CN115758303A - Authority control method, device, equipment and storage medium - Google Patents
Publication number: CN115758303A (application CN202211663588.XA)
Authority: CN (China)
Prior art keywords: authority, identity, proxy, permission, user
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Description
Technical field
The present application relates to the field of information security, and in particular to a permission control method, apparatus, device and storage medium.
Background
Common permission management methods today include role-based access control (RBAC), which grants permissions to users indirectly: users are associated with roles, and roles are associated with permissions.
However, RBAC is limited in authorization flexibility and maintainability. If no existing role meets a particular user's permission requirements, the only option is to create a new role for that user and configure the permissions of that role one entry at a time. Permissions are therefore difficult to maintain, and it is not possible to configure them quickly and flexibly according to the differing permission requirements of individual users.
Summary of the invention
The present application provides a permission control method, apparatus, device and storage medium to address the problem described above.
In a first aspect, the present application provides a permission control method, comprising:
obtaining a proxy permission setting request sent by an entity user terminal, where the proxy permission setting request includes an individual user identifier and at least one permission set identifier, and a permission set includes at least one permission;
generating a proxy identity identifier for the individual user identifier according to the proxy permission setting request, and storing the proxy identity identifier in a database in association with the individual user identifier;
determining, according to the proxy permission setting request, the permissions of the at least one identified permission set as the permissions of the proxy identity identifier, so that the permissions of the proxy identity identifier are determined as the permissions of the individual user through the association between the proxy identity identifier and the individual user identifier.
Optionally, the permissions included in a permission set are preset as follows:
obtaining a permission set generation request sent through a permission set setting interface of the entity user terminal, and determining the at least one permission selected in the permission set setting interface, where each selected permission is among the permissions of the entity user identifier;
generating a permission set identifier and determining the selected permissions as the permissions included in that permission set.
Optionally, after determining the permissions of the at least one identified permission set as the permissions of the proxy identity identifier according to the proxy permission setting request, the method further comprises:
obtaining a proxy permission change request sent through a permission management interface of the entity user terminal, where the proxy permission change request includes a proxy identity identifier and the corresponding permission change information;
changing the permissions of the proxy identity identifier in the access control list according to the permission change information.
Optionally, the method of the first aspect further comprises:
obtaining an entity user permission change request sent through the permission management interface of the entity user terminal, where the entity user permission change request includes an entity user identifier and the corresponding permission change information;
changing the permissions of the entity user identifier in the access control list according to the permission change information.
Optionally, after determining the permissions of the at least one identified permission set as the permissions of the proxy identity identifier according to the proxy permission setting request, the method further comprises:
obtaining an access request sent by an individual user terminal;
if it is determined that the access request does not include a proxy identity identifier, performing a user-level authorization check on the access request according to the individual's general basic permissions;
if the user-level authorization check passes, performing the access operation according to the access request.
Optionally, after obtaining the access request sent by the individual user terminal, the method further comprises:
if it is determined that the access request includes a proxy identity identifier, determining the permissions of the proxy identity identifier from the access control list and performing a proxy-level authorization check on the access request according to those permissions;
if the proxy-level authorization check passes, performing the access operation according to the access request.
Optionally, the proxy permission setting request further includes an entity user identifier, and storing the proxy identity identifier in the database in association with the individual user identifier comprises:
storing the entity user identifier from the proxy permission setting request in the database in association with the proxy identity identifier;
the access request includes authorization mode information, and before performing the proxy-level authorization check on the access request according to the permissions of the proxy identity identifier, the method further comprises:
if it is determined from the authorization mode information that a second authorization check is to be performed on the access request, determining the entity user identifier associated with the proxy identity identifier;
determining the permissions of the entity user from the access control list and the entity user identifier, and performing a root-level authorization check on the access request according to the permissions of the entity user;
if the root-level authorization check passes, performing the proxy-level authorization check on the access request according to the permissions of the proxy identity identifier.
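The tiered check described in the steps above (user-level check without a proxy identity, proxy-level check with one, and a root-level check against the granting entity when the request's authorization mode asks for a second check), written out as an added Python example. This is not the patent's own code; the ACL contents, the association table, the identifiers and the fail-closed handling of a proxy identity that is not associated with the requesting user are all constructed for this example.

```python
"""Tiered authorization check for an access request (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample ACL: subject -> set of "resource:action" permissions.
ACL = {
    "user-alice":  frozenset({"profile:read"}),   # the individual's general basic permissions
    "ent-acme":    frozenset({"invoice:read", "invoice:write", "report:read"}),
    "proxy-a1":    frozenset({"invoice:read", "report:read"}),
    # a proxy that was granted a permission the entity no longer holds
    "proxy-stale": frozenset({"report:write"}),
}
# Constructed association table: proxy identity -> (individual user, entity user)
PROXIES = {
    "proxy-a1":    ("user-alice", "ent-acme"),
    "proxy-stale": ("user-alice", "ent-acme"),
}


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    permission: str                 # e.g. "invoice:read"
    proxy_id: Optional[str] = None  # present only for proxy-identity requests
    second_check: bool = False      # the request's authorization mode information


@dataclass(frozen=True)
class Decision:
    allowed: bool
    level: str      # "user", "root" or "proxy": the check that decided
    reason: str


def _holds(subject, permission):
    return permission in ACL.get(subject, frozenset())


def authorize(req):
    if req.proxy_id is None:
        # user-level check against the individual's general basic permissions
        ok = _holds(req.user_id, req.permission)
        return Decision(ok, "user", "general basic permission " + ("granted" if ok else "missing"))

    link = PROXIES.get(req.proxy_id)
    if link is None or link[0] != req.user_id:
        # an unknown proxy identity, or one not associated with the caller, fails
        # closed instead of silently falling back to a user-level check (assumption)
        return Decision(False, "proxy", "proxy identity not associated with user")
    _individual, entity = link

    if req.second_check:
        # root-level check: the entity that granted the proxy must still hold the
        # permission, so a permission revoked from the entity is revoked downstream too
        if not _holds(entity, req.permission):
            return Decision(False, "root", f"entity {entity} does not hold the permission")

    # proxy-level check against the proxy identity's ACL entry
    ok = _holds(req.proxy_id, req.permission)
    return Decision(ok, "proxy", "proxy permission " + ("granted" if ok else "missing"))
```

The `proxy-stale` entry shows why the root-level check matters: without the second check the proxy's stale grant is honoured; with it, the request is refused at the root level because the entity itself no longer holds `report:write`.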
In a second aspect, the present application provides a permission control apparatus, comprising:
an acquisition module, configured to obtain a proxy permission setting request sent by an entity user terminal, where the proxy permission setting request includes an individual user identifier and at least one permission set identifier, and a permission set includes at least one permission;
a storage module, configured to generate a proxy identity identifier for the individual user identifier according to the proxy permission setting request and to store the proxy identity identifier in a database in association with the individual user identifier;
a determination module, configured to determine, according to the proxy permission setting request, the permissions of the at least one identified permission set as the permissions of the proxy identity identifier, so that the permissions of the proxy identity identifier are determined as the permissions of the individual user through the association between the proxy identity identifier and the individual user identifier.
In a third aspect, the present application provides an electronic device, comprising: a processor, and a memory and a transceiver communicatively connected to the processor;
the memory stores computer-executable instructions, and the transceiver sends and receives data;
the processor executes the computer-executable instructions stored in the memory to implement the permission control method of any of the aspects above.
In a fourth aspect, the present application provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the permission control method of any of the aspects above.
In a fifth aspect, the present application provides a computer program product comprising computer-executable instructions which, when executed by a processor, implement the permission control method of any of the aspects above.
The permission control method, apparatus, device and storage medium provided by the present application obtain a proxy permission setting request sent by an entity user terminal, the request including an individual user identifier and at least one permission set identifier, where a permission set includes at least one permission; generate a proxy identity identifier for the individual user identifier according to the request and store it in a database in association with the individual user identifier; and determine the permissions of the identified permission set(s) as the permissions of the proxy identity identifier, so that, through the association between the proxy identity identifier and the individual user identifier, those permissions become the permissions of the individual user. Using permission sets to determine the permissions of a proxy identity allows those permissions to be set quickly and flexibly, and granting the proxy identity to an individual user to determine that user's permissions allows individual user permissions to be set quickly and flexibly as well.
Description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and, together with the description, serve to explain the principles of the present application.
FIG. 1 is a schematic diagram of a network architecture of the present application;
FIG. 2 is a flow chart of the permission control method provided in Embodiment 1 of the present application;
FIG. 3 is a flow chart of a permission control method provided in Embodiment 4 of the present application;
FIG. 4 is a schematic structural diagram of the permission control apparatus provided in Embodiment 5 of the present application;
FIG. 5 is a schematic structural diagram of the electronic device provided in Embodiment 6 of the present application.
The above drawings show specific embodiments of the present application, which are described in more detail below. The drawings and the written description are not intended to limit the scope of the inventive concept in any way, but to explain the concept of the present application to those skilled in the art by reference to specific embodiments.
Detailed description
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of apparatus and methods consistent with some aspects of the present application as detailed in the appended claims.
The terms "first", "second" and so on are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly specifying the number of the technical features indicated. In the description of the following embodiments, "a plurality of" means two or more unless otherwise specifically defined.
The prior art involved in the present invention is first described and analyzed in detail.
Because RBAC is limited in authorization flexibility and maintainability, if no existing role meets a particular user's permission requirements, changing the role's permissions directly would change the permissions of every user holding that role at the same time and cause confusion over who holds which permissions. Permissions are therefore difficult to maintain, and it is not possible to configure them quickly and flexibly according to the differing permission requirements of individual users.
The inventors found in their research that permission sets can be used to determine the permissions of a proxy identity, so that those permissions can be set quickly and flexibly, and that granting the proxy identity to an individual user lets the individual user's permissions be determined through the proxy identity, so that individual user permissions can also be set quickly and flexibly. The present application therefore provides a permission control method which, after obtaining a proxy permission setting request sent by an entity user terminal, generates a proxy identity identifier for the individual user identifier according to that request and stores the proxy identity identifier in a database in association with the individual user identifier; and determines, according to the request, the permissions of the at least one identified permission set as the permissions of the proxy identity identifier, so that the permissions of the proxy identity identifier are determined as the permissions of the individual user through the association between the proxy identity identifier and the individual user identifier.
FIG. 1 is a schematic diagram of a network architecture of the present application. As shown in FIG. 1, it includes an individual user terminal 1, an entity user terminal 2 and an electronic device 3. An individual user can perform a proxy identity application operation on the individual user terminal 1, so that the individual user terminal 1 sends a proxy identity application request to the entity user terminal 2. After receiving the proxy identity application request, if the entity user terminal 2 determines that a proxy identity is to be established for the individual user identifier, it can send a proxy permission setting request to the electronic device 3. After receiving the proxy permission setting request, the electronic device 3 can execute the permission control method to determine the permissions of the proxy identity and grant the proxy identity to the individual user, so that the permissions of the proxy identity identifier are determined as the permissions of the individual user.
In the technical solution of the present application, the collection, storage, use, processing, transmission, provision and disclosure of financial data, user data and other such information all comply with the relevant laws and regulations and do not violate public order and good morals.
The technical solution of the present application, and how it solves the technical problem above, are described in detail below with specific embodiments. The following embodiments may be combined with one another, and the same or similar concepts or processes may not be repeated in some embodiments. The embodiments of the present application are described below with reference to the accompanying drawings.
Embodiment 1
FIG. 2 is a flow chart of the permission control method provided in Embodiment 1 of the present application, which provides a permission control method for the problem described above. The method of this embodiment is applied to a permission control apparatus, which may be located in an electronic device. The electronic device may be any of various forms of digital computer, such as a laptop computer, desktop computer, workstation, personal digital assistant, server, blade server, mainframe computer or other suitable computer.
As shown in FIG. 2, the specific steps of the method are as follows:
Step S101: obtain a proxy permission setting request sent by an entity user terminal.
Step S102: generate a proxy identity identifier for the individual user identifier according to the proxy permission setting request, and store the proxy identity identifier in a database in association with the individual user identifier.
Step S103: determine, according to the proxy permission setting request, the permissions of the at least one identified permission set as the permissions of the proxy identity identifier, so that the permissions of the proxy identity identifier are determined as the permissions of the individual user through the association between the proxy identity identifier and the individual user identifier.
In this embodiment, the permissions corresponding to the proxy identity identifier are the permissions of the proxy identity.
In this embodiment, the entity user may be the manager of the accessed resource and the individual user its accessor. For example, the entity user may be an enterprise user, or an entity-level user with unique identification information, and the individual user may be a specific employee of the enterprise or an individual customer.
In this embodiment, entity users and individual users are not associated through a hierarchy or affiliation in order to constrain the individual user's permissions; instead, the entity user grants a proxy identity to the individual user and authorizes the user through that proxy identity.
The proxy permission setting request includes an individual user identifier and at least one permission set identifier, and a permission set includes at least one permission.
This embodiment does not restrict how the entity user terminal sends the proxy permission setting request. As an example, an individual user may apply to an enterprise user for a proxy identity and the corresponding permissions; after receiving the proxy identity application request, the entity user terminal can send the proxy permission setting request to the electronic device in response to the enterprise user's confirmation of that application request. Optionally, the proxy identity application request may include a description of the purpose of the proxy identity, so that the entity user can determine from that description which permissions the proxy identity needs and thus which permission set identifier(s) to place in the proxy permission setting request.
As another example, the entity user terminal may send the proxy permission setting request to the electronic device in response to a proxy identity granting operation by the entity user: the entity user selects at least one permission set identifier in order to generate a proxy identity for the individual user and to make the permissions of the selected set(s) the permissions of that proxy identity, and after the entity user triggers the confirm control, the entity user terminal sends the proxy permission setting request, including the individual user identifier and the at least one permission set identifier, to the electronic device.
In this embodiment, a proxy identity identifier is generated for the individual user identifier according to the proxy permission setting request and stored in the database in association with the individual user identifier, so that a proxy identity exists for the individual user identifier and the individual user can use that proxy identity to access resources with the proxy identity's permissions.
In this embodiment, at least one permission set can be set up in advance; by selecting at least one permission set, the entity user causes the electronic device to determine the permissions of the identified permission set(s) as the permissions of the proxy identity identifier, so that the permissions of the proxy identity identifier are determined as the permissions of the individual user through the association between the proxy identity identifier and the individual user identifier.
Optionally, the proxy permission setting request may also include a description of the purpose of the proxy identity, so that when a user needs to access a resource, the proxy identity to select can be determined from that description.
The permission control method provided by this embodiment obtains a proxy permission setting request sent by an entity user terminal, the request including an individual user identifier and at least one permission set identifier, where a permission set includes at least one permission; generates a proxy identity identifier for the individual user identifier according to the request and stores it in a database in association with the individual user identifier; and determines the permissions of the identified permission set(s) as the permissions of the proxy identity identifier, so that, through the association between the proxy identity identifier and the individual user identifier, those permissions become the permissions of the individual user. Using permission sets to determine the permissions of a proxy identity allows those permissions to be set quickly and flexibly, and granting the proxy identity to an individual user to determine that user's permissions allows individual user permissions to be set quickly and flexibly as well.
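The permission-set and proxy-identity setup of Embodiment 1 (steps S101 to S103), together with the optional permission-set creation and proxy permission change steps from the summary, as an added Python example that is not the patent's own code. The in-memory store, the identifier formats, the sample permissions and the rule that a permission set may only contain permissions the entity user itself holds are constructed for this example; the last of these is the check implied by the permission-set creation step, and it is what stops an entity from delegating rights it does not have.

```python
"""Proxy-identity permission setup with permission sets (added example)."""
import uuid
from dataclasses import dataclass, field


@dataclass
class PermissionStore:
    """Constructed in-memory stand-in for the database in the text."""
    entity_perms: dict = field(default_factory=dict)      # entity id -> frozenset of permissions
    permission_sets: dict = field(default_factory=dict)   # set id -> (owning entity id, permissions)
    proxies: dict = field(default_factory=dict)           # proxy id -> {"individual", "entity"}
    proxy_acl: dict = field(default_factory=dict)         # proxy id -> frozenset of permissions


def create_permission_set(store, entity_id, selected):
    """Permission set generation request: every selected permission must be among
    the entity user's own permissions, and a set must not be empty."""
    selected = frozenset(selected)
    owned = store.entity_perms.get(entity_id, frozenset())
    if not selected:
        raise ValueError("a permission set must contain at least one permission")
    if not selected <= owned:
        raise PermissionError(f"{entity_id} cannot delegate {sorted(selected - owned)}")
    set_id = f"pset-{uuid.uuid4().hex[:8]}"   # constructed identifier format
    store.permission_sets[set_id] = (entity_id, selected)
    return set_id


def set_proxy_permissions(store, entity_id, individual_id, set_ids):
    """Proxy permission setting request (S101-S103): generate a proxy identity
    identifier, store its association with the individual and the entity, and make
    the union of the selected permission sets the proxy identity's permissions."""
    if not set_ids:
        raise ValueError("at least one permission set identifier is required")
    perms = set()
    for set_id in set_ids:
        owner, members = store.permission_sets[set_id]
        if owner != entity_id:
            raise PermissionError(f"permission set {set_id} is not owned by {entity_id}")
        perms |= members
    proxy_id = f"proxy-{uuid.uuid4().hex[:8]}"
    store.proxies[proxy_id] = {"individual": individual_id, "entity": entity_id}
    store.proxy_acl[proxy_id] = frozenset(perms)
    return proxy_id


def change_proxy_permissions(store, proxy_id, grant=(), revoke=()):
    """Proxy permission change request: edits only this proxy's ACL entry, so other
    proxies are unaffected (unlike editing a shared RBAC role)."""
    entity_id = store.proxies[proxy_id]["entity"]
    if not set(grant) <= store.entity_perms[entity_id]:
        raise PermissionError("cannot grant a permission the entity does not hold")
    current = (set(store.proxy_acl[proxy_id]) | set(grant)) - set(revoke)
    store.proxy_acl[proxy_id] = frozenset(current)
    return store.proxy_acl[proxy_id]


def permissions_of_individual(store, individual_id):
    """Resolve an individual's permissions through the proxy identities linked to them."""
    return {pid: store.proxy_acl[pid]
            for pid, link in store.proxies.items() if link["individual"] == individual_id}


def demo():
    """Constructed scenario: one enterprise, two permission sets, two individuals."""
    store = PermissionStore()
    store.entity_perms["ent-acme"] = frozenset({"invoice:read", "invoice:write", "report:read"})
    reading = create_permission_set(store, "ent-acme", ["invoice:read", "report:read"])
    writing = create_permission_set(store, "ent-acme", ["invoice:write"])
    proxy_alice = set_proxy_permissions(store, "ent-acme", "user-alice", [reading])
    proxy_bob = set_proxy_permissions(store, "ent-acme", "user-bob", [reading, writing])
    change_proxy_permissions(store, proxy_alice, grant=["invoice:write"])
    return store, proxy_alice, proxy_bob
```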
5可选地,可以采用访问控制列表将至少一个权限集对应标识中的权限确定为代理身份5 Optionally, the access control list can be used to determine the authority in the identity corresponding to at least one authority set as the proxy identity
标识对应权限。Identifies the corresponding permissions.
具体地,可以预先设置代理级权限访问控制模型为身份识别与访问管理(英文简称:Specifically, the proxy-level permission access control model can be preset as Identity Recognition and Access Management (English abbreviation:
IAM,英文全称:Identity and Access Management)模型,IAM模型中的权限控制采用访IAM, English full name: Identity and Access Management) model, the permission control in the IAM model adopts the access
问控制列表(英文简称:ACL,英文全称:Access Control Lists);采用json格式根据至0少一个权限集对应标识及代理身份标识配置IAM模型;采用解析转换策略根据配置后的IAM模型配置访问控制列表,以根据代理权限设置请求将至少一个权限集对应标识中的权限确定为代理身份标识对应权限。Access control list (English abbreviation: ACL, English full name: Access Control Lists); use json format to configure the IAM model according to at least one permission set corresponding identifier and proxy identity identifier; use the analysis conversion strategy to configure access control according to the configured IAM model List, so as to determine the authority corresponding to the identity of at least one authority set as the authority corresponding to the agent identity according to the agent authority setting request.
其中,IAM可以控制基于用户的资源访问,并启用单点登录进行用户身份验证。IAM可以验证用户访问请求,并且可以授予或拒绝对访问资源的权限。ACL可以通过将主体(用户或用户组)和权限(包含操作和资源)关联成列表,控制主体能访问的资源。用户包括:个人用户、实体用户。Among them, IAM can control user-based resource access and enable single sign-on for user authentication. IAM can authenticate user access requests and can grant or deny permissions to access resources. ACL can control the resources a subject can access by associating subjects (users or user groups) and permissions (including operations and resources) into a list. Users include: individual users and entity users.
It should be understood that IAM lets the appropriate people or things, holding the appropriate permissions, access the appropriate resources. The "person or thing" is called the subject and the "resource" the object. Traditional IAM generally comprises the following parts, often called "4A" or "5A": account, authentication, authority (permission), application, and audit. In this application, permission control uses an access control list (ACL). IAM can evaluate logical expressions over the subject, resource, operation ternary ACL permission policies provided by the ACL; it can combine the results of multiple ACL permission policy checks by logical AND or OR according to the authorization effect element; it can use a parsing and conversion strategy to convert between IAM permission policies and ACL permission policies, the difference being that an IAM permission policy is a superset of an ACL permission policy and contains permission elements beyond subject, resource and operation, such as the authorization effect element; and it can query, add, delete and update IAM permission policies. Note that the "鉴权" checks described throughout this application compare a requested operation against the permissions already granted to a subject, that is, they are authorization checks, distinct from the identity authentication performed at registration and login.
In the embodiments of this application, the IAM model includes IAM permission policies whose elements can be configured in JSON format. The elements of an IAM permission policy include an authorization effect (Effect) element, a resource (Resource) element and an operation (Action) element; the resource element can include an object name, service name, account identifier and specific resource identifier. The authorization effect element is analogous to the positive authorization of a whitelist and the negative authorization of a blacklist; the resource element denotes the specific object being authorized; the operation element denotes an operation on a specific resource and can be defined by the service name in the resource element together with the specific operation.
Specifically, the parsing and conversion strategy configures the access control list from the configured IAM model as follows: obtain the identity information of the subject of the authorization request according to the format of the IAM model, and obtain the resource element array and the operation element array; once the subject identity is determined, traverse the resource element array, generate a first ACL permission policy for each resource element and fill in the subject information and resource information; traverse the operation element array, generate a second ACL permission policy for each operation element and fill in the operation information; combine the first and second ACL permission policies to obtain the complete subject, resource, operation ternary ACL permission policies. Optionally, after conversion, confirm that the number of ternary ACL permission policies obtained equals the number of combinations of resource elements and operation elements in the IAM permission policy; if they are not equal, redo the ACL permission policy configuration. Here the subject identity information is the proxy identity identifier.
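As an added example, not code from the patent (which discloses no implementation), the following Python expands an IAM permission policy in the Effect/Resource/Action JSON layout described above into subject, resource, operation ACL entries, applies the count check, and then evaluates a request against the resulting entries. The field names inside Resource, the `oss:` service naming, and the deny-overrides AND/OR combination rule are assumptions; both sample policies are constructed. The same `evaluate` step is what the access-request authorization in steps S208 and S209 of Embodiment Two performs for an entity user.

```python
import json
from dataclasses import dataclass

# Constructed sample IAM permission policies in the Effect/Resource/Action
# JSON layout the text describes; the field names inside Resource are assumptions.
ALLOW_POLICY = json.dumps({
    "Effect": "Allow",
    "Resource": [
        {"object": "bucket", "service": "oss", "account": "acct-1", "id": "reports"},
        {"object": "bucket", "service": "oss", "account": "acct-1", "id": "invoices"},
    ],
    "Action": ["oss:GetObject", "oss:ListObjects"],
})
DENY_POLICY = json.dumps({
    "Effect": "Deny",
    "Resource": [{"object": "bucket", "service": "oss", "account": "acct-1", "id": "invoices"}],
    "Action": ["oss:GetObject"],
})


@dataclass(frozen=True)
class AclEntry:
    subject: str
    resource: str
    action: str
    effect: str   # "Allow" or "Deny", carried over from the policy's Effect element


def resource_key(res: dict) -> str:
    """Flatten a resource element (service, account, object, id) into one string."""
    return f"{res['service']}:{res['account']}:{res['object']}/{res['id']}"


def iam_to_acl(subject: str, policy_json: str) -> list[AclEntry]:
    """Expand one IAM policy into subject/resource/action ACL entries.

    Follows the two-pass expansion in the text: one partial entry per resource
    element (subject + resource), one per action element, then their combination.
    The final count check is the optional consistency check the text recommends.
    """
    policy = json.loads(policy_json)
    effect = policy["Effect"]
    first_pass = [(subject, resource_key(res)) for res in policy["Resource"]]
    second_pass = list(policy["Action"])
    entries = [AclEntry(subj, res, act, effect) for subj, res in first_pass for act in second_pass]
    expected = len(first_pass) * len(second_pass)
    if len(entries) != expected:
        raise ValueError(f"expansion produced {len(entries)} ACL entries, expected {expected}")
    return entries


def evaluate(acl: list[AclEntry], subject: str, resource: str, action: str) -> bool:
    """Combine matching entries by authorization effect (assumed deny-overrides):
    any matching Deny refuses (AND over the negations), otherwise any matching
    Allow grants (OR); no matching entry at all refuses."""
    matches = [e for e in acl if (e.subject, e.resource, e.action) == (subject, resource, action)]
    if any(e.effect == "Deny" for e in matches):
        return False
    return any(e.effect == "Allow" for e in matches)
```

Converting each IAM policy separately and concatenating the results keeps the per-policy count check meaningful; the Deny entries only refuse what they match exactly, so the Allow on the other bucket is unaffected.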
Embodiment Two
On the basis of Embodiment One above, the specific steps of the permission control method further include entity user registration and authorization, specifically including:
Step S201: obtain an entity user registration request sent by an entity user terminal.
Step S202: generate an entity user account according to the entity user registration request and determine the corresponding entity user identifier.
Step S203: initialize the permissions corresponding to the entity user identifier so that the entity user obtains the entity user basic permissions.
The entity user may be an enterprise user, in which case the entity user registration request may include a social credit code and may also include the enterprise name, legal representative information and the like.
Optionally, after the entity user registration request sent by the entity user terminal is obtained, the information in the request may be verified; the entity user account is generated and the corresponding entity user identifier determined only after the verification passes.
In the embodiments of this application, the social credit code may be used as the entity user identifier, or a unique identifier for the entity user may be generated by preset rules; this is not limited here.
After the entity user account is generated and the corresponding entity user identifier determined, the permissions corresponding to that identifier need to be initialized to complete the entity user basic permission configuration. The entity user basic permissions may include system login permission, authentication information viewing permission, product subscription permission, system console access permission and other basic permissions, so that the entity user can perform basic operations.
In the embodiments of this application, once an entity user has sent the entity user registration request at first registration and passed authentication, subsequent logins do not repeat that authentication; the user only enters the account and password for login verification.
On the basis of the above embodiments, after the entity user has registered and obtained the entity user basic permissions, the entity user can change its own permissions; the method of changing its own permissions specifically includes the following steps:
Step S204: obtain an entity user permission change request sent via the permission management interface in the entity user terminal.
The entity user permission change request includes the entity user identifier and the corresponding permission change information. The permission change information includes the permission to be changed and the operation on that permission, for example an add or delete operation.
Step S205: change the permissions corresponding to the entity user identifier using the access control list according to the corresponding permission change information.
In the embodiments of this application, the permissions corresponding to the entity user identifier are the entity user's permissions, and the permissions corresponding to the proxy identity identifier are the proxy identity's permissions.
The embodiments do not limit how the entity user terminal sends the entity user permission change request; it may be sent to the electronic device in response to an operation by the entity user. For example, if a newly accessible resource is added, the entity user may send an entity user permission change request for that resource so as to add access permission to it.
In the embodiments of this application, an access control list (ACL) is used to control the access permissions of entity users. The access control list that controls an entity user's permissions can be configured according to the entity user permission change request so as to change the permissions corresponding to the entity user identifier.
The permission control method provided by the embodiments of this application obtains an entity user permission change request sent via the permission management interface in the entity user terminal, the request including the entity user identifier and the corresponding permission change information, and changes the permissions corresponding to the entity user identifier using the access control list according to that information. Using an access control list allows more flexible access control, facilitates changing the permissions corresponding to the entity user identifier, and makes those permissions flexibly configurable.
On the basis of the above embodiments, the entity user can set permission sets based on its own permissions; setting a permission set specifically includes the following steps:
Step S206: obtain a permission set generation request sent via the permission set setting interface in the entity user terminal, and determine at least one permission selected in the permission set setting interface.
Step S207: generate an identifier corresponding to the permission set and determine the at least one selected permission as the permissions included in that permission set.
The at least one selected permission must be among the permissions corresponding to the entity user identifier.
In the embodiments of this application, after the permissions corresponding to the entity user identifier have been determined, the entity user can define at least one permission set as required.
Specifically, the permission set setting interface in the entity user terminal can display the permissions corresponding to the entity user identifier; the entity user selects at least one of them and sends a permission set generation request to the electronic device. On receiving the request, the electronic device generates the permission set and its corresponding identifier and determines the selected permissions as the permissions included in the set. Optionally, the entity user can also delete permission sets it has created.
The permission control method provided by the embodiments of this application obtains a permission set generation request sent via the permission set setting interface in the entity user terminal, determines at least one permission selected in that interface, where the selected permissions are among those corresponding to the entity user identifier, generates an identifier for the permission set and determines the selected permissions as the permissions it includes. The entity user can flexibly set permission sets from the permissions it holds, which improves the flexibility of defining permission sets and, further, the flexibility and degree of customization of proxy permissions configured from those sets, ensuring that proxy permissions can be individually configured while keeping their configuration efficient.
On the basis of the above embodiments, after the entity user has registered and the permissions corresponding to the entity user identifier have been determined, the entity user can initiate an access request, and the permission control method provided by the embodiments can authorize that access request, specifically including the following steps:
Step S208: obtain an access request sent by the entity user terminal.
Step S209: authorize the access request against the permissions corresponding to the entity user identifier using the access control list.
Specifically, after logging in, the entity user can initiate an access request for a resource it needs to access or operate on; the entity user terminal sends the access request to the electronic device, which authorizes it using the access control list. The access request may include the entity user identifier, the resource being accessed and the operation.
On receiving the access request, the electronic device determines the subject, resource and operation in the request, looks up the permissions already granted to that subject, and invokes the ACL logical expression evaluation to match the request against them, yielding whether authorization passes. If it passes, the access operation is performed as requested; if it fails, an error code and prompt are returned to the entity user terminal. Here the subject is the entity user identifier and the subject's granted permissions are those corresponding to the entity user identifier.
Embodiment Three
On the basis of any of the above embodiments, the specific steps of the permission control method further include individual user registration and authorization, specifically including:
Step S301: obtain an individual user registration request sent by an individual user terminal.
Step S302: generate an individual user account according to the individual user registration request and determine the corresponding individual user identifier.
Step S303: initialize the permissions corresponding to the individual user identifier so that the individual user obtains the individual general basic permissions.
The individual general basic permissions may include system login permission, subscription permission, console access permission and other permissions.
In the embodiments of this application, individual user registration is similar to entity user registration and is not repeated here.
Optionally, the individual user registration request may include a mobile phone number, which may be used as the individual user identifier.
On the basis of the above embodiments, after the individual user has registered and obtained the individual user basic permissions, the method of steps S101 to S103 in Embodiment One can be used to give the individual user a proxy identity and the permissions corresponding to the proxy identity identifier.
After the individual user has obtained a proxy identity and the permissions corresponding to the proxy identity identifier, the permissions of that individual user can be changed; the method specifically includes the following steps:
Step S304: obtain a proxy permission change request sent via the permission management interface in the entity user terminal.
The proxy permission change request includes the proxy identity identifier and the corresponding permission change information.
Step S305: change the permissions corresponding to the proxy identity identifier using the access control list according to the corresponding permission change information.
The embodiments do not limit how the entity user terminal sends the permission change request; similar to the proxy permission setting request, the entity user terminal may send the proxy permission change request after receiving a proxy permission setting application from the individual user terminal, or may send it to the electronic device in response to a proxy identity granting operation by the entity user.
For example, when an individual user accesses a resource using a proxy identity and the system reports that authorization failed, the individual user can send a proxy permission setting application to the electronic device via the individual user terminal, requesting that the relevant resource permission be added to that proxy identity. The electronic device can look up the entity users that hold the relevant permission and send an authorization application notification to the corresponding entity user terminals; the notification can include the individual user's basic information and the proxy identity details, the latter including the grantor of the proxy identity and a description of its purpose. After the entity user terminal receives the notification, the entity user can review the individual user's qualifications and decide whether to authorize; if it decides to, it sends a proxy permission change request to the electronic device via the permission management interface in the entity user terminal.
Optionally, if the entity user does not itself hold the permission the individual user is applying for, steps S204 and S205 can first be used to change the entity user's own permissions; the entity user can define a new IAM permission policy by configuring the resource elements and operation elements of the IAM model and use it to authorize the proxy identity.
The permission control method provided by the embodiments of this application obtains a proxy permission change request sent via the permission management interface in the entity user terminal, the request including the proxy identity identifier and the corresponding permission change information, and changes the permissions corresponding to the proxy identity identifier using the access control list according to that information. Only the permissions of the named proxy identity are changed, so changing one proxy identity's permissions does not affect the permissions or permission sets of other proxy identities; this avoids the security problems that confused permissions would cause and improves resource security.
Optionally, logs can record the entity user's operations, including the operation time and content. Entity user operations can include changing the permissions corresponding to the entity user identifier, changing the permissions corresponding to a proxy identity identifier, creating a proxy identity for an individual user identifier, and so on. An export function for permission configuration and operation records can also be provided so that the granted permissions can be reviewed periodically.
Embodiment Four
FIG. 3 is a flowchart of a permission control method provided in Embodiment Four of this application. On the basis of any of the above embodiments, an individual user can send an access request to the electronic device via the individual user terminal to access a resource; this embodiment concerns the permission control method that authorizes access requests initiated by individual users, and as shown in FIG. 3 it specifically includes the following steps:
Step S401: obtain an access request sent by the individual user terminal and determine whether the access request includes a proxy identity identifier.
In the embodiments of this application the access request includes subject information; in an access request sent by an individual user terminal the subject information is either a proxy identity identifier or an individual user identifier.
Before initiating access, the individual user can view the details of the proxy identities granted to it and choose which proxy identity to use, or choose none. If a proxy identity is chosen, the access request includes that proxy identity's identifier and step S403 or step S407 is executed to authorize the proxy identity; if none is chosen, the access request contains no proxy identity identifier and step S402 is executed to perform user-level authorization of the individual user.
Step S402: if it is determined that the access request does not include a proxy identity identifier, perform user-level authorization of the access request against the individual general basic permissions.
In the embodiments of this application, the individual general basic permissions are the permissions corresponding to the individual user identifier as initialized at registration, and may include system login permission, subscription permission, console access permission and other permissions.
If it is determined that the access request does not include a proxy identity identifier, the access request includes the individual user identifier and may also include the resource being accessed, the operation and identity type information. Optionally, the identity type information can also be used to determine whether the subject is an individual user or a proxy identity.
If it is determined that the access request does not include a proxy identity identifier, the subject can be determined to be an individual user, after which user-level authorization of the access request is performed against the individual general basic permissions.
The permission control method provided by the embodiments of this application obtains an access request sent by the individual user terminal; if the access request does not include a proxy identity identifier, it performs user-level authorization of the request against the individual general basic permissions, and if that passes, the access operation is performed as requested. This authorizes access requests from individual user terminals and lets individual users initiate access requests without using a proxy identity, improving the flexibility of initiating and authorizing access requests, so that individual users who hold no proxy identity can still perform basic operations.
Optionally, after an entity user creates a proxy identity for an individual user, it can configure an authorization mode for that proxy identity; the access request can carry authorization mode information, and after it is determined that the access request includes a proxy identity identifier, whether to perform two-stage authorization can be determined and the subsequent steps executed, specifically including:
Step S403: determine from the authorization mode information whether to perform two-stage authorization.
In the embodiments of this application, if the access request includes a proxy identity identifier and authorization mode information, whether to perform two-stage authorization can be determined from that mode information. The access request may also include the individual user identifier, the resource being accessed, the operation, authorization effect information, identity type information and the like. Optionally, the identity type information can also be used to determine whether the subject is an individual user or a proxy identity.
If it is determined that the access request includes a proxy identity identifier, the subject can be determined to be the proxy identity, after which the authorization mode information determines whether two-stage authorization is performed.
Specifically, if the authorization mode is two-stage authorization, step S404 and the subsequent steps perform two-stage authorization of the access request; if the mode is single-stage authorization, step S407 and the subsequent steps perform proxy-level authorization of the access request.
Step S404: determine the entity user identifier associated with the proxy identity identifier.
The entity user identifier associated with the proxy identity identifier is the identifier of the entity user that granted the proxy identity.
In the embodiments of this application, after a proxy identity identifier has been generated for the individual user identifier according to the proxy permission setting request, the entity user identifier contained in that request can be stored in the database in association with the proxy identity identifier, so that during two-stage authorization the entity user identifier associated with the proxy identity identifier can be looked up from the database.
Step S405: determine the entity user's permissions from the access control list and the entity user identifier, and perform root-level authorization of the access request against those permissions.
Root-level authorization checks the permissions of the entity user that granted the individual user the proxy identity. Only after root-level authorization passes is proxy-level authorization performed.
Specifically, if root-level authorization passes, step S406 and the subsequent steps perform proxy-level authorization of the access request against the permissions corresponding to the proxy identity identifier; if root-level authorization fails, an error code and prompt can be returned to the individual user terminal indicating that the permissions of the entity user that granted the proxy identity have lapsed.
It should be understood that if, after granting a permission to a proxy identity, the entity user deletes that permission from the permissions corresponding to its own entity user identifier, the grantor's permission has lapsed: root-level authorization then fails even though proxy-level authorization on its own would still pass.
The permission control method provided by the embodiments of this application, when the authorization mode information indicates two-stage authorization, determines the entity user identifier associated with the proxy identity identifier, determines the entity user's permissions from the access control list and that identifier, performs root-level authorization of the access request against them, and only if root-level authorization passes performs proxy-level authorization against the permissions corresponding to the proxy identity identifier. Checking the root-level permissions, that is the corresponding entity user's permissions, before the proxy-level permissions closes the security gap that arises when only proxy-level permissions are checked and a root-level permission has lapsed without the proxy-level permissions being adjusted accordingly, improving resource security.
Step S406: determine the permissions corresponding to the proxy identity identifier from the access control list and perform proxy-level authorization of the access request against them.
In the embodiments of this application, if proxy-level authorization is to be performed, the proxy identity identifier is taken from the access request, the permissions corresponding to it are determined from the access control list, and the access request is authorized against those permissions.
Specifically, the granted proxy-level permissions can be determined from the access control list by the proxy identity identifier, and the IAM model invoked to match the access request against the permissions corresponding to the proxy identity identifier, yielding whether authorization passes.
Step S407: if proxy-level authorization passes, perform the access operation as requested.
Specifically, if proxy-level authorization passes, the access operation is performed as requested; if it fails, an error code and prompt can be returned to the individual user terminal indicating that the relevant permission has not been granted.
The permission control method provided by the embodiments of this application, when the access request includes a proxy identity identifier, determines the permissions corresponding to that identifier from the access control list, performs proxy-level authorization of the access request against them, and performs the access operation as requested if proxy-level authorization passes. This authorizes proxy-level permissions and protects the security of resources.
Embodiment Five
FIG. 4 is a schematic structural diagram of the authority control device provided by Embodiment Five of this application. The authority control device provided by this embodiment can execute the processing flow provided by the authority control method embodiments. As shown in FIG. 4, the authority control device 50 includes an interface module 501, a storage module 502 and an authority control module 503.
Specifically, the interface module 501 is configured to obtain a proxy permission setting request sent by the entity user terminal; the proxy permission setting request includes a personal user identifier and the identifier(s) of at least one permission set; a permission set includes at least one permission.
The storage module 502 is configured to generate a proxy identity identifier for the personal user identifier according to the proxy permission setting request, and to store the proxy identity identifier in association with the personal user identifier in the database.
The authority control module 503 is configured to determine, according to the proxy permission setting request, the permissions in the at least one permission set as the permissions of the proxy identity identifier, so that, through the association between the proxy identity identifier and the personal user identifier, the permissions of the proxy identity identifier are determined as the permissions of the personal user.
The device provided by this embodiment can be used specifically to execute the method embodiment provided by Embodiment One above; its specific functions are not repeated here.
Optionally, the interface module 501 is further configured to obtain a permission set generation request sent through the permission set setting interface in the entity user terminal; the authority control module 503 is further configured to determine the at least one permission selected in the permission set setting interface, where the selected permission(s) lie within the permissions of the entity user identifier, and to generate a permission set identifier and determine the selected permission(s) as the permissions included in that permission set.
Optionally, the interface module 501 is further configured to obtain a proxy permission change request sent through the permission management interface in the entity user terminal; the proxy permission change request includes a proxy identity identifier and the corresponding permission change information; the authority control module 503 is further configured to change the permissions of the proxy identity identifier in the access control list according to the corresponding permission change information.
Optionally, the interface module 501 is further configured to obtain an entity user permission change request sent through the permission management interface in the entity user terminal; the entity user permission change request includes an entity user identifier and the corresponding permission change information; the authority control module 503 is further configured to change the permissions of the entity user identifier in the access control list according to the corresponding permission change information.
Optionally, the authority control device 50 further includes an authentication module; the interface module 501 is further configured to obtain an access request sent by the personal user terminal; the authentication module is configured to: if it is determined that the access request does not include a proxy identity identifier, perform user-level authentication of the access request against the general base permissions of the personal user; if user-level authentication passes, determine that the access operation is executed according to the access request.
Optionally, the authentication module is further configured to: if it is determined that the access request includes a proxy identity identifier, determine the permissions of the proxy identity identifier from the access control list and perform proxy-level authentication of the access request against those permissions; if proxy-level authentication passes, determine that the access operation is executed according to the access request.
Optionally, the proxy permission setting request further includes an entity user identifier; the storage module 502 is further configured to store the entity user identifier in the proxy permission setting request in association with the proxy identity identifier in the database; the authentication module is further configured to: if it is determined from the authentication mode information that secondary authentication is to be performed on the access request, determine the entity user identifier associated with the proxy identity identifier; determine the permissions of the entity user from the access control list and the entity user identifier, and perform root-level authentication of the access request against those permissions; if root-level authentication passes, perform proxy-level authentication of the access request against the permissions of the proxy identity identifier.
Optionally, the authority control device 50 further includes a log module; the log module is configured to store the various operation information of the entity user, including the entity user's operation time and operation content. The log module is further configured to export the permission configuration and operation information so that the granted permissions can be reviewed periodically.
The device provided by this embodiment can be used specifically to execute the above method embodiments; its specific functions are not repeated here.
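As an added illustrative example (not the applicant's code), the following Python sketch models the device modules of this embodiment together with the authentication flow described above (user-level authentication, proxy-level authentication in steps S406 and S407, and the secondary root-level-then-proxy-level authentication): permission set generation restricted to the entity user's own permissions, proxy identity generation stored in association with a personal user and an entity user, permission change requests, an operation log, and the access check. The IAM model of the text is replaced by a plain set lookup on the access control list, the check that a proxy identity is presented only by the personal user it was generated for is an assumption added here, and all identifiers, permission strings and the scenario in demo() are constructed.

```python
# Added illustrative example (not the applicant's code): an in-memory model of the
# proxy-identity authority control described above. Identifiers, permission strings
# and the sample data in demo() are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
import itertools
import time


@dataclass
class AccessRequest:
    user_id: str                    # personal user identifier
    action: str                     # e.g. "read", "write"
    resource: str                   # e.g. "orders"
    proxy_id: Optional[str] = None  # proxy identity identifier; None for plain user access


@dataclass
class AuthorityControl:
    # access control list: subject identifier -> set of "action:resource" permissions
    acl: Dict[str, Set[str]] = field(default_factory=dict)
    # permission set identifier -> permissions it contains
    permission_sets: Dict[str, Set[str]] = field(default_factory=dict)
    # proxy identity identifier -> (personal user identifier, entity user identifier)
    proxies: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # general base permissions every personal user holds (user-level authentication)
    base_permissions: Set[str] = field(default_factory=set)
    # authentication mode: True means a root-level check precedes the proxy-level check
    secondary_auth: bool = True
    # log module: (time, entity user, operation content)
    log: List[Tuple[float, str, str]] = field(default_factory=list)
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def _record(self, entity_user: str, content: str) -> None:
        self.log.append((time.time(), entity_user, content))

    def create_permission_set(self, entity_user: str, selected: Set[str]) -> str:
        # Permission set generation: the selected permissions must lie within the
        # entity user's own permissions, otherwise the request is rejected.
        if not selected <= self.acl.get(entity_user, set()):
            raise PermissionError("selected permissions exceed the entity user's authority")
        pset_id = f"pset-{next(self._ids)}"
        self.permission_sets[pset_id] = set(selected)
        self._record(entity_user, f"create permission set {pset_id}")
        return pset_id

    def set_proxy_authority(self, entity_user: str, personal_user: str,
                            pset_ids: List[str]) -> str:
        # Proxy permission setting: generate a proxy identity, store it in association
        # with the personal user and the entity user, and give it the union of the sets.
        proxy_id = f"proxy-{next(self._ids)}"
        self.proxies[proxy_id] = (personal_user, entity_user)
        self.acl[proxy_id] = set().union(*(self.permission_sets[p] for p in pset_ids))
        self._record(entity_user, f"set proxy {proxy_id} for {personal_user} from {pset_ids}")
        return proxy_id

    def change_authority(self, entity_user: str, subject_id: str,
                         add: Set[str] = frozenset(), remove: Set[str] = frozenset()) -> None:
        # Permission change request for a proxy identity or an entity user: edit its ACL entry.
        entry = self.acl.setdefault(subject_id, set())
        entry |= set(add)
        entry -= set(remove)
        self._record(entity_user, f"change {subject_id}: +{sorted(add)} -{sorted(remove)}")

    def authorize(self, req: AccessRequest) -> Tuple[bool, str]:
        needed = f"{req.action}:{req.resource}"
        if req.proxy_id is None:
            # User-level authentication against the general base permissions.
            ok = needed in self.base_permissions
            return ok, "user-level pass" if ok else "user-level deny"
        if req.proxy_id not in self.proxies:
            return False, "unknown proxy identity"
        personal_user, entity_user = self.proxies[req.proxy_id]
        # Binding check (an assumption added here, not a step in the text): the proxy
        # identity may only be presented by the personal user it was generated for.
        if personal_user != req.user_id:
            return False, "proxy identity not bound to requesting user"
        if self.secondary_auth:
            # Root-level authentication: the delegating entity user must still hold it.
            if needed not in self.acl.get(entity_user, set()):
                return False, "root-level deny"
        # Proxy-level authentication against the proxy identity's own ACL entry.
        if needed not in self.acl.get(req.proxy_id, set()):
            return False, "proxy-level deny"
        return True, "pass"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: the finance entity user delegates order access to alice."""
    ac = AuthorityControl(base_permissions={"read:public"})
    ac.acl["entity-finance"] = {"read:orders", "write:orders", "read:ledger"}
    pset = ac.create_permission_set("entity-finance", {"read:orders", "write:orders"})
    proxy = ac.set_proxy_authority("entity-finance", "alice", [pset])
    out = {
        "plain_user": ac.authorize(AccessRequest("alice", "read", "public")),
        "proxy_write": ac.authorize(AccessRequest("alice", "write", "orders", proxy)),
        "proxy_ledger": ac.authorize(AccessRequest("alice", "read", "ledger", proxy)),
    }
    # The entity user's own write permission lapses but the proxy entry is left untouched.
    ac.change_authority("entity-finance", "entity-finance", remove={"write:orders"})
    out["after_revoke_secondary"] = ac.authorize(AccessRequest("alice", "write", "orders", proxy))
    ac.secondary_auth = False  # proxy-level check only: the stale delegation still passes
    out["after_revoke_proxy_only"] = ac.authorize(AccessRequest("alice", "write", "orders", proxy))
    return out
```

The last two entries returned by demo() are the point of the secondary authentication mode: with the root-level check enabled, a delegation that outlives the entity user's own permission is denied at the root level, whereas a proxy-level-only check still passes it. The log entries accumulated in `ac.log` are what the log module of this embodiment would export for periodic review of granted permissions.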
Embodiment Six
FIG. 5 is a schematic structural diagram of the electronic device provided by Embodiment Six of this application. As shown in FIG. 5, this application further provides an electronic device 60 including a memory 601, a processor 602 and a transceiver 603.
The memory 601 is used to store computer-executable instructions, the transceiver 603 is used to send and receive data, and the memory 601, the processor 602 and the transceiver 603 are communicatively connected. Specifically, the program may include program code, and the program code includes computer-executable instructions. The memory 601 may include high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The processor 602 is used to execute the computer-executable instructions stored in the memory 601.
The computer-executable instructions are stored in the memory 601 and configured to be executed by the processor 602 to implement the method provided by any embodiment of this application. The related explanation can be understood with reference to the descriptions and effects corresponding to the steps in the accompanying drawings and is not elaborated further here.
In this embodiment, the memory 601 and the processor 602 are connected by a bus. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, among others. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in FIG. 5, but this does not mean there is only one bus or one type of bus.
An embodiment of this application further provides a computer-readable storage medium storing computer-executable instructions which, when executed by a processor, implement the method provided by any embodiment of this application.
An embodiment of this application further provides a computer program product including computer-executable instructions which, when executed by a processor, implement the method provided by any embodiment of this application.
In the several embodiments provided by this application, it should be understood that the disclosed devices and methods may be implemented in other ways. For example, the device embodiments described above are merely illustrative: the division into modules is only a division by logical function, and in actual implementation there may be other divisions; for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not executed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or modules, and may be electrical, mechanical or of other forms.
Modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional modules in the embodiments of this application may be integrated into one processing module, or each module may exist physically on its own, or two or more modules may be integrated into one module. The integrated modules may be implemented in the form of hardware or in the form of hardware plus software functional modules.
The program code for implementing the methods of this application may be written in any combination of one or more programming languages. The program code may be supplied to the processor or controller of a general-purpose computer, a special-purpose computer or other programmable full-path trajectory fusion device, so that when the program code is executed by the processor or controller, the functions/operations specified in the flowcharts and/or block diagrams are implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine, or entirely on the remote machine or server.
In the context of this application, a machine-readable medium may be a tangible medium that may contain or store a program for use by, or in combination with, an instruction execution system, apparatus or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared or semiconductor systems, apparatus or devices, or any suitable combination of the foregoing. More specific examples of the machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibre, portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
In addition, although the operations are depicted in a particular order, this should be understood as requiring that such operations be executed in the particular order shown or in sequential order, or that all illustrated operations be executed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Likewise, although the above discussion contains several specific implementation details, these should not be construed as limitations on the scope of this application. Certain features described in the context of separate embodiments may also be implemented in combination in a single implementation. Conversely, various features described in the context of a single implementation may also be implemented in multiple implementations separately or in any suitable sub-combination.
Other embodiments of this application will be readily apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of this application that follow its general principles and include common knowledge or customary technical means in the technical field not disclosed in this application. The specification and examples are to be regarded as exemplary only, with the true scope and spirit of this application indicated by the following claims.
It should be understood that this application is not limited to the precise structures described above and shown in the accompanying drawings, and that various modifications and changes may be made without departing from its scope. The scope of this application is limited only by the appended claims.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211663588.XA CN115758303A (en) | 2022-12-23 | 2022-12-23 | Authority control method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115758303A true CN115758303A (en) | 2023-03-07 |
Family ID: 85347359
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115758303A (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||