on the identity information; determining the permission level corresponding to the role type at the current login based on the role type and login information through the correspondence between the role type, login information and permission level; and determining, based on the permission level, at least one permission below the permission level as the operator's permission.
  • the permission includes: at least one of function usage permission and data access permission, wherein function usage permission is the operator's permission to execute corresponding functions on the system page, and data access permission is the operator's permission to query data on the system page.
  • an embodiment of the present application provides a system operation permission device, including: an acquisition module, used to obtain the login terminal information when the operator logs into the system of the current login terminal, wherein the login terminal information is used to characterize the terminal type of the current login terminal; an authority determination module, used to determine the operator's permission according to the operator's identity information and login terminal information; an authority permission module, used to obtain the operator's operation instructions, and in combination with the permission authority, permit the operator's operation instructions.
  • an embodiment of the present application provides a computer device, including: a memory, a processor, and a computer program stored in the memory and running on the processor.
  • the processor executes the computer program, the system operation permission method described in the first aspect above is implemented.
  • an embodiment of the present application provides a computer-readable storage medium, which stores a computer program.
  • the computer program is executed by a processor, the system operation permission method described in the first aspect is implemented.
  • the user (i.e., the operator)
  • the user's identity information and the user's login terminal information can be combined at the same time to flexibly permit the user's permissions at different login terminals. If the user does not have the requested operation instruction permission, the corresponding operation cannot be performed. Therefore, through the above-mentioned system operation permission method, the user's operations at different login terminals can be flexibly permitted to adapt to the diverse access methods of the information system, thereby improving the user's experience.
  • FIG. 1 is a schematic diagram of a scenario of a system operation permission system provided in an embodiment of the present application.
  • FIG. 2 is a flow chart of a system operation permission method provided in an embodiment of the present application.
  • FIG. 3 is a schematic diagram of a process for obtaining identity information provided by an embodiment of the present application.
  • FIG. 4 is a flow chart of a system operation permission method provided in another embodiment of the present application.
  • FIG. 5 is a schematic diagram of a permission management page provided in an embodiment of the present application.
  • FIG. 6 is a schematic diagram of the structure of a system operation permission device provided in an embodiment of the present application.
  • FIG. 7 is a schematic diagram of the structure of a computer device provided in an embodiment of the present application.
  • FIG. 8 is a schematic diagram of the structure of a computer storage medium provided in an embodiment of the present application.
  • the present application proposes a system operation permission method, which can flexibly permit users to operate at different login terminals, and can also avoid system risk problems caused by lack of permission control, thereby improving the flexibility and security of the system.
  • FIG. 1 is a schematic diagram of a scenario of a system operation permission system provided in an embodiment of the present application.
  • the system operation permission system may include a computer device 140 and multiple terminal devices 110, 120, and 130.
  • the terminal devices 110, 120, 130 may be mobile terminal devices such as mobile phones, game consoles, tablet computers, or the terminal devices 110, 120, 130 may also be personal computers (PCs), such as laptop computers and desktop computers.
  • the types of the terminal devices 110, 120, 130 may be the same or different, and the number may be more or less.
  • the number of the terminals may be one each, or the number of the terminals may be dozens or hundreds, or more.
  • the embodiments of the present application do not limit the number of terminals and the type of devices.
  • the computer device 140 may be a server.
  • the computer device 140 may be an independent server, or a server network or server cluster composed of servers.
  • the computer device 100 includes but is not limited to a computer, a network host, a single network server, a plurality of network server sets, or a cloud server constructed by a plurality of servers.
  • a cloud server is constructed by a large number of computers or network servers based on cloud computing.
  • the terminal devices 110, 120, 130 and the computer device 140 are connected via a communication network.
  • the communication network is a wired network or a wireless network.
  • the terminal devices 110, 120, and 130 in the embodiment of the present application are mainly used for operators to initiate calls, for example, the operator initiates logging into the system of the current login terminal, or the operator initiates viewing the permission, or the operator initiates executing an operation instruction, etc.
  • the computer device 140 in the embodiment of the present application is mainly used to execute a system operation permission method when the operator at the terminal devices 110, 120, and 130 initiates a call.
  • the specific content of the system operation permission method can be found in the description below.
  • the system operation permission method can adapt to the diverse access methods of the information system, thereby improving the user experience.
  • a system operation permission device is integrated in the computer device 140 to execute the system operation permission method described below.
  • FIG. 1 is merely an application scenario of the present application scheme, and is not intended to constitute a limitation on the application scenario of the present application scheme.
  • Other application environments may also include more or fewer computer devices than those shown in FIG. 1 .
  • only one computer device is shown in FIG. 1 , and it is understandable that the system operation permission system may also include one or more other computer devices, which are not specifically limited here.
  • the scenario diagram of the system operation permission system shown in FIG. 1 is merely an example.
  • the risk warning system and scenario described in the embodiment of the present application are intended to more clearly illustrate the technical solution of the embodiment of the present application, and do not constitute a limitation on the technical solution provided in the embodiment of the present application.
  • Those of ordinary skill in the art will appreciate that, with the evolution of the system operation permission system and the emergence of new business scenarios, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
  • the system operation permission method provided by the embodiment of the present application is described in more detail below in conjunction with Figures 2 to 5.
  • the system operation permission method provided by the embodiment of the present application can be executed by the computer device 100 (e.g., the system operation permission device) shown in Figure 1.
  • the execution subject will be omitted in the subsequent method embodiments.
  • Referring to FIG. 2, a flow chart of an embodiment of the system operation permission method is shown, which is provided as an example and not as a limitation, and includes the following steps:
  • Step S1: Obtain the login terminal information when the operator logs into the system of the current login terminal, wherein the login terminal information is used to characterize the terminal type of the current login terminal.
  • Step S2: Determine the permission of the operator according to the identity information and login terminal information of the operator.
  • Step S3: Acquire the operation instruction of the operator, and permit the operation instruction of the operator in combination with the permission authority.
  • the login terminal information refers to the terminal type used by the operator to log in to the system, for example, a mobile client or a computer client.
  • Obtaining the login terminal information when the operator logs in to the system means obtaining whether the operator logs in on a computer client or a mobile client.
  • the user's identity information and the user's login terminal information can be combined at the same time to flexibly grant permissions to the user at different login terminals. If the user does not have the permissions corresponding to the operation instructions requested by the user, the corresponding operation cannot be performed. Therefore, through the above-mentioned system operation permission method, the user's operations at different login terminals can be flexibly permitted to adapt to the diverse access methods of the information system, thereby improving the user's experience. In addition, through the above-mentioned system operation permission method, system risk problems caused by the lack of permission control can also be avoided, thereby improving the flexibility and security of the system.
  • the system operation permission method proposed in the present application can be used for a customer relationship management system with role-based permission control.
  • the Customer Relationship Management (CRM) system refers to an information system that uses software, hardware and network technology to establish an enterprise to collect, manage, analyze and utilize customer information. With the management of customer data as the core, it records the various interactive behaviors that occur between the enterprise and the customer during the marketing and sales process, as well as the status of various related activities, and provides various data models to provide support for subsequent analysis and decision-making.
  • Role-based permission control refers to indirectly granting user permissions by associating users with roles and roles with permissions. After a user is assigned a role, the user obtains all permissions under that role. With the addition of the role relationship, permissions only need to be defined for the role, and users who need the same permissions are assigned to the same role, which is convenient to use; when user permissions need to be adjusted in batches, only the permissions corresponding to the roles associated with those users need to be adjusted, with no need to adjust permissions for every user. This greatly improves the efficiency of permission adjustment and reduces the probability of missing permissions.
  • Referring to FIG. 3, a process of obtaining identity information provided in an embodiment of the present application is shown, which is provided as an example and not as a limitation, and includes the following contents.
  • the account information may be the user ID or user email address entered by the operator when logging into the system, and the login verification information may be the account password, dynamic email verification code or voice verification code entered by the operator when logging into the system.
  • S12: Verify the operator's login operation based on the account information and login verification information.
  • a preset user identity information table is read according to the account information to determine the operator's identity information.
  • the user identity information table includes the mapping relationship between the user's account information and the user's identity information. According to the user's account information, the unique corresponding user's identity information can be determined. By determining the user's identity information through the user's account information, the operator does not need to enter sensitive personal identity information, such as ID card number, when logging into the system, thereby avoiding the leakage of personal information.
  • Alternatively, when logging into the system, the operator may also directly enter identity information for verification, for example, entering an ID number and verifying it through fingerprint or face recognition.
  • the user identity information table is shown in Table 1, which includes: user ID (USER ID), user work number (EMP CODE), user name (USER NAME), user email (EMAIL), user phone (PHONE), user ID number (ID NUM) and user organization (ORG).
  • USER ID: user ID
  • EMP CODE: user work number
  • USER NAME: user name
  • EMAIL: user email
  • PHONE: user phone
  • ID NUM: user ID number
  • ORG: user organization
  • According to the mobile phone number used by the operator to log in to the system, when reading the identity information of the current login account (i.e., the operator) in the user identity information table, only the USER ID needs to be determined. It should be noted that USER ID and user have a one-to-one correspondence.
  • the USER ID corresponding to the mobile phone number 134xxxx5678 is read as 1 in the user identity information table.
  • the user ID corresponding to the mobile phone number used by the user to log into the system is read in the user identity information table, and the identity information of the user who logged into the system can be determined.
  • An implementation of step S2 provided in an embodiment of the present application is shown, which is provided as an example and not as a limitation, and includes the following contents.
  • S21: Determine the role type corresponding to the operator according to the identity information of the operator.
  • the role type of the current operator is read from the identity-role correspondence table according to the operator's identity information.
  • the identity-role correspondence table includes the correspondence between the user's identity information and the role type.
  • the user role types include: system administrator, headquarters administrator, regional administrator, sales manager, account manager, branch salesperson or courier, etc.
  • the role type of the user can be configured in advance, or it can be flexibly configured as needed.
  • the flexible configuration of the role type of the user may include the following two methods: adding roles to users and adding users to roles.
  • adding roles to users means that the computer device (i.e., the backend) obtains the role granted to a certain user by the developer on the user management page.
  • the backend may obtain multiple roles added to the user at one time by the developer on the user management page.
  • Adding users to roles means that the backend obtains multiple users selected by the developer on the role management page for a certain role, thereby achieving the purpose of granting roles to batches of users.
  • the identity and role correspondence table is shown in Table 2, which includes: the mapping relationship between user ID (USER ID) and role ID (ROLE_ID). Exemplarily, according to the operator's USER ID, the operator's ROLE_ID is read in the identity and role correspondence table.
  • the user role information table is shown in Table 3, which includes: role ID (ROLE_ID) and role type (ROLE_TYPE). Exemplarily, according to ROLE_ID, the user role information table is read to determine the role type of the user.
  • ROLE_ID: role ID
  • ROLE_TYPE: role type
  • the role ID corresponding to the user ID of the current login person (i.e., operator) is read in the identity and role correspondence table, and through the role ID, the role type is read in the user role information table, thereby determining the role type of the current user (i.e., operator) who has logged into the system.
  • the correspondence between the role type, the login terminal information and the permission can be stored in the database in the form of at least one of a role-permission correspondence table and a query permission information table.
  • the table of roles and permissions is shown in Table 4, which includes: the mapping relationship between role ID (ROLE_ID), permission ID (PERMISSION_ID) and effective end (EFFECTIVE END).
  • the table of query permission information is shown in Table 5, which includes: permission ID (PERMISSION_ID), parent node ID (PARENT_ID), permission name (PERMISSION_NAME), resource type (SOURCE_TYPE) and module type (MODULE_TYPE).
  • the table of roles and permissions is read to determine the permission that the role type has at the current login end.
  • reading the role and permission correspondence table can only obtain the permission ID (PERMISSION_ID) of the permission that the role type has at the current login end. Therefore, in order to determine the specific content of the permission that the role type has at the current login end, you can also read the query permission information table.
  • As an example, according to ROLE_ID, by reading the role and permission correspondence table, it can be obtained that if the current login end is the mobile end (that is, the effective end is the App end), then this role type has the permissions with PERMISSION_ID 1 and 2 on the App end; if the current login end is the computer end (that is, the effective end is the PC end), then this role type has only the permission with PERMISSION_ID 1 on the PC end.
  • the permission name corresponding to PERMISSION_ID 1 is View Customer File Management, so the permissions possessed by this role type include the permission to view the Customer File Management menu.
  • the permission name corresponding to PERMISSION_ID 2 is View Customer List, so the permissions possessed by this role type also include the permission to use the View Customer List function.
  • the permissions owned by the role type with ROLE_ID 1 include: permission to use the customer profile management menu and permission to view the customer list on the App side, and only permission to view the customer list on the PC side.
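The lookup through Tables 1 to 5 with the effective-end column, as an added example written for this page (not the patent's own code, and all rows are constructed sample data; the table and column names follow the text above):

```python
"""Constructed walk-through of Tables 1 to 5 described above. Sample rows are
made up for this example; the login terminal is carried by the EFFECTIVE_END
column of the role/permission correspondence table, so one role type resolves
to different permissions on the App end and on the PC end."""
from __future__ import annotations

# Table 1: user identity information. The operator logs in with the phone
# number; the ID number stays in the table and is never typed by the operator.
USER_TABLE = [
    {"USER_ID": 1, "EMP_CODE": "E0001", "USER_NAME": "Operator One",
     "EMAIL": "one@example.invalid", "PHONE": "134xxxx5678",
     "ID_NUM": "<not shown>", "ORG": "Branch office"},
]
# Table 2: identity/role correspondence (USER_ASSIGNMENT).
IDENTITY_ROLE_TABLE = [{"USER_ID": 1, "ROLE_ID": 1}]
# Table 3: role information.
ROLE_TABLE = [{"ROLE_ID": 1, "ROLE_TYPE": "branch salesperson"}]
# Table 4: role/permission correspondence (PERMISSION_ASSIGNMENT) with the
# effective end; the PC row for PERMISSION_ID 2 is deliberately absent.
ROLE_PERMISSION_TABLE = [
    {"ROLE_ID": 1, "PERMISSION_ID": 1, "EFFECTIVE_END": "App"},
    {"ROLE_ID": 1, "PERMISSION_ID": 2, "EFFECTIVE_END": "App"},
    {"ROLE_ID": 1, "PERMISSION_ID": 1, "EFFECTIVE_END": "PC"},
]
# Table 5: query permission information.
PERMISSION_TABLE = [
    {"PERMISSION_ID": 1, "PARENT_ID": 0, "PERMISSION_NAME": "View Customer File Management",
     "SOURCE_TYPE": "menu", "MODULE_TYPE": "customer"},
    {"PERMISSION_ID": 2, "PARENT_ID": 1, "PERMISSION_NAME": "View Customer List",
     "SOURCE_TYPE": "function", "MODULE_TYPE": "customer"},
]
# Terminal types the login terminal information may take.
KNOWN_ENDS = {"App", "PC"}


def identity_from_account(phone: str) -> int | None:
    """Read Table 1 by the login account to obtain the operator's USER_ID."""
    for row in USER_TABLE:
        if row["PHONE"] == phone:
            return row["USER_ID"]
    return None


def role_ids_for(user_id: int) -> set[int]:
    """Step S21 (first half): USER_ID -> ROLE_ID via Table 2."""
    return {r["ROLE_ID"] for r in IDENTITY_ROLE_TABLE if r["USER_ID"] == user_id}


def role_types_for(user_id: int) -> set[str]:
    """Step S21 (second half): ROLE_ID -> ROLE_TYPE via Table 3."""
    ids = role_ids_for(user_id)
    return {r["ROLE_TYPE"] for r in ROLE_TABLE if r["ROLE_ID"] in ids}


def permission_names(role_ids: set[int], login_end: str) -> set[str]:
    """Step S22: Table 4 filtered by (ROLE_ID, EFFECTIVE_END) gives PERMISSION_IDs,
    Table 5 turns each id into its permission name."""
    if login_end not in KNOWN_ENDS:
        return set()  # unrecognised login terminal information: nothing is granted
    pids = {r["PERMISSION_ID"] for r in ROLE_PERMISSION_TABLE
            if r["ROLE_ID"] in role_ids and r["EFFECTIVE_END"] == login_end}
    return {p["PERMISSION_NAME"] for p in PERMISSION_TABLE if p["PERMISSION_ID"] in pids}


def permit_instruction(phone: str, login_end: str, instruction: str) -> bool:
    """Steps S1 to S3 end to end: the instruction is permitted only when the
    operator's role type holds the permission of that name on the current login end."""
    user_id = identity_from_account(phone)
    if user_id is None:
        return False  # unknown account: deny by default
    return instruction in permission_names(role_ids_for(user_id), login_end)


if __name__ == "__main__":
    for end in ("App", "PC"):
        print(end, sorted(permission_names(role_ids_for(1), end)))
```

The check is deny-by-default: an unknown account or an unrecognised terminal type yields no permissions at all rather than falling back to the App-end set.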
  • the role is used as an intermediary to first determine the user's role type, and then determine the user's permissions based on the role type and login information.
  • the reason for this operation is that the RBAC permission model is based on five basic tables in the database, including: (1) User table (USER), used to store user identity information; (2) Role table (ROLE), used to store role information; (3) Permission table (PERMISSION), used to store permission information; (4) Permission and role association table (PERMISSION_ASSIGNMENT, PA), used to store the correspondence between roles and permissions; (5) User and role association table (USER_ASSIGNMENT, UA), used to store the correspondence between users and roles.
  • the advantage of such a configuration is that roles and permissions are in a many-to-many relationship, that is, a role can have multiple permissions, and the same permission can be granted to multiple roles. Therefore, the permission configuration process is simpler and more flexible.
  • roles can also be used to establish the relationship between users and permissions in the process of granting permissions.
  • When granting permissions, multiple permissions corresponding to the role can be granted at one time, without having to grant each permission separately, which makes the operation easier.
  • the permission can also be uniquely matched to the user's unique identifier or identity information, that is, the permission for each person can be the same or different.
  • the permission corresponds to the unique identifier or identity information, rather than the role type, so that the permission for each user can be uniquely customized, which is not described in detail in this application.
  • Through step S22, the permissions possessed by the role type at the current login end can be obtained; that is, only the permissions of the permission level corresponding to the role type at the current login end. Therefore, in order to obtain the operators' permissions in batches, it is also possible to determine the permission level corresponding to the role type at the current login end based on the role type and login end information, through the correspondence between the role type, login end information and permission level, and then, according to the permission level, determine at least one permission below the permission level as the operator's permission.
  • steps S21 and S22 are implementation methods for obtaining the operator's permission rights, and the above-mentioned determination of at least one permission below the permission level based on the permission level is also an implementation method for obtaining the operator's permission rights. These two implementation methods do not conflict, that is, these two implementation methods can exist at the same time.
  • each permission level includes at least one permission, and the permission levels are in an inclusive relationship, that is, the first permission level includes all permissions in the second permission level, the second permission level includes all permissions in the third permission level, and so on.
  • the permission level can be set as needed, and only the relationship between the two permission levels is used as an example here.
  • the two permission levels include a primary permission level and a secondary permission level.
  • If the permission level of the operator at the current login terminal is the secondary permission level, the operator has the permissions under the secondary permission level.
  • If the permission level of the operator at the current login terminal is the primary permission level, the operator has, in addition to the permissions under the primary permission level, at least one permission under the secondary permission level (for example, all permissions under the secondary permission level).
  • For example, the permissions under the second-level permission level include the permission to view customer information, and the permissions under the first-level permission level include the permission to create, modify and delete customer information.
  • If user A has the second-level permission level on the computer client, then when user A logs into the system on the computer client, user A has the right to view customer information.
  • If user B has the first-level permission level on the computer client, then when user B logs into the system on the computer client, user B has the right to view customer information and the right to create, modify and delete customer information.
  • If user C has the second-level permission level on the mobile client and the first-level permission level on the computer client, then when user C logs into the system on the mobile client, user C can only view customer information and cannot create, modify or delete customer information; when user C logs into the system on the computer client, user C has the right to view customer information and the right to create, modify and delete customer information.
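The inclusive permission levels and the per-terminal level of users A, B and C, as an added example written for this page (not the patent's code; the level table, user levels and permission names are constructed, and the code generalises the two-level case above to any number of levels):

```python
"""Constructed example of inclusive permission levels. Level 1 is the highest;
by the inclusive rule a level also holds everything of every lower level, and
the level is configured per (user, login end), so the same user may hold
different levels on the mobile client and on the computer client."""
from __future__ import annotations

# Permissions introduced at each level (constructed). Any number of levels works.
LEVEL_PERMISSIONS: dict[int, set[str]] = {
    1: {"create customer information", "modify customer information",
        "delete customer information"},
    2: {"view customer information"},
}

# Permission level per (user, login end); an absent pair means none configured.
USER_LEVELS: dict[tuple[str, str], int] = {
    ("A", "PC"): 2,
    ("B", "PC"): 1,
    ("C", "App"): 2,
    ("C", "PC"): 1,
}


def permissions_at_level(level: int) -> set[str]:
    """Expand a level into its own permissions plus those of every lower level
    (numerically greater), which is the inclusive relationship in the text."""
    if level not in LEVEL_PERMISSIONS:
        raise ValueError(f"unknown permission level {level}")
    granted: set[str] = set()
    for lvl, perms in LEVEL_PERMISSIONS.items():
        if lvl >= level:
            granted |= perms
    return granted


def operator_permissions(user: str, login_end: str) -> set[str]:
    """Determine the operator's permissions from the level configured for this login end."""
    level = USER_LEVELS.get((user, login_end))
    if level is None:
        return set()  # no level configured for this terminal type: nothing is granted
    return permissions_at_level(level)


def permit_by_level(user: str, login_end: str, instruction: str) -> bool:
    """Permit an operation instruction only if it is within the operator's level."""
    return instruction in operator_permissions(user, login_end)


if __name__ == "__main__":
    for who, end in sorted(USER_LEVELS):
        print(who, end, sorted(operator_permissions(who, end)))
```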
  • the permission includes at least one of function use permission and data access permission.
  • the function usage permission includes the permission to view the function menu.
  • the computer device (i.e., the back end)
  • the computer device can directly determine whether the user has the permission to view the function menu based on the identity information and the login terminal information. If the user has the permission to view the function menu, an instruction to display the function menu under the corresponding permission is sent to the terminal device (i.e., the front end), and accordingly, the front end displays the function menu under the corresponding permission for the user.
  • the backend can determine the permission that the role type corresponding to the operator has at the current login terminal through the correspondence between the role type, the login terminal information and the permission. If the permission is the permission to view the function menu, the backend sends an instruction to display the function menu under the corresponding permission to the frontend, and accordingly, the frontend displays the function menu under the corresponding permission for the user.
  • the backend sends an instruction to display the customer management menu, and accordingly the frontend displays the customer management menu for the user; if the backend determines that the role type of the user is a courier, and the courier has the permission to view the order management menu, the backend sends an instruction to display the order management menu, and accordingly the frontend displays the order management menu for the user; if the backend determines that the role type of the user is a sales manager, and the sales manager has the permission to view the supplier management menu, the backend sends an instruction to display the supplier management menu, and accordingly the frontend displays the supplier management menu for the user.
  • the function usage permission also includes the permission to use the function button.
  • the function button includes at least one of a view button, a new button, a modify button, a delete button, and an audit button.
  • For example, when the user clicks the delete button, the backend receives the click instruction sent by the frontend and verifies whether the function usage permission of the user's role type at the current login end includes the permission to use the delete button.
  • If the function usage permission of the role type at the current login end includes the permission to use the delete button, the user is permitted to execute the operation instruction of the delete button, and accordingly the user can proceed to the next step.
  • If the function usage permission of the role type at the current login end does not include the permission to use the delete button, a prompt of no permission is sent to the frontend, and correspondingly the frontend prompts the user that the user does not have the permission to use the delete button.
  • For the buttons on the system page after logging into the system, the user may not have the authority to perform the corresponding operations on some of these buttons, so this can be optimized. That is, in another possible implementation, only an instruction to display the buttons for which the user has the authority is sent to the front end; on the system page, the buttons for which the user does not have the authority are hidden, to achieve the purpose of "visible and operable". It should be understood that "visible and operable" means that if the user can see a button on the system page, the user can perform the corresponding operation on that button. The purpose of "visible and operable" can also be achieved through the cooperation of the front end.
  • For example, the front end caches the user's authority information, and the back end determines whether the user has the corresponding authority based on the authority information. If the user has the corresponding authority, an instruction to display the button corresponding to the authority is sent to the front end, and correspondingly the front end displays that button to the user; if the user does not have the corresponding authority, no instruction to display the button is sent to the front end, that is, the button corresponding to that authority is hidden on the system page.
  • the data access permission includes at least one of permission to access a data type and permission to access a data range.
  • the data types include: at least one of customer data, business opportunity data, and contract data
  • the data range includes: at least one of data I created, data I collaborated with, data of my subordinates, data of my authorized area, and data of my authorized industry.
  • different role types have different data access permissions, so even on the same page of the system, users of different role types may see different data.
  • when the courier, regional administrator and headquarters administrator request to view the customer list in the system, the front end sends an instruction to the back end requesting to view the customer list. Accordingly, the back end sends different data to the front end according to the role type corresponding to each user, so that different data is displayed in the system. For example, the courier can see the customer list under his own name, the regional administrator can see the customer list in the authorized area, and the headquarters administrator can see the customer list of all areas.
  • the permission may include only function usage rights, in which case all data related to the function is permitted to be operated by the user.
  • the permissions corresponding to each role type can be configured in advance or flexibly configured as needed.
  • flexibly configuring the correspondence between role types and permissions includes: configuring different permissions for different role types on the front-end permission management page, and configuring the corresponding effective end (i.e., App end or PC end) for the permissions.
  • the developer first selects the role type of the regional administrator.
  • the backend determines the role type as the regional administrator.
  • the developer checks the function usage permission to view the customer list, and selects the effective end as the mobile phone and the computer.
  • the backend determines that the function usage permission corresponding to the role type of the regional administrator is to view the customer list and determines the effective end as the mobile phone and the computer.
  • the developer selects the data range that can be viewed by the role type of the regional administrator as the customer information in the region, and selects the effective end as the mobile phone and the computer.
  • the backend determines that the data range that can be viewed by the role type of the regional administrator is the customer information in the region and the effective end is the mobile phone and the computer.
  • users with the role type of regional administrator can have the following permissions: they can view the customer list on the computer and mobile phone, and the scope of the customer list viewed is all customer information in the region.
  • the backend determines the role type as account manager. The developer checks the view, modify and delete functions for customer data; at this time, the backend determines that the account manager can view, modify and delete customer data. For business opportunity data, the developer checks the view, modify and delete functions; at this time, the backend determines that the account manager can view, modify and delete business opportunity data. For contract data, no function is selected; at this time, the backend determines that the account manager has no operation permission on contract data.
  • users with the account manager role type can have the following permissions: view, modify and delete customer data; view, modify and delete business opportunity data; and no operation permission on contract data.
  • determining the permission of the operator includes: determining the role type of the operator according to the identity information; determining the function code and data field corresponding to the permission according to the role type and the login terminal information, through the correspondence between the preset role type, the login terminal information and the permission; and determining the function usage permission and data access permission of the operator according to the function code and the data field.
  • the correspondence between the preset role type, the login terminal information and the permission is stored in the database in the form of at least one of the role and permission correspondence table (i.e., Table 4) and the query permission information table (i.e., Table 5).
  • the function code can be understood as the PERMISSION_ID (permission ID) in Table 4 and Table 5, and the data field can be understood as the permission name (PERMISSION_NAME) in Table 5.
  • the function code can also be understood as generated by the back end after the user enters a function request on the system page.
  • if the PERMISSION_ID in Table 4 is 4, which corresponds to the function code, and the data field in Table 5 is "My", then the operator's permission is a data access right, that is, querying the data created by himself.
  • if the PERMISSION_ID in Table 4 is 2, which corresponds to the function code, and the data field in Table 5 is "View Customer List", then the operator's permission is a function use right, that is, the function of viewing the customer list.
  • the backend determines the user's role type based on the identity information.
  • the backend will generate a function code corresponding to the function request.
  • the backend reads the role and permission correspondence table through the function code to determine whether the user's role type has the permission corresponding to the function code, that is, whether the user has the permission to perform this function. If the user's role type has the permission corresponding to the function code, it means that the user has the permission to operate this function; if the user's role type does not have the permission corresponding to the function code, it means that the user does not have the permission to operate this function.
  • the backend uses the function code to read the role and permission correspondence table to determine whether the user's role type has the permission corresponding to the function code, that is, whether the user has the permission to access the data. If the user's role type has the permission corresponding to the function code, it means that the user has data access rights.
  • the backend then reads the query permission information table based on the function code to determine the data field. Finally, based on the relationship between the data resource table and the data field, it reads the data type and data range that the user is allowed to access, and sends the data type and data range to the front end for user access. If the user's role type does not have the permission corresponding to the function code, it means that the user has no data access rights.
  • the data resource table is used to store data of a certain data type and data range. For example, if the data field is "my" and the data type is customer data, the user's data access rights are my customer data.
  • step S3 may include: obtaining the function code corresponding to the operation instruction input by the operator, and determining whether there is function usage permission corresponding to the function code in the permission permissions; if there is function usage permission corresponding to the function code in the permission permissions, based on the function usage permission, permitting the operator's operation instruction.
  • step S3 may also include: obtaining the function code corresponding to the operation instruction input by the operator, and determining whether there is data access permission corresponding to the function code in the permission authority; if there is data access permission corresponding to the function code in the permission authority, based on the data access permission, reading the data resource table to permit the operator's operation instruction.
  • there is a data field in the data access permission. For example, if the data access permission is "my customer data", the data field is "my". Therefore, based on the data field in the data access permission, the data resource table can be read to obtain the data type (i.e., customer data) and data range (i.e., my) of the data access permission.
  • the backend can also obtain the data field requested by the user, and then read the data resource permission table based on the data field to determine the user's data access permissions under the current function usage permissions.
  • the system operation permission device 600 includes: an acquisition module 601, a permission determination module 602, and a permission permission module 603.
  • the acquisition module 601 is used to acquire the login terminal information when the operator logs into the system of the current login terminal, wherein the login terminal information is used to characterize the terminal type of the current login terminal.
  • the authority determination module 602 is used to determine the permission of the operator according to the identity information and login terminal information of the operator.
  • the permission module 603 is used to obtain the operation instruction of the operator and permit the operation instruction of the operator in combination with the permission authority.
  • the user's identity information and the user's login terminal information can be combined to flexibly grant permissions to the user at different login terminals. If the user does not have the permissions corresponding to the requested operation instruction, the corresponding operation cannot be performed. Therefore, through the above-mentioned system operation permission device, the user's operations at different login terminals can be flexibly permitted to adapt to the diverse access methods of the information system, thereby improving the user's experience. In addition, through the above-mentioned system operation permission device, system risk problems caused by the lack of permission control can also be avoided, thereby improving the flexibility and security of the system.
  • the authority determination module 602 is specifically used to: determine the role type corresponding to the operator based on identity information; determine the permission permissions that the role type has at the current login end based on the role type and login end information through the correspondence between the role type, login end information and permission permissions.
  • when the authority determination module 602 determines the permission that the role type has at the current login terminal according to the role type and the login terminal information, through the correspondence between the role type, the login terminal information and the permission, it is specifically used for: reading the role and permission correspondence table according to the role type and login terminal information, and obtaining the permission ID of the role type at the current login terminal; reading the query permission information table according to the permission ID, and obtaining the permission name corresponding to the permission ID; and based on the permission name, determining the permission that the role type has at the current login terminal.
  • the authority determination module 602 is specifically used to: determine the role type corresponding to the operator based on identity information; determine the authority level corresponding to the role type at the current login end through the correspondence between the role type, login end information and authority level based on the role type and login end information; and determine, based on the authority level, at least one authority below the authority level as the operator's permitted authority.
  • the permission includes: at least one of function usage permission and data access permission, wherein function usage permission is the permission of the operator to execute the corresponding function on the system page, and data access permission is the permission of the operator to query data on the system page.
  • the function usage permission includes at least one of the permission to use the function button and the permission to view the function menu.
  • the data access permission includes at least one of permission to access a data type and permission to access a data range.
  • the permission permission module 603 is specifically used to: obtain the function code corresponding to the operation instruction input by the operator; determine whether there is function usage permission corresponding to the function code in the permission permissions; if there is function usage permission corresponding to the function code in the permission permissions, based on the function usage permission, permit the operator's operation instruction.
  • the permission permission module 603 is specifically used to: obtain the function code corresponding to the operation instruction input by the operator; determine whether there is data access permission corresponding to the function code in the permission permission; if there is data access permission corresponding to the function code in the permission permission, based on the data access permission, read the data resource table to permit the operator's operation instruction, wherein the data resource table is used to store data.
  • the system operation permission device 600 also includes: a verification module, which is used to obtain the account information and login verification information entered by the operator in the system login interface, and verify the operator's login operation based on the account information and login verification information; if the operator's login operation verification is passed, the operator's identity information is determined based on the account information.
  • the system operation permission device shown in FIG. 6 may also exist in other module components, which are not limited here, as long as the corresponding functions can be achieved.
  • FIG. 6 is only one embodiment of the system operation permission device, not all embodiments. Based on the embodiment of the system operation permission device in this application, all other embodiments obtained by those skilled in the art without making any creative work are within the scope of protection of this application.
  • FIG. 7 is a schematic diagram of the structure of a computer device provided in an embodiment of the present application.
  • the computer device 700 includes: at least one processor 701 (only one processor is shown in FIG. 7), a memory 702, and a computer program 703 stored in the memory 702 and running on the at least one processor 701.
  • the processor 701 executes the computer program 703, the above-mentioned system operation permission method is implemented.
  • the computer device may include, but is not limited to, a processor 701 and a memory 702.
  • FIG. 7 is merely an example of a computer device 700 and does not limit the computer device 700.
  • the computer device 700 may include more or fewer components than shown in the figure, or may combine certain components, or may include different components, such as an input/output device or a network access device.
  • the processor 701 may be a central processing unit (CPU), or other general-purpose processors, digital signal processors (DSP), application-specific integrated circuits (ASIC), field-programmable gate arrays (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc.
  • a general-purpose processor may be a microprocessor or any conventional processor, etc.
  • the memory 702 may be an internal storage unit of the computer device 700, such as a hard disk or memory of the computer device 700. In other embodiments, the memory 702 may also be an external storage device of the computer device 700, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card or a flash card (Flash Card) equipped on the computer device 700. Further, the memory 702 may also include both an internal storage unit of the computer device 700 and an external storage device of the computer device 700.
  • the memory 702 is used to store an operating system, an application program, a boot loader (BootLoader), data and other programs, such as program code of a computer program.
  • the memory 702 may also be used to temporarily store data that has been output or is to be output.
  • FIG. 7 shows only one embodiment of a computer device, rather than all embodiments. All other embodiments obtained by those skilled in the art based on the computer device embodiment in this application without any creative work shall fall within the scope of protection of this application.
  • the above functions can be assigned to different modules as needed, that is, the internal structure of the device can be divided into different modules to complete all or part of the functions described above.
  • the modules in the above embodiments can be integrated into one processing module, or each module can exist physically separately, or two or more modules can be integrated into one module.
  • the above integrated modules can be implemented in the form of hardware or in the form of software functional units.
  • the specific names of the modules are only for the convenience of distinguishing each other, and are not used to limit the scope of protection of this application.
  • the specific working process of the modules in the above device can refer to the corresponding process in the aforementioned method embodiment, which will not be repeated here.
  • an embodiment of the present application further provides a computer-readable storage medium 800, which stores a computer program 801, and when the computer program 801 is executed by a processor, the above-mentioned system operation permission method is implemented.
  • the computer program 801 includes computer program code, which may be in source code form, object code form, executable file or some intermediate form.
  • the computer readable storage medium 800 may at least include: any entity or device capable of carrying the computer program code to a terminal device, a recording medium, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electric carrier signal, a telecommunication signal and a software distribution medium, such as a USB flash drive, a mobile hard disk, a magnetic disk or an optical disk.
  • FIG. 8 shows only one embodiment of a computer-readable storage medium, rather than all embodiments. All other embodiments obtained by those skilled in the art based on the computer-readable storage medium embodiment in this application without any creative work shall fall within the scope of protection of this application.
  • an embodiment of the present application provides a computer program product.
  • when the computer program product is executed on a mobile terminal, the mobile terminal executes the above-mentioned system operation permission method.
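The following is an added example, not the patent's own code, that models the lookup described in the definitions above: (role type, login terminal) is resolved through a Table 4 analogue to PERMISSION_IDs, a Table 5 analogue maps those to function names and data fields, and the data field is then applied to a data resource table. The table contents, account names, terminal labels ("app", "pc") and customer records are all constructed for the example; the `grant` helper stands in for the permission management page's "effective end" configuration.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Raised when the operator lacks the permission behind a function code."""


@dataclass(frozen=True)
class Operator:
    """Identity information as obtained after login verification (constructed)."""
    account: str
    role: str
    region: str


# Constructed accounts; in the patent these come from the login verification step.
ACCOUNTS = {
    "alice": Operator("alice", "courier", "east"),
    "bob": Operator("bob", "regional_admin", "east"),
    "carol": Operator("carol", "hq_admin", "north"),
}

# Analogue of Table 5 (query permission information): PERMISSION_ID -> (kind, PERMISSION_NAME).
# Function permissions carry a function name; data permissions carry a data field.
PERMISSION_INFO = {
    2: ("function", "view_customer_list"),
    3: ("function", "delete_customer"),
    4: ("data", "my"),          # data I created
    5: ("data", "my_region"),   # data of my authorized area
    6: ("data", "all"),
}

# Analogue of Table 4 (role and permission correspondence), keyed by login terminal so
# the same role can hold different PERMISSION_IDs on the App end and the PC end.
ROLE_PERMISSIONS = {}


def grant(role, permission_id, effective_ends):
    """Permission management page: give ROLE a PERMISSION_ID on each effective end."""
    if permission_id not in PERMISSION_INFO:
        raise KeyError(f"unknown PERMISSION_ID {permission_id}")
    for terminal in effective_ends:
        ROLE_PERMISSIONS.setdefault((role, terminal), set()).add(permission_id)


# Constructed configuration mirroring the regional administrator walk-through above.
grant("courier", 2, ("app", "pc"))          # view customer list on phone and computer
grant("courier", 4, ("app", "pc"))          # ... scoped to the data the courier created
grant("regional_admin", 2, ("app", "pc"))   # view customer list on phone and computer
grant("regional_admin", 5, ("app", "pc"))   # ... scoped to the authorized region
grant("regional_admin", 3, ("pc",))         # delete button effective on the PC end only
grant("hq_admin", 2, ("pc",))               # headquarters administrator configured for PC only
grant("hq_admin", 6, ("pc",))
grant("hq_admin", 3, ("pc",))

# Constructed data resource table: customer data with its owner and region.
CUSTOMERS = [
    {"id": 1, "owner": "alice", "region": "east"},
    {"id": 2, "owner": "dave", "region": "east"},
    {"id": 3, "owner": "erin", "region": "north"},
]


def resolve_permissions(role, terminal):
    """Step S2: (role type, login terminal) -> (function names, data fields).

    Reads the Table 4 analogue for PERMISSION_IDs, then the Table 5 analogue for
    their names. An unknown (role, terminal) pair resolves to nothing: deny by default.
    """
    functions, data_fields = set(), set()
    for pid in ROLE_PERMISSIONS.get((role, terminal), set()):
        kind, name = PERMISSION_INFO[pid]
        (functions if kind == "function" else data_fields).add(name)
    return functions, data_fields


def visible_buttons(operator, terminal, page_buttons):
    """'Visible and operable': return only the buttons whose function the operator holds."""
    functions, _ = resolve_permissions(operator.role, terminal)
    return [b for b in page_buttons if b in functions]


def permit_function(operator, terminal, function_code):
    """Step S3 for a function usage permission; raises rather than returning False."""
    functions, _ = resolve_permissions(operator.role, terminal)
    if function_code not in functions:
        raise PermissionDenied(f"{operator.account}@{terminal}: {function_code}")


def query_customers(operator, terminal):
    """Step S3 for a data access permission: check the function first, then apply the
    widest data field the role holds on this terminal to the data resource table."""
    permit_function(operator, terminal, "view_customer_list")
    _, data_fields = resolve_permissions(operator.role, terminal)
    if "all" in data_fields:
        rows = CUSTOMERS
    elif "my_region" in data_fields:
        rows = [c for c in CUSTOMERS if c["region"] == operator.region]
    elif "my" in data_fields:
        rows = [c for c in CUSTOMERS if c["owner"] == operator.account]
    else:
        raise PermissionDenied(f"{operator.account}@{terminal}: no data access permission")
    return [c["id"] for c in rows]
```

Because the lookup is keyed by terminal, the headquarters administrator configured only for the PC end is denied on the App end even though the same account is fully authorized on the PC end, which is the per-terminal behaviour the method is designed to produce.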


Abstract

A system operation permission method and apparatus, and a computer device and a storage medium. The system operation permission method comprises: acquiring login end information of an operator when logging in to a system of the current login end, wherein the login end information is used for representing the terminal type of the current login end; determining a permission authority of the operator according to identity information and the login end information of the operator; and acquiring an operation instruction of the operator, and on the basis of the permission authority, permitting the operation instruction of the operator. When authority permission for a user (i.e. an operator) is conducted, on the basis of both identity information of the user and login end information of the user, the authority possessed by the user at different login ends can be flexibly permitted, and if the user does not possess an operation instruction authority requested by the user, a corresponding operation cannot be performed. Therefore, operations of a user at different login ends can be flexibly permitted so as to adapt to diversified access modes of an information system, thereby improving the usage experience of the user.

Description

系统操作许可方法、装置、计算机设备及存储介质System operation permission method, device, computer equipment and storage medium 技术领域Technical Field
本申请属于计算机技术领域,尤其涉及一种系统操作许可方法、装置、计算机设备及存储介质。The present application belongs to the field of computer technology, and in particular, relates to a system operation permission method, device, computer equipment and storage medium.
发明背景Background of the Invention
目前人们对信息系统的访问方式变得多样化,过去对信息的处理多依靠电脑客户端,伴随着智能手机的普及,人们对信息处理的方式也从电脑端转移到了手机端。但是大多数情况下,用户仅在电脑客户端具有信息处理的权限,在手机端进行信息处理时,往往会因为手机端没有权限,而无法进行相应的信息处理,从而降低了用户的使用体验。At present, people's access to information systems has become more diverse. In the past, information processing mostly relied on computer clients. With the popularization of smart phones, people's way of processing information has also shifted from computers to mobile phones. However, in most cases, users only have the authority to process information on computer clients. When processing information on mobile phones, they often cannot process the corresponding information because the mobile phone does not have the authority, which reduces the user experience.
发明内容Summary of the invention
本申请实施例提供了一种系统操作许可方法、装置、计算机设备及存储介质,能够适应信息系统的多样化的访问方式,从而提高用户的使用体验。The embodiments of the present application provide a system operation permission method, apparatus, computer equipment and storage medium, which can adapt to the diverse access modes of the information system, thereby improving the user experience.
第一方面,本申请实施例提供了一种系统操作许可方法,包括:获取操作人员登录当前登录端的系统时的登录端信息,其中,登录端信息用于表征当前登录端的终端类型;根据操作人员的身份信息和登录端信息,确定操作人员的许可权限;获取操作人员的操作指令,并结合许可权限,许可操作人员的操作指令。In a first aspect, an embodiment of the present application provides a system operation permission method, comprising: obtaining login information when an operator logs into the system of the current login end, wherein the login information is used to characterize the terminal type of the current login end; determining the operator's permission authority based on the operator's identity information and login information; obtaining the operator's operation instructions, and in combination with the permission authority, permitting the operator's operation instructions.
在可选的实施例中,根据操作人员的身份信息和登录端信息,确定操作人员的许可权限,包括:根据身份信息,确定操作人员对应的角色类型;根据角色类型和登录端信息,通过角色类型、登录端信息与许可权限的对应关系,确定角色类型于当前登录端所拥有的许可权限。In an optional embodiment, the operator's permission rights are determined based on the operator's identity information and login information, including: determining the role type corresponding to the operator based on the identity information; determining the permission rights that the role type has for the current login based on the role type and login information through the correspondence between the role type, login information and permission rights.
在可选的实施例中,根据角色类型和登录端信息,通过角色类型、登录端信息与许可权限的对应关系,确定角色类型于当前登录端所拥有的许可权限,包括:根据角色类型和登录端信息,读取角色与权限对应关系表,得到角色类型于当前登录端的权限ID;根据权限ID,读取查询权限信息表,得到权限ID对应的权限名称;基于权限名称,确定角色类型于当前登录端所拥有的许可权限。In an optional embodiment, according to the role type and login information, the permission permissions possessed by the role type at the current login are determined through the correspondence between the role type, login information and permission permissions, including: according to the role type and login information, reading the role and permission correspondence table to obtain the permission ID of the role type at the current login; according to the permission ID, reading the query permission information table to obtain the permission name corresponding to the permission ID; based on the permission name, determining the permission permissions possessed by the role type at the current login.
在可选的实施例中,根据操作人员的身份信息和登录端信息,确定操作人员的许可权限,包括:根据身份信息,确定操作人员对应的角色类型;根据角色类型和登录端信息,通过角色类型、登录端信息与权限层级的对应关系,确定角色类型于当前登录端对应的权限层级;根据权限层级,确定处于权限层级之下的至少一个权限为操作人员的许可权限。 In an optional embodiment, the operator's permission rights are determined based on the operator's identity information and login information, including: determining the role type corresponding to the operator based on the identity information; determining the permission level corresponding to the role type at the current login based on the role type and login information through the correspondence between the role type, login information and permission level; and determining, based on the permission level, at least one permission below the permission level as the operator's permission.
在可选的实施例中,许可权限包括:功能使用权限和数据访问权限中的至少一种,其中,功能使用权限为操作人员在系统的页面执行相应功能的权限,数据访问权限为操作人员在系统的页面查询数据的权限。In an optional embodiment, the permission includes: at least one of function usage permission and data access permission, wherein function usage permission is the operator's permission to execute corresponding functions on the system page, and data access permission is the operator's permission to query data on the system page.
第二方面,本申请实施例提供了一种系统操作许可装置,包括:获取模块,用于获取操作人员登录当前登录端的系统时的登录端信息,其中,登录端信息用于表征当前登录端的终端类型;权限确定模块,用于根据操作人员的身份信息和登录端信息,确定操作人员的许可权限;权限许可模块,用于获取操作人员的操作指令,并结合许可权限,许可操作人员的操作指令。In the second aspect, an embodiment of the present application provides a system operation permission device, including: an acquisition module, used to obtain the login terminal information when the operator logs into the system of the current login terminal, wherein the login terminal information is used to characterize the terminal type of the current login terminal; an authority determination module, used to determine the operator's permission according to the operator's identity information and login terminal information; an authority permission module, used to obtain the operator's operation instructions, and in combination with the permission authority, permit the operator's operation instructions.
第三方面,本申请实施例提供了一种计算机设备,包括:存储器、处理器以及存储在存储器中并在处理器上运行的计算机程序,处理器执行计算机程序时,实现上述第一方面所述的系统操作许可方法。In a third aspect, an embodiment of the present application provides a computer device, including: a memory, a processor, and a computer program stored in the memory and running on the processor. When the processor executes the computer program, the system operation permission method described in the first aspect above is implemented.
第四方面,本申请实施例提供了一种计算机可读存储介质,计算机可读存储介质存储有计算机程序,计算机程序被处理器执行时,实现上述第一方面所述的系统操作许可方法。In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium, which stores a computer program. When the computer program is executed by a processor, the system operation permission method described in the first aspect is implemented.
在本申请实施例提供的系统操作许可方法中,在进行用户(即,操作人员)权限许可时,可以同时结合用户的身份信息和用户的登录端信息,对用户在不同登录端具有的权限进行灵活许可,若用户不具有其所请求的操作指令权限,则无法进行相应操作。因此,通过上述系统操作许可方法,可以灵活地许可用户在不同登录端的操作,以适应信息系统的多样化的访问方式,从而提高用户的使用体验。In the system operation permission method provided in the embodiment of the present application, when the user (i.e., operator) permission is performed, the user's identity information and the user's login terminal information can be combined at the same time to flexibly permit the user's permissions at different login terminals. If the user does not have the requested operation instruction permission, the corresponding operation cannot be performed. Therefore, through the above-mentioned system operation permission method, the user's operations at different login terminals can be flexibly permitted to adapt to the diverse access methods of the information system, thereby improving the user's experience.
附图简要说明BRIEF DESCRIPTION OF THE DRAWINGS
为了更清楚地说明本申请实施例中的技术方案,下面将对实施例或现有技术描述中所需要使用的附图作简单地介绍,显而易见地,下面描述中的附图仅仅是本申请的一些实施例,对于本领域普通技术人员来讲,在不付出创造性劳动的前提下,还可以根据这些附图获得其他的附图。In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings required for use in the embodiments or the description of the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application. For ordinary technicians in this field, other drawings can be obtained based on these drawings without paying any creative work.
图1是本申请一实施例提供的系统操作许可系统的场景示意图。FIG1 is a schematic diagram of a scenario of a system operation permission system provided in an embodiment of the present application.
图2是本申请一实施例提供的系统操作许可方法的流程示意图。FIG2 is a flow chart of a system operation permission method provided in an embodiment of the present application.
图3是本申请一实施例提供的获取身份信息的流程示意图。FIG. 3 is a schematic diagram of a process for obtaining identity information provided by an embodiment of the present application.
图4是本申请另一实施例提供的系统操作许可方法的流程示意图。FIG4 is a flow chart of a system operation permission method provided in another embodiment of the present application.
图5是本申请一实施例提供的权限管理页面的示意图。FIG5 is a schematic diagram of a permission management page provided in an embodiment of the present application.
图6是本申请一实施例提供的系统操作许可装置的结构示意图。FIG6 is a schematic diagram of the structure of a system operation permission device provided in an embodiment of the present application.
图7是本申请一实施例提供的计算机设备的结构示意图。FIG. 7 is a schematic diagram of the structure of a computer device provided in an embodiment of the present application.
图8是本申请一实施例提供的计算机存储介质的结构示意图。 FIG8 is a schematic diagram of the structure of a computer storage medium provided in an embodiment of the present application.
实施本发明的方式Mode for Carrying Out the Invention
目前人们对信息系统的访问方式变得多样化,过去对信息的处理多依靠电脑客户端,伴随着智能手机的普及,人们对信息处理的方式也从PC端转移到了手机端。但多数系统在做权限许可时,并没有考虑到对不同登录端的权限进行灵活的许可,例如,多数权限鉴定方法在设计的时候并没有考虑到对手机端的权限鉴定,部分鉴权方法虽考虑到存在多端访问的情况,但也没有很好的对用户在不同登录端的权限做到灵活许可。At present, people's access to information systems has become more diverse. In the past, information processing mostly relied on computer clients. With the popularity of smart phones, people's way of processing information has also shifted from PC to mobile phones. However, when granting permissions, most systems do not consider flexible permissions for different login terminals. For example, most permission identification methods are not designed to consider permission identification for mobile phones. Although some authentication methods take into account the existence of multi-terminal access, they do not provide flexible permissions for users on different login terminals.
因此,本申请提出一种系统操作许可方法,可以灵活地许可用户在不同登录端的操作,还可以避免因权限控制缺失而引发系统风险问题,从而提升系统的灵活性和安全性。Therefore, the present application proposes a system operation permission method, which can flexibly permit users to operate at different login terminals, and can also avoid system risk problems caused by lack of permission control, thereby improving the flexibility and security of the system.
为了说明本申请的技术方案,下面通过具体实施例来说明。In order to illustrate the technical solution of the present application, specific embodiments are provided below.
As shown in FIG. 1, which is a schematic diagram of a scenario of a system operation permission system provided in an embodiment of the present application, the system operation permission system may include a computer device 140 and multiple terminal devices 110, 120 and 130.
The terminal devices 110, 120 and 130 may be mobile terminal devices such as mobile phones, game consoles or tablet computers, or they may be personal computers (PCs) such as laptop and desktop computers. Those skilled in the art will appreciate that the terminal devices 110, 120 and 130 may be of the same or different types, and that there may be more or fewer of them: for example, one of each, or dozens, hundreds or more. The embodiments of the present application do not limit the number or type of terminals.
The computer device 140 may be a server. For example, the computer device 140 may be a stand-alone server, or a server network or server cluster composed of several servers; for example, the computer device 100 includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud server built from multiple servers. A cloud server is built from a large number of computers or network servers based on cloud computing.
The terminal devices 110, 120 and 130 and the computer device 140 are connected via a communication network. Optionally, the communication network is a wired network or a wireless network.
In the embodiment of the present application, the terminal devices 110, 120 and 130 are mainly used by operators to initiate calls; for example, an operator initiates a login to the system on the current login terminal, initiates viewing of the permission authority, or initiates execution of an operation instruction. The computer device 140 in the embodiment of the present application is mainly used to execute a system operation permission method when an operator at a terminal device 110, 120 or 130 initiates a call; the details of this method are described below. The system operation permission method can adapt to the diverse ways in which an information system is accessed, thereby improving the user experience.
In one example, a system operation permission apparatus is integrated in the computer device 140 to execute the system operation permission method described below.
Those skilled in the art will appreciate that the application environment shown in FIG. 1 is only one application scenario of the solution of the present application and does not limit the scenarios in which it may be applied. Other application environments may include more or fewer computer devices than shown in FIG. 1; for example, only one computer device is shown in FIG. 1, but the system operation permission system may also include one or more other computer devices, which is not specifically limited here.
It should be noted that the scenario diagram of the system operation permission system shown in FIG. 1 is merely an example. The risk warning system and scenario described in the embodiments of the present application are intended to illustrate the technical solution of the embodiments more clearly and do not limit the technical solution provided by the embodiments. A person of ordinary skill in the art will know that, as the system operation permission system evolves and new business scenarios emerge, the technical solution provided by the embodiments of the present application applies equally to similar technical problems.
The system operation permission method provided by the embodiments of the present application is described in more detail below with reference to FIG. 2 to FIG. 5. The method can be executed by the computer device 100 (for example, the system operation permission apparatus) shown in FIG. 1; for simplicity and ease of description, the executing entity is omitted in the method embodiments that follow.
Referring to FIG. 2, the flow of an embodiment of the system operation permission method, given as an example and not as a limitation, includes the following steps:
Step S1: obtaining the login terminal information when the operator logs into the system on the current login terminal, wherein the login terminal information characterizes the terminal type of the current login terminal;
Step S2: determining the operator's permission authority according to the operator's identity information and the login terminal information;
Step S3: obtaining the operator's operation instruction and, in combination with the permission authority, permitting the operator's operation instruction.
The login terminal information refers to the type of terminal the operator uses to log into the system, for example a mobile client or a computer client; obtaining the login terminal information when the operator logs in means determining whether the operator is logging in from a computer client or from a mobile client.
When granting permissions to a user (that is, an operator), the user's identity information and login terminal information can be combined so that the permissions the user holds on different login terminals are granted flexibly; if the user does not hold the permission corresponding to the requested operation instruction, the corresponding operation cannot be performed. The above system operation permission method can therefore flexibly permit the user's operations on different login terminals, adapting to the diverse ways in which an information system is accessed and improving the user experience. In addition, the method avoids system risks caused by missing permission control, thereby improving the flexibility and security of the system.
In an optional embodiment, the system operation permission method proposed in the present application can be used in a customer relationship management system with role-based permission control. To better understand the present application, a brief introduction to the customer relationship management system is given first. A Customer Relationship Management (CRM) system is an information system that uses software, hardware and network technology to collect, manage, analyze and use customer information for an enterprise. With the management of customer data at its core, it records the interactions between the enterprise and its customers during marketing and sales, as well as the status of the related activities, and provides data models to support subsequent analysis and decision-making.
A good customer relationship management system cannot do without flexible control of permissions. Therefore, the system operation permission method proposed in the present application can adopt Role-Based Access Control (RBAC), in which users are granted permissions indirectly: users are associated with roles, and roles with permissions, so a user assigned a role obtains all the permissions of that role. With the role layer in between, permissions need only be defined for the role, and all users that need the same permissions are assigned that role, which is convenient; and when users' permissions need to be adjusted in bulk, only the permissions of the role associated with those users need to be changed, rather than the permissions of every user, which greatly improves the efficiency of permission adjustment and lowers the probability of a permission being missed.
Referring to FIG. 3, the flow of obtaining identity information provided in an embodiment of the present application, given as an example and not as a limitation, includes the following.
S11: obtaining the account information and login verification information entered by the operator on the system's login interface.
The account information may be the user's employee number or e-mail address entered when logging into the system, and the login verification information may be the account password, a dynamic e-mail verification code or a voice verification code entered when logging in.
S12: verifying the operator's login operation according to the account information and the login verification information.
S13: when the operator's login operation passes verification, determining the operator's identity information according to the account information.
In a possible embodiment, when the operator's login operation passes verification, a preset user identity information table is read according to the account information to determine the operator's identity information.
The user identity information table contains the mapping between a user's account information and the user's identity information, so the identity information uniquely corresponding to a given account can be determined. Determining the user's identity information from the account information means the operator does not need to enter sensitive personal identity information, such as an ID card number, when logging in, which avoids leaking personal information.
In other possible embodiments, the operator may also enter identity information directly for verification when logging in; for example, the operator may enter an ID card number and be verified by fingerprint or face recognition. The login verification methods above are given only as examples; the present application includes but is not limited to these.
The above process is explained below in a specific usage scenario, taking a user who logs in with a mobile phone number as an example. On the user's side, after entering the mobile phone number on the login interface, the user may choose to log in by password verification or by a dynamic mobile phone verification code. On the computer device's side, the mobile phone number and password, or the mobile phone number and verification code, are obtained and verified. If verification passes, that is, the user can log in either by password or by dynamic verification code, the user's identity information is determined from the mobile phone number used to log in: the mobile phone number is looked up in the user identity information table.
The user identity information table, shown in Table 1, includes: user ID (USER ID), employee number (EMP CODE), user name (USER NAME), e-mail (EMAIL), telephone (PHONE), ID card number (ID NUM) and organization (ORG). When reading the identity information of the current login account (that is, the operator) from the user identity information table by the mobile phone number used to log in, it is sufficient to determine the USER ID; it should be noted that USER ID and user are in one-to-one correspondence.
For example, if user Chen xx logs into the system using the mobile phone number 134xxxx5678, then the USER ID corresponding to 134xxxx5678 is read from the user identity information table as 1.
By reading, from the user identity information table, the user ID corresponding to the mobile phone number used to log in, the identity information of the user logging into the system can be determined.
Table 1
Referring to FIG. 4, the flow of step S2 provided in an embodiment of the present application, given as an example and not as a limitation, includes the following.
S21: determining the role type corresponding to the operator according to the operator's identity information.
In a possible embodiment, the role type of the current operator is read from the identity-role correspondence table according to the operator's identity information. The identity-role correspondence table contains the correspondence between users' identity information and role types.
Exemplarily, user role types include: system administrator, headquarters administrator, regional administrator, sales manager, account manager, branch salesperson, courier, and so on.
In an optional embodiment, users' role types can be configured in advance or configured flexibly as needed. Exemplarily, flexible configuration of role types can take two forms: adding roles to a user and adding users to a role. Adding roles to a user means that the computer device (that is, the back end) obtains the roles the developer has granted to a particular user on the user management page; for example, the back end may obtain several roles added to a user at once on that page. Adding users to a role means that the back end obtains the users the developer has selected for a particular role on the role management page, which grants a role to a batch of users.
It should be noted that the developers mentioned above have code development capabilities and act as administrators on the back end, configuring permissions for users or operators, whereas users or operators are those who log into the system on the front end and perform operations according to their permissions.
The identity-role correspondence table, shown in Table 2, contains the mapping between user ID (USER ID) and role ID (ROLE_ID). Exemplarily, the operator's ROLE_ID is read from the identity-role correspondence table according to the operator's USER ID.
Further, the user role information table, shown in Table 3, contains the role ID (ROLE_ID) and role type (ROLE_TYPE). Exemplarily, the user role information table is read according to ROLE_ID to determine the user's role type.
The above process is explained below in a specific usage scenario, taking the user with USER ID 1 as an example. Reading Table 2 by USER ID gives ROLE_ID 1 for the user with USER ID 1. Reading Table 3 by ROLE_ID then gives the ROLE_TYPE of ROLE_ID 1 as regional administrator. Through this process, the ROLE_TYPE corresponding to the user with USER ID 1 is determined to be regional administrator.
By reading the role ID corresponding to the current login user's (that is, the operator's) user ID from the identity-role correspondence table, and then reading the role type corresponding to that role ID from the user role information table, the role type of the current user logged into the system can be determined.
Table 2
Table 3
S22: determining, according to the role type and the login terminal information, the permission authority the role type holds on the current login terminal, using the correspondence between role type, login terminal information and permission authority.
The correspondence between role type, login terminal information and permission authority can be stored in the database as a role-permission correspondence table, a query permission information table, or both.
The role-permission correspondence table, shown in Table 4, contains the mapping between role ID (ROLE_ID), permission ID (PERMISSION_ID) and effective terminal (EFFECTIVE END). The query permission information table, shown in Table 5, contains permission ID (PERMISSION_ID), parent node ID (PARENT_ID), permission name (PERMISSION_NAME), resource type (SOURCE_TYPE) and module type (MODULE_TYPE). In a possible embodiment, the role-permission correspondence table is read according to the user's role type and login terminal information to determine the permission authority that role type holds on the current login terminal.
However, reading the role-permission correspondence table yields only the permission ID (PERMISSION_ID) of the permissions the role type holds on the current login terminal; therefore, to determine the specific content of those permissions, the query permission information table can also be read.
Table 4
Table 5
The above process is explained below in a specific usage scenario, taking ROLE_ID 1 as an example. Reading the role-permission correspondence table by ROLE_ID shows that if the current login terminal is a mobile phone (that is, the effective terminal is the App), the role type holds the permissions with PERMISSION_ID 1 and 2 on the App, whereas if the current login terminal is a computer (that is, the effective terminal is the PC), the role type holds only the permission with PERMISSION_ID 1 on the PC. Reading the query permission information table by PERMISSION_ID then shows that PERMISSION_ID 1 corresponds to the permission name View Customer File Management, that is, the role type's permissions include permission to view the Customer File Management menu, and PERMISSION_ID 2 corresponds to View Customer List, so the role type's permissions also include permission to use the View Customer List function. Through this process, the permissions of the role type with ROLE_ID 1 are determined as: on the App, permission to use the customer file management menu and permission to view the customer list; on the PC, only permission to view the customer list.
In the above implementation, the role serves as an intermediary: the user's role type is determined first, and the user's permissions are then determined from the role type and the login terminal information. The reason is that the RBAC permission model is built on five base tables in the database: (1) the user table (USER), storing users' identity information; (2) the role table (ROLE), storing role information; (3) the permission table (PERMISSION), storing permission information; (4) the permission-role association table (PERMISSION_ASSIGNMENT, PA), storing the correspondence between roles and permissions; and (5) the user-role association table (USER_ASSIGNMENT, UA), storing the correspondence between users and roles. The advantage of this configuration is that roles and permissions are in a many-to-many relationship: a role can hold several permissions, and the same permission can be granted to several roles, which makes permission configuration simpler and more flexible.
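The lookup chain of steps S11 to S13 and S21 to S22 over the five base tables, as an added example that is not part of the application's text or any product of the applicant. The schema, column names (EFFECTIVE_END for the "effective terminal" column of Table 4) and the sample rows are constructed from Tables 1 to 5 as described above; the grants for ROLE_ID 1 follow Table 4 (PERMISSION_ID 1 and 2 on the App, PERMISSION_ID 1 on the PC). The terminal type is part of the grant row, so the same role resolves to different permissions depending on the login terminal, and `authorize` is the server-side check of step S3 that refuses an operation instruction whose permission is not effective on the current terminal.

```python
"""Terminal-aware RBAC lookup over the five base tables (added example).

The schema and the sample rows are constructed from Tables 1-5 in the text;
the column name EFFECTIVE_END is an assumption for the "effective terminal" column.
"""
import sqlite3

SCHEMA = """
CREATE TABLE USER (USER_ID INTEGER PRIMARY KEY, EMP_CODE TEXT, USER_NAME TEXT,
                   EMAIL TEXT, PHONE TEXT UNIQUE, ID_NUM TEXT, ORG TEXT);
CREATE TABLE ROLE (ROLE_ID INTEGER PRIMARY KEY, ROLE_TYPE TEXT);
CREATE TABLE PERMISSION (PERMISSION_ID INTEGER PRIMARY KEY, PARENT_ID INTEGER,
                         PERMISSION_NAME TEXT, SOURCE_TYPE TEXT, MODULE_TYPE TEXT);
CREATE TABLE USER_ASSIGNMENT (USER_ID INTEGER, ROLE_ID INTEGER);            -- UA
CREATE TABLE PERMISSION_ASSIGNMENT (ROLE_ID INTEGER, PERMISSION_ID INTEGER,  -- PA
                                    EFFECTIVE_END TEXT);
"""

# Constructed sample data; ID_NUM is a placeholder, not a real identity number.
SAMPLE_ROWS = """
INSERT INTO USER VALUES (1, 'E001', 'Chen xx', 'chen@example.invalid', '134xxxx5678', 'PLACEHOLDER', 'South');
INSERT INTO ROLE VALUES (1, 'regional administrator');
INSERT INTO PERMISSION VALUES (1, NULL, 'View Customer File Management', 'menu', 'customer');
INSERT INTO PERMISSION VALUES (2, 1, 'View Customer List', 'function', 'customer');
INSERT INTO USER_ASSIGNMENT VALUES (1, 1);
INSERT INTO PERMISSION_ASSIGNMENT VALUES (1, 1, 'App');
INSERT INTO PERMISSION_ASSIGNMENT VALUES (1, 2, 'App');
INSERT INTO PERMISSION_ASSIGNMENT VALUES (1, 1, 'PC');
"""


def open_db():
    """In-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def identify_user(conn, phone):
    """S11-S13: after login verification, map the login phone number to USER_ID (None if unknown)."""
    row = conn.execute("SELECT USER_ID FROM USER WHERE PHONE = ?", (phone,)).fetchone()
    return row[0] if row else None


def role_type_of(conn, user_id):
    """S21: USER_ID -> ROLE_ID via the UA table -> ROLE_TYPE via the ROLE table."""
    row = conn.execute(
        "SELECT r.ROLE_TYPE FROM USER_ASSIGNMENT ua "
        "JOIN ROLE r ON r.ROLE_ID = ua.ROLE_ID WHERE ua.USER_ID = ?",
        (user_id,),
    ).fetchone()
    return row[0] if row else None


def permissions_for(conn, user_id, terminal):
    """S22: {PERMISSION_ID: PERMISSION_NAME} of the user's roles that are effective on this terminal."""
    rows = conn.execute(
        "SELECT DISTINCT p.PERMISSION_ID, p.PERMISSION_NAME "
        "FROM USER_ASSIGNMENT ua "
        "JOIN PERMISSION_ASSIGNMENT pa ON pa.ROLE_ID = ua.ROLE_ID "
        "JOIN PERMISSION p ON p.PERMISSION_ID = pa.PERMISSION_ID "
        "WHERE ua.USER_ID = ? AND pa.EFFECTIVE_END = ? "
        "ORDER BY p.PERMISSION_ID",
        (user_id, terminal),
    ).fetchall()
    return {pid: name for pid, name in rows}


def authorize(conn, phone, terminal, permission_name):
    """S3: permit an operation instruction only if its permission is granted on the current terminal."""
    user_id = identify_user(conn, phone)
    if user_id is None:
        return False
    return permission_name in permissions_for(conn, user_id, terminal).values()


if __name__ == "__main__":
    db = open_db()
    uid = identify_user(db, "134xxxx5678")
    print("USER ID:", uid, "role:", role_type_of(db, uid))
    for term in ("App", "PC"):
        print(term, permissions_for(db, uid, term))
```

Because the terminal is a column of the PA row rather than a property of the session alone, a grant that is missing for one terminal simply returns no row, and `authorize` denies by default; an unknown phone number or a terminal string that matches no grant falls through to the same denial.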
Since configuring the computer device consists of assigning permissions to roles and roles to users, the role can likewise be relied on to connect users and permissions when permissions are granted. At grant time, all the permissions corresponding to a role can be granted at once rather than one by one, which is simpler to operate.
In other optional implementations of the present application, permission authority can instead correspond uniquely to the user's unique identifier or identity information, that is, each person's permissions may be the same or different. Because the permissions are tied to the unique identifier or identity information rather than to a role type, each user's permissions can be customized individually; the present application does not describe this in detail.
In an implementation of the present application, step S22 yields the permission authority the role type holds on the current login terminal, that is, only the permissions at the permission level corresponding to that role type on that terminal. Therefore, to obtain an operator's permissions in bulk, the permission level corresponding to the role type on the current login terminal can also be determined from the role type and the login terminal information, using the correspondence between role type, login terminal information and permission level; at least one permission below that permission level is then determined to be the operator's permission authority.
It should be understood that steps S21 and S22 are one way of obtaining the operator's permission authority, and determining at least one permission below the permission level, as described above, is another; the two do not conflict, that is, both may exist at the same time.
In an optional embodiment, each permission level includes at least one permission, and the permission levels are in an inclusion relationship: the first permission level includes all permissions of the second permission level, the second includes all permissions of the third, and so on.
Therefore, determining a user's permission level from the role type and the login terminal information removes the need to determine the user's permissions one by one: once the permission level is determined, all of the user's permissions are determined, which is fast and efficient.
In an optional embodiment, permission levels can be set as needed; only the relationship between two permission levels is illustrated here. Specifically, the two permission levels are a first-level permission level and a second-level permission level. When the operator's permission level on the current login terminal is the second level, the operator holds the permissions under the second level; when it is the first level, the operator holds, in addition to the permissions under the first level, at least one permission under the second level (for example, all permissions under the second level).
Exemplarily, the permissions under the second level include permission to view customer information, and the permissions under the first level include permission to create, modify and delete customer information. If user A holds the second level on the computer client, then after logging in on the computer client user A may view customer information. If user B holds the first level on the computer client, then after logging in on the computer client user B may view customer information and may also create, modify and delete it. If user C holds the second level on the mobile client and the first level on the computer client, then after logging in on the mobile client user C may only view customer information and may not create, modify or delete it, whereas after logging in on the computer client user C may view customer information and may also create, modify and delete it.
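The inclusion relationship between permission levels and the per-terminal level assignment for users A, B and C, as an added example that is not part of the application's text. The level contents, the user-to-level mapping and the action names are constructed from the illustration above and are assumptions; the block generalizes the two-level illustration to any number of levels, where level n includes every permission of levels n+1 onward.

```python
"""Permission levels in an inclusion relationship, assigned per login terminal (added example).

Level contents and the user/terminal assignments are constructed from the text's
illustration (level 2 = view; level 1 = create/modify/delete plus everything of level 2).
"""

# Each level lists only the permissions it ADDS on top of the levels below it
# (lower level number = higher authority). Constructed data.
LEVELS = {
    1: {"create customer", "modify customer", "delete customer"},
    2: {"view customer"},
}

# Constructed: which permission level each user holds on each login terminal.
# A user with no entry for a terminal holds no permissions there.
USER_LEVELS = {
    "A": {"PC": 2},
    "B": {"PC": 1},
    "C": {"App": 2, "PC": 1},
}


def permissions_at_level(level):
    """All permissions of `level`: its own plus those of every lower (larger-numbered) level."""
    if level not in LEVELS:
        raise ValueError(f"unknown permission level {level}")
    return set().union(*(perms for lvl, perms in LEVELS.items() if lvl >= level))


def effective_permissions(user, terminal):
    """Permissions the user holds on this terminal; empty set when no level is assigned there."""
    level = USER_LEVELS.get(user, {}).get(terminal)
    return permissions_at_level(level) if level is not None else set()


def permit(user, terminal, action):
    """Step S3 for the level model: the operation is permitted only if the action is in the level's set."""
    return action in effective_permissions(user, terminal)


if __name__ == "__main__":
    for user, terminals in USER_LEVELS.items():
        for terminal in terminals:
            print(user, terminal, sorted(effective_permissions(user, terminal)))
```

Resolving a level once and expanding it with `permissions_at_level` is the bulk grant described above; because the expansion is computed from the level table rather than stored per user, adding a permission to level 2 automatically reaches every user at level 1 or 2 on every terminal where they hold that level.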
In an implementation of the present application, the permission authority includes at least one of function use permission and data access permission.
For example, function use permission includes permission to view a function menu. In an optional embodiment, after the user logs into the system, the computer device (that is, the back end) can determine directly from the identity information and login terminal information whether the user has permission to view the function menu; if so, it sends the terminal device (that is, the front end) an instruction to display the function menu under the corresponding permission, and the front end displays that menu to the user.
In other optional embodiments, after the user logs in, the back end can use the correspondence between role type, login terminal information and permission authority to determine the permissions the operator's role type holds on the current login terminal. If the permission is permission to view a function menu, the back end sends the front end an instruction to display the function menu under that permission, and the front end displays it to the user. Exemplarily, if the back end determines that the user's role type is account manager, and account managers have permission to view the customer management menu, it sends the front end an instruction to display the customer management menu and the front end displays it; if the role type is courier, with permission to view the order management menu, it sends an instruction to display the order management menu; and if the role type is sales manager, with permission to view the supplier management menu, it sends an instruction to display the supplier management menu, which the front end displays in each case.
Further, in an optional embodiment, function use permission also includes permission to use function buttons.
Exemplarily, the function buttons include at least one of a view button, a new button, a modify button, a delete button and an audit button. For example, when the user clicks the delete button, the back end receives the click instruction sent by the front end and checks whether the function use permission of the user's role type on the current login terminal includes permission to use the delete button. If it does, the user's delete instruction is permitted and the user can proceed to the next step; if it does not, a no-permission notice is sent to the front end, which informs the user that the delete button may not be used.
In the above embodiment, although the user can see certain buttons on a system page after logging in, the user may not have permission to operate them. This can be optimized: in another possible implementation, the back end sends the front end an instruction to display only the buttons for which the user has permission, so that buttons the user is not permitted to use are hidden from the system page, achieving "visible is operable". It should be understood that "visible is operable" means that if the user can see a button on a system page, the user can operate it. "Visible is operable" can also be achieved with the cooperation of the front end: for example, the front end caches the user's permission information, and the back end judges from that permission information whether the user has the corresponding permission; if so, it sends the front end an instruction to display the corresponding button, and the front end displays it; if not, no such instruction is sent, and the button is hidden on the system page.
In an optional embodiment, the data access permission includes at least one of permission to access a data type and permission to access a data range.
For example, the data types include at least one of customer data, business opportunity data and contract data, and the data ranges include at least one of: data I created, data I collaborate on, data of my subordinates, data of my authorized region and data of my authorized industry.
In an optional embodiment, different role types have different data access permissions, so even on the same system page, users with different role types may see different data.
For example, when a courier, a regional administrator and a headquarters administrator each request to view the customer list in the system, the front end sends the back end an instruction for the user's request to view the customer list, and the back end returns different data to the front end according to each user's role type, so that different data is displayed: the courier sees the list of customers under their own name, the regional administrator sees the customer list of the authorized region, and the headquarters administrator sees the customer list of all regions.
Dividing permissions into function usage permissions and data access permissions allows each to be granted separately and flexibly, so that different role types hold different function usage permissions and data access permissions at different login terminals; granting permissions therefore becomes more flexible.
In other possible implementations, only function usage permissions may be included; when a user is permitted to use a function, the user is permitted to operate on all data related to that function.
In a possible implementation, the permissions corresponding to each role type can be configured in advance or flexibly configured as needed. For example, flexibly configuring the correspondence between role types and permissions includes configuring different permissions for different role types on the front-end permission management page, and configuring for each permission the terminal on which it takes effect (i.e., the App terminal or the PC terminal).
For example, on the permission management page the developer first selects the regional administrator role type, and the back end determines the role type as regional administrator. Next, the developer ticks the function usage permission to view the customer list and selects the mobile terminal and the PC terminal as the effective terminals; the back end determines that the regional administrator's function usage permission is viewing the customer list and that the effective terminals are mobile and PC. Then the developer selects, as the data range the regional administrator may view, the customer information of the administrator's own region, again with mobile and PC as the effective terminals; the back end determines that data range and those effective terminals accordingly.
Through the above configuration process, a user with the regional administrator role type has the following permissions: viewing the customer list on both PC and mobile, with the viewed list covering all customer information of the administrator's region.
The permission to use function buttons can also be configured flexibly on the permission management page. As shown in FIG. 5, on the data permission management page the developer selects the account manager role, and the back end determines the role type as account manager. For customer data the developer ticks the view, modify and delete functions, and the back end determines that the account manager may view, modify and delete customer data; for business opportunity data the developer ticks view, modify and delete, and the back end determines that the account manager may view, modify and delete business opportunity data; for contract data no function is ticked, and the back end determines that the account manager may not perform any operation on contract data. Through this configuration, a user with the account manager role type has the following permissions: view, modify and delete customer data; view, modify and delete business opportunity data; and no operation permission on contract data.
In an implementation of the present application, determining the operator's permissions from the identity information and the login terminal information includes: determining the operator's role type from the identity information; determining, from the role type and the login terminal information, the permitted function codes and data fields through the preset correspondence between role type, login terminal information and permissions; and determining the operator's function usage permissions and data access permissions from those function codes and data fields. It should be understood that, as described above, the preset correspondence between role type, login terminal information and permissions is stored in the database in the form of at least one of the role-permission correspondence table (i.e., Table 4) and the query permission information table (i.e., Table 5); the function code can be understood as the PERMISSION_ID in Tables 4 and 5, and the data field as the permission name (PERMISSION_NAME) in Table 5. The function code can also be understood as being generated by the back end after the user enters a function request on the system page.
Specifically, the back end first reads the role-permission correspondence table using the role type and login terminal information to determine the permitted function codes, then reads the query permission information table using the function code to determine the data field, and finally determines the operator's function usage permission or data access permission from the function code and data field.
For example, if PERMISSION_ID 4 in Table 4 is the function code and the data field in Table 5 is "mine", the operator's permission is a data access permission, namely querying data created by the operator. If PERMISSION_ID 2 in Table 4 is the function code and the data field in Table 5 is "view customer list", the operator's permission is a function usage permission, namely the function of viewing the customer list.
In an implementation of the present application, the back end determines the user's role type from the identity information, and when the user enters a function request on the system page, the back end generates the function code for that request. For function usage permissions, the back end reads the role-permission correspondence table with the function code to determine whether the user's role type holds the permission for that function code, that is, whether the user may execute the function: if the role type holds it, the user may operate the function; otherwise the user may not. For data access permissions, the back end likewise reads the role-permission correspondence table with the function code to determine whether the user's role type holds the permission for that function code, that is, whether the user may access the data. If it does, the user has data access permission; the back end then reads the query permission information table with the function code to determine the data field, and finally, from the relationship between the data resource table and the data field, reads the data type and data range the user is allowed to access and sends them to the front end for the user to access. If the role type does not hold the permission for that function code, the user has no data access permission. It should be understood that the data resource table stores data of a given data type and data range; for example, if the data field is "mine" and the data type is customer data, the user's data access permission is "my customer data".
In an implementation of the present application, step S3 may include: obtaining the function code corresponding to the operation instruction entered by the operator, and determining whether the permissions include a function usage permission for that function code; if they do, permitting the operator's operation instruction on the basis of that function usage permission.
In an implementation of the present application, step S3 may further include: obtaining the function code corresponding to the operation instruction entered by the operator, and determining whether the permissions include a data access permission for that function code; if they do, reading the data resource table on the basis of that data access permission in order to permit the operator's operation instruction.
A data access permission carries a data field. For example, if the data access permission is "my customer data", the data field is "mine"; the data resource table can therefore be read using the data field of the data access permission to obtain its data type (i.e., customer data) and data range (i.e., mine).
In addition, after determining the user's function usage permission, the back end can also obtain the data field requested by the user and read the data resource permission table with that data field to determine the user's data access permission under the current function usage permission.
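The two-table lookup described above (role type and login terminal to PERMISSION_ID as in Table 4, PERMISSION_ID to PERMISSION_NAME as in Table 5) and the step S3 checks, as an added Python example that is not part of the patent or the applicant's system. All table rows, account ids, role names, permission ids and terminal names are constructed; the point the model makes is that the back end denies by default and re-checks every instruction server-side, whatever the front end shows.

```python
"""Constructed model of the role/terminal -> permission lookup; not from the patent."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


class Terminal(Enum):
    APP = "App"
    PC = "PC"


class Kind(Enum):
    FUNCTION = "function"   # function usage permission (menus, buttons)
    DATA = "data"           # data access permission (data type + data range)


@dataclass(frozen=True)
class Permission:
    permission_id: int          # plays the role of PERMISSION_ID (function code)
    name: str                   # plays the role of PERMISSION_NAME (data field)
    kind: Kind
    data_type: Optional[str] = None   # only set for Kind.DATA, e.g. "customer"
    data_range: Optional[str] = None  # only set for Kind.DATA, e.g. "mine"


# Stand-in for Table 5 (constructed rows): PERMISSION_ID -> what the name denotes.
PERMISSION_INFO: Dict[int, Permission] = {
    1: Permission(1, "view customer menu", Kind.FUNCTION),
    2: Permission(2, "view customer list", Kind.FUNCTION),
    3: Permission(3, "delete customer", Kind.FUNCTION),
    4: Permission(4, "mine", Kind.DATA, "customer", "mine"),
    5: Permission(5, "authorized region", Kind.DATA, "customer", "region"),
}

# Stand-in for Table 4 (constructed rows): (role type, terminal) -> PERMISSION_IDs.
# The same role may hold different permissions on different terminals.
ROLE_PERMISSIONS: Dict[Tuple[str, Terminal], Set[int]] = {
    ("courier", Terminal.APP): {1, 2, 4},
    ("courier", Terminal.PC): {1, 2, 4},
    ("regional_admin", Terminal.APP): {1, 2, 5},
    ("regional_admin", Terminal.PC): {1, 2, 3, 5},   # delete only on PC
}

# Constructed identity -> role type mapping (the patent derives role from identity).
ACCOUNT_ROLES: Dict[str, str] = {"u100": "courier", "u200": "regional_admin"}


def resolve_permissions(account_id: str, terminal: Terminal) -> FrozenSet[Permission]:
    """Role type from identity, then Table 4 by (role, terminal), then Table 5 by id.
    Unknown accounts, roles or terminals resolve to the empty set (deny by default)."""
    role = ACCOUNT_ROLES.get(account_id)
    if role is None:
        return frozenset()
    ids = ROLE_PERMISSIONS.get((role, terminal), set())
    return frozenset(PERMISSION_INFO[i] for i in ids if i in PERMISSION_INFO)


def authorize_function(perms: FrozenSet[Permission], function_code: int) -> bool:
    """Step S3 for a function instruction: permit only when the resolved set holds a
    FUNCTION permission with this code. A DATA permission with the same id does not count."""
    return any(p.permission_id == function_code and p.kind is Kind.FUNCTION for p in perms)


def authorize_data(perms: FrozenSet[Permission], function_code: int) -> Optional[Tuple[str, str]]:
    """Step S3 for a data instruction: return the (data_type, data_range) pair that
    scopes the read of the data resource table, or None when access is denied."""
    for p in perms:
        if p.permission_id == function_code and p.kind is Kind.DATA:
            return (p.data_type or "", p.data_range or "")
    return None


def visible_buttons(perms: FrozenSet[Permission]) -> List[str]:
    """'Visible means operable': only FUNCTION permissions the role holds on this terminal
    are sent to the front end for display. Hiding is UX only; authorize_* still runs on
    every instruction, so a hand-crafted request for a hidden button is still denied."""
    return sorted(p.name for p in perms if p.kind is Kind.FUNCTION)


if __name__ == "__main__":
    pc = resolve_permissions("u200", Terminal.PC)
    app = resolve_permissions("u200", Terminal.APP)
    print("buttons on PC :", visible_buttons(pc))
    print("buttons on App:", visible_buttons(app))
    print("delete on PC / App:", authorize_function(pc, 3), authorize_function(app, 3))
    print("courier data scope:", authorize_data(resolve_permissions("u100", Terminal.APP), 4))
```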
The method embodiments of the present application have been described in detail above with reference to FIGS. 1 to 5; the apparatus embodiments are described below with reference to FIGS. 6 and 7. It should be understood that the description of the method embodiments and the description of the apparatus embodiments correspond to each other, so for parts not described in detail reference can be made to the method embodiments above.
As shown in FIG. 6, the system operation permission apparatus 600 includes an acquisition module 601, a permission determination module 602 and a permission granting module 603.
The acquisition module 601 is configured to acquire the login terminal information when the operator logs into the system from the current login terminal, where the login terminal information characterizes the terminal type of the current login terminal.
The permission determination module 602 is configured to determine the operator's permissions from the operator's identity information and the login terminal information.
The permission granting module 603 is configured to obtain the operator's operation instruction and, in combination with the permissions, permit the operator's operation instruction.
When granting permissions to a user (i.e., an operator), the user's identity information and login terminal information can be combined to flexibly grant the permissions the user holds at different login terminals; if the user does not hold the permission corresponding to the requested operation instruction, the operation cannot be performed. The above apparatus can therefore flexibly permit a user's operations at different login terminals, adapting to the diverse access modes of the information system and improving the user experience. In addition, the apparatus avoids system risks arising from missing permission control, improving both the flexibility and the security of the system.
In some embodiments of the present application, the permission determination module 602 is specifically configured to: determine the operator's role type from the identity information; and determine, from the role type and the login terminal information, the permissions the role type holds at the current login terminal through the correspondence between role type, login terminal information and permissions.
In some embodiments, when determining the permissions the role type holds at the current login terminal through that correspondence, the permission determination module 602 is specifically configured to: read the role-permission correspondence table using the role type and the login terminal information to obtain the permission IDs of the role type at the current login terminal; read the query permission information table using each permission ID to obtain the corresponding permission name; and determine, from the permission names, the permissions the role type holds at the current login terminal.
In some embodiments, the permission determination module 602 is specifically configured to: determine the operator's role type from the identity information; determine, from the role type and the login terminal information, the permission level of the role type at the current login terminal through the correspondence between role type, login terminal information and permission level; and determine at least one permission below that permission level as the operator's permission.
In some embodiments, the permissions include at least one of a function usage permission and a data access permission, where the function usage permission is the operator's permission to execute a corresponding function on a system page, and the data access permission is the operator's permission to query data on a system page.
In some embodiments, the function usage permission includes at least one of the permission to use function buttons and the permission to view function menus.
In some embodiments, the data access permission includes at least one of permission to access a data type and permission to access a data range.
In some embodiments, the permission granting module 603 is specifically configured to: obtain the function code corresponding to the operation instruction entered by the operator; determine whether the permissions include a function usage permission for that function code; and, if they do, permit the operator's operation instruction on the basis of that function usage permission.
In some embodiments, the permission granting module 603 is specifically configured to: obtain the function code corresponding to the operation instruction entered by the operator; determine whether the permissions include a data access permission for that function code; and, if they do, read the data resource table on the basis of that data access permission to permit the operator's operation instruction, where the data resource table is used to store data.
In some embodiments, the system operation permission apparatus 600 further includes a verification module configured to obtain the account information and login verification information entered by the operator on the system login interface, verify the operator's login operation from the account information and login verification information, and, if the login operation passes verification, determine the operator's identity information from the account information.
The system operation permission apparatus shown in FIG. 6 may also be composed of other modules, without limitation here, as long as the corresponding functions can be realized.
In addition, FIG. 6 shows only one embodiment of the system operation permission apparatus, not all of them; based on the apparatus embodiments in the present application, all other embodiments obtained by those skilled in the art without creative effort fall within the scope of protection of the present application.
FIG. 7 is a schematic structural diagram of a computer device provided in an embodiment of the present application. The computer device 700 includes at least one processor 701 (only one is shown in FIG. 7), a memory 702, and a computer program 703 stored in the memory 702 and runnable on the at least one processor 701; when the processor 701 executes the computer program 703, the system operation permission method described above is implemented.
The computer device may include, but is not limited to, the processor 701 and the memory 702. Those skilled in the art will understand that FIG. 7 is merely an example of the computer device 700 and does not limit it; the device may include more or fewer components than shown, combine certain components, or have different components, for example an input/output device or a network access device.
The processor 701 may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. A general-purpose processor may be a microprocessor or any conventional processor.
In some embodiments, the memory 702 may be an internal storage unit of the computer device 700, such as its hard disk or internal memory. In other embodiments, the memory 702 may be an external storage device of the computer device 700, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card. Further, the memory 702 may include both an internal storage unit and an external storage device of the computer device 700. The memory 702 is used to store the operating system, application programs, the boot loader, data and other programs, such as the program code of the computer program; it may also be used to temporarily store data that has been or is to be output.
In addition, FIG. 7 shows only one embodiment of the computer device, not all of them; based on the computer device embodiments in the present application, all other embodiments obtained by those skilled in the art without creative effort fall within the scope of protection of the present application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the division of the modules above is only an illustration; in practice the functions above may be assigned to different modules as required, that is, the internal structure of the apparatus may be divided into different modules to perform all or part of the functions described above. The modules in the above embodiments may be integrated into one processing module, exist physically as separate modules, or be combined two or more into one module; an integrated module may be implemented in hardware or as a software functional unit. The specific names of the modules serve only to distinguish them and do not limit the scope of protection of the present application. For the specific operation of the modules in the above apparatus, reference may be made to the corresponding process in the method embodiments above, which is not repeated here.
Referring to FIG. 8, an embodiment of the present application further provides a computer-readable storage medium 800 storing a computer program 801; when the computer program 801 is executed by a processor, the system operation permission method described above is implemented.
The computer program 801 includes computer program code, which may be in source code form, object code form, an executable file or some intermediate form. The computer-readable storage medium 800 may include at least: any entity or device capable of carrying the computer program code to a terminal device, a recording medium, a computer memory, a read-only memory (ROM), a random access memory (RAM), an electrical carrier signal, a telecommunication signal and a software distribution medium, for example a USB flash drive, a removable hard disk, a magnetic disk or an optical disc.
In addition, FIG. 8 shows only one embodiment of the computer-readable storage medium, not all of them; based on the storage medium embodiments in the present application, all other embodiments obtained by those skilled in the art without creative effort fall within the scope of protection of the present application.
An embodiment of the present application provides a computer program product which, when run on a mobile terminal, causes the mobile terminal to perform the system operation permission method described above.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not detailed in one embodiment, reference may be made to the relevant description of other embodiments.
The embodiments described above are only intended to illustrate the technical solutions of the present application, not to limit them. Although the present application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present application, and all fall within the scope of protection of the present application.

Claims (13)

  1. A system operation permission method, characterized by comprising:
    acquiring login terminal information when an operator logs into the system of the current login terminal, wherein the login terminal information is used to characterize the terminal type of the current login terminal;
    determining the permission authority of the operator according to the identity information of the operator and the login terminal information;
    obtaining an operation instruction of the operator and, in combination with the permission authority, permitting the operation instruction of the operator.
  2. The system operation permission method according to claim 1, characterized in that determining the permission authority of the operator according to the identity information of the operator and the login terminal information comprises:
    determining the role type corresponding to the operator according to the identity information;
    according to the role type and the login terminal information, determining the permission authority that the role type possesses at the current login terminal through the correspondence between role type, login terminal information and permission authority.
  3. The system operation permission method according to claim 2, characterized in that determining, according to the role type and the login terminal information, the permission authority that the role type possesses at the current login terminal through the correspondence between role type, login terminal information and permission authority comprises:
    according to the role type and the login terminal information, reading a role-authority correspondence table to obtain the authority ID of the role type at the current login terminal;
    according to the authority ID, reading an authority information table to obtain the authority name corresponding to the authority ID;
    based on the authority name, determining the permission authority that the role type possesses at the current login terminal.
  4. The system operation permission method according to any one of claims 1 to 3, characterized in that determining the permission authority of the operator according to the identity information of the operator and the login terminal information comprises:
    determining the role type corresponding to the operator according to the identity information;
    according to the role type and the login terminal information, determining the authority level corresponding to the role type at the current login terminal through the correspondence between role type, login terminal information and authority level;
    according to the authority level, determining at least one authority below the authority level as the permission authority of the operator.
  5. The system operation permission method according to any one of claims 1 to 4, characterized in that the permission authority includes at least one of a function usage permission and a data access permission, wherein the function usage permission is the permission of the operator to execute a corresponding function on a page of the system, and the data access permission is the permission of the operator to query data on a page of the system.
  6. The system operation permission method according to claim 5, characterized in that the function usage permission includes at least one of a permission to use a function button and a permission to view a function menu.
  7. The system operation permission method according to claim 5 or 6, characterized in that the data access permission includes at least one of a permission to access a data type and a permission to access a data range.
  8. The system operation permission method according to any one of claims 1 to 7, characterized in that obtaining the operation instruction of the operator and, in combination with the permission authority, permitting the operation instruction of the operator comprises:
    obtaining a function code corresponding to the operation instruction input by the operator;
    determining whether a function usage permission corresponding to the function code exists in the permission authority;
    when a function usage permission corresponding to the function code exists in the permission authority, permitting the operation instruction of the operator based on the function usage permission.
  9. The system operation permission method according to any one of claims 1 to 8, characterized in that obtaining the operation instruction of the operator and, in combination with the permission authority, permitting the operation instruction of the operator comprises:
    obtaining a function code corresponding to the operation instruction input by the operator;
    determining whether a data access permission corresponding to the function code exists in the permission authority;
    when a data access permission corresponding to the function code exists in the permission authority, reading a data resource table based on the data access permission so as to permit the operation instruction of the operator, wherein the data resource table is used to store data.
  10. The system operation permission method according to any one of claims 1 to 9, further comprising:
    acquiring account information and login verification information input by the operator on a login interface of the system, and verifying the login operation of the operator according to the account information and the login verification information;
    if the login operation of the operator passes verification, determining the identity information of the operator according to the account information.
  11. A system operation permission apparatus, characterized by comprising:
    an acquisition module, configured to acquire login terminal information when an operator logs into the system of the current login terminal, wherein the login terminal information is used to characterize the terminal type of the current login terminal;
    an authority determination module, configured to determine the permission authority of the operator according to the identity information of the operator and the login terminal information;
    an authority permission module, configured to obtain an operation instruction of the operator and, in combination with the permission authority, permit the operation instruction of the operator.
  12. A computer device, characterized in that it includes a memory, a processor, and a computer program stored in the memory and runnable on the processor, wherein when the processor executes the computer program, the system operation permission method according to any one of claims 1 to 10 is implemented.
  13. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, and when the computer program is executed by a processor, the system operation permission method according to any one of claims 1 to 10 is implemented.
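The lookup chain of claims 2, 3, 4, 8 and 9 (role type plus login terminal type, resolved through a role-authority table and an authority information table, then checked against the function code of an operation instruction) as an added illustration in Python. This is not the applicant's code; every table, role name, terminal type, function code and permission level below is constructed sample data, and the authority-level variant of claim 4 is shown alongside the table variant of claim 3.

```python
# Constructed role-authority correspondence table (claim 3):
# (role type, login terminal type) -> set of authority IDs.
# The same role receives a different set on a different terminal type.
ROLE_AUTHORITY_TABLE = {
    ("dispatcher", "pc"):     {101, 102, 201},
    ("dispatcher", "mobile"): {101, 201},
    ("courier",    "mobile"): {101},
}
# Constructed authority information table: authority ID -> (name, kind, attributes).
# kind is "function" (claim 6) or "data" (claim 7, with data type and range).
AUTHORITY_INFO_TABLE = {
    101: ("view_orders",   "function", None),
    102: ("export_orders", "function", None),
    201: ("query_orders",  "data", {"types": {"order"}, "range": "own_site"}),
}
# Constructed authority-level variant (claim 4): level per authority name and
# level granted per (role type, terminal type); everything at or below is granted.
AUTHORITY_LEVELS = {"view_orders": 1, "query_orders": 1, "export_orders": 2}
ROLE_LEVEL_TABLE = {("auditor", "pc"): 2, ("auditor", "mobile"): 1}
# Constructed mapping from the function code carried by an operation instruction
# (claims 8 and 9) to the authority name it requires.
FUNCTION_CODE_TABLE = {"F_VIEW": "view_orders", "F_EXPORT": "export_orders",
                       "Q_ORDERS": "query_orders"}

def resolve_by_table(role_type, terminal_type):
    """Claims 2-3: (role, terminal) -> authority IDs -> {authority name: info}."""
    ids = ROLE_AUTHORITY_TABLE.get((role_type, terminal_type), set())
    return {AUTHORITY_INFO_TABLE[i][0]: AUTHORITY_INFO_TABLE[i] for i in ids}

def resolve_by_level(role_type, terminal_type):
    """Claim 4: (role, terminal) -> level -> every authority at or below that level."""
    level = ROLE_LEVEL_TABLE.get((role_type, terminal_type), 0)   # 0 grants nothing
    by_name = {info[0]: info for info in AUTHORITY_INFO_TABLE.values()}
    return {n: by_name[n] for n, lv in AUTHORITY_LEVELS.items() if lv <= level}

def permit(permissions, function_code):
    """Claims 8-9: permit only if the function code maps to a held authority.
    Returns (allowed, data_range); data_range is set only for data access authority,
    and would bound the read of the data resource table. Unknown codes are denied."""
    name = FUNCTION_CODE_TABLE.get(function_code)
    if name is None or name not in permissions:
        return False, None
    _, kind, attrs = permissions[name]
    return True, (attrs["range"] if kind == "data" else None)
```

Note that an operator of one role is granted less on a mobile terminal than on a PC, which is the terminal-dependent behaviour the claims describe, and that a function code with no matching authority is denied rather than falling through.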
PCT/CN2023/135936 2022-12-05 2023-12-01 System operation permission method and apparatus, and computer device and storage medium WO2024120316A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211550441.X 2022-12-05
CN202211550441.XA CN118153010A (en) 2022-12-05 2022-12-05 System operation permission method, device, terminal equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2024120316A1 true WO2024120316A1 (en) 2024-06-13

Family

ID=91287490

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/135936 WO2024120316A1 (en) 2022-12-05 2023-12-01 System operation permission method and apparatus, and computer device and storage medium

Country Status (2)

Country Link
CN (1) CN118153010A (en)
WO (1) WO2024120316A1 (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101909298A (en) * 2010-07-15 2010-12-08 优视科技有限公司 Secure access control method and device for wireless network
CN104462937A (en) * 2014-12-17 2015-03-25 中国人民解放军国防科学技术大学 Operating system peripheral access permission control method based on users
CN105429966A (en) * 2015-11-04 2016-03-23 浙江宇视科技有限公司 Method and system of client for obtaining control authority of peripheral front-end equipment
CN105593866A (en) * 2013-10-03 2016-05-18 日本电气方案创新株式会社 Terminal authentication and registration system, method for authenticating and registering terminal, and storage medium
CN109409043A (en) * 2018-09-03 2019-03-01 中国平安人寿保险股份有限公司 Login method, terminal device and the medium of application system
US20190236304A1 (en) * 2017-03-31 2019-08-01 Ping An Technology (Shenzhen) Co., Ltd. Method, system, and device for managing database permissions, and computer-readable storage medium


Also Published As

Publication number Publication date
CN118153010A (en) 2024-06-07
