CN116383804A - Authority management method, device, equipment, medium and program product - Google Patents
Publication number: CN116383804A (application CN202310264872.8A)
Authority: CN (China)
Prior art keywords: authority, information, role, rights, permission
Legal status: Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/10—Office automation; Time management
- G06Q10/103—Workflow collaboration or project management
- G06Q10/105—Human resources
Abstract
The invention discloses a rights management method, device, equipment, medium and program product, relating to the technical field of artificial intelligence. The method comprises the following steps: acquiring a user's permission application form; approving the permission application form to obtain an approval result; and, when the approval result is a pass, determining a permission set from the permission application form and the permission meta-model and managing the user's permissions according to that set. This addresses the problems of related-art permission management schemes in the timeliness, granularity and flexibility of permission adjustment. Under this scheme, permissions are adjusted automatically as personnel move, which reduces the complexity of setting permissions manually one by one, improves convenience and improves timeliness; in addition, roles are configured and authorized for the user on the basis of the position's organization attribution, the position's line attribution, the position's management relationship, the position's reporting relationship and the role-permission association, which extends the granularity of the permission system and improves its flexibility.
Description
Technical Field
The embodiment of the invention relates to the technical field of artificial intelligence, in particular to a rights management method, a device, equipment, a medium and a program product.
Background
Rights management generally refers to the security rules or policies set by a system so that a user can access the resources they are authorized to access, and only those.
Currently, rights management is generally performed on the basis of role-based access control (RBAC). RBAC places a set of roles between the set of users and the permissions; each role corresponds to a group of permissions, and once a user is assigned a role, the user obtains all of the operation permissions of that role.
However, in the related art, when personnel are transferred or reassigned, rights adjustment has to be performed manually, which causes problems in the timeliness, granularity and flexibility of rights adjustment.
Disclosure of Invention
The embodiment of the invention provides a rights management method, a device, equipment, a medium and a program product, which can adjust rights automatically, improve the timeliness of rights adjustment, extend the granularity of the rights system, increase the flexibility of rights and reduce the workload of manual participation.
In a first aspect, an embodiment of the present invention provides a rights management method, including:
acquiring a user's authority application form, wherein the authority application form comprises characteristic information associated with authority application;
the authority application form is approved, and an approval result of the authority application form is obtained;
and, when the approval result is a pass, determining an authority set according to the authority application form and an authority meta-model, and managing the user's authority according to the authority set, wherein the authority meta-model is used to configure and authorize roles for the user based on the position's organization attribution, the position's line attribution, the position's management relationship, the position's reporting relationship and the role-authority association.
In a second aspect, an embodiment of the present invention further provides a rights management apparatus, including:
a form acquisition module, used for acquiring a user's authority application form, wherein the authority application form comprises characteristic information associated with the authority application;
the form approval module is used for approving the authority application form to obtain an approval result of the authority application form;
and an authority management module, used for determining an authority set according to the authority application form and the authority meta-model and managing the user's authority according to the authority set when the approval result is a pass, wherein the authority meta-model is used to configure and authorize roles for the user based on the position's organization attribution, the position's line attribution, the position's management relationship, the position's reporting relationship and the role-authority association.
In a third aspect, an embodiment of the present invention further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the rights management method according to any one of the embodiments of the present invention when the processor executes the program.
In a fourth aspect, embodiments of the present invention further provide a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a rights management method according to any of the embodiments of the present invention.
In a fifth aspect, embodiments of the present invention also provide a computer program product comprising a computer program which, when executed by a processor, implements a rights management method according to any of the embodiments of the present invention.
In the embodiment of the invention, the authority set is determined from the approved authority application form and the authority meta-model, and the user's authority is managed automatically according to that set. Authority is thus adjusted automatically as personnel are reassigned, the complexity of setting authorities manually one by one is reduced, convenience is increased and timeliness is improved. In addition, roles are configured and authorized for the user on the basis of the position's organization attribution, line attribution, management relationship, reporting relationship and the role-authority association, which extends the granularity of the authority system and increases its flexibility, solving the problems of related-art authority management schemes in the timeliness, granularity and flexibility of authority adjustment.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments will be briefly described below, it being understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flowchart of a rights management method according to an embodiment of the present invention;
FIG. 2 is a flowchart of another rights management method according to an embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a rights meta-model according to an embodiment of the present invention;
FIG. 4 is a flowchart of a rights management method according to an embodiment of the present invention;
FIG. 5 is a flowchart of user authorization management according to an embodiment of the present invention;
FIG. 6 is a flowchart of a rights management method according to an embodiment of the present invention;
FIG. 7 is a flowchart of automatic configuration of position-change rights according to an embodiment of the present invention;
FIG. 8 is a block diagram of a rights management unit according to an embodiment of the present invention;
FIG. 9 is a block diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The invention is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting thereof. It should be further noted that, for convenience of description, only some, but not all of the structures related to the present invention are shown in the drawings.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures. Meanwhile, in the description of the present invention, the terms "first", "second", and the like are used only to distinguish the description, and are not to be construed as indicating or implying relative importance. The data acquisition, storage, use, processing and the like in the technical scheme meet the relevant regulations of national laws and regulations.
Fig. 1 is a flowchart of a rights management method according to an embodiment of the present invention. The method is suitable for managing the rights of personnel, and in particular for the scenario where personnel hold the same position but belong to different organizations or lines, or have different management or reporting relationships. The method may be performed by a rights management unit, which may be implemented in hardware and/or software and is typically provided in an electronic device such as a server or a PC. As shown in fig. 1, the method includes:
S110, acquiring a permission application form of the user.
In the embodiment of the invention, the user is, for example, a new employee in the enterprise, or an employee who is being transferred or whose position is to change. The rights application form is a form that applies to the rights system for rights. For example, for a role rights application initiated by a user, the rights application form applies to the rights system to configure roles and authorizations for the user; for a position information change application initiated by a user, the rights application form applies to the rights system to change the user's roles and/or rights. Position information may be a combination of organization information and post information, and is divided into abstract positions and apparent positions; a position information change may include a personnel transfer or a position move, and the like.
The permission application form may include feature information associated with the permission application. The feature information is information of different dimensions related to the rights application. For example, for a role rights application initiated by a user, the feature information may include position information, organization attribution information, line attribution information, management relationship information and reporting relationship information. For a position information change application initiated by a user, the feature information may include the position's organization attribution change information, line attribution change information, management relationship change information and reporting relationship change information.
In some embodiments, obtaining the rights application form of the user further includes:
acquiring a role authority application initiated by the user, wherein the role authority application comprises position information, organization attribution information, line attribution information, management relationship information and reporting relationship information; and generating the user's permission application form according to the role authority application.
Specifically, a user can initiate a role authority application through the human resources system, which parses the application to obtain position information, organization attribution information, line attribution information, management relationship information and reporting relationship information, and then generates the user's authority application form from that information according to the form generation rule.
In other embodiments, obtaining the rights application form of the user includes:
acquiring a position information change application initiated by the user, wherein the position information change application comprises the position's organization attribution change information, line attribution change information, management relationship change information and reporting relationship change information; and generating the user's permission application form according to the position information change application.
Specifically, a user can initiate a position information change application through the human resources system, which parses the application to obtain the position's organization attribution change information, line attribution change information, management relationship change information and reporting relationship change information, and then generates the user's permission application form from that information according to the form generation rule.
S120, approving the authority application form to obtain an approval result of the authority application form.
Approval is the review of the user's authority application by the leaders in the user's line of management. For example, a user's rights application or rights change is audited by the levels of leadership that manage the user, and only an action that passes the audit is carried out.
The authority application form circulates among its approval nodes, and the form number is associated with the approval result of each node; when every approval result associated with the form number is a pass, the approval result of the permission application form is determined to be a pass.
Since a user may have several managing leaders, each leader corresponds to one approval node, and the approval nodes are arranged according to the approval flow. The authority application form circulates among the corresponding approval nodes so that each managing leader approves it in turn; the approval result of each leader at each node is obtained and associated with the form number. After the form reaches the last approval node of the flow, the approval results of all nodes are retrieved by form number, and the form is confirmed as passed only when every node's result is a pass.
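The approval-node circulation described in S120, written out as an added example (this is not code from the patent). It assumes a constructed leader chain and form numbers; the form stops at the first node that rejects or has not yet decided, every node's result is recorded against the form number, and the overall result is a pass only when every node has recorded a pass.

```python
"""Approval-node chain for a permission application form (hypothetical example)."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    PENDING = "pending"
    PASS = "pass"
    REJECT = "reject"


@dataclass
class ApprovalNode:
    leader: str                          # the managing leader who reviews at this node
    decision: Decision = Decision.PENDING


@dataclass
class ApplicationForm:
    form_number: str
    applicant: str
    nodes: list = field(default_factory=list)   # approval nodes in flow order


# Approval results associated with each form number, one entry per node reached.
RESULTS: dict = {}


def build_flow(form_number: str, applicant: str, leaders: list) -> ApplicationForm:
    """Arrange one approval node per managing leader, in approval-flow order."""
    return ApplicationForm(form_number, applicant, [ApprovalNode(l) for l in leaders])


def circulate(form: ApplicationForm, decisions: dict) -> Decision:
    """Circulate the form through its nodes; `decisions` maps leader -> Decision.

    The form only flows on to the next node after a PASS, so a REJECT or a
    PENDING node stops circulation. Results are keyed by the form number.
    """
    recorded = []
    for node in form.nodes:
        node.decision = decisions.get(node.leader, Decision.PENDING)
        recorded.append(node.decision)
        if node.decision is not Decision.PASS:
            break
    RESULTS[form.form_number] = recorded
    return overall_result(form.form_number, expected_nodes=len(form.nodes))


def overall_result(form_number: str, expected_nodes: int) -> Decision:
    """Reduce the per-node results associated with a form number to one outcome."""
    recorded = RESULTS.get(form_number, [])
    if any(d is Decision.REJECT for d in recorded):
        return Decision.REJECT
    # Every node of the flow must have been reached and must have passed.
    if len(recorded) < expected_nodes or any(d is Decision.PENDING for d in recorded):
        return Decision.PENDING
    return Decision.PASS


if __name__ == "__main__":
    form = build_flow("F-0001", "alice", ["team_lead", "dept_head", "division_head"])
    # Constructed decisions: the division head has not decided yet.
    print(circulate(form, {"team_lead": Decision.PASS, "dept_head": Decision.PASS}))
```

Because a rejection halts circulation, later leaders are never asked to review a form that an earlier manager has already refused, which matches the "only acts that pass the audit can be performed" rule in the text.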
S130, when the approval result is a pass, determining a permission set according to the permission application form and the permission meta-model, and managing the user's permissions according to the permission set.
The authority meta-model is created from position-related information in the human resources system. It is used to configure and authorize roles for the user based on the position's organization attribution, the position's line attribution, the position's management relationship, the position's reporting relationship and the role-authority association. The permission set is the set of permission lists that the meta-model determines to match the user's position; each permission list records the operation resources associated with its permission items. For example, a permission list describes data-scope permissions, operation permissions, index permissions, and the like. The data scope may include an organization scope, an employee scope, a line, and the like. Operation permissions may include menus, reports, APP (application) functions, etc. Index permissions are field-level permissions such as deny, read and write.
Illustratively, determining the set of rights from the rights application form and the rights meta-model includes: acquiring the characteristic information in the authority application form; and matching the authority meta-model against the characteristic information to obtain the authority set corresponding to it.
If the approval result is that the approval is not passed, the authority application of the user is refused.
The embodiment of the invention provides a rights management method in which a rights set is determined from the approved rights application form and the rights meta-model, and the user's rights are managed automatically according to that set. Rights are thus adjusted automatically as personnel are reassigned, the complexity of setting rights manually one by one is reduced, convenience is improved and timeliness is improved. In addition, roles are configured and authorized for the user on the basis of the position's organization attribution, line attribution, management relationship, reporting relationship and the role-authority association, which extends the granularity of the authority system and increases its flexibility, solving the problems of related-art authority management schemes in the timeliness, granularity and flexibility of authority adjustment.
Fig. 2 is a flowchart of another rights management method according to an embodiment of the present invention. On the basis of the embodiment, the embodiment of the invention adds a construction mode of the authority meta-model. As shown in fig. 2, the method includes:
S210, constructing a permission meta-model from the defined entities, the entity relationships and the operation resources.
The defined entities comprise employee, organization, line, reporting relationship, management relationship, role and permission item. When the entity is an employee, its attribute may be an employee attribute. When the entity is an organization, its attribute may be at least one of an institution, an organizational unit, a cost unit, or another custom user group. When the entity is a line, its attribute may be at least one of an organization line, an employee line, a talent pool line, or another business line. When the entity is a reporting relationship, its attribute may be a position ID and/or a position name. When the entity is a management relationship, its attribute may be an APP ID and/or an APP KEY. When the entity is a role, its attribute may be a role ID and/or a role name. When the entity is a permission item, its attribute may be at least one of a permission ID, a resource ID and a resource type ID.
Fig. 3 is a schematic structural diagram of a rights meta-model according to an embodiment of the present invention. As shown in fig. 3, the rights metamodel includes:
- association of employee with role;
- association of employee with position;
- association of organization with role;
- association of line with role;
- association of reporting relationship with role;
- association of management relationship with role;
- association of role with permission item;
- association of permission item with operation resource.
The authority meta-model provided by the invention is compatible with the existing RBAC authority system, in that employees are still associated with roles, which reduces the work of building the authority system. On top of this, the association between position and organization and between organization and role is added: an association between employee and organization is established, and an association between organization and role is established. Once roles are associated with an organization, the organization can be authorized uniformly, and when the organization to which an employee's position belongs changes, whether the employee joins or leaves the organization, the authority is updated automatically from the position-organization and organization-role relationships without the administrator reconfiguring anything.
Further, on the above basis, the association between position and line and between line and role is added: a one-to-one association between employee and line is established, and a one-to-n association between line and role. Once roles are associated with lines, a role can be allocated to a given line, the line carries the corresponding menu permissions and other information, and when the line to which the user's position belongs changes, the permissions change automatically; the administrator of each institution does not need to re-create roles for the user, and repeated authorization is avoided.
Further, on the above basis, the association between position and reporting relationship and between reporting relationship and role is added: a one-to-one association between employee and reporting relationship is established, and a one-to-n association between reporting relationship and role. In some special business scenarios, where people must be selected across institutions to form a reporting relationship, the association between positions and the reporting relationship can be configured. People can be selected from different lines and different institutions to form a reporting relationship while the reporting relationship is associated with roles, which supports the means of carrying out the reporting relationship; when the reporting relationship is later dissolved, the members' rights are automatically disassociated, which widens the applicability of the system in special business scenarios.
Further, on the above basis, the association between position and management relationship and between management relationship and role is added: an n-to-one association between employee and management relationship is established, and a one-to-n association between management relationship and role. There are currently scenarios in which the same position carries different management responsibilities; once the correspondence between position and management relationship and the association between role and management relationship are added, management can be authorized independently, scenarios with the same position but different management authorities are supported, and role permissions change automatically when the management relationship changes.
The operation resources comprise menus, page elements, operation permissions, data permissions and permission mutual-exclusion information. As shown in fig. 3, the attributes of a menu include at least one of a menu ID, a menu name, a menu URL and a parent menu ID. The attributes of a page element include at least one of buttons, links and input boxes. An operation permission includes at least one of an operation ID, an operation name, an operation code and an intercepted URL prefix. A data permission includes at least one of an index, a table field ID and a permission type (readable, writable, etc.). The permission mutual-exclusion information includes mutual-exclusion rules; for example, its attributes include a permission 1 ID, a permission 2 ID, an organization ID, and the like. Mutual-exclusion rules can be set on permissions or on roles, so that the same user is prevented from holding mutually exclusive permissions at the same time. For example, mutual exclusion is set between cashier and accounting, so that the same user cannot both execute a piece of work and supervise its execution.
It should be noted that, according to the embodiment of the invention, individual permission information can be adjusted on top of the default permissions in the permission meta-model, so that management efficiency and flexibility are both taken into account.
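The mutual-exclusion rules described above, enforced at grant time as an added example (not the patent's code). The rule attributes follow the text: two conflicting IDs, a level (permission or role) and an optional organization ID that scopes the rule; the rule set, IDs and organization names are constructed for the example. A proposed grant is rejected as a whole when the resulting role or permission set would violate any applicable rule.

```python
"""Mutual-exclusion (separation-of-duties) checks on role and permission grants."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MutexRule:
    first_id: str                          # permission 1 ID, or a role ID when level == "role"
    second_id: str                         # permission 2 ID, or a role ID
    level: str                             # "permission" or "role"
    organization_id: Optional[str] = None  # None: the rule applies in every organization


# Constructed rule set: cashier and accounting may never coincide in one user,
# and within the finance organization executing and auditing payments are exclusive.
RULES = [
    MutexRule("ROLE_CASHIER", "ROLE_ACCOUNTING", "role"),
    MutexRule("PERM_PAYMENT_EXECUTE", "PERM_PAYMENT_AUDIT", "permission", "ORG_FINANCE"),
]


def find_conflicts(roles: set, permissions: set, organization_id: str,
                   rules: list = RULES) -> list:
    """Return every rule that the given role and permission sets would violate."""
    violated = []
    for rule in rules:
        if rule.organization_id not in (None, organization_id):
            continue  # rule is scoped to a different organization
        held = roles if rule.level == "role" else permissions
        if rule.first_id in held and rule.second_id in held:
            violated.append(rule)
    return violated


def assign_with_checks(current_roles, current_perms, new_roles, new_perms, organization_id):
    """Merge a proposed grant into the user's existing sets, refusing it if a rule breaks.

    Returns (accepted, roles, permissions, violated_rules); on refusal the
    original sets are returned unchanged so nothing is granted partially.
    """
    roles = set(current_roles) | set(new_roles)
    perms = set(current_perms) | set(new_perms)
    violated = find_conflicts(roles, perms, organization_id)
    if violated:
        return False, set(current_roles), set(current_perms), violated
    return True, roles, perms, []


if __name__ == "__main__":
    ok, roles, perms, bad = assign_with_checks(
        {"ROLE_CASHIER"}, set(), {"ROLE_ACCOUNTING"}, set(), "ORG_BRANCH_1")
    print(ok, sorted(roles), [(r.first_id, r.second_id) for r in bad])
```

Checking the merged sets, rather than only the new grant, is what catches the case where a user already holds one side of the pair from an earlier role assignment.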
S220, acquiring a permission application form of the user.
S230, approving the authority application form to obtain an approval result of the authority application form.
S240, when the approval result is a pass, determining a permission set according to the permission application form and the permission meta-model, and managing the user's permissions according to the permission set.
In the embodiment of the invention, user permissions comprise operation permissions and data permissions. Operation permissions are broken down into maintenance permissions, audit permissions, access permissions and the like; data permissions are broken down into information item permissions, record permissions, organization permissions and the like; this increases and refines the control that permissions exert over resources. For example, operation permissions include menus, page elements (buttons, input boxes, etc.), interface URLs and the like, while data permissions include the organization data scope, a data scope based on employee data, fields of table data and the corresponding read/write permissions, and the like.
Illustratively, when the approval result is a pass, the permission set is determined from the permission application form and the permission meta-model, and operation permission management and data permission management are performed on the user according to the permission set, where the operation permissions comprise maintenance, audit and access permissions and the data permissions comprise information item, record and organization permissions.
For example, after the user's permission set has been determined, data permission control is performed on the basis of the position's organization attribution, line attribution and management relationship according to the permission lists in the set, and operation permission control is performed on the basis of the position's reporting relationship and management relationship. After a personnel transfer or reassignment is completed, the permissions of the new position are taken over automatically, which reduces the complexity of setting permissions manually one by one and improves the timeliness of permission management.
According to the embodiment of the invention, when a user joins an institution, organization or line, the role of that institution, organization or line is acquired automatically through the permission meta-model. When a user changes position, the administrator only adjusts the institution, organization or line to which the user belongs; the roles are adjusted automatically and the user's data permissions change accordingly. This reduces the administrator's repeated work of configuring roles for employees, extends the granularity of the permission system and increases its flexibility.
Fig. 4 is a flowchart of another rights management method according to an embodiment of the present invention. This embodiment adds a permission inheritance mode on the basis of the embodiment above. As shown in fig. 4, the method includes:
S410, acquiring a role permission application initiated by a user, and generating a permission application form for the user according to the role permission application.
Fig. 5 is a flowchart of user authorization management provided in an embodiment of the present invention. As shown in fig. 5, a user initiates a role permission application; the user may be an ordinary employee, an HR technician, a leader, a general-affairs staff member or an external system user.
Acquiring the role permission application initiated by the user comprises generating the permission application form according to the position information, organization attribution information, line attribution information, management relationship information and reporting relationship information carried in the application.
S420, approving the permission application form and obtaining an approval result for it.
For example, the approval result is obtained by running the form through flow approval according to the user's position and the organization attribution information, line attribution information, management relationship information, reporting relationship information and so on configured on the form.
S430, judging whether the approval result is "approved"; if so, executing S440, otherwise executing S470.
S440, determining a permission set according to the permission application form and the permission meta-model, and managing the user's permissions according to the permission set.
The way the permission meta-model is constructed is described in the embodiment above and is not repeated here.
The feature information in the permission application form is acquired, the feature information comprising position information, organization attribution information, line attribution information, management relationship information and reporting relationship information. Matching the permission meta-model against this feature information to obtain the corresponding permission set comprises: matching the permission meta-model against the position information, organization attribution information, line attribution information, management relationship information and reporting relationship information and determining role information from the matching result; then determining the corresponding permission set from the role information, where roles in the permission meta-model are associated with permission items.
Role configuration and authorization are then performed for the user according to the permission set. For example, the permission control system performs data permission control based on the position's organization attribution, line attribution and management relationship, performs operation permission control based on the position's reporting relationship and management relationship, and uses a history table to record the permission change process, so that every permission change can be tracked and traced.
Referring to fig. 5, after the user's permission set is determined, the user is managed according to the permission list contained in the set. This user management may be hierarchical: for example, a user role is configured and the user's permissions are then configured according to that role, thereby implementing user authorization.
S450, acquiring a child role created by a parent role, and authorizing the child role according to the permission set of the parent role.
The parent role may be the superior user of the child role; the parent role can authorize subordinates within its own permission range, which reduces the approval and configuration workload at the upper level.
By way of example, an administrator acting as a parent role can create one or more child roles within the administrator's own role permission range, set the permissions of each child role, and then assign the child roles to subordinate employees. Role permissions are thus delegated step by step without ever exceeding the administrator's maximum permissions.
Referring to fig. 5, a primary manager may authorize secondary and tertiary managers within the scope of the primary manager's own role permissions.
S460, when the permission set of the parent role changes, adjusting the permission set of the child role based on the change information.
In this embodiment, a change to a permission set includes deleting a permission, modifying a permission, adding a permission, and so on. Assuming the parent role has granted permission A to the child role, then when permission A is withdrawn from the parent role, permission A must also be removed from the child role. For example, the corresponding permission A is deleted from the child role's permission set by means of the permission code of permission A.
S470, rejecting the user's permission application.
In this embodiment, a user authorizes subordinate users step by step within the user's own permission range, so that the child role inherits permissions from the parent role and the upper-level approval and configuration workload is reduced. In addition, when a permission that the parent role granted to a child role is withdrawn, the child role's permission is removed synchronously, avoiding the risk that arises when a change to the parent role is not propagated to the child role in time.
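Step-by-step delegation (S450) and the cascading withdrawal that follows a change to the parent role (S460), as an added Python example that is not the patent's code; the role names and permission codes are constructed.

```python
from typing import Dict, List, Optional, Set


class Role:
    """A role node in the delegation tree; permissions are identified by permission code."""

    def __init__(self, name: str, perms: Set[str], parent: Optional["Role"] = None) -> None:
        self.name = name
        self.perms: Set[str] = set(perms)
        self.parent = parent
        self.children: List["Role"] = []


class DelegationTree:
    """A parent creates child roles within its own permission range, and a permission
    withdrawn from the parent is removed from every descendant that received it."""

    def __init__(self, root_name: str, root_perms: Set[str]) -> None:
        self.roles: Dict[str, Role] = {root_name: Role(root_name, root_perms)}
        self.history: List[str] = []  # history table: one line per role/permission change

    def can_grant(self, parent_name: str, perms: Set[str]) -> bool:
        """True when every requested permission is held by the parent role."""
        return set(perms) <= self.roles[parent_name].perms

    def create_child(self, parent_name: str, child_name: str, perms: Set[str]) -> Role:
        """S450: authorize a child role out of the parent's permission set.
        The child may never receive more than the parent holds."""
        parent = self.roles[parent_name]
        excess = set(perms) - parent.perms
        if excess:
            raise PermissionError(f"{parent_name} cannot grant {sorted(excess)}")
        child = Role(child_name, perms, parent)
        parent.children.append(child)
        self.roles[child_name] = child
        for code in sorted(perms):
            self.history.append(f"{child_name} +{code} (from {parent_name})")
        return child

    def revoke(self, role_name: str, code: str) -> List[str]:
        """S460: withdraw a permission and cascade the removal to all descendant roles.
        Returns the names of every role the permission was actually removed from."""
        affected: List[str] = []
        stack = [self.roles[role_name]]
        while stack:                      # depth-first walk over the subtree
            role = stack.pop()
            if code in role.perms:
                role.perms.discard(code)  # removal keyed by the permission code
                affected.append(role.name)
                self.history.append(f"{role.name} -{code}")
            stack.extend(role.children)
        return affected

    def permissions(self, role_name: str) -> List[str]:
        return sorted(self.roles[role_name].perms)

    def within_bounds(self) -> bool:
        """Invariant: every child's permission set is a subset of its parent's."""
        return all(r.parent is None or r.perms <= r.parent.perms for r in self.roles.values())


def delegation_scenario() -> DelegationTree:
    """Primary -> secondary -> tertiary manager, then one permission withdrawn at the top."""
    tree = DelegationTree("primary_mgr", {"P-AUDIT", "P-MAINTAIN", "P-ACCESS"})
    tree.create_child("primary_mgr", "secondary_mgr", {"P-AUDIT", "P-ACCESS"})
    tree.create_child("secondary_mgr", "tertiary_mgr", {"P-AUDIT"})
    tree.revoke("primary_mgr", "P-AUDIT")  # cascades to both subordinate roles
    return tree
```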
Fig. 6 is a flowchart of another rights management method according to an embodiment of the present invention. This embodiment specifies permission management in the position-change scenario on the basis of the embodiment above. As shown in fig. 6, the method includes:
S610, acquiring a position information change application initiated by a user, and generating a permission application form for the user according to the position information change application.
Fig. 7 is a flowchart of the automatic configuration of permissions on a position change provided in an embodiment of the present invention. As shown in fig. 7, a user initiates a position information change application through the human resources system; the application includes the position's organization, line, management responsibility, reporting relationship and the like.
The position information change application acquired comprises: organization attribution change information, line attribution change information, management relationship change information and reporting relationship change information of the position. The user's permission application form is generated from these four items of change information.
S620, approving the permission application form and obtaining an approval result for it.
S630, judging whether the approval result is "approved"; if so, executing S640, otherwise executing S650.
S640, determining a permission set according to the permission application form and the permission meta-model, and managing the user's permissions according to the permission set.
The way the permission meta-model is constructed is described in the embodiment above and is not repeated here.
Illustratively, the feature information in the permission application form is acquired, the feature information comprising the position's organization attribution change information, line attribution change information, management relationship change information and reporting relationship change information. Matching the permission meta-model against this feature information to obtain the corresponding permission set comprises: matching the permission meta-model against the four items of change information and determining the changed role information from the matching result; then determining the corresponding permission set from the changed role information, where roles in the permission meta-model are associated with permission items. The permission set corresponding to the user is returned to the human resources system, and the user accesses or processes services according to the newly returned permission set.
S650, sending rejection information corresponding to the position information change application to the human resources system, so as to reject the user's position information change application.
According to this embodiment, the permission set is determined automatically from the personnel allocation based on the position's organization attribution, line attribution, management relationship, reporting relationship and management responsibility, so that permissions are adjusted automatically through personnel change information. This reduces the work of administrators repeatedly configuring roles for personnel, improves the convenience and flexibility of the system, and reduces the manual workload.
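Matching the meta-model in S440 and re-matching it after a position change in S610 to S640, as one added Python example that is not the patent's code; the organization, line and role names, the permission codes and the approval node results are constructed, and the data/operation split follows the attribution rule stated above.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Position:
    """Feature information carried on a permission application form."""
    org: str                 # position organization attribution
    line: str                # position line attribution
    manages: FrozenSet[str]  # management relationship: units this position manages
    reports_to: str          # reporting relationship: the position reported to

@dataclass(frozen=True)
class Permission:
    code: str  # permission code, the identifier used when an item is withdrawn
    kind: str  # "data" or "operation"

class PermissionMetaModel:
    """Entity -> role -> permission item associations of the meta-model."""

    def __init__(self) -> None:
        self.org_roles: Dict[str, Set[str]] = {}
        self.line_roles: Dict[str, Set[str]] = {}
        self.manage_roles: Dict[str, Set[str]] = {}
        self.report_roles: Dict[str, Set[str]] = {}
        self.role_perms: Dict[str, Set[Permission]] = {}

    @staticmethod
    def bind(table: Dict[str, Set[str]], key: str, role: str) -> None:
        table.setdefault(key, set()).add(role)  # associate an entity with a role

    def grant(self, role: str, perm: Permission) -> None:
        self.role_perms.setdefault(role, set()).add(perm)  # role -> permission item

    def match_roles(self, pos: Position) -> Set[str]:
        """Roles implied by the four position attributes (matching step of S440/S640)."""
        roles: Set[str] = set()
        roles |= self.org_roles.get(pos.org, set())
        roles |= self.line_roles.get(pos.line, set())
        roles |= self.report_roles.get(pos.reports_to, set())
        for unit in pos.manages:
            roles |= self.manage_roles.get(unit, set())
        return roles

    def permission_set(self, pos: Position) -> Set[Permission]:
        """Union of the permission items associated with every matched role."""
        perms: Set[Permission] = set()
        for role in self.match_roles(pos):
            perms |= self.role_perms.get(role, set())
        return perms

class RightsManager:
    """Current permission set per user plus a history table of every change."""

    def __init__(self, model: PermissionMetaModel) -> None:
        self.model = model
        self.current: Dict[str, Set[Permission]] = {}
        self.history: List[Tuple[str, str, str]] = []  # (user, "+" or "-", code)

    def apply_form(self, user: str, pos: Position,
                   node_results: Dict[str, bool]) -> Optional[Set[Permission]]:
        """Approve the form (every approval node must pass), then re-match the model.
        Returns the new permission set, or None when the form is rejected."""
        if not node_results or not all(node_results.values()):
            return None
        new = self.model.permission_set(pos)
        old = self.current.get(user, set())
        for perm in sorted(old - new, key=lambda p: p.code):  # withdrawn items
            self.history.append((user, "-", perm.code))
        for perm in sorted(new - old, key=lambda p: p.code):  # newly granted items
            self.history.append((user, "+", perm.code))
        self.current[user] = new
        return new

def build_model() -> PermissionMetaModel:
    """Constructed sample model: two organizations, one line, one managed unit."""
    m = PermissionMetaModel()
    m.bind(m.org_roles, "HQ_FIN", "fin_staff")
    m.bind(m.org_roles, "BR_SH", "branch_staff")
    m.bind(m.line_roles, "credit", "credit_line")
    m.bind(m.manage_roles, "BR_SH_OPS", "ops_manager")
    m.bind(m.report_roles, "BR_SH_HEAD", "branch_reporter")
    # Data permissions follow organization, line and management relationship;
    # operation permissions follow reporting and management relationship.
    m.grant("fin_staff", Permission("D-FIN-REC", "data"))
    m.grant("branch_staff", Permission("D-BR-SH", "data"))
    m.grant("credit_line", Permission("D-CREDIT", "data"))
    m.grant("ops_manager", Permission("O-AUDIT", "operation"))
    m.grant("branch_reporter", Permission("O-ACCESS-BR", "operation"))
    return m

def transfer_scenario() -> Tuple[List[str], List[str], List[Tuple[str, str, str]]]:
    """Initial role application, then a position change handled by re-matching."""
    mgr = RightsManager(build_model())
    approved = {"supervisor": True, "hr": True}  # constructed approval node results
    before = mgr.apply_form(
        "alice", Position("HQ_FIN", "credit", frozenset(), "HQ_FIN_HEAD"), approved)
    after = mgr.apply_form(  # transfer to the branch, now managing its ops unit
        "alice", Position("BR_SH", "credit", frozenset({"BR_SH_OPS"}), "BR_SH_HEAD"), approved)
    return sorted(p.code for p in before), sorted(p.code for p in after), list(mgr.history)
```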
Fig. 8 is a block diagram of a rights management device according to an embodiment of the present invention. The device may be implemented in software and/or hardware and can execute the rights management method provided by any embodiment of the invention. The device is typically configured in an electronic device, for example a server or a PC. As shown in fig. 8, the device includes a form acquisition module 810, a form approval module 820 and a rights management module 830.
The form acquisition module 810 is configured to acquire a user's permission application form, the form comprising feature information associated with the permission application;
the form approval module 820 is configured to approve the permission application form and obtain its approval result;
and the rights management module 830 is configured to determine a permission set according to the permission application form and the permission meta-model and to manage the user's permissions according to the permission set, where the permission meta-model is used to perform role configuration and authorization for the user based on position organization attribution, position line attribution, position management relationship, position reporting relationship and role-permission association.
The embodiment of the invention thus provides a rights management device that determines a permission set from an approved permission application form and the permission meta-model and manages the user's permissions automatically according to that set. Permissions are adjusted automatically as personnel are allocated, which reduces the effort of setting permissions manually one by one, increases convenience and improves timeliness. In addition, because role configuration and authorization are based on position organization attribution, position line attribution, position management relationship, position reporting relationship and role-permission association, the granularity of the permission system is extended and its flexibility is increased, solving the problems of timeliness, granularity and flexibility of permission adjustment found in related permission management schemes.
Optionally, the rights management module 830 is specifically configured to:
acquire the feature information in the permission application form;
and match the permission meta-model according to the feature information to obtain the permission set corresponding to the feature information.
Optionally, the form acquisition module 810 is specifically configured to:
acquire a role permission application initiated by the user, the role permission application comprising position information, organization attribution information, line attribution information, management relationship information and reporting relationship information;
and generate the user's permission application form according to the role permission application.
Further, the rights management module 830 is specifically configured to:
match the permission meta-model according to the position information, organization attribution information, line attribution information, management relationship information and reporting relationship information, and determine role information according to the matching result;
and determine the corresponding permission set according to the role information, where roles and permission items in the permission meta-model have an association relationship.
Optionally, the form acquisition module 810 is specifically configured to:
acquire a position information change application initiated by the user, the application comprising organization attribution change information, line attribution change information, management relationship change information and reporting relationship change information of the position;
and generate the user's permission application form according to the position information change application.
Further, the rights management module 830 is specifically configured to:
match the permission meta-model according to the organization attribution change information, line attribution change information, management relationship change information and reporting relationship change information of the position, and determine the changed role information according to the matching result;
and determine the corresponding permission set according to the changed role information, where roles and permission items in the permission meta-model have an association relationship.
Optionally, the form approval module 820 is specifically configured to:
circulate the permission application form among its approval nodes, associating the form number with the approval result of each approval node;
and, when every approval result associated with the form number is a pass, determine that the approval result of the permission application form is a pass.
Optionally, the device further comprises:
a model construction module, configured to construct the permission meta-model according to the set entities, the entity relationships and the relationships with operation resources, where the set entities comprise employees, organizations, lines, reporting relationships, management relationships, roles and permission items.
Further, the permission meta-model comprises:
associations between employee and role, employee and position, organization and role, line and role, reporting relationship and role, management relationship and role, role and permission item, and permission item and operation resource.
Further, the operation resources comprise menus, page elements, operation permissions, data permissions and permission mutual-exclusion information.
Optionally, the rights management module 830 is further specifically configured to:
perform operation permission management and data permission management for the user according to the permission set, where the operation permissions comprise maintenance permission, audit permission and access permission, and the data permissions comprise information item permission, record permission and organization permission.
Optionally, the device further comprises:
an authorization module, configured to acquire a child role created by a parent role after the user's permissions have been managed according to the permission set, and to authorize the child role according to the permission set corresponding to the parent role;
and a permission change module, configured to adjust the permission set corresponding to the child role based on the change information when the permission set corresponding to the parent role changes.
The rights management device provided by the embodiment of the invention can execute the rights management method provided by any embodiment of the invention, and has the functional modules and beneficial effects corresponding to that method.
Fig. 9 is a block diagram of an electronic device according to an embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 9, the electronic device 10 includes at least one processor 11 and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12 and a Random Access Memory (RAM) 13. The memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the ROM 12 or loaded from the storage unit 18 into the RAM 13. The RAM 13 may also store various programs and data required for the operation of the electronic device 10. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to the bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be any of a variety of general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of the processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the rights management method.
In some embodiments, the rights management method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the rights management method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the rights management method in any other suitable way (e.g., by means of firmware).
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and a server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, which is a host product in a cloud computing service system that overcomes the high management difficulty and weak service scalability of traditional physical hosts and VPS services.
Embodiments of the present invention also provide a computer program product comprising a computer program which, when executed by a processor, implements a rights management method as provided by any of the embodiments of the present application.
In implementing the computer program product, the computer program code for carrying out the operations of the present invention may be written in one or more programming languages, including object-oriented programming languages such as Java, Smalltalk and C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.
Claims (16)
1. A rights management method, comprising:
acquiring a user's authority application form, wherein the authority application form comprises characteristic information associated with authority application;
the authority application form is approved, and an approval result of the authority application form is obtained;
and under the condition that the approval result is that the approval passes, determining an authority set according to the authority application form and an authority meta-model, and managing the authority of the user according to the authority set, wherein the authority meta-model is used for carrying out role configuration and authorization on the user based on position mechanism attribution, position stripline attribution, position management relationship, position reporting relationship and role authority association.
2. The method of claim 1, wherein said determining a set of rights from the rights application form and rights metamodel comprises:
acquiring the characteristic information in the authority application form;
and matching the authority meta-model according to the characteristic information to obtain an authority set corresponding to the characteristic information.
3. The method of claim 2, wherein the obtaining the rights application form of the user comprises:
acquiring a role authority application initiated by a user, wherein the role authority application comprises: position information, organization attribution information, line attribution information, management relationship information and reporting relationship information;
and generating a permission application form of the user according to the role permission application.
4. A method according to claim 3, wherein said matching the rights meta-model according to the feature information to obtain a set of rights corresponding to the feature information comprises:
matching the authority meta-model according to position information, organization attribution information, line attribution information, management relation information and reporting relation information, and determining role information according to a matching result;
and determining a corresponding permission set according to the role information, wherein roles and permission items in the permission meta-model have an association relation.
5. The method of claim 2, wherein the obtaining the rights application form of the user comprises:
acquiring a job information change application initiated by a user, wherein the job information change application comprises: the method comprises the steps of setting up change information of a mechanism of a position, setting up change information of a line of the position, change information of a management relationship of the position and change information of a reporting relationship of the position;
and generating a permission application form of the user according to the job information change application.
6. The method according to claim 5, wherein said matching the rights meta-model according to the feature information to obtain a set of rights corresponding to the feature information comprises:
matching the authority meta-model according to the organization attribution change information of the position, the stripline attribution change information of the position, the management relationship change information of the position and the reporting relationship change information of the position, and determining changed role information according to a matching result;
and determining a corresponding permission set according to the changed role information, wherein roles in the permission meta-model and permission items have an association relationship.
7. The method according to claim 1, wherein the examining and approving the rights application form to obtain the examination and approval result of the rights application form includes:
The authority application forms are circulated among the approval nodes of the authority application forms, and form numbers are associated with approval results of all the approval nodes;
and under the condition that each approval result associated with the form number is passing, determining that the approval result of the authority application form is passing.
8. The method as recited in claim 1, further comprising:
and constructing a permission meta-model according to the set entity, the entity relationship and the relationship of the operation resource, wherein the set entity comprises staff, organizations, lines, reporting relationships, management relationships, roles and permission items.
9. The method of claim 8, wherein the rights metamodel comprises:
the method comprises the steps of associating an employee with a role, associating the employee with a position, organizing the association with the role, associating a bar with the role, associating a report relationship with the role, associating a management relationship with the role, associating the role with a permission item, and associating the permission item with an operation resource.
10. The method of claim 9, wherein the operating resources comprise menus, page elements, operating rights, data rights, and rights mutex information.
11. The method of claim 1, wherein the managing the rights of the user according to the set of rights comprises:
and carrying out operation authority management and data authority management on the user according to the authority set, wherein the operation authority comprises maintenance authority, auditing authority and access authority, and the data authority comprises information item authority, recording authority and mechanism authority.
12. The method of claim 1, further comprising, after managing the rights of the user according to the set of rights:
acquiring a child role created by a parent role, and authorizing the child role according to a permission set corresponding to the parent role;
and under the condition that the permission set corresponding to the parent role is changed, adjusting the permission set corresponding to the child role based on the change information.
13. A rights management unit, comprising:
a form acquisition module, configured to acquire a user's permission application form, the permission application form comprising feature information associated with the permission application;
a form approval module, configured to approve the permission application form and obtain an approval result for the permission application form;
and a permission management module, configured to determine a permission set according to the permission application form and a permission meta-model when the approval result is passing, and to manage the user's permissions according to the permission set, wherein the permission meta-model performs role configuration and authorization for the user based on position-to-institution affiliation, position-to-business-line affiliation, position management relationships, position reporting relationships and role-to-permission associations.
14. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable by the processor, wherein the processor, when executing the computer program, implements the rights management method of any of claims 1-12.
15. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when executed by a processor, implements the rights management method according to any of claims 1-12.
16. A computer program product comprising a computer program which, when executed by a processor, implements the rights management method of any of claims 1-12.
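The following is an added illustration, not code from the patent or its applicant, of how the meta-model in claims 8-12 and the approval gate in claims 1 and 7 fit together in practice. Employees carry position attributes (organization, business line, management and reporting relationships); roles are bound to those attributes or to the employee directly; each role maps to permission items, each item to an operation resource; a child role is created from a parent role and can never hold more than the parent, and a change to the parent is propagated to its children. Mutual-exclusion information (claim 10) is applied before a new role is granted. All names, attribute fields, resource strings and the sample employee are constructed for the example.

```python
"""Permission meta-model sketch (constructed example, not the patent's own implementation)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PermissionItem:
    name: str
    resource: str   # operation resource the item governs: menu, page element, operation or data right
    kind: str       # "operation" (maintain/audit/access) or "data" (information item/record/institution)


@dataclass
class Role:
    name: str
    items: set
    parent: Optional[str] = None   # a child role is created by, and bounded by, its parent role


@dataclass
class Employee:  # attribute names are hypothetical; they model the claim's position attributes
    emp_id: str
    position: str
    organization: str
    line: str
    manager: str      # management relationship
    reports_to: str   # reporting relationship


class PermissionMetaModel:
    def __init__(self):
        self.items, self.roles, self.employees = {}, {}, {}
        self.bindings = {}   # (binding kind, key) -> set of role names
        self.mutex = set()   # pairs of permission items that must not coexist for one user

    def add_item(self, item): self.items[item.name] = item
    def add_mutex(self, a, b): self.mutex.add(frozenset((a, b)))
    def add_employee(self, emp): self.employees[emp.emp_id] = emp
    def bind(self, kind, key, role): self.bindings.setdefault((kind, key), set()).add(role)

    def add_role(self, name, items, parent=None):
        items = set(items)
        if parent is None:
            unknown = items - set(self.items)
            if unknown:
                raise ValueError(f"unknown permission items: {sorted(unknown)}")
        else:
            # claim 12: the child is authorised from the parent's set, never beyond it
            items &= self.effective_items(parent)
        self.roles[name] = Role(name, items, parent)

    def effective_items(self, role_name):
        role = self.roles[role_name]
        return set(role.items) if role.parent is None else role.items & self.effective_items(role.parent)

    def update_role(self, name, items):
        self.roles[name].items = set(items)
        # claim 12: a change to the parent's set is pushed down to every child role
        for child in list(self.roles.values()):
            if child.parent == name:
                self.update_role(child.name, child.items & self.effective_items(name))

    def roles_for(self, emp_id):
        e = self.employees[emp_id]
        keys = [("employee", e.emp_id), ("position", e.position), ("organization", e.organization),
                ("line", e.line), ("management", e.manager), ("reporting", e.reports_to)]
        return set().union(*(self.bindings.get(k, set()) for k in keys))

    def permission_set(self, emp_id):
        return set().union(*(self.effective_items(r) for r in self.roles_for(emp_id)))

    def mutex_violations(self, items):
        return sorted(tuple(sorted(p)) for p in self.mutex if p <= set(items))


def form_approved(approvals):
    """Claim 7: the form passes only if every approval result linked to its number is a pass."""
    return bool(approvals) and all(r == "pass" for r in approvals)


def process_application(model, emp_id, role_name, approvals):
    """Grant the requested role only after approval and a mutual-exclusion check.
    Returns (granted, resulting permission set, mutex conflicts)."""
    current = model.permission_set(emp_id)
    if not form_approved(approvals):
        return False, current, []
    conflicts = model.mutex_violations(current | model.effective_items(role_name))
    if conflicts:
        return False, current, conflicts
    model.bind("employee", emp_id, role_name)
    return True, model.permission_set(emp_id), []


def build_demo():
    """Constructed sample data: one branch employee, a base role bound by organization, a role template."""
    m = PermissionMetaModel()
    for name, res, kind in [("menu.loans", "menu:loans", "operation"), ("loan.access", "op:access", "operation"),
                            ("loan.maintain", "op:maintain", "operation"), ("loan.audit", "op:audit", "operation"),
                            ("data.branch_records", "data:record", "data")]:
        m.add_item(PermissionItem(name, res, kind))
    m.add_mutex("loan.maintain", "loan.audit")   # maker and checker must not be the same person
    m.add_role("branch_viewer", {"menu.loans", "loan.access"})
    m.add_role("credit_template", {"menu.loans", "loan.access", "loan.maintain", "loan.audit", "data.branch_records"})
    m.add_role("credit_officer", {"menu.loans", "loan.access", "loan.maintain"}, parent="credit_template")
    # "extra.not_in_parent" is silently dropped: a child cannot exceed its parent
    m.add_role("credit_auditor", {"menu.loans", "loan.access", "loan.audit", "extra.not_in_parent"}, parent="credit_template")
    m.add_employee(Employee("e1", "teller-2", "branch-01", "credit", "e9", "e9"))
    m.bind("organization", "branch-01", "branch_viewer")
    return m


if __name__ == "__main__":
    m = build_demo()
    print(process_application(m, "e1", "credit_officer", ["pass", "pass"]))
    print(process_application(m, "e1", "credit_auditor", ["pass"]))   # denied: maintain vs audit
```

Removing `loan.maintain` from `credit_template` with `update_role` shrinks `credit_officer` and therefore the employee's effective set, which is the propagation behaviour claim 12 describes; the mutex check runs against the union of existing and requested items so a later application cannot combine conflicting items that were granted separately.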
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310264872.8A CN116383804A (en) | 2023-03-17 | 2023-03-17 | Authority management method, device, equipment, medium and program product |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310264872.8A CN116383804A (en) | 2023-03-17 | 2023-03-17 | Authority management method, device, equipment, medium and program product |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116383804A true CN116383804A (en) | 2023-07-04 |
Family
ID=86960716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310264872.8A Pending CN116383804A (en) | 2023-03-17 | 2023-03-17 | Authority management method, device, equipment, medium and program product |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116383804A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117633748A (en) * | 2023-12-05 | 2024-03-01 | 国网四川省电力公司 | Financial system authority management method based on blockchain |
2023
- 2023-03-17 CN CN202310264872.8A patent/CN116383804A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220067186A1 (en) | Privilege graph-based representation of data access authorizations | |
CN110443010B (en) | Authority visual configuration control method, device, terminal and storage medium in information system | |
US10764290B2 (en) | Governed access to RPA bots | |
CN110457891B (en) | Permission configuration interface display method, device, terminal and storage medium | |
US8126920B2 (en) | Enterprise security management system using hierarchical organization and multiple ownership structure | |
US10659469B2 (en) | Vertically integrated access control system for managing user entitlements to computing resources | |
CN108351771B (en) | Maintain control over restricted data during deployment to a cloud computing environment | |
US20160357985A1 (en) | Methods and systems for regulating user engagement | |
AU2014208184A1 (en) | Systems and methodologies for managing document access permissions | |
WO2002044888A1 (en) | Workflow access control | |
US11870783B2 (en) | Classification management | |
US10831904B2 (en) | Automatically discovering attribute permissions | |
CN110245499A (en) | Web application rights management method and system | |
CN112702348A (en) | System authority management method and device | |
US20250117233A1 (en) | Cloud Infrastructure Management | |
CN116383804A (en) | Authority management method, device, equipment, medium and program product | |
US20200167495A1 (en) | Vertically integrated access control system for identifying and remediating flagged combinations of capabilities resulting from user entitlements to computing resources | |
CN111414591B (en) | Workflow management method and device | |
Hummer et al. | Advanced identity and access policy management using contextual data | |
US12254107B2 (en) | Orchestration of administrative unit management | |
US12223076B2 (en) | Service and system integration | |
Millham et al. | Role and data-based constraints of data access control in a legacy system migration to a service-oriented environment | |
CN119691764A (en) | User rights management and control method, device, equipment, medium and program product | |
CN120257351A (en) | Application page generation method, device, equipment, medium and product | |
CN117609165A (en) | Data processing method, device, electronic equipment and computer readable medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||