CN112100592A - Permission management method, apparatus, electronic device and storage medium - Google Patents
Permission management method, apparatus, electronic device and storage medium
- Publication number: CN112100592A (application number CN202010982726.5A)
- Authority: CN (China)
- Prior art keywords: user, resource, authority, organization, target
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/31: User authentication (G: Physics; G06: Computing or calculating, counting; G06F: Electric digital data processing; G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals)
- G06F21/45: Structures or tools for the administration of authentication (under the same G06F21/30 hierarchy)
Description
Technical field
The present application belongs to the field of information technology and in particular relates to a permission management method, apparatus, electronic device and storage medium.
Background
Every industry attaches great importance to the security of its own resources. For example, the e-commerce industry uses big data resources for precision marketing, the financial industry uses big data resources to decide the timing of equity transactions, and the public security sector uses big data resources to catch criminals during law enforcement. Whatever the application scenario, a platform for big data management (also called a big data platform or resource management platform) is usually deployed, and personnel holding resource-related permissions can perform the corresponding operations; for example, personnel with resource access permission can access the relevant data. However, business scenarios are complex and changeable and business personnel change frequently, which makes it difficult to manage the resource-related permissions that personnel hold effectively, and for personnel who leave or transfer to another post there are security problems such as resource leakage.
Summary of the invention
In order to overcome, at least to some extent, the problems present in the related art, the present application provides a permission management method, apparatus, electronic device and storage medium that can effectively safeguard the security of resources and make resources easier to manage.
To achieve the above purpose, the present application adopts the following technical solutions:
In a first aspect, the present application provides a permission management method, comprising: if a designated operation of a user is detected, acquiring information about the organization to which the user belongs; judging, according to the organization information, whether the organization to which the user belongs has changed; and if so, revoking the user's first resource queue permission and assigning a second resource queue permission to the user; where the first resource queue permission is the resource queue permission corresponding to the user's original organization and the second resource queue permission is the resource queue permission corresponding to the user's current organization.
Further, the method also comprises: if an access request from the user for a target resource is received, sending the access request to the owner of the target resource for approval; and determining the user's access permission to the target resource according to the approval result of the owner of the target resource.
Further, the step of determining the user's access permission to the target resource according to the approval result of the owner of the target resource comprises: if the owner of the target resource rejects the access request, determining that the user does not have access permission to the target resource; if the owner of the target resource approves the access request, sending the access request to a manager for approval, determining that the user has access permission to the target resource when the manager approves it, and determining that the user does not have access permission to the target resource when the manager rejects it.
Further, the step of sending the access request to the owner of the target resource for approval comprises: looking up the owner of the target resource according to the owner tag corresponding to the target resource; and sending the access request to the owner found for the target resource for approval.
Further, the method also comprises: setting a permission group for a specified resource; adding users who have access permission to the specified resource to the permission group; and controlling, through the permission group, the permission granularity of the users for the specified resource; where the permission granularity represents the access scope of the specified resource.
Further, the method also comprises: if a target user who is currently in a resigned state is detected, removing the target user from the permission groups the target user belongs to.
Further, the permission types corresponding to the permission group include one or more of resource addition permission, resource deletion permission, resource modification permission and resource lookup permission.
In a second aspect, the present application provides a permission management apparatus, comprising: an information acquisition module, configured to acquire information about the organization to which a user belongs if a designated operation of the user is detected; a judgment module, configured to judge, according to the organization information, whether the organization to which the user belongs has changed; and a permission assignment module, configured to revoke the user's first resource queue permission and assign a second resource queue permission to the user when the judgment result of the judgment module is yes; where the first resource queue permission is the resource queue permission corresponding to the user's original organization and the second resource queue permission is the resource queue permission corresponding to the user's current organization.
In a third aspect, the present application provides an electronic device, comprising a processor and a storage device; a computer program is stored on the storage device, and when run by the processor the computer program executes the method of any one of the first aspect.
In a fourth aspect, the present application provides a storage medium on which a computer program is stored; when the computer program is run by a processor, the steps of the method of any one of the above first aspect are executed.
The permission management method, apparatus, electronic device and storage medium provided by the present application acquire the information of the organization to which a user belongs when a designated operation of the user is detected, and judge according to the organization information whether the user's organization has changed; if so, the user's first resource queue permission is revoked and a second resource queue permission is assigned to the user, where the first resource queue permission is the resource queue permission corresponding to the user's original organization and the second resource queue permission is the resource queue permission corresponding to the user's current organization. In this way, resource queue permissions can be adjusted automatically for users whose organization has changed, which effectively safeguards the security of resources and makes resources easier to manage.
It should be understood that the general description above and the detailed description below are exemplary and explanatory only and do not limit the present application.
Description of the drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application, and those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a permission management method according to an exemplary embodiment;
Fig. 2 is a flowchart of a resource application process according to an exemplary embodiment;
Fig. 3 is a schematic flowchart of automatic permission granting and revocation according to an exemplary embodiment;
Fig. 4 is a structural block diagram of a permission management apparatus according to an exemplary embodiment.
Detailed description
In order to make the objectives, technical solutions and advantages of the present application clearer, the technical solutions of the present application are described in detail below. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other implementations obtained by those of ordinary skill in the art from the embodiments in the present application without creative effort fall within the scope of protection of the present application.
Considering that business scenarios are complex and changeable and that business personnel change frequently, which makes it difficult to manage the resource-related permissions personnel hold effectively and leads to security problems such as resource leakage, the present application provides a permission management method, apparatus, electronic device and storage medium that can effectively safeguard the security of resources and make resources easier to manage. For ease of understanding, the present application is described in detail below.
First, refer to the flowchart of a permission management method shown in Fig. 1, which mainly comprises the following steps S102 to S106:
Step S102: if a designated operation of a user is detected, acquire the information of the organization to which the user belongs. The designated operation may be, for example, the user's login to the platform where the resources reside (such as a resource management system); the organization information is then acquired according to the identity information (such as account name or e-mail address) entered by the user at login. In one specific implementation, in order to safeguard resource security, any user performing a designated operation such as a login triggers execution of the permission management method of the present application.
The organization information is specifically information about the organization the user belongs to, such as the user's department or section, and may also be called organizational structure information.
Step S104: judge, according to the organization information, whether the user's organization has changed; if so, perform step S106; if not, perform step S108.
For example, if user A originally belonged to Development Room 1 of the Big Data Center and was later transferred to Development Room 2 of the Big Data Center or assigned to another unit, user A's organization is considered to have changed. In practice, the organization information recorded at the user's previous login and the organization information at the current login can be retrieved, and whether the user's organization has changed is judged by comparing the two.
Step S106: revoke the user's first resource queue permission and assign a second resource queue permission to the user, where the first resource queue permission is the resource queue permission corresponding to the user's original organization and the second resource queue permission is the resource queue permission corresponding to the user's current organization.
The programs a user runs to access big data resources usually require a certain amount of computing resources, and a resource queue provides those computing resources; the specific implementation of resource queues follows that of a resource scheduler and is not repeated here. Different organizations correspond to different resource queue permissions and accordingly to different amounts of computing resources. In practice, a corresponding resource queue can be allocated to each organization in advance, binding each organization to its resource queue. When a change in the user's organization is detected, the resource queue permission held by the user has changed, so the resource queue available to the user must be re-determined; in a specific implementation, the previously recorded name of the resource queue corresponding to the user's original organization is deleted and the name of the new resource queue corresponding to the user's current organization is recorded.
For each organization, only users belonging to that organization have access permission to the resource queue bound to it and can use that resource queue, for example by submitting tasks on it. When a user's organization changes, the user can no longer submit tasks on the original resource queue and can only submit tasks on the resource queue corresponding to the new organization. In practice, when a user fails to submit a task on the resource queue corresponding to the original organization, the user can also be quickly directed to the resource queue corresponding to the current organization.
Step S108: keep the user's first resource queue permission.
When it is detected that the user's organization has not changed, the user's resource queue permission and the amount of computing resources available to the user remain unchanged.
In the above manner, resource queue permissions can be adjusted automatically for users whose organization has changed, which effectively safeguards the security of resources and makes resources easier to manage.
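The login-time check of steps S102 to S108, written out as an added example (not code from the patent). It assumes an in-memory store of each user's last-seen organization and a static, constructed binding of organizations to resource queue names; a login to an organization with no bound queue is treated as an error rather than leaving the user on a stale queue.

```python
"""Resource-queue permission adjustment on login (steps S102 to S108).

Added example, not the patent's code. Assumes an in-memory store for each
user's last-seen organization and a static organization -> queue binding.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed binding of organizations to resource queues (assumption).
ORG_QUEUES: Dict[str, str] = {
    "bigdata/dev-room-1": "queue.dev1",
    "bigdata/dev-room-2": "queue.dev2",
    "finance/analytics": "queue.fin",
}


@dataclass
class QueuePermissionStore:
    # user -> organization recorded at the previous login (compared in S104)
    last_org: Dict[str, str] = field(default_factory=dict)
    # user -> name of the resource queue the user may currently submit to
    queue_of: Dict[str, str] = field(default_factory=dict)


def on_login(store: QueuePermissionStore, user: str, current_org: str) -> dict:
    """Run the S102 -> S104 -> S106/S108 check when a login (the designated
    operation) is observed.  Returns a small audit record of what was done."""
    if current_org not in ORG_QUEUES:
        raise KeyError(f"organization {current_org!r} has no bound resource queue")
    previous_org: Optional[str] = store.last_org.get(user)
    new_queue = ORG_QUEUES[current_org]
    if previous_org is None:
        # First login seen: record the organization and bind its queue.
        store.last_org[user] = current_org
        store.queue_of[user] = new_queue
        return {"user": user, "action": "assigned", "revoked": None, "assigned": new_queue}
    if previous_org == current_org:
        # S108: organization unchanged, keep the first resource queue permission.
        return {"user": user, "action": "kept", "revoked": None,
                "assigned": store.queue_of[user]}
    # S106: organization changed; revoke the old queue, grant the new org's queue.
    old_queue = store.queue_of.pop(user, None)
    store.queue_of[user] = new_queue
    store.last_org[user] = current_org
    return {"user": user, "action": "reassigned", "revoked": old_queue, "assigned": new_queue}


def can_submit(store: QueuePermissionStore, user: str, queue: str) -> bool:
    """Only the queue bound to the user's current organization accepts their tasks."""
    return store.queue_of.get(user) == queue


def submit_task(store: QueuePermissionStore, user: str, queue: str) -> str:
    """Reject a submission to a stale queue and point the user at the right one."""
    if can_submit(store, user, queue):
        return f"accepted on {queue}"
    current = store.queue_of.get(user)
    if current is None:
        return "rejected: user has no resource queue"
    return f"rejected on {queue}; use {current}"
```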
In order to further safeguard the security of resource access, this embodiment may also handle users applying for resource access according to the following steps a and b:
Step a: if an access request from a user for a target resource is received, send the access request to the owner of the target resource for approval.
In one implementation, the owner of the target resource can be looked up according to the owner tag corresponding to the target resource, and the access request is sent to the owner found for approval. In practice, the owner of each resource can be determined in advance and a tag attached to the resource's owner (or the resource's publisher), so that the owner can be found directly from the tag.
Step b: determine the user's access permission to the target resource according to the approval result of the owner of the target resource. Having the owner of the target resource approve the access the user applies for effectively controls sensitive data resources and improves data security.
In one implementation, once the owner of the target resource has approved the request, the user is determined to have access permission to the target resource.
In another implementation, after the owner of the target resource has approved the request, it can be handed to a higher-level administrator for further approval. That is, if the owner of the target resource rejects the access request, the user is determined not to have access permission to the target resource; if the owner approves the access request, it is further sent to a manager for approval, and the user is determined to have access permission to the target resource when the manager approves it and not to have access permission when the manager rejects it.
For ease of understanding, based on steps a and b above, this embodiment provides a specific implementation example; refer to the resource application flowchart shown in Fig. 2, which mainly comprises the following steps S202 to S220:
Step S202: the user logs in, for example to the resource management system of the big data platform.
Step S204: the user applies for a cluster account.
Step S206: judge whether the account application request is approved. If so, perform step S208 and/or step S210; if not, perform step S218. In practice, some resources can be accessed as soon as the user has applied for a cluster account, without further approval, which keeps the business flowing smoothly, while resources with stronger security requirements can only be accessed after going through the approval process, which safeguards data security. In this way, business fluency and data security can be effectively balanced.
Step S208: automatically open the relevant resources to the user according to the user's organization information.
Step S210: the user applies for cluster resources.
Step S212: judge whether the resource owner approves. If so, perform step S214; if not, perform step S220.
Step S214: judge whether the administrator approves. If so, perform step S216; if not, perform step S220.
Step S216: end; the user can access the requested resource.
Step S218: end; the user cannot access any resource.
Step S220: end; the user cannot access the requested resource.
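The owner-then-administrator decision chain of steps a and b and S202 to S220, as an added example that is not the patent's own code. It assumes a constructed owner directory keyed by owner tag and models each approval stage as True, False or None (not yet decided), with every undecided stage failing closed.

```python
"""Two-stage resource access approval with owner lookup by tag
(steps a and b, S202 to S220).

Added example, not the patent's code. Assumes each resource carries an owner
tag that maps to an owner account, and that approval decisions arrive as
True/False values, with None meaning "not decided yet".
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class Outcome(Enum):
    NO_ACCOUNT = "no_account"            # S206 rejected -> S218: no resource at all
    OPENED_BY_ORG = "opened_by_org"      # S208: opened by organization, no approval needed
    PENDING_OWNER = "pending_owner"      # step a: sent to the owner, no decision yet
    DENIED_BY_OWNER = "denied_by_owner"  # S212 rejected -> S220
    PENDING_ADMIN = "pending_admin"      # owner approved, forwarded to administrator (S214)
    DENIED_BY_ADMIN = "denied_by_admin"  # S214 rejected -> S220
    GRANTED = "granted"                  # S216


@dataclass(frozen=True)
class Resource:
    name: str
    owner_tag: str            # tag attached to the owner/publisher, used for lookup
    requires_approval: bool   # False: opened automatically per organization (S208)


# Constructed owner directory: owner tag -> owner account (assumption).
OWNER_BY_TAG: Dict[str, str] = {
    "owner:sales-dw": "alice",
    "owner:risk-models": "bob",
}


def find_owner(resource: Resource) -> str:
    """Step a: resolve the owner from the resource's owner tag.  An unmapped
    tag is an error, never a silent fallback to some default approver."""
    try:
        return OWNER_BY_TAG[resource.owner_tag]
    except KeyError:
        raise LookupError(f"no owner registered for tag {resource.owner_tag!r}") from None


def route_request(resource: Resource, requester: str) -> Dict[str, str]:
    """Build the approval ticket: the owner found via the tag is the first approver."""
    return {"requester": requester, "resource": resource.name,
            "approver": find_owner(resource)}


def decide_access(resource: Resource, account_approved: bool,
                  owner_decision: Optional[bool] = None,
                  admin_decision: Optional[bool] = None) -> Outcome:
    """Walk the S206 -> S212 -> S214 chain for one request.

    A rejection at any stage is final, the administrator is consulted only
    after the owner has approved, and an undecided stage fails closed.
    """
    if not account_approved:
        return Outcome.NO_ACCOUNT                       # S218
    if not resource.requires_approval:
        return Outcome.OPENED_BY_ORG                    # S208
    if owner_decision is None:
        return Outcome.PENDING_OWNER
    if owner_decision is False:
        return Outcome.DENIED_BY_OWNER                  # S220
    if admin_decision is None:
        return Outcome.PENDING_ADMIN
    return Outcome.GRANTED if admin_decision else Outcome.DENIED_BY_ADMIN


def has_access(outcome: Outcome) -> bool:
    """Only a fully approved request, or an organization-opened resource, grants access."""
    return outcome in (Outcome.GRANTED, Outcome.OPENED_BY_ORG)
```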
In addition, the granularity of resource access permissions in the prior art usually cannot be adjusted dynamically, so a good balance between business fluency and data security cannot be reached. For example, when a user accesses Hive warehouse data, the user may access the data of the whole database, only the data of a certain table, or only the data of a few fields. If the permission granularity is coarse, everyone can view the data resource, which keeps the business flowing but cannot guarantee data security; if the granularity is very fine, each person has only field-level access, which guarantees data security but greatly reduces business fluency. To improve this, the present application can further perform the following steps 1 to 3:
Step 1: set a permission group for a specified resource; the permission types corresponding to the permission group include one or more of resource addition, resource deletion, resource modification and resource lookup permission. A permission group can be understood as a certain permission on the specified resource being assigned to the group, so that every user in the group holds that permission on the specified resource.
Step 2: add users who have access permission to the specified resource to the permission group. In practice, the users added to a permission group can be chosen flexibly and adjusted dynamically. A user may be a single individual, all members of a project team, or all staff of a department, as the situation requires.
Step 3: control, through the permission group, the permission granularity of the users for the specified resource, where the permission granularity represents the access scope of the specified resource. For example, a coarse-grained permission represents a large access scope and a fine-grained permission a small one; permission control can be applied to the whole database or to individual tables and fields.
By dynamically adjusting the permission granularity of the permission group, business fluency and data security can be balanced according to the actual situation.
The present application further provides an automatic permission revocation mechanism: if a target user who is currently in a resigned state is detected, the target user is removed from the permission groups the target user belongs to, which effectively safeguards resource security and prevents unauthorized persons from performing improper operations. The system can periodically query the status of all users, treat users in a resigned state as target users, and automatically remove the target users from their permission groups and revoke all of their permissions, so as to prevent resigned users from continuing to use resources and to prevent others from operating on data with a stolen account of a resigned employee, thereby avoiding data leakage and effectively improving data security.
For ease of understanding, refer to the schematic flowchart of automatic permission granting and revocation shown in Fig. 3 and to the following steps S302 to S316:
Step S302: set the resource permission types, such as add, delete, modify and query;
Step S310: grant the resource permissions to a permission group;
Step S312: add the qualifying users to the permission group;
Step S314: periodically and automatically query the cluster for users who have left;
Step S316: remove users who have left from all permission groups they belong to, so as to revoke all of their permissions.
The above steps can be implemented with reference to the corresponding steps of the foregoing embodiments and are not repeated here.
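Steps 1 to 3 (permission groups whose scope can be widened or narrowed between database, table and field level) together with the offboarding sweep of S302 to S316, as an added example that is not the patent's code. It assumes Hive-style resources addressed as database/table/column and a constructed user directory reporting each account's status; accounts absent from the directory are treated as having left, which is this example's fail-closed choice rather than something the patent specifies.

```python
"""Permission groups with adjustable scope granularity and the periodic
offboarding sweep (steps 1 to 3 and S302 to S316).

Added example, not the patent's code. Assumes Hive-style resources addressed
as database / table / column and a user directory reporting account status.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# S302: the permission kinds a group may hold (add, delete, modify, find).
PERMISSION_TYPES = {"add", "delete", "modify", "find"}


@dataclass
class PermissionGroup:
    name: str
    database: str
    table: Optional[str] = None     # None: scope is the whole database (coarse)
    column: Optional[str] = None    # set: scope is one field of the table (finest)
    ops: Set[str] = field(default_factory=set)
    members: Set[str] = field(default_factory=set)

    def covers(self, database: str, table: Optional[str], column: Optional[str]) -> bool:
        """Every bound scope level must match the request; unbound levels act as wildcards."""
        if self.database != database:
            return False
        if self.table is not None and self.table != table:
            return False
        if self.column is not None and self.column != column:
            return False
        return True


def grant(group: PermissionGroup, *ops: str) -> None:
    """S310: grant permission kinds to the group; unknown kinds are rejected up front."""
    unknown = set(ops) - PERMISSION_TYPES
    if unknown:
        raise ValueError(f"unknown permission types: {sorted(unknown)}")
    group.ops.update(ops)


def set_scope(group: PermissionGroup, table: Optional[str] = None,
              column: Optional[str] = None) -> None:
    """Step 3: adjust the group's granularity (database, table or column level) at runtime."""
    if column is not None and table is None:
        raise ValueError("column-level scope needs a table")
    group.table, group.column = table, column


def is_allowed(groups: List[PermissionGroup], user: str, op: str, database: str,
               table: Optional[str] = None, column: Optional[str] = None) -> bool:
    """Allowed if some group containing the user holds the operation and its
    scope covers the requested database/table/column."""
    return any(user in g.members and op in g.ops and g.covers(database, table, column)
               for g in groups)


def offboarding_sweep(groups: List[PermissionGroup],
                      status_of: Dict[str, str]) -> List[Tuple[str, str]]:
    """S314/S316: drop every user whose status is 'left' from every group.

    Accounts missing from the directory are treated as left (fail closed, an
    assumption of this example): a group member with no status record is
    exactly the stale account the sweep exists to catch.  Returns the
    (user, group) pairs removed, for auditing.
    """
    removed: List[Tuple[str, str]] = []
    for g in groups:
        for user in sorted(g.members):
            if status_of.get(user, "left") == "left":
                g.members.discard(user)
                removed.append((user, g.name))
    return removed
```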
It can be understood that an existing big data platform usually has many components, such as Hive, Kafka and HBase, with fairly complex process architectures and no unified entry point for permission management, which makes it hard to manage. In the embodiments of the present application, platform components such as Hive and HBase can all be connected to a unified permission management entry point, through which the permission management method of the present application is executed.
Corresponding to the foregoing permission management method, the present application further provides a permission management apparatus; refer to the structural block diagram of a permission management apparatus shown in Fig. 4, which mainly comprises the following modules:
an information acquisition module 402, configured to acquire the information of the organization to which a user belongs if a designated operation of the user is detected;
a judgment module 404, configured to judge, according to the organization information, whether the user's organization has changed;
a permission assignment module 406, configured to revoke the user's first resource queue permission and assign a second resource queue permission to the user when the judgment result of the judgment module is yes; where the first resource queue permission is the resource queue permission corresponding to the user's original organization and the second resource queue permission is the resource queue permission corresponding to the user's current organization.
Through the above apparatus, resource queue permissions can be adjusted automatically for users whose organization has changed, which effectively safeguards the security of resources and makes resources easier to manage.
In one embodiment, the device further includes an approval module and a permission determination module, where:
the approval module is configured to, on receiving an access request from the user for a target resource, forward the access request to the owner of the target resource for approval;
the permission determination module is configured to determine the user's access permission to the target resource according to the approval result of the owner of the target resource.
In a specific embodiment, the permission determination module is further configured to: if the owner of the target resource rejects the access request, determine that the user does not have access permission to the target resource; if the owner of the target resource approves the access request, forward the access request to a manager for approval, determine that the user has access permission to the target resource when the manager approves, and determine that the user does not have access permission when the manager rejects.
In a specific embodiment, the approval module is further configured to: look up the owner of the target resource by the owner tag attached to the target resource, and send the access request to the owner so found for approval.
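The two-stage approval described above, as an added example that is not code from the patent: the owner is resolved through the owner tag, an owner rejection ends the flow, and only an owner-approved request reaches the manager. The `RESOURCES` dict, the approver callables and the single `manager_decision` are assumptions made for this example.

```python
"""Added example, not code from the patent: two-stage approval of an access
request, resource owner first, then a manager, with owner lookup by tag.

Assumptions (mine): owner tags live in a dict keyed by resource name; each
approver is a callable (requester, resource) -> bool; there is one manager.
Names and resources are constructed for the example.
"""
from typing import Callable, Dict, List, Tuple

Decision = Callable[[str, str], bool]     # (requester, resource) -> True to approve

# Constructed sample resources, each carrying an owner tag.
RESOURCES = {
    "hdfs:/warehouse/orders": {"owner": "bob"},
    "hdfs:/warehouse/hr": {"owner": "carol"},
}


def find_owner(resource: str) -> str:
    """Approval module: resolve the owner through the resource's owner tag.
    A resource without an owner tag cannot be approved by anyone, so fail closed."""
    try:
        return RESOURCES[resource]["owner"]
    except KeyError:
        raise LookupError(f"no owner tag for {resource}") from None


def decide_access(requester: str, resource: str,
                  owner_decisions: Dict[str, Decision],
                  manager_decision: Decision) -> dict:
    """Permission determination module.

    Owner rejection ends the flow with no access. Only after owner approval is
    the request forwarded to the manager; access is granted only if the
    manager also approves. The trail records who decided what, for audit.
    """
    owner = find_owner(resource)
    trail: List[Tuple[str, str, bool]] = []
    owner_ok = owner_decisions[owner](requester, resource)   # unknown owner raises: fail closed
    trail.append(("owner", owner, owner_ok))
    if not owner_ok:
        return {"granted": False, "decided_by": "owner", "trail": trail}
    manager_ok = manager_decision(requester, resource)
    trail.append(("manager", "manager", manager_ok))
    return {"granted": manager_ok, "decided_by": "manager", "trail": trail}
```

The patent's flow says nothing about a requester who is also the resource owner; an implementation has to decide whether that request skips the owner stage, is auto-approved, or goes to the manager alone, and that decision should be explicit rather than falling out of the lookup.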
In a specific embodiment, the device further includes:
a permission group setting module, configured to set a permission group for a specified resource;
a permission group adding module, configured to add users who have access permission to the specified resource into the permission group;
a permission group control module, configured to control, through the permission group, the permission granularity of the user on the specified resource; here the permission granularity represents the access scope within the specified resource.
In a specific embodiment, the device further includes a removal module, configured to, on detecting a target user who is currently in a resigned (offboarded) state, remove the target user from the permission group(s) the target user belongs to.
In a specific embodiment, the permission types corresponding to a permission group include one or more of: resource add permission, resource delete permission, resource modify permission, and resource search permission.
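The permission-group mechanism of the last few paragraphs (setting a group on a resource, adding members, bounding the group's reach by an access scope, the four permission types, and removing resigned users), as one added example that is not code from the patent. The path-prefix scope, the segment-wise match and the `hr_status` dict are assumptions made for this example.

```python
"""Added example, not code from the patent: permission groups on a resource
with a permission set (add/delete/modify/search), an access scope that bounds
the group's reach, and removal of users who have left.

Assumptions (mine): a scope is a path prefix inside the resource, matched on
whole path segments; HR status arrives as a dict uid -> status; all names are
constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Dict, List, Set, Tuple


class Perm(Flag):
    ADD = auto()
    DELETE = auto()
    MODIFY = auto()
    SEARCH = auto()


@dataclass
class PermissionGroup:
    resource: str
    perms: Perm                 # one or more permission types
    scope: str                  # granularity: the part of the resource this group may reach
    members: Set[str] = field(default_factory=set)


def _within_scope(path: str, scope: str) -> bool:
    """Segment-wise prefix match so scope "/orders" does not cover "/orders_archive"."""
    p = [seg for seg in path.split("/") if seg]
    s = [seg for seg in scope.split("/") if seg]
    return p[:len(s)] == s


class PermissionGroupStore:
    def __init__(self) -> None:
        self.groups: List[PermissionGroup] = []

    def set_group(self, resource: str, perms: Perm, scope: str) -> PermissionGroup:
        """Permission group setting module."""
        group = PermissionGroup(resource, perms, scope)
        self.groups.append(group)
        return group

    def add_member(self, group: PermissionGroup, uid: str) -> None:
        """Permission group adding module."""
        group.members.add(uid)

    def is_allowed(self, uid: str, resource: str, path: str, perm: Perm) -> bool:
        """Permission group control module: allow only if some group on this resource
        contains the user, grants the permission type, and its scope covers the path."""
        return any(
            g.resource == resource and uid in g.members and perm in g.perms
            and _within_scope(path, g.scope)
            for g in self.groups
        )

    def remove_resigned(self, hr_status: Dict[str, str]) -> List[Tuple[str, str]]:
        """Removal module: drop users reported as resigned from every group they are in."""
        removed = []
        for g in self.groups:
            for uid in sorted(g.members):
                if hr_status.get(uid) == "resigned":
                    g.members.discard(uid)
                    removed.append((g.resource, uid))
        return removed
```

Two things to check in a real deployment: a plain string prefix test would let a scope of `/orders` reach `/orders_archive`, which is why the match is done per path segment; and `remove_resigned` only acts on users the HR feed explicitly reports as resigned, so a user missing from the feed keeps membership. A fail-closed variant would treat absence from the feed the same as resignation.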
Further, this embodiment also provides an electronic device comprising a processor and a storage device, where a computer program is stored on the storage device and, when run by the processor, executes the rights management method described above.
Further, this embodiment also provides a storage medium on which a computer program is stored; when the program is run by a processor it executes the rights management method described above.
It will be understood that the same or similar parts of the above embodiments may refer to one another, and content not described in detail in one embodiment may be found in the same or similar content of other embodiments.
It should be noted that in the description of this application the terms "first", "second" and the like are used only for the purpose of description and are not to be understood as indicating or implying relative importance. Furthermore, in the description of this application, unless otherwise stated, "a plurality" and "multiple" mean at least two.
It will be understood that when an element is said to be "fixed to" or "disposed on" another element, it may be directly on that element or intervening elements may be present; when an element is said to be "connected" to another element, it may be directly connected to that element or intervening elements may be present, and "connected" as used here may include a wireless connection; the expression "and/or" includes any one of, and all combinations of, the associated listed items.
Any process or method described in the flowcharts or otherwise described herein may be understood to represent a module, segment or portion of code comprising one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of this application includes alternative implementations in which the functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functions involved, as will be understood by those skilled in the art to which the embodiments of this application belong.
It should be understood that the parts of this application may be implemented in hardware, software, firmware or a combination thereof. In the above embodiments, multiple steps or methods may be implemented in software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, they may be implemented with any one or a combination of the following techniques known in the art: discrete logic circuits having logic gates for implementing logic functions on data signals, application-specific integrated circuits having suitable combinational logic gates, programmable gate arrays (PGA), field-programmable gate arrays (FPGA), and so on.
Those of ordinary skill in the art will understand that all or part of the steps of the methods of the above embodiments may be completed by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium and, when executed, performs one or a combination of the steps of the method embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing module, or each unit may exist physically on its own, or two or more units may be integrated into one module. The integrated module may be implemented in hardware or as a software functional module. If the integrated module is implemented as a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk, or the like.
In this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example", "some examples" or the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of this application. In this specification, schematic uses of these terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although the embodiments of this application have been shown and described above, it will be understood that they are exemplary and are not to be construed as limiting this application; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of this application.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010982726.5A CN112100592A (en) | 2020-09-17 | 2020-09-17 | Authority management method, device, electronic equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202010982726.5A CN112100592A (en) | 2020-09-17 | 2020-09-17 | Authority management method, device, electronic equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112100592A (en) | 2020-12-18 |
Family
ID=73760423
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202010982726.5A Pending CN112100592A (en) | 2020-09-17 | 2020-09-17 | Authority management method, device, electronic equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112100592A (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20020184535A1 (en) * | 2001-05-30 | 2002-12-05 | Farah Moaven | Method and system for accessing a resource in a computing system |
| KR20090000197A (en) * | 2007-01-29 | 2009-01-07 | 에스케이 텔레콤주식회사 | Enterprise Resource Management System |
| CN103078859A (en) * | 2012-12-31 | 2013-05-01 | 普天新能源有限责任公司 | Service system authority management method, equipment and system |
2020
- 2020-09-17 CN CN202010982726.5A patent/CN112100592A/en active Pending
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113505362A (en) * | 2021-07-16 | 2021-10-15 | 长鑫存储技术有限公司 | System authority control method, data center, control device and storage medium |
| CN113505362B (en) * | 2021-07-16 | 2023-09-22 | 长鑫存储技术有限公司 | System authority management and control method, data center, management and control device and storage medium |
| CN115174956A (en) * | 2022-07-06 | 2022-10-11 | 海南乾唐视联信息技术有限公司 | Video resource allocation method and device, electronic equipment and readable storage medium |
Similar Documents
| Publication | Title |
|---|---|
| US9727439B2 (en) | Tracking application deployment errors via cloud logs |
| US10585698B2 (en) | Template-driven multi-tenant workflow processing |
| US8255355B2 (en) | Adaptive method and system with automatic scanner installation |
| JP5243804B2 (en) | Computer system, method and computer program for managing components |
| US11811839B2 (en) | Managed distribution of data stream contents |
| CN112714018B (en) | Gateway-based ElasticSearch search service method, system, medium and terminal |
| US7895332B2 (en) | Identity migration system apparatus and method |
| US9799003B2 (en) | Context-dependent transactional management for separation of duties |
| CA3103393A1 (en) | Method and server for access verification in an identity and access management system |
| US8819231B2 (en) | Domain based management of partitions and resource groups |
| US20230054904A1 (en) | Layered-Infrastructure Blockchain-Based System for Software License Distribution |
| CN113626869A (en) | Data processing method, system, electronic device and storage medium |
| US9971613B2 (en) | Tag based permission system and method for virtualized environments |
| CN112100592A (en) | Authority management method, device, electronic equipment and storage medium |
| US8019845B2 (en) | Service delivery using profile based management |
| US20170206371A1 (en) | Apparatus and method for managing document based on kernel |
| US11349930B2 (en) | Identifying and deleting idle remote sessions in a distributed file system |
| US11204717B2 (en) | Object storage system with access control quota status check |
| CN113407973B (en) | Software function authority management method, system, server and storage medium |
| CN114065254A (en) | Data processing methods, apparatus, electronic equipment, media and products |
| CN118368120B (en) | Data management method and device of operation and maintenance platform, electronic equipment and medium |
| US12050609B1 (en) | Discretization of continuous stream of data items using data dividers |
| JP2024108150A (en) | Data record correlation and migration |
| US20230237186A1 (en) | Access Control Framework For Graph Entities |
| US9467452B2 (en) | Transferring services in a networked environment |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| RJ01 | Rejection of invention patent application after publication |
Application publication date: 2020-12-18