CN112632578A - Service system authority control method and device, electronic equipment and storage medium - Google Patents
- Publication number
- CN112632578A (application number CN202011564908.7A)
- Authority
- CN
- China
- Prior art keywords
- service
- information
- authority
- user
- characteristic
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The invention relates to the technical field of information security and provides a business system authority control method, a device, an electronic device and a storage medium. The method comprises: acquiring business-related information to form a business information body, where the business-related information comprises a business code, a business description and back-end service items, and each back-end service item comprises a service identifier and an access policy; establishing an authority association between each business information body and a user to form a business authority list; and, when the user accesses a business, determining from the business information body the access policy of each service under the accessed business, the accessed business then calling the corresponding service according to that access policy. The invention builds an authorization rule list from several classes of identity information, generates feature information from a user's identity information, and obtains the authority list by comparing the feature information with the feature values in the authorization rule list. Authority can thus be set at a finer granularity, and priorities prevent conflicts between the business authorities that different combinations of identity information would grant.
Description
Technical Field
The present invention relates to the field of information security, and in particular to a method and an apparatus for controlling permissions in a business system (rendered "service system" in the title), an electronic device and a computer-readable storage medium.
Background
Authority management generally means managing the access capability, or access rules, of different users to predetermined resources according to a security rule or security policy set by the system: a user may access a resource only in a specific manner (for example read, write or delete) and may only access resources for which that user has been authorized. Any multi-user system inevitably faces the problem of rights management, and the more users a system has, and the more complicated the users' attributes and division of labour, the more complicated the problem becomes. Rights management is therefore trending toward multi-level, multi-dimensional schemes, and a unified rights management solution for multiple business systems is the first objective that developers of commercial application systems must achieve for data service integration.
In a business system, different identity information must be authorized for businesses on demand. Two methods are currently in common use:
(1) marking in the code the roles that are allowed to access a business, determining the current user's roles from the user information, and judging from those roles whether the user is authorized to access the business;
(2) setting up a blacklist that initially contains all users, and removing the current user from it if, according to the authority list, the user is authorized to access the business.
Both methods offer only a single granularity of authority and cannot control business access from multiple angles; no better solution has existed until now.
Disclosure of Invention
The invention provides a business system authority control method, a business system authority control device, an electronic device and a storage medium, whose main aim is to provide fine-grained authority management and to meet multi-angle access control of businesses.
To achieve this, the business system authority control method provided by the invention includes:
acquiring business-related information to form a business information body, where the business-related information comprises a business code, a business description and back-end service items, and each back-end service item comprises a service identifier and an access policy;
establishing an authority association between each business information body and the user to form a business authority list;
when the user accesses a business, displaying the businesses available to that user according to the business authority list, determining from the business information body the access policy of each service under the accessed business, and having the accessed business call the corresponding service according to that access policy.
Optionally, establishing the authority association between each business information body and the user to form the business authority list includes:
obtaining the user's identity information and combining its n items in every combination of size 1 up to m (that is, from C(n,1) to C(n,m)) to form feature information, where n and m are integers greater than 0 and m is less than or equal to n;
acquiring an authorization rule list, searching it for feature values that match the feature information, and determining the business authority corresponding to the feature information from the matched feature values, where the authorization rule list comprises feature types and at least one feature value for each feature type, and a business authority is set for each feature value;
generating the business authority list from the business authorities corresponding to the feature information together with the business information bodies.
Optionally, the identity information includes name, age, gender, position, department number, user account and experience value.
Optionally, if several pieces of authority information for the same business are found in the authorization rule list for the feature information, the authority with the highest priority is taken as the user's authority for that business; if the priorities are equal and the number of deny authorities is greater than or equal to the number of allow authorities, the business is denied, otherwise it is allowed.
Optionally, the access policy is a class that encapsulates an algorithm or behaviour in the strategy pattern.
Optionally, each feature value in the authorization rule list is compared with the data of a personnel information base, and if the feature value is invalid a modification of the feature value is prompted, where an invalid feature value is one that has no matching entry in the personnel information base.
Optionally, a newly added category of information in the personnel information base is combined with the feature types in the authorization rule list and added to the authorization rule list.
The invention also provides a business system authority control device, comprising:
a business information body construction module, for acquiring business-related information to form a business information body, where the business-related information comprises a business code, a business description and back-end service items, and each back-end service item comprises a service identifier and an access policy;
a business authority list construction module, for establishing an authority association between each business information body and the user to form a business authority list;
and a business execution module, for displaying the businesses available to the user according to the business authority list when the user accesses a business, determining from the business information body the access policy of each service under the accessed business, and having the accessed business call the corresponding service according to that access policy.
The invention also provides an electronic device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, where
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the business system authority control method described above.
The invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the business system authority control method described above.
The embodiment of the invention builds an authorization rule list from several classes of identity information, generates feature information from a user's identity information, and obtains the authority list by comparing the feature information with the feature values in the authorization rule list. Authority can therefore be set at a finer granularity, giving rich authority levels;
priorities prevent conflicts between the business authorities that different combinations of identity information would grant;
and because the business is the object of authority control, front-end and back-end authority behave consistently, which solves the problem of a front-end operation interface authority without the corresponding background service authority, or a background service authority without a front-end operation interface.
Drawings
Fig. 1 is a schematic flow chart of an embodiment of the business system authority control method provided by the invention;
Fig. 2 is a diagram of the associations between businesses, services and users provided by the invention;
Fig. 3 is a schematic block diagram of an embodiment of the business system authority control apparatus provided by the invention;
Fig. 4 is a schematic structural diagram of an embodiment of an electronic device for implementing the business system authority control method provided by the invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The invention provides a business system authority control method for providing fine-grained authority management and meeting multi-angle access control of businesses.
Fig. 1 is a schematic flow chart of a business system authority control method according to an embodiment of the invention. The method may be performed by an apparatus, which may be implemented in software and/or hardware.
In this embodiment, the business system authority control method includes:
S10: acquiring business-related information to form a business information body, where the business-related information comprises a business code, a business description and back-end service items, and each back-end service item comprises a service identifier and an access policy.
Specifically, the development document of a business records the business code, business name and business description of the business as currently implemented. The development document also records which services the business uses, that is, the service identifiers, and the access policy of each service: the service address and the service rules for using that service. As shown in table 1, business 1 may be a scan business that comprises at least two services, for example a scanned-image recognition service and a scanned-text translation service. Each service is associated with a request address through which it is called, so the business executes the service by contacting the back end at that request address.
TABLE 1
The business body is written in code of the following form; business 1 is described as:
where id is the business code, name the business name, refs the service identifiers, uri the service address and rule the service rule.
s20: and establishing authority association between each service information body and the user to form a service authority list.
Therefore, after the user logs in, the user can have the service authority list corresponding to the user in the login state. The service authority refers to the authority for controlling and using the service system, and includes the authority for adding, deleting, modifying, updating, ordering, using and the like to the service system. The establishing authority association between each service information body and the user to form a service authority list comprises the following steps:
s21: obtaining the identity information of the user according to the identity informationShare information goes onToAnd combining to form the characteristic information, wherein n and m are integers more than 0, and m is less than or equal to n.
The identity information may include name, age, gender, position, department number, user account. According to each identity informationToThe combination of the characteristic information refers to the identity information is according toForm some characteristic information, namely name, age, sex, position, department number, user account. Then according toForm some characteristic information, i.e., { name, age }, { name, gender }, { name, position }, { name, department number }, etc. And so on until according toFormed characteristic information { name, age, gender, position, department number, user account }. Thereby forming characteristic information containing different identity information. And different combinations of identity information of one user can correspond to the authorities of different service systems. And the user can have the authority of different service systems according to different characteristic information. For example, one employee's characteristic information may allow him to have more rights in one business system, while another employee's characteristic information may allow him to have less rights in another business system.
Further, the identity information may also include experience values, which may be, for example, working years, project experience. For example, over a few years of operation, and have participated in several related projects. For example, a project management system, does not allow access to the relevant services of the supply chain management module for users who have a project experience of less than 2 years. By setting the empirical value in the list of authorization rules described below, the user's business rights can be restricted based on a combination of the empirical value and other identity information.
S22: obtaining an authorization rule list, searching a characteristic value matched with the authorization rule list in the authorization rule list according to the characteristic information, and determining a service authority corresponding to the characteristic information according to the characteristic value, wherein the authorization rule list comprises characteristic types and at least one characteristic value corresponding to each characteristic type, and a service authority is set corresponding to each characteristic value.
Specifically, different feature values are set in the authorization rule list for the various feature types, and the same or different business authorities are set for the different feature values.
For example, as shown in table 2:
TABLE 2
In table 2, feature values of different feature types are set for business A. For example, the feature type "role" may have the feature values department head, division head, director, secretary, general manager and so on, and different authorities are set for the different roles. In addition, a combination of several items of identity information is itself a feature type, and feature values are set for each such combination. For example, age + role is a feature type with two feature values: one is "older than 40 + project manager", meaning that a user who is older than 40 and is a project manager holds the authority for business E; the other is "older than 30 + general manager", meaning that a general manager older than 30 holds the authority for business D.
Once the user's feature information has been computed from the user's identity information, the various business authorities corresponding to that feature information can be looked up in the authorization rule list.
S23: and generating a service authority list by combining a service information body according to the service authority corresponding to the characteristic information.
Specifically, the service authority list has all service authorities owned by the user, as shown in table 3.
TABLE 3
As can be seen from table 3, in the combination of the respective identity information of the user B, the two feature information of "total manager +45 years old" and "male +5 years of work + 50" have matching feature values, so that the authority of the user B to have the service D and the service F is determined according to the matching feature values.
The association relation among the service, the service and the user can be established through the service authority list. As shown in fig. 2, if the characteristic information 2 of the user a matches with the characteristic value 1, it has the service authority of the service 1, and accordingly, the service 1 invokes the service 1, the service 2, and the service 3 when executed. And if the characteristic information 6 of the user B is matched with the characteristic value 2, the user B has the authority of the service 2 and the service 3, wherein the service 2 calls the service 1, the service 3 and the service 4 when executed, and the service 3 calls the service 3 and the service 4 when executed.
S30: when the user accesses a business, displaying the businesses available to the user according to the business authority list, determining from the business information body the access policy of each service under the business, and having the business call the corresponding service according to that access policy.
For example, the operation interface has an "open credit card" button, and opening a credit card requires a credit score above a certain value. The button can therefore only be clicked by a user holding the business authority for opening a credit card (otherwise the click has no effect), and whether the button can be clicked is controlled by checking whether the user's business authority list contains the business information body of the business to which the button belongs. If it does, the user holds the business authority for the button. Because the business, not the button, is the authority object, the same check applies when the business is invoked at the back end; a disabled button on its own is not a security control.
The access policy means that the business calls different services according to different access policies, and the business processing logic performs logic control according to the content of the access policy. In the strategy pattern, each algorithm or behaviour is encapsulated in a class; one class corresponds to one service, and the policy class of each service is listed in the business authority list. When the business submits data, for example in the scan business, the corresponding service name is looked up at the back end according to the access policy, the specific policy class is obtained, and the business flow is completed using that class's algorithm or mode as the business requires.
For example, from the business information body above the association between a service, its service address and its service rule can be read off: "demo.
From this association, when the service address /app/service/foo is accessed within business demo.biz1, the rule to apply is rule1. So, when /app/service/foo is accessed by a user who holds the authority for business demo.biz1, the rule name rule1 is passed into the business code, which branches on the rule name. The pseudocode of this control logic is:

```
if (ruleName == 'rule1') {
    // logic for rule1
} else if (ruleName == 'rule2') {
    // another logic, for rule2
}
```
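As an added example (not code from the patent), the following Python models a business information body with its back-end service items and replaces the if/else chain above with a strategy-pattern registry keyed by rule name, so that an unknown rule name fails closed instead of falling through. The business code demo.biz1, the address /app/service/foo and the rule names rule1 and rule2 come from the page; the second service and its address, the field layout and what each rule actually checks are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class BackendService:
    """One back-end service item of a business information body."""
    ref: str   # service identifier (refs)
    uri: str   # request address (uri)
    rule: str  # rule name that selects the access policy (rule)


@dataclass(frozen=True)
class BusinessBody:
    """Business information body: code, name, description and service items."""
    id: str
    name: str
    description: str
    services: List[BackendService] = field(default_factory=list)

    def service_for(self, uri: str) -> BackendService:
        for svc in self.services:
            if svc.uri == uri:
                return svc
        raise KeyError(f"{uri} is not a service of business {self.id}")


class AccessPolicy:
    """Strategy interface: one class per rule name."""
    name = ""

    def apply(self, payload: dict) -> dict:
        raise NotImplementedError


class Rule1(AccessPolicy):
    """Assumed rule1: only the image field is forwarded to the back end."""
    name = "rule1"

    def apply(self, payload: dict) -> dict:
        if "image" not in payload:
            raise ValueError("rule1 requires an image")
        return {"policy": self.name, "forward": {"image": payload["image"]}}


class Rule2(AccessPolicy):
    """Assumed rule2: text plus a target language, text capped at 4 KiB."""
    name = "rule2"

    def apply(self, payload: dict) -> dict:
        text, lang = payload.get("text", ""), payload.get("lang")
        if not text or lang is None or len(text) > 4096:
            raise ValueError("rule2 requires text (<= 4 KiB) and lang")
        return {"policy": self.name, "forward": {"text": text, "lang": lang}}


# Registry keyed by rule name; an unknown rule fails closed instead of
# silently falling through an else branch.
POLICIES: Dict[str, AccessPolicy] = {p.name: p for p in (Rule1(), Rule2())}

# Constructed business body: demo.biz1, /app/service/foo and rule1 are from
# the page; the second service and its address are assumptions.
DEMO_BIZ1 = BusinessBody(
    id="demo.biz1", name="scan", description="scan a document",
    services=[BackendService("image-recognition", "/app/service/foo", "rule1"),
              BackendService("text-translation", "/app/service/bar", "rule2")],
)


def invoke(body: BusinessBody, uri: str, payload: dict, granted: Set[str]) -> dict:
    """Call a service of `body` for a user whose business authority list is
    `granted`. The business, not the URI, is the authority object, so one
    check guards every service the business calls."""
    if body.id not in granted:
        raise PermissionError(f"no authority for business {body.id}")
    svc = body.service_for(uri)
    policy = POLICIES.get(svc.rule)
    if policy is None:
        raise LookupError(f"no policy class registered for rule {svc.rule}")
    result = policy.apply(payload)
    result["service"] = svc.ref
    return result
```

The authority check runs before the policy lookup: a user who does not hold the business cannot reach any of its services, and a rule name with no registered class raises rather than executing a default branch.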
Furthermore, the authorization rule list also carries a priority for each authority. For the same business, if several pieces of authority information are found in the authorization rule list for the feature information, the authority with the highest priority is taken as the user's authority for that business. If the priorities are equal and the number of deny authorities is greater than or equal to the number of allow authorities, the business is denied; otherwise it is allowed.
Specifically, an example is shown in table 4.

TABLE 4

| User | Feature information | Matched feature value | Authority | Priority | Business |
|---|---|---|---|---|---|
| User B | general manager + 45 years old | older than 30 + general manager | Allow | 1 | Business A |
| User B | 1 year of experience | no matching feature value | Deny | 2 | Business A |
| User B | male + 45 years old | male + older than 40 | Allow | 2 | Business A |

As table 4 shows, three authorities for business A are found for user B; priority 1 is higher than priority 2, so user B holds the authority for business A. If user B's feature information had found only the lower two rows of table 4, one allow and one deny at the same priority, the deny would prevail.
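As an added example (not the patent's code), the following Python carries steps S21 to S23 and the priority rule through on a constructed rule list: identity fields are combined from C(n,1) up to C(n,m), each combination is matched against rules whose feature type is exactly that field set, and per business the highest priority wins, with deny prevailing at a tie. The rules follow tables 2 and 4; the "experience < 2 → deny" rule standing in for the unmatched experience row of table 4, the operator encoding and the field names are assumptions.

```python
from itertools import combinations
from typing import Any, Dict, List, Tuple

Identity = Dict[str, Any]
Cond = Tuple[str, Any]   # (operator, value), e.g. (">", 30)
Rule = Dict[str, Any]    # keys: business, conditions, decision, priority

OPS = {
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


def feature_sets(identity: Identity, m: int = 0) -> List[Tuple[str, ...]]:
    """S21: every combination of 1..m identity fields, C(n,1) through C(n,m).
    m defaults to n, so the full chain up to C(n,n) is produced."""
    keys = sorted(identity)
    n = len(keys)
    m = n if m <= 0 else min(m, n)
    return [c for k in range(1, m + 1) for c in combinations(keys, k)]


def rule_matches(rule: Rule, feature: Tuple[str, ...], identity: Identity) -> bool:
    """S22: a rule's feature type is the set of fields it constrains; it matches
    a combination only when the field sets are identical and every condition
    holds on the user's values."""
    conds: Dict[str, Cond] = rule["conditions"]
    if set(conds) != set(feature):
        return False
    return all(OPS[op](identity[f], v) for f, (op, v) in conds.items())


def resolve(found: List[Tuple[str, int]]) -> str:
    """Conflict rule: highest priority (smallest number) wins; at equal
    priority, deny if denies >= allows."""
    top = min(p for _, p in found)
    at_top = [d for d, p in found if p == top]
    denies = at_top.count("deny")
    return "deny" if denies >= len(at_top) - denies else "allow"


def business_decisions(identity: Identity, rules: List[Rule], m: int = 0) -> Dict[str, str]:
    """Decision per business for which at least one rule matched."""
    found: Dict[str, List[Tuple[str, int]]] = {}
    for feature in feature_sets(identity, m):
        for rule in rules:
            if rule_matches(rule, feature, identity):
                found.setdefault(rule["business"], []).append((rule["decision"], rule["priority"]))
    return {biz: resolve(hits) for biz, hits in found.items()}


def business_authority_list(identity: Identity, rules: List[Rule], m: int = 0) -> List[str]:
    """S23: the user's business authority list, i.e. businesses resolved to allow."""
    return sorted(b for b, d in business_decisions(identity, rules, m).items() if d == "allow")


# Constructed authorization rule list following tables 2 and 4 (assumed encoding).
RULES: List[Rule] = [
    {"business": "business A", "conditions": {"age": (">", 30), "role": ("==", "general manager")},
     "decision": "allow", "priority": 1},
    {"business": "business A", "conditions": {"experience": ("<", 2)},
     "decision": "deny", "priority": 2},
    {"business": "business A", "conditions": {"gender": ("==", "male"), "age": (">", 40)},
     "decision": "allow", "priority": 2},
    {"business": "business D", "conditions": {"age": (">", 30), "role": ("==", "general manager")},
     "decision": "allow", "priority": 1},
    {"business": "business E", "conditions": {"age": (">", 40), "role": ("==", "project manager")},
     "decision": "allow", "priority": 1},
]

# Constructed identity for user B of table 4.
USER_B: Identity = {"role": "general manager", "age": 45, "gender": "male", "experience": 1}
```

With the full chain (m = n) user B's {age, role} combination matches the priority-1 allow for business A, so the priority-2 deny on experience is overridden; an identity without the role field only reaches the two priority-2 rows and is denied at the tie, which is the second case described under table 4. Capping m at 1 also denies, since no two-field combination is generated, so the choice of m is itself a security parameter.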
Furthermore, feature types and at least one corresponding feature value are added as business requirements dictate, business authority is set for the feature values, and the authorization rule list is updated. For example, if a new requirement is that business A may not be used by anyone older than 25, the corresponding authority setting is added to the authorization rule list, as in table 5.

TABLE 5

| Resource identifier | Feature type | Feature value | Behaviour | Priority |
|---|---|---|---|---|
| Business A | role | branch manager | Allow | 1 |
| Business A | department & role | 057 & branch manager | Deny | 2 |
| Business A | gender & age | male & 29 | Deny | 2 |
| Business A | age | > 25 | Deny | 2 |
Further, each feature value is compared with the personnel information base, and if the feature value is invalid the system automatically prompts for the feature value to be modified, where an invalid feature value is one that has no matching entry in the personnel information base.
For example, because staff turnover is high, the authorization rule list set up initially may no longer fit after staff changes: position and department may be unchanged, but the gender and age of the staff have changed. Suppose the feature value "35 years or older" carries the authority for business A. If after the staff change no user is older than 35, the corresponding entry has no match, the feature value is invalid, and a modification of the feature value is automatically prompted.
As another example, if the feature value is "older than 50 + director" and the comparison shows that the role of director no longer exists in the personnel information base, the feature value is invalid and a modification is automatically prompted.
The comparison splits a feature value into its component features: "older than 50 + director" is split into "older than 50" and "director". "Older than 50" is then compared with the age column of the personnel information base to check whether anyone is older than 50; if at least one entry satisfies the condition, that part of the feature value is valid, and if everyone is 50 or younger the part "older than 50" is invalid and a modification is prompted. Similarly "director" is compared with the position column, and that part is satisfied if the position "director" exists there. If any one of the split features is invalid, the whole feature value is invalid.
For example, suppose the first two general managers among the users were 56 and 52 years old, and the authorization rule list lists the role + age authority "older than 50 + general manager". If the general managers currently in the personnel information base are 43 and 46 years old, a modification of the feature value is automatically prompted.
Further, the feature types are updated automatically according to newly added categories of information in the personnel information base: for example, a newly added experience value category is combined with the feature types in the authorization rule list, added to the authorization rule list, and the setting of its feature values is prompted.
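As an added example (not the patent's code), the following Python implements the comparison described above against a constructed personnel information base: each feature value is split into parts, each part is checked against its own column, and any invalid part invalidates the whole value. The page checks the parts independently, which means "older than 50 + general manager" is still valid when someone over 50 and some general manager exist separately; the example in the last paragraph only triggers a prompt under the stricter joint check, so both are provided and the difference is flagged. The column names, the sample staff and the rule list are assumptions.

```python
from typing import Any, Dict, List, Tuple

Condition = Tuple[str, str, Any]   # (column, operator, value), e.g. ("age", ">", 50)
Row = Dict[str, Any]

OPS = {
    "==": lambda a, b: a == b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}

# Constructed personnel information base; column names are assumptions.
PERSONNEL: List[Row] = [
    {"name": "staff-1", "position": "general manager", "age": 43, "gender": "male", "dept": "057"},
    {"name": "staff-2", "position": "general manager", "age": 46, "gender": "female", "dept": "012"},
    {"name": "staff-3", "position": "department head", "age": 56, "gender": "male", "dept": "057"},
]


def part_valid(cond: Condition, base: List[Row]) -> bool:
    """One split-off feature is valid if some entry of its column satisfies it."""
    col, op, val = cond
    return any(col in row and OPS[op](row[col], val) for row in base)


def invalid_parts(conds: List[Condition], base: List[Row]) -> List[Condition]:
    """The page's check: each part against its own column; any invalid part
    invalidates the whole feature value."""
    return [c for c in conds if not part_valid(c, base)]


def jointly_valid(conds: List[Condition], base: List[Row]) -> bool:
    """Stricter check: a single person must satisfy every part at once."""
    return any(all(c in row and OPS[o](row[c], v) for c, o, v in conds) for row in base)


def audit_rule_list(rules: List[Tuple[str, List[Condition]]], base: List[Row],
                    joint: bool = False) -> List[Tuple[str, str]]:
    """Return (business, reason) for every feature value that should be modified."""
    findings = []
    for biz, conds in rules:
        bad = invalid_parts(conds, base)
        if bad:
            detail = ", ".join(f"{c} {o} {v}" for c, o, v in bad)
            findings.append((biz, "no match in personnel base for " + detail))
        elif joint and not jointly_valid(conds, base):
            findings.append((biz, "no single person satisfies all parts"))
    return findings


def new_feature_types(base: List[Row], known: List[str]) -> List[str]:
    """Columns of the personnel base that the rule list has no feature type for."""
    cols = set().union(*(row.keys() for row in base)) - {"name"}
    return sorted(cols - set(known))


# Constructed rule list: business B is the "older than 50 + general manager"
# case of the text, business C refers to a position that no longer exists.
RULE_LIST: List[Tuple[str, List[Condition]]] = [
    ("business A", [("age", ">=", 35)]),
    ("business B", [("age", ">", 50), ("position", "==", "general manager")]),
    ("business C", [("age", ">", 50), ("position", "==", "director")]),
]
```

Running `audit_rule_list(RULE_LIST, PERSONNEL)` flags only business C, because the 56-year-old department head satisfies the age part of business B on its own; `joint=True` also flags business B, matching the 43- and 46-year-old general managers example. A deployment that relies on the per-part check should be aware that it validates the existence of each attribute value, not the existence of anyone the rule could actually match.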
Fig. 3 is a schematic functional module diagram of an embodiment of a service system permission control apparatus according to the present invention.
The service system authority control device 100 of the present invention may be installed in an electronic device. According to the implemented functions, the service system authority control device 100 may include a service information body construction module 101, a service authority list construction module 102, and a service execution module 103, where the module of the present invention refers to a series of computer program segments that can be executed by a processor of an electronic device and can perform fixed functions, and the computer program segments are stored in a memory of the electronic device.
In the present embodiment, the functions of the modules are as follows:
the service information body construction module 101 is configured to acquire service related information to form a service information body, where the service related information includes a service code, a service description, and a backend service item, and the backend service item includes a service identifier and an access policy.
Specifically, there are a service code, a service name, and a service description describing the current completion in the development document. The development document also describes which services are used, i.e. the service identification, and the access policy includes what the service address of each service is and the service rules for using this service. As shown in table 1, the service 1 may be a scan, which includes at least two services, such as a scanned image recognition service and a scanned text translation service. Each service is associated with a request address for using the service, so that the service can be executed by establishing contact with the backend through the request address.
The following code is in the form of a service body,
service 1 describes:
wherein id represents service code, name represents service name, refs represents service identification, uri represents service address, rule represents service rule,
and the service authority list building module 102 is configured to build authority association between each service information body and the user to form a service authority list.
Therefore, after the user logs in, the user can have the service authority list corresponding to the user in the login state. The service authority refers to the authority for controlling and using the service system, and includes the authority for adding, deleting, modifying, updating, ordering, using and the like to the service system.
The service authority list building module 102 includes a feature information forming unit 1021 for obtaining the identity information of the user and performing the operation according to the identity informationToAnd combining to form the characteristic information, wherein n and m are integers more than 0, and m is less than or equal to n.
The identity information may include name, age, gender, position, department number, and user account. Combining the identity information means that it is first combined one item at a time to form characteristic information, namely name, age, gender, position, department number, user account. It is then combined two items at a time to form characteristic information such as {name, age}, {name, gender}, {name, position}, {name, department number}, and so on, until the combination of all items forms the characteristic information {name, age, gender, position, department number, user account}. In this way characteristic information containing different identity information is formed. Different combinations of one user's identity information can correspond to the authorities of different service systems, so the user can hold the authority of different service systems according to different characteristic information. For example, one piece of characteristic information of an employee may give that employee more rights in one business system, while another piece of the employee's characteristic information gives fewer rights in another business system.
Further, the identity information may also include experience values, which may be, for example, working years or project experience: how many years the user has worked and how many related projects the user has participated in. For example, a project management system may not allow users with less than 2 years of project experience to access the services of the supply chain management module. By setting the experience value in the authorization rule list described below, the user's business rights can be restricted based on a combination of the experience value and other identity information.
The service authority list building module 102 includes a feature value matching unit 1022, configured to obtain an authorization rule list, search a feature value matched with the authorization rule list according to the feature information, and determine a service authority corresponding to the feature information according to the feature value, where the authorization rule list includes feature types and at least one feature value corresponding to each feature type, and a service authority is set corresponding to each feature value.
Specifically, different feature values are set in the authorization rule list according to various feature types, and the same or different service permissions are respectively set corresponding to the different feature values.
In table 2, service A is provided with feature values corresponding to different feature types. For example, the feature type "role" may have the feature values department leader, division leader, main director, secretary, general manager, and so on, and different authorities are set for the different roles. In addition, combinations of identity information correspond to combined feature types, which take multiple forms, and feature values are set for each combined form. For example, age + role is a feature type with two feature values: one is "greater than 40 years + project manager", that is, a user older than 40 who is a project manager has the right to service E; the other is "greater than 30 years + general manager", that is, a general manager older than 30 has the right to service D.
After the characteristic information of the user is calculated through the identity information of the user, various service authorities corresponding to the characteristic information can be searched in the authorization rule list by utilizing the characteristic information.
The service authority list building module 102 includes a service authority list generating unit 1023, which is used for generating a service authority list according to the service authority corresponding to the feature information by combining with the service information body.
Specifically, the service authority list holds all service authorities owned by the user. As can be seen from table 3, among the combinations of user B's identity information, two pieces of characteristic information, "general manager + 45 years old" and "male + 5 years of work + 50", have matching characteristic values, so user B is determined to have the authority of service D and service F according to the matched characteristic values.
The association among the service, the backend services and the user can be established through the service authority list. As shown in fig. 2, if characteristic information 2 of user A matches characteristic value 1, user A has the authority of service 1, and accordingly service 1 invokes backend service 1, service 2, and service 3 when executed. If characteristic information 6 of user B matches characteristic value 2, user B has the authority of service 2 and service 3, where service 2 calls backend service 1, service 3 and service 4 when executed, and service 3 calls backend service 3 and service 4 when executed.
And the service execution module 103 is configured to, when a user accesses a service, display the services corresponding to the user according to the service authority list, determine the access policy of the backend services under that service according to the service information body, and have the service invoke the corresponding backend service according to the access policy.
For example, the operation interface has a button of "open credit card", and opening the credit card requires the credit score to reach a certain value to have the authority of opening the credit card. Therefore, the button can be clicked only by the user with the service authority for opening the credit card (otherwise, the click has no effect), and the method for controlling whether the button can be clicked is to judge whether the service authority list of the user contains the service information body corresponding to the service to which the button belongs. If so, the user has the service authority of the button.
The access policy means that the service calls different backend services according to different access policies, and the service processing logic can perform logic control according to the content of the access policy. In the access policy, each algorithm or behavior is encapsulated into a class following the strategy pattern (policy mode); one class is one backend service, and the policy class corresponding to each backend service is listed in the service authority list. When the service submits data, for example a scan, the corresponding service name is looked up at the back end according to the access policy, the specific policy class is obtained, and the service flow is completed by using the algorithm or mode in that class according to the service requirement.
For example, the service information body mentioned above can obtain the association relationship between the service and the service address and the service rule, "demo.
As can be seen from the above association, when the service address /app/service/foo is accessed in service demo.biz1, the rule that should be used is rule1. Then, when /app/service/foo is accessed by a user who has the right to use service demo.biz1, the rule name rule1 is passed into the service code, and the service code performs logic control according to the rule name. The pseudo code of the logic control is as follows:
if (ruleName == 'rule1') {
    // one logic
} else if (ruleName == 'rule2') {
    // another logic
}
Further, the system further includes a priority comparison module 104, configured to, according to the priority of the authorities set in the authorization rule list, handle the case where multiple pieces of authority information are found in the authorization rule list for the same service according to the feature information: the authority with the higher priority is used as the user's authority for the service. If the priorities are the same, and the number of forbidden authorities is greater than or equal to the number of allowed authorities, the authority for the service is forbidden; otherwise, it is allowed.
Specifically, the examples are shown in table 4.
As in table 4 above, 3 service authorities are found for user B, and priority 1 is higher than priority 2, so user B has the authority of service A. If the feature information of user B only matched the lower two rows of table 4, one allowed and the other forbidden, the forbidden authority would prevail.
Further, the system further comprises a characteristic value prompting module 105, configured to compare the characteristic value with the personnel information base, and if the characteristic value is invalid, automatically prompt to modify the characteristic value, where the invalid characteristic value means that the characteristic value does not have a corresponding matching item in the personnel information base.
For example, because of high staff turnover, the initially set authorization rule list may no longer fit after personnel are replaced: the position and department information may be unchanged, but the gender and age of the staff change. For example, the authorization rule list has the characteristic value "35 years or more" with the authority of service A. After personnel are replaced, if no user is older than 35, no corresponding item is matched, the characteristic value is invalid, and modification of the characteristic value is automatically prompted.
For example, the feature value is "greater than 50 years + director", but through comparison, if the role of director is found to be unavailable in the staff information base, the feature value is invalid, and modification of the feature value is automatically prompted.
The comparison means that the feature value is split into several features. For example, "more than 50 years old + director" is split into "more than 50 years old" and "director". Then "more than 50 years old" is compared with the age column of the staff information base to check whether anyone older than 50 exists; if at least one person satisfies it, this part of the feature value is considered valid, and if no one is older than 50, the part "more than 50 years old" is invalid and modification of the feature value is automatically prompted. Likewise, "director" is compared with the position column, and if that column contains the position "director", this part of the feature value is satisfied. As long as one of the split features is invalid, the entire feature value is invalid.
For example, the two general managers among the users were originally 56 and 52 years old, and the authority listed in the authorization rule list for role + age is "greater than 50 + general manager". If the staff information base now shows that the general managers are 43 and 46 years old, modification of the characteristic value is automatically prompted.
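As an added example (not the patent's own code), the following Python models the modules described above end to end: unit 1021's attribute combinations, unit 1022's rule matching, module 104's priority and tie resolution, module 103's button check and rule-name lookup, and module 105's validity check of feature values against the personnel base. All services, rules and personnel records are constructed sample data, and the condition syntax (a plain key for equality, a `_min` suffix for a lower bound) is an assumption of this example.

```python
from itertools import combinations
from typing import Any, Dict, List, Tuple

# Constructed sample data in the shape of the patent's tables 1 to 4 (not the
# patent's own listings). A feature value is a set of per-attribute conditions:
# a plain key means an exact match, a "<attr>_min" key means "<attr> >= value".
SERVICE_BODIES = {
    "A": {"id": "A", "name": "audit", "refs": [{"uri": "/app/service/foo", "rule": "rule1"}]},
    "D": {"id": "D", "name": "approve", "refs": [{"uri": "/app/service/bar", "rule": "rule2"}]},
    "E": {"id": "E", "name": "budget", "refs": [{"uri": "/app/service/baz", "rule": "rule1"}]},
}
RULES = [  # authorization rule list; a lower priority number ranks higher
    {"service": "D", "feature_value": {"role": "general manager", "age_min": 30}, "effect": "allow", "priority": 1},
    {"service": "E", "feature_value": {"role": "project manager", "age_min": 40}, "effect": "allow", "priority": 1},
    {"service": "A", "feature_value": {"age_min": 35}, "effect": "allow", "priority": 2},
    {"service": "A", "feature_value": {"department": "finance"}, "effect": "deny", "priority": 2},
    {"service": "A", "feature_value": {"gender": "male", "experience_min": 5}, "effect": "allow", "priority": 1},
    {"service": "F", "feature_value": {"role": "general manager", "age_min": 50}, "effect": "allow", "priority": 1},
    {"service": "G", "feature_value": {"role": "director"}, "effect": "deny", "priority": 1},
]
PERSONNEL = [  # personnel information base (constructed)
    {"name": "B", "age": 45, "gender": "male", "role": "general manager", "department": "finance", "experience": 5},
    {"name": "C", "age": 36, "gender": "female", "role": "clerk", "department": "finance", "experience": 2},
    {"name": "P", "age": 41, "gender": "male", "role": "project manager", "department": "ops", "experience": 8},
]

def _attr(key: str) -> str:
    """Identity attribute named by a condition key ("age_min" -> "age")."""
    return key[:-4] if key.endswith("_min") else key

def _cond_ok(key: str, want: Any, record: Dict[str, Any]) -> bool:
    """One part of a feature value checked against one record."""
    attr = _attr(key)
    if attr not in record:
        return False
    return record[attr] >= want if key.endswith("_min") else record[attr] == want

def feature_infos(identity: Dict[str, Any], m: int) -> List[Dict[str, Any]]:
    """Unit 1021: combine the identity attributes 1, 2, ... up to m at a time."""
    keys = sorted(identity)
    return [{k: identity[k] for k in combo}
            for size in range(1, min(m, len(keys)) + 1)
            for combo in combinations(keys, size)]

def matched_rules(identity: Dict[str, Any], m: int, rules=RULES) -> List[Dict[str, Any]]:
    """Unit 1022: a rule matches when its feature type equals one of the user's
    combinations and every condition of its feature value holds for it."""
    found = []
    for info in feature_infos(identity, m):
        for rule in rules:
            fv = rule["feature_value"]
            if {_attr(k) for k in fv} == set(info) and all(_cond_ok(k, v, info) for k, v in fv.items()):
                found.append(rule)
    return found

def resolve(found: List[Dict[str, Any]]) -> Dict[str, str]:
    """Module 104: keep the highest priority per service; on a tie forbid when
    forbids >= allows, otherwise allow."""
    decision = {}
    for svc in {r["service"] for r in found}:
        rows = [r for r in found if r["service"] == svc]
        top = min(r["priority"] for r in rows)
        rows = [r for r in rows if r["priority"] == top]
        denies = sum(r["effect"] == "deny" for r in rows)
        decision[svc] = "deny" if denies >= len(rows) - denies else "allow"
    return decision

def service_authority_list(identity: Dict[str, Any], m: int, rules=RULES, bodies=SERVICE_BODIES):
    """Unit 1023: the allowed services joined with their service information bodies."""
    decision = resolve(matched_rules(identity, m, rules))
    return [bodies[s] for s in sorted(decision) if decision[s] == "allow" and s in bodies]

def can_click(auth_list, service_id: str) -> bool:
    """Module 103: a button is usable only if its service body is in the user's list."""
    return any(body["id"] == service_id for body in auth_list)

def access_rule(auth_list, service_id: str, uri: str):
    """Module 103: the rule name the service passes on when calling a service address."""
    for body in auth_list:
        if body["id"] == service_id:
            for ref in body["refs"]:
                if ref["uri"] == uri:
                    return ref["rule"]
    return None  # no authority for that service, or unknown address

def invalid_feature_values(personnel=PERSONNEL, rules=RULES) -> List[Tuple[str, str, Any]]:
    """Module 105: split each feature value into parts and check every part on its
    own against the personnel base; one part matching nobody invalidates the value."""
    invalid = []
    for rule in rules:
        for key, want in rule["feature_value"].items():
            if not any(_cond_ok(key, want, person) for person in personnel):
                invalid.append((rule["service"], key, want))
                break
    return invalid
```

With m = 6 user B wins service A through the priority-1 rule, while with m = 1 only the two tied priority-2 rows match and the forbid prevails; the validity check flags the "greater than 50 + general manager" and "director" values that no current staff member satisfies.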
Further, the system further comprises a feature type updating module 106, configured to automatically update the feature types according to newly added category information in the personnel information base. For example, when the category "experience value" is newly added to the personnel information base, the new category is combined with the feature types in the authorization rule list, added to the authorization rule list, and the user is prompted to set its feature values.
Fig. 4 is a schematic structural diagram of an embodiment of an electronic device implementing a method for controlling service system permissions according to the present invention.
The electronic device 1 may comprise a processor 10, a memory 11 and a bus, and may further comprise a computer program, such as a business system entitlement control program 12, stored in the memory 11 and executable on the processor 10.
The memory 11 includes at least one type of readable storage medium, which includes flash memory, removable hard disk, multimedia card, card-type memory (e.g., SD or DX memory, etc.), magnetic memory, magnetic disk, optical disk, etc. The memory 11 may in some embodiments be an internal storage unit of the electronic device 1, such as a removable hard disk of the electronic device 1. The memory 11 may also be an external storage device of the electronic device 1 in other embodiments, such as a plug-in mobile hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), and the like, which are provided on the electronic device 1. Further, the memory 11 may also include both an internal storage unit and an external storage device of the electronic device 1. The memory 11 may be used not only to store application software installed in the electronic device 1 and various types of data, such as codes of service system authority control programs, etc., but also to temporarily store data that has been output or is to be output.
The processor 10 may be composed of an integrated circuit in some embodiments, for example, a single packaged integrated circuit, or may be composed of a plurality of integrated circuits packaged with the same or different functions, including one or more Central Processing Units (CPUs), microprocessors, digital processing chips, graphics processors, and combinations of various control chips. The processor 10 is the control unit of the electronic device; it connects the various components of the electronic device by using various interfaces and lines, and executes the various functions and processes the data of the electronic device 1 by running or executing programs or modules (e.g., the service system authority control program) stored in the memory 11 and calling data stored in the memory 11.
The bus may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. The bus is arranged to enable connection communication between the memory 11 and at least one processor 10 or the like.
Fig. 4 only shows an electronic device with components, and it will be understood by those skilled in the art that the structure shown in fig. 4 does not constitute a limitation of the electronic device 1, and may comprise fewer or more components than those shown, or some components may be combined, or a different arrangement of components.
For example, although not shown, the electronic device 1 may further include a power supply (such as a battery) for supplying power to each component, and optionally, the power supply may be logically connected to the at least one processor 10 through a power management device, so as to implement functions of charge management, discharge management, power consumption management, and the like through the power management device. The power supply may also include any component of one or more dc or ac power sources, recharging devices, power failure detection circuitry, power converters or inverters, power status indicators, and the like. The electronic device 1 may further include various sensors, a bluetooth module, a Wi-Fi module, and the like, which are not described herein again.
Further, the electronic device 1 may further include a network interface, and optionally, the network interface may include a wired interface and/or a wireless interface (such as a WI-FI interface, a bluetooth interface, etc.), which are generally used for establishing a communication connection between the electronic device 1 and other electronic devices.
Optionally, the electronic device 1 may further comprise a user interface, which may be a Display (Display), an input unit (such as a Keyboard), and optionally a standard wired interface, a wireless interface. Alternatively, in some embodiments, the display may be an LED display, a liquid crystal display, a touch-sensitive liquid crystal display, an OLED (Organic Light-Emitting Diode) touch device, or the like. The display, which may also be referred to as a display screen or display unit, is suitable for displaying information processed in the electronic device 1 and for displaying a visualized user interface, among other things.
It is to be understood that the described embodiments are for purposes of illustration only and that the scope of the appended claims is not limited to such structures.
The service system entitlement control program 12 stored in the memory 11 of the electronic device 1 is a combination of instructions that, when executed in the processor 10, enable:
s10, obtaining service related information to form a service information body, wherein the service related information comprises a service code, a service description and a back-end service item, and the back-end service item comprises a service identifier and an access strategy;
s20, establishing authority association between each service information body and the user to form a service authority list;
s30, when the user accesses the service, the service corresponding to the user is displayed according to the service authority list, the access strategy of the service under the accessed service is determined according to the service information body, and the accessed service calls the corresponding service according to the access strategy.
The specific operation flow is that of the service system permission control method shown in fig. 1; refer to the description of the service system permission control method shown in fig. 1, which is not repeated here.
Further, the integrated modules of the electronic device 1 may be stored in a computer-readable storage medium if they are implemented in the form of software functional units and sold or used as independent products. The computer-readable medium may include: any entity or device capable of carrying said computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM).
In the embodiments provided by the present invention, it should be understood that the disclosed apparatus, device and method can be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the modules is only one logical functional division, and other divisions may be realized in practice.
The modules described as separate parts may or may not be physically separate, and parts displayed as modules may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
In addition, functional modules in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional module.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof.
The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference signs in the claims shall not be construed as limiting the claim concerned.
Finally, it should be noted that the above embodiments are only for illustrating the technical solutions of the present invention and not for limiting, and although the present invention is described in detail with reference to the preferred embodiments, it should be understood by those skilled in the art that modifications or equivalent substitutions may be made on the technical solutions of the present invention without departing from the spirit and scope of the technical solutions of the present invention.
Claims (10)
1. A service system authority control method is characterized by comprising the following steps:
acquiring service related information to form a service information body, wherein the service related information comprises a service code, a service description and a back-end service item, and the back-end service item comprises a service identifier and an access strategy;
establishing authority association between each service information body and a user to form a service authority list;
when a user accesses the service, the service corresponding to the user is displayed according to the service authority list, the access strategy of the service under the accessed service is determined according to the service information body, and the accessed service calls the corresponding service according to the access strategy.
2. The service system authority control method according to claim 1, wherein said establishing authority association between each service information body and the user to form a service authority list comprises:
obtaining the identity information of the user and combining the identity information, taking from one up to m items at a time, to form characteristic information, wherein n and m are integers greater than 0, and m is less than or equal to n;
acquiring an authorization rule list, searching matched characteristic values in the authorization rule list according to the characteristic information, and determining service authority corresponding to the characteristic information according to the characteristic values, wherein the authorization rule list comprises characteristic types and at least one characteristic value corresponding to each characteristic type, and service authority is set corresponding to each characteristic value;
and generating a service authority list by combining the service information body according to the service authority corresponding to the characteristic information.
3. The business system privilege control method of claim 2, wherein the identity information comprises name, age, gender, job title, department number, user account, experience value.
4. The method as claimed in claim 2, wherein if multiple pieces of authorization information for the same service are found in the authorization rule list according to the feature information, the authorization with the highest priority is used as the user's authorization for the service, and if the priorities are the same, the authorization for the service is prohibited when the number of prohibited permissions is greater than or equal to the number of allowed permissions, and otherwise the authorization for the service is allowed.
5. The business system entitlement control method of claim 2, wherein the access policy refers to encapsulating an algorithm or a behavior into a class in a policy mode (strategy pattern).
6. The business system entitlement control method of claim 2,
and comparing the characteristic value in the authorization rule list with the data of the personnel information base, and prompting to modify the characteristic value if the characteristic value is invalid, wherein the invalid characteristic value means that the characteristic value does not have a corresponding coincidence item in the personnel information base.
7. The business system entitlement control method of claim 2,
and combining the newly added category information of the personnel information base with the characteristic types in the authorization rule list and adding the combined category information into the authorization rule list.
8. A business system entitlement control device, characterized in that said device comprises:
the service information body construction module is used for acquiring service related information to form a service information body, wherein the service related information comprises a service code, a service description and a back-end service item, and the back-end service item comprises a service identifier and an access strategy;
the service authority list building module is used for building authority association between each service information body and a user to form a service authority list;
and the service execution module is used for displaying the service corresponding to the user according to the service authority list when the user accesses the service, determining the access strategy of the service under the accessed service according to the service information body, and calling the corresponding service by the accessed service according to the access strategy.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform a business system entitlement control method in accordance with any one of claims 1 to 7.
10. A computer-readable storage medium, storing a computer program, wherein the computer program, when executed by a processor, implements the business system entitlement control method of any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011564908.7A CN112632578B (en) | 2020-12-25 | 2020-12-25 | Business system authority control method and device, electronic equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112632578A true CN112632578A (en) | 2021-04-09 |
CN112632578B CN112632578B (en) | 2024-05-17 |
Family
ID=75325024
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011564908.7A Active CN112632578B (en) | 2020-12-25 | 2020-12-25 | Business system authority control method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112632578B (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113190829A (en) * | 2021-05-18 | 2021-07-30 | 京东数科海益信息科技有限公司 | Authority data identification method, device, equipment and medium |
CN114066660A (en) * | 2021-11-20 | 2022-02-18 | 北京优全智汇信息技术有限公司 | Insurance client resource development management system and management method |
CN114595484A (en) * | 2022-05-10 | 2022-06-07 | 上海柯林布瑞信息技术有限公司 | Page permission control method and device |
WO2023221920A1 (en) * | 2022-05-16 | 2023-11-23 | 卡奥斯工业智能研究院(青岛)有限公司 | Access relationship establishment method and apparatus, electronic device, and storage medium |
CN117633766A (en) * | 2024-01-25 | 2024-03-01 | 北京谷器数据科技有限公司 | Service data authority granting method based on tree structure |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1967560A (en) * | 2006-11-09 | 2007-05-23 | 华为技术有限公司 | Controlling method of business operations competence and generating method of relational database |
CN104967620A (en) * | 2015-06-17 | 2015-10-07 | 中国科学院信息工程研究所 | An Access Control Method Based on Attribute Access Control Policy |
CN109670768A (en) * | 2018-09-27 | 2019-04-23 | 深圳壹账通智能科技有限公司 | Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain |
CN110727929A (en) * | 2019-10-12 | 2020-01-24 | 北京明略软件系统有限公司 | AOP-based line-level authority control method, device and client |
CN110866243A (en) * | 2019-10-25 | 2020-03-06 | 北京达佳互联信息技术有限公司 | Login authority verification method, device, server and storage medium |
US20200097673A1 (en) * | 2018-09-26 | 2020-03-26 | Fu Tai Hua Industry (Shenzhen) Co., Ltd. | Data privilage control method and system |
CN111191221A (en) * | 2019-12-30 | 2020-05-22 | 腾讯科技(深圳)有限公司 | Method and device for configuring authority resources and computer readable storage medium |
KR102108125B1 (en) * | 2019-04-15 | 2020-05-28 | 한국과학기술정보연구원 | A method for allocating a service and an apparatus for allocating a service |
CN111475784A (en) * | 2020-04-03 | 2020-07-31 | 深圳集智数字科技有限公司 | Authority management method and device |
-
2020
- 2020-12-25 CN CN202011564908.7A patent/CN112632578B/en active Active
Patent Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1967560A (en) * | 2006-11-09 | 2007-05-23 | 华为技术有限公司 | Controlling method of business operations competence and generating method of relational database |
CN104967620A (en) * | 2015-06-17 | 2015-10-07 | 中国科学院信息工程研究所 | An Access Control Method Based on Attribute Access Control Policy |
US20200097673A1 (en) * | 2018-09-26 | 2020-03-26 | Fu Tai Hua Industry (Shenzhen) Co., Ltd. | Data privilage control method and system |
CN109670768A (en) * | 2018-09-27 | 2019-04-23 | 深圳壹账通智能科技有限公司 | Right management method, device, platform and the readable storage medium storing program for executing in multi-service domain |
KR102108125B1 (en) * | 2019-04-15 | 2020-05-28 | 한국과학기술정보연구원 | A method for allocating a service and an apparatus for allocating a service |
CN110727929A (en) * | 2019-10-12 | 2020-01-24 | 北京明略软件系统有限公司 | AOP-based line-level authority control method, device and client |
CN110866243A (en) * | 2019-10-25 | 2020-03-06 | 北京达佳互联信息技术有限公司 | Login authority verification method, device, server and storage medium |
CN111191221A (en) * | 2019-12-30 | 2020-05-22 | 腾讯科技(深圳)有限公司 | Method and device for configuring authority resources and computer readable storage medium |
CN111475784A (en) * | 2020-04-03 | 2020-07-31 | 深圳集智数字科技有限公司 | Authority management method and device |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113190829A (en) * | 2021-05-18 | 2021-07-30 | 京东数科海益信息科技有限公司 | Authority data identification method, device, equipment and medium |
CN113190829B (en) * | 2021-05-18 | 2024-04-09 | 京东科技信息技术有限公司 | Authority data identification method, device, equipment and medium |
CN114066660A (en) * | 2021-11-20 | 2022-02-18 | 北京优全智汇信息技术有限公司 | Insurance client resource development management system and management method |
CN114595484A (en) * | 2022-05-10 | 2022-06-07 | 上海柯林布瑞信息技术有限公司 | Page permission control method and device |
WO2023221920A1 (en) * | 2022-05-16 | 2023-11-23 | 卡奥斯工业智能研究院(青岛)有限公司 | Access relationship establishment method and apparatus, electronic device, and storage medium |
CN117633766A (en) * | 2024-01-25 | 2024-03-01 | 北京谷器数据科技有限公司 | Service data authority granting method based on tree structure |
CN117633766B (en) * | 2024-01-25 | 2024-04-26 | 北京谷器数据科技有限公司 | A method for granting business data permissions based on tree structure |
Also Published As
Publication number | Publication date |
---|---|
CN112632578B (en) | 2024-05-17 |
Similar Documents
Publication | Title |
---|---|
CN112632578A (en) | Service system authority control method and device, electronic equipment and storage medium |
CN109409121B (en) | Desensitization processing method and device and server |
US7650644B2 (en) | Object-based access control |
US8234299B2 (en) | Method and system for using fine-grained access control (FGAC) to control access to data in a database |
CN1979466A (en) | Method and device for allowing multi-users to edit a shared electronic file simultaneously |
CN112417503A (en) | Post authority authorization method, device, electronic device and storage medium |
CN111931140A (en) | Authority management method, resource access control method and device and electronic equipment |
US20150254577A1 (en) | System and methods for location based management of cloud platform data |
CN113434901A (en) | Intelligent data query method and device, electronic equipment and storage medium |
US20190392657A1 (en) | Managing access control permission groups |
US9158932B2 (en) | Modeled authorization check implemented with UI framework |
CN109657177A (en) | The generation method of the page, device, storage medium and computer equipment after upgrading |
US20220086161A1 (en) | Systems and methods for access control |
WO2022005571A1 (en) | Experience for sharing computer resources and modifying access control rules using mentions |
US20070056026A1 (en) | Role-based access control management for multiple heterogeneous application components |
CN112541640A (en) | Resource authority management method and device, electronic equipment and computer storage medium |
CN111814181A (en) | System authority authorization method and device, electronic equipment and storage medium |
CN118886039B (en) | A method, device and equipment for multi-level permission control access to a large model knowledge base |
CN109815714A (en) | Rights management method, device and computer-readable storage medium |
CN103560994A (en) | Context-aware-based security access control method for RFID system |
CN114493901A (en) | Data access application processing method and device, computer equipment and storage medium |
CN114547676A (en) | Permission control method and device for application program page |
CN113434542A (en) | Data relation identification method and device, electronic equipment and storage medium |
CN115550010B (en) | Key environment access control method based on block chain |
CN116032579B (en) | An access control system and method based on ABAC model |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |