CN118036023A - RBAC-based authority control method, and method and device for establishing model - Google Patents
RBAC-based authority control method, and method and device for establishing model
- Publication number: CN118036023A (application CN202211421260.7A)
- Authority: CN (China)
- Legal status: Granted
Classifications
- G06F21/604: Tools and structures for managing or administering access control systems (under G06F21/60, Protecting data; G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme relating to G06F21/00)
Abstract
The invention discloses an RBAC-based permission control method, a method for establishing the model, and a device. The method comprises: receiving a request signal and determining the permission space and the permission space serial number corresponding to the request signal, the request signal being the signal generated when a user requests a permission operation; judging whether the role corresponding to the user contains the permission space; if so, obtaining the permission variable corresponding to the permission space; obtaining the permission variable value according to the permission space serial number; judging whether the permission variable value is the same as the role's preset permission variable value; and if so, generating a permission signal. The permission control method of the above embodiment can solve the accuracy and granularity problems of permissions and realize precise control of permissions.
Description
Technical Field
The present invention relates to the field of computer software, and in particular to an RBAC-based permission control method, a method for establishing the model, and a device.
Background
RBAC is role-based access control. In RBAC, permissions are associated with roles, and users obtain the permissions of those roles by becoming members of the appropriate roles, which greatly simplifies permission management. Because the management levels in RBAC depend on each other, permissions are granted to roles and roles are then granted to users; such a permission design is clear and easy to manage.
The RBAC model is a broad base model that specifies the relationships between users, roles and permissions, and RBAC1, RBAC2 and RBAC3 extend it. RBAC1, RBAC2 and RBAC3 are essentially extensions of roles, such as role inheritance and role constraints. They do not specify how permissions are concretely implemented. The conventional industry implementation controls permissions along three dimensions of a software system: menus, buttons and data permissions. Menus and buttons are controlled through RBAC-conformant role management, while data permissions can only be implemented at a non-RBAC organizational level; other schemes implement data permissions separately, or implement RBAC-conformant permissions through roles, in which case the RBAC model only provides simple data permission control. This kind of permission control is insufficient in the accuracy and granularity of both functional permission and data permission control.
Informatization, digitization and intelligence are the development trends of today's society. With the spread of data and networks, data security, network security and other security concerns receive more and more attention, and the data or networks a user can access must be determined more precisely and more promptly. User permission control is an important means of ensuring security, so the accuracy, timeliness and efficiency of user permissions become even more important, and a new permission control method is needed to solve the above problems.
Summary of the Invention
The purpose of the present invention is to provide an RBAC-based permission control method, a method for establishing the model, and a device, so as to solve the problem in the prior art that the traditional RBAC model is insufficient in the accuracy and granularity of functional permission and data permission control.
To achieve the above object, the present invention provides an RBAC-based permission control method, the method comprising:
receiving a request signal and determining the permission space and permission space serial number corresponding to the request signal, where the request signal is the signal generated when a user requests a permission operation and the permission space is a permission control point;
judging whether the role corresponding to the user contains the permission space;
if so, obtaining the permission variable corresponding to the permission space, where the permission variable represents an attribute of the permission operation;
obtaining the permission variable value according to the permission space serial number;
judging whether the permission variable value is the same as the preset permission variable value of the role;
if so, generating a permission signal.
Optionally, the permission operation includes a functional permission and/or a data permission, and generating the permission signal includes:
generating an operation signal according to the functional permission so that the user can perform the permission operation, and/or obtaining the data corresponding to the data permission and returning it to the user.
Optionally, obtaining the data corresponding to the data permission and returning it to the user includes:
obtaining first data, the first data being the intersection of the obtainable data corresponding to the permission variables under the same permission space serial number;
for any permission space corresponding to the data permission, taking the union of the first data controlled by each permission space serial number corresponding to the data permission to obtain second data;
taking the union of the second data controlled by each permission space corresponding to the data permission to obtain third data;
returning the third data to the user.
Optionally, the method further includes:
determining the resource corresponding to the request signal, where the resource represents an event that requires permission control;
obtaining the permission space corresponding to the resource based on the resource.
Optionally, the method further includes:
obtaining a timeliness object, where the timeliness object defines the validity of an object, and the object includes: users, roles, resources, permission spaces, permission variables, the correspondence between users and roles, the correspondence between roles and resources, the correspondence between resources and permission spaces, the correspondence between roles and permission spaces, and the correspondence between permission spaces and permission variables;
calculating the valid objects according to the timeliness object.
Optionally, the method further includes: generating a no-permission result when the role corresponding to the user does not contain the permission space or when the permission variable value differs from the preset permission variable value.
The present invention provides an RBAC-based permission control device, the device comprising:
a receiving unit, configured to receive a request signal and determine the permission space and permission space serial number corresponding to the request signal, where the request signal is the signal generated when a user requests a permission operation and the permission space is a permission control point;
a first judging unit, configured to judge whether the role corresponding to the user contains the permission space;
a first obtaining unit, configured to obtain, if so, the permission variable corresponding to the permission space, where the permission variable represents an attribute of the permission operation;
a second obtaining unit, configured to obtain the permission variable value according to the permission space serial number;
a second judging unit, configured to judge whether the permission variable value is the same as the preset permission variable value of the role;
a generating unit, configured to generate a permission signal if so.
The present invention provides a method for establishing an RBAC-based permission control model, the method comprising:
establishing permission spaces, where a permission space is a permission control point;
establishing roles, and establishing the association between users and roles and the association between the roles and the permission spaces;
establishing permission variables, and establishing the association between the permission spaces and the permission variables;
setting one or more permission variable values corresponding to each permission variable;
establishing the correspondence between the permission variable values and the permission space serial numbers.
Optionally, the method further includes: establishing resources corresponding to the permission spaces, where a resource represents an event that requires permission control.
Optionally, the method includes:
establishing timeliness objects;
establishing the association between timeliness objects and objects, where a timeliness object defines the validity of the object, and the objects include: users, roles, resources, permission spaces, permission variables, the correspondence between users and roles, the correspondence between roles and resources, the correspondence between resources and permission spaces, the correspondence between roles and permission spaces, and the correspondence between permission spaces and permission variables.
The present invention also provides a device for establishing an RBAC-based permission control model, the device comprising:
a first establishing unit, configured to establish permission spaces, where a permission space is a permission control point;
a second establishing unit, configured to establish roles, and to establish the association between users and roles and the association between the roles and the permission spaces;
a third establishing unit, configured to establish permission variables, and to establish the association between the permission spaces and the permission variables;
a setting unit, configured to set one or more permission variable values corresponding to each permission variable;
a fourth establishing unit, configured to establish the correspondence between the permission variable values and the permission space serial numbers.
The present invention also provides a computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of any of the RBAC-based permission control methods described above and/or any of the methods for establishing an RBAC-based permission control model described above.
The present invention also provides a computer-readable storage medium storing one or more programs that can be executed by one or more processors to implement the steps of any of the RBAC-based permission control methods described above and/or any of the methods for establishing an RBAC-based permission control model described above.
The present invention provides an RBAC-based permission control method, a method for establishing the model, and a device. By defining the permission space as the permission control point, placing permission variables under that control point, and determining the permission variable value through the permission space serial number, it improves the accuracy and granularity of permission control.
Brief Description of the Drawings
FIG. 1 is a flow chart of an RBAC-based permission control method according to an embodiment of the present invention;
FIG. 2 is a flow chart of an RBAC-based permission control method according to an embodiment of the present invention;
FIG. 3 is a diagram of the relationship model between objects and timeliness objects according to an embodiment of the present invention;
FIG. 4 is a structural diagram of an RBAC-based permission control device according to an embodiment of the present invention;
FIG. 5 is a flow chart of a method for establishing an RBAC-based permission control model according to an embodiment of the present invention;
FIG. 6 is a structural diagram of a device for establishing an RBAC-based permission control model according to an embodiment of the present invention;
FIG. 7 is a structural diagram of an RBAC-based permission control model according to an embodiment of the present invention;
FIG. 8 is a structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The specific embodiments of the present invention are described in detail below with reference to the accompanying drawings, but it should be understood that the scope of protection of the present invention is not limited by the specific embodiments.
Unless explicitly stated otherwise, throughout the specification and claims the term "comprise" or its variants such as "include" or "comprising" will be understood to include the stated elements or components without excluding other elements or components.
According to an optional embodiment of the present invention, an RBAC-based permission control method, as shown in FIG. 1, includes:
Step 101: receiving a request signal and determining the permission space and permission space serial number corresponding to the request signal; the request signal is the signal generated when a user requests a permission operation, and the permission space is a permission control point. Specifically, when a user needs to operate a certain function, the client first sends a request signal to the server to request permission, and the permission obtained can be used to operate that function. After the server receives the request signal sent by the client, it must determine from the request signal whether the user has the corresponding operation permission, and for this it must determine the permission space corresponding to the request signal. In a specific embodiment of the present invention, the permission space is a permission control point, representing a single permission of the smallest granularity: control of a concrete permission is divided down to the permission space at the finest granularity. Dividing a user's permissions into several permission spaces, so that the user's multiple permissions are defined through permission spaces, provides fine-grained permission control and makes permission granting more precise.
Step 102: judging whether the role corresponding to the user contains the permission space. Specifically, the user and the roles corresponding to the user can be identified from the request signal sent by the client. Users and roles may correspond one-to-one or many-to-many, that is, the same user may have different roles in different situations, and different roles map to different permission spaces; roles and permission spaces may likewise correspond one-to-one or many-to-many, that is, one role may have several permission spaces and one permission space may correspond to several roles. Hence the permission spaces of the same user under different roles may differ. To confirm whether the user holds the permission corresponding to the permission space, it is necessary to judge whether the permission space confirmed in step 100 is contained in any of the user's roles, so as to determine whether the user's role in this scenario and the permission space correspond.
Step 103: if so, obtaining the permission variable corresponding to the permission space; the permission variable represents an attribute of the permission operation. Specifically, a permission variable is a permission control attribute, which may be a functional permission control attribute or a data permission control attribute. Under the permission space, the permission control point of the smallest granularity, there is additionally the permission variable, a flexible permission control attribute, which further addresses the accuracy and granularity of permissions. Specifically, a permission space usually combines one or more permission variables to control a concrete operation permission. The relationship between permission spaces and permission variables may be one-to-one, one-to-many or many-to-many, as the application requires.
Step 104: obtaining the permission variable value according to the permission space serial number. Specifically, a permission variable may have one or more permission variable values; when the model is initially set up, the range of values assigned to a permission variable can be restricted so that it meets the user's requirements and makes the concrete function of the role explicit. Permission space serial numbers correspond to permission variable values: the permission space determines its corresponding permission space serial numbers, and the permission space serial number then determines the concrete assignment of the permission variables of that permission space, that is, the permission variable values. For example, if permission space A corresponds to two permission space serial numbers 1 and 2, and permission space A corresponds to three permission variables X, Y and Z, then the permission variable values of X, Y and Z can each be determined through permission space serial number 1 and/or 2.
Step 105: judging whether the permission variable value is the same as the preset permission variable value of the role. Specifically, after the permission variable value is obtained, it is still necessary to judge whether the values of one or more permission variables are the same as the preset permission variable values of the user, to further determine the user's concrete permission; that is, precise permission control is achieved through top-down multi-layer filtering of permissions. In this embodiment the different permission variable values subdivide permissions once more, so that permission operations become finer and more concrete and can be applied in different scenarios or systems.
Step 106: if so, generating a permission signal.
When step 105 judges that the permission variable value is the same as the preset permission variable value of the role, it means that the user holds the permission, so the permission is granted to the user by generating a permission signal.
The above embodiment judges permissions against the user's role to confirm the user's permission scope, defines the permission space as the permission control point, and judges the permission scope through the mutual relationships between users, roles and permission spaces, thereby solving the accuracy and granularity problems of permissions and realizing precise permission control.
In an RBAC-based permission control method according to another optional embodiment of the present invention, the permission operation includes a functional permission and/or a data permission, and generating the permission signal includes: generating an operation signal according to the functional permission so that the user can perform the permission operation, and/or obtaining the data corresponding to the data permission and returning it to the user. In a specific embodiment, when the permission variable value corresponding to the permission variable is the same as the user's preset permission variable value, different signals or data can further be provided according to whether the permission operation requested in the client's request signal is a functional permission or a data permission. For example, when the permission operation is a functional permission, the corresponding operation function is finally provided to the user, that is, the user can perform the operation of that permission; when the permission operation is a data permission, that is, the client requests to obtain a certain item or class of data, the corresponding data is obtained according to the permission variables and provided to the client for the user to view. This embodiment clearly refines the user's functional permissions and data permissions and improves the security, timeliness and efficiency of the system.
In an RBAC-based permission control method according to a specific embodiment of the present invention, optionally, as shown in FIG. 2, obtaining the data corresponding to the data permission and returning it to the user includes:
Step 107: obtaining first data, the first data being the intersection of the obtainable data corresponding to the permission variables under the same permission space serial number. Specifically, when a data permission operation is requested, since the permission control point is the permission space, when the permission space contains only one permission space serial number, the obtainable data corresponding to the permission variables under that serial number are mutually exclusive: only the obtainable data common to them is the first data of that serial number, and data that differs between the permission variables is not. Therefore the intersection of the obtainable data corresponding to the several permission variables under the same permission space serial number is taken to obtain the first data under that serial number.
Step 108: for any permission space corresponding to the data permission, taking the union of the first data controlled by each permission space serial number corresponding to the data permission to obtain second data. When there are several permission space serial numbers, the data the user needs is the sum of the first data corresponding to each serial number, that is, the union of the first data under the individual serial numbers is taken as the second data.
Step 109: taking the union of the second data controlled by each permission space corresponding to the data permission to obtain third data. Specifically, when one permission space corresponds to several permission space serial numbers, that is, when the required data permission consists of several second data, step 109 takes the union of all the required second data to obtain the third data, which is all the data the user needs.
Step 110: returning the third data to the user. At this point the user can obtain the data corresponding to the data permission.
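The following is an added example, not code from the patent: an in-memory model of the permission-space check of steps 101 to 106 and of the first/second/third data computation of steps 107 to 110. It goes one step beyond the text by deriving the serial numbers a user passes from the check itself and then applying the set operations to them; all class names, function names and sample values (users, roles, spaces, data items) are constructed for illustration.

```python
"""Added example: permission-space check (steps 101-106) and data-permission
set computation (steps 107-110). Names and sample values are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PermissionSpace:
    """A permission control point: its variables and per-serial-number values."""
    variables: list[str]
    # permission space serial number -> {permission variable: value}
    values_by_serial: dict[int, dict[str, str]]
    # serial number -> {permission variable: obtainable data}; data permissions only
    data_by_serial: dict[int, dict[str, frozenset[str]]] = field(default_factory=dict)


@dataclass
class Role:
    spaces: set[str]                   # permission spaces this role contains
    preset_values: dict[str, str]      # the role's preset permission variable values


@dataclass
class Model:
    users: dict[str, set[str]]         # user -> roles (many-to-many allowed)
    roles: dict[str, Role]
    spaces: dict[str, PermissionSpace]


def check_permission(model: Model, user: str, space_name: str, serial: int) -> bool:
    """Steps 101-106. True means a permission signal; False is the no-permission
    result (unknown user or space, unknown serial number, or no matching role)."""
    space = model.spaces.get(space_name)
    if space is None:
        return False
    values = space.values_by_serial.get(serial)          # step 104
    if values is None:
        return False
    for role_name in model.users.get(user, set()):
        role = model.roles[role_name]
        if space_name not in role.spaces:                 # step 102
            continue
        # steps 103-105: every variable of the space must carry the role's preset value
        if all(role.preset_values.get(v) == values.get(v) for v in space.variables):
            return True                                   # step 106
    return False


def first_data(space: PermissionSpace, serial: int) -> set[str]:
    """Step 107: intersection of the obtainable data of all variables under one serial number."""
    per_var = space.data_by_serial.get(serial, {})
    sets = [set(per_var.get(v, ())) for v in space.variables]
    return set.intersection(*sets) if sets else set()


def data_for_user(model: Model, user: str, space_names: list[str]) -> set[str]:
    """Steps 108-110: union over the serial numbers the user passes (second data),
    then union over the requested spaces (third data)."""
    third: set[str] = set()
    for name in space_names:
        space = model.spaces.get(name)
        if space is None:
            continue
        second: set[str] = set()
        for serial in space.values_by_serial:
            if check_permission(model, user, name, serial):
                second |= first_data(space, serial)       # step 108
        third |= second                                   # step 109
    return third                                          # step 110


# Constructed sample model (all names and values invented for this example).
SAMPLE = Model(
    users={"alice": {"buyer"}, "bob": {"stock_clerk"}},
    roles={
        "buyer": Role(spaces={"s_material"}, preset_values={"dept": "purchasing", "level": "read"}),
        "stock_clerk": Role(spaces={"s_stock"}, preset_values={"warehouse": "wh-a"}),
    },
    spaces={
        "s_material": PermissionSpace(
            variables=["dept", "level"],
            values_by_serial={
                1: {"dept": "purchasing", "level": "read"},
                2: {"dept": "purchasing", "level": "write"},
            },
            data_by_serial={
                1: {"dept": frozenset({"po-1", "po-2", "po-3"}), "level": frozenset({"po-1", "po-2"})},
                2: {"dept": frozenset({"po-4", "po-5"}), "level": frozenset({"po-5"})},
            },
        ),
        "s_stock": PermissionSpace(
            variables=["warehouse"],
            values_by_serial={1: {"warehouse": "wh-a"}},
            data_by_serial={1: {"warehouse": frozenset({"sku-1", "sku-2"})}},
        ),
    },
)

if __name__ == "__main__":
    print(check_permission(SAMPLE, "alice", "s_material", 1))  # True: role has the space, values match
    print(check_permission(SAMPLE, "alice", "s_material", 2))  # False: serial 2 sets level=write
    print(check_permission(SAMPLE, "alice", "s_stock", 1))     # False: buyer role lacks s_stock
    print(data_for_user(SAMPLE, "alice", ["s_material", "s_stock"]))  # {'po-1', 'po-2'}
```

Note that a serial number the role does not match contributes nothing to the second data, so the data returned is bounded by what passes the step 101 to 106 check rather than by the space as a whole.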
In the RBAC-based permission control method described in this specific embodiment of the present invention, optionally, after the role corresponding to the user information has been obtained, the method further includes:
Confirming the resource corresponding to the request signal, where the resource represents an event that requires permission control. Specifically, a resource can be any event that requires permission control, such as a menu of an information system, a port number on a gateway, or a video on a video website. Taking an ERP system as an example, resources may be the system's menus, interfaces and reports; menus may include "Material Procurement Management" and "Material Inventory Management", and interfaces may include "Material Query", "Material Addition" and "Material Modification". The permission space corresponding to the resource is then obtained based on the resource. This embodiment differs from the above embodiment in that the permission space and the role are connected through the resource: the role is associated with the resource and the resource is associated with the permission space, so that permission control can be made finer-grained through different resources.
Obtaining the permission space corresponding to the resource based on the resource. In this specific embodiment, the permission space is looked up via the resource corresponding to the role, so that the permission space corresponding to the role is finally obtained. For example, if the resource is the material procurement management menu, it corresponds to the material procurement management permission space s_materil and the material inventory management permission space s_stock; that is, the material procurement management menu resource corresponds to the permission spaces s_materil and s_stock.
In the RBAC-based permission control method described in this specific embodiment of the present invention, optionally, the method further includes:
Obtaining a time-limited object, where the time-limited object defines the validity of an object, and the object includes: users, roles, resources, permission spaces, permission variables, and the correspondences between users and roles, between roles and resources, between resources and permission spaces, between roles and permission spaces, and between permission spaces and permission variables;
Computing the valid objects according to the time-limited object.
In a specific embodiment, a time-limited object is a definition of the validity of the object to which it belongs; it may be a period of time, a set of conditions, a specific environment, and so on. In this specific embodiment, as shown in FIG. 3, a time-limited object can act on all or some of the objects in the model; the objects include users, roles, resources, permission spaces and permission variables, as well as the correspondences between users and roles, between roles and resources, between resources and permission spaces, between roles and permission spaces, and between permission spaces and permission variables. With this embodiment, a system administrator or operator can create and modify the validity of objects at any time; when the validity condition is reached, the permission automatically takes effect or expires without a manual operation at the scheduled time, which greatly improves the security and efficiency of the system.
In the RBAC-based permission control method described in this specific embodiment of the present invention, optionally, the method further includes: generating a no-permission result when the role corresponding to the user does not contain the permission space, or when the variable value of the permission variable differs from the user's preset permission variable value. A no-permission result means that the user does not hold the requested permission, that is, has no right to obtain the permission. For example, a role that does not contain the permission space and a permission variable value that differs from the user's preset permission variable value are both cases in which there is no right to obtain the permission.
A specific embodiment of the present invention provides an RBAC-based permission control device, as shown in FIG. 4, which includes:
a receiving unit 401, configured to receive a request signal and confirm the permission space and permission space sequence number corresponding to the request signal, where the request signal is generated when a user requests a permission operation and the permission space is a permission control point;
a first judging unit 402, configured to judge whether the role corresponding to the user contains the permission space;
a first acquisition unit 403, configured to, if so, acquire the permission variable corresponding to the permission space, where the permission variable represents an attribute of the permission operation;
a second acquisition unit 404, configured to acquire the permission variable value according to the permission space sequence number;
a second judging unit 405, configured to judge whether the permission variable value is the same as the preset permission variable value of the role;
a generating unit 406, configured to, if so, generate a permission signal.
A specific embodiment of the present invention further provides a method for establishing an RBAC-based permission control model, as shown in FIG. 5, which includes:
Step 501: establish a permission space, where the permission space is a permission control point. Specifically, the permission space is the permission control point of the smallest granularity, representing the fine-grained division of controlled permissions down to the permission space. Dividing a user's permissions into several atomic permission spaces, so that the user's several permissions are each defined through a permission space, provides fine-grained permission control and makes the granting of permissions more precise.
Step 502: establish roles, and establish the association between users and roles and between the roles and the permission spaces. Specifically, users and roles may correspond one-to-one or many-to-many, that is, the same user may have different roles in different situations, and different roles map to different permission spaces; roles and permission spaces may likewise correspond one-to-one or many-to-many, that is, one role may have several permission spaces and one permission space may correspond to several roles. In this way an association between a user and one or more roles is established, and under each role an association between the role and several permission spaces is established.
Step 503: establish permission variables, and establish the association between the permission space and the permission variables. Specifically, a permission variable is a permission control attribute, which may be a functional permission control attribute or a data permission control attribute. A single permission variable cannot by itself constitute an executable concrete permission; a combination of several permission variables under one permission space is required to realise a concrete permission. Establishing the permission variable, a flexible permission control attribute, under the permission space, the permission control point of smallest granularity, further addresses the precision and granularity of permissions. In practice a permission space usually combines one or more permission variables to control a specific operation permission. The relationship between permission spaces and permission variables may be one-to-many or many-to-many, and is created as required.
Step 504: set one or more permission variable values corresponding to the permission variable;
Step 505: establish the correspondence between the permission variable values and the permission space sequence numbers. Specifically, a permission variable may contain one or more permission variable values; when the permission variable values are initially set, the range of values that may be assigned is restricted so that it meets the user's needs and makes the concrete function of the role explicit, and the different permission variable values of a permission variable are paired one-to-one with permission space sequence numbers.
The permission control model established in the above embodiment defines the permission space as the smallest permission control point and partitions the permission scope through the associations among users, roles and permission spaces, thereby addressing the precision and granularity of permissions and achieving precise permission control.
The method for establishing an RBAC-based permission control model described in this specific embodiment of the present invention further includes: establishing resources corresponding to the permission space, where a resource represents an event that requires permission control. Specifically, a resource can be any event that requires permission control, such as a menu of an information system, a port number on a gateway, or a video on a video website. Taking an ERP system as an example, resources may be the system's menus, interfaces and reports; menus may include "Material Procurement Management" and "Material Inventory Management", and interfaces may include "Material Query", "Material Addition" and "Material Modification". This embodiment differs from the above embodiment in that the permission space and the role are connected through the resource: the role is associated with the resource and the resource is associated with the permission space, so that permission control can be made finer-grained through different resources.
The method for establishing an RBAC-based permission control model described in this specific embodiment of the present invention further includes:
Establishing a time-limited object. In a specific embodiment, a time-limited object is a definition of the validity of the object to which it belongs; it may be a period of time, a set of conditions, a specific environment, and so on.
Establishing the association between the time-limited object and an object, where the time-limited object defines the validity of the object, and the object includes: users, roles, resources, permission spaces, permission variables, and the correspondences between users and roles, between roles and resources, between resources and permission spaces, between roles and permission spaces, and between permission spaces and permission variables. In this specific embodiment, a time-limited object can act on all or some of the objects in the model; the objects include users, roles, resources, permission spaces and permission variables, as well as the correspondences between users and roles, between roles and resources, between resources and permission spaces, between roles and permission spaces, and between permission spaces and permission variables. With this embodiment, a system administrator or operator can create and modify the validity of objects at any time; when the validity condition is reached, the permission automatically takes effect or expires without a manual operation at the scheduled time, which greatly improves the security and efficiency of the system.
A specific embodiment of the present invention further provides a device for establishing an RBAC-based permission control model, as shown in FIG. 6, which includes:
a first establishing unit 601, configured to establish a permission space, where the permission space is a permission control point;
a second establishing unit 602, configured to establish roles and to establish the association between users and roles and between the roles and the permission space;
a third establishing unit 603, configured to establish permission variables and to establish the association between the permission space and the permission variables;
a setting unit 604, configured to set one or more permission variable values corresponding to the permission variable;
a fourth establishing unit 605, configured to establish the correspondence between the permission variable values and the permission space sequence numbers.
The present invention further provides a concrete example. First, the permission variables to be controlled under a permission space are established according to the association between the permission space and the permission variables; then the permission variable values that may be assigned to each permission variable are confirmed and placed in one-to-one correspondence with permission space sequence numbers. For example, the following permission variables and their assignable permission variable values are confirmed:
The permission variable function button (v_button) represents the function buttons of the material procurement management page; its assignable permission variable values include query purchase order (query), add purchase order (add), modify purchase order (edit) and delete purchase order (del).
The permission variable factory (v_factory) represents an enterprise or factory; its assignable permission variable values include Daqing Petrochemical Enterprise (F001), Daqing Oil Production Plant No. 1 (F001002001), Daqing Oil Production Plant No. 2 (F001002002) and Daqing Refining and Chemical Plant No. 3 (F001003003).
The permission variable material type (v_materil_type) represents the kind of industrial material; its assignable permission variable values include heavy rail (M001), light rail (M002), large I-beam (M003) and H-beam (M004).
At this point the permission space s_materil has the permission variables v_button, v_factory and v_materil_type.
In an optional embodiment, the method further includes establishing roles, the resources each role contains, the permission spaces corresponding to the resources and the permission space sequence numbers corresponding to the permission spaces, and at the same time assigning permission variable values to the permission variables under each permission space, so as to make the concrete function of each role explicit. For example, the objects in Table 1 below are established:
Table 1
The association between users and roles is established. For example, role A is assigned to operator Jia (甲), roles B, C and D to operator Yi (乙), and roles B, D and E to operator Bing (丙).
In an optional embodiment, the method further includes creating time-limited objects and creating a model and algorithm for them. For example, a time-limited object may be modelled as a time period: the model contains two conditions, a start time and an end time, and the object is confirmed valid if the current time lies between the start time and the end time, and invalid otherwise. In a specific embodiment, time-limited objects are associated with users, user-role relations, roles, role-resource relations, resources, resource-permission-space relations, role-permission-space relations, permission spaces, permission-space-permission-variable relations and permission variables, with the appropriate time-limited object created according to the nature of each item. As shown in FIG. 7, a time-limited object is created and modelled with time-limited attributes; the model contains two attributes, a start time and an end time, assigned for example as start time 2022-05-01 and end time 2022-05-02, or as start time 2023-12-01 and end time 2023-12-08; if the current time lies between the start time and the end time, the object is confirmed valid, otherwise it is invalid. Then, as listed above, time-limited objects are associated with each of the objects and relations of the model, with the appropriate time-limited object created according to the nature of each item. For example, a time-limited object M is added to a role, and a time-limited object M is added to the relation between a user and a role.
Preferably, the created users, roles and other data are saved in a unified data format as one complete file, which is stored or copied; when user permission data are applied, they are fetched directly from the cache by user identifier, which avoids combining and computing the data at request time. This embodiment moves that work to pre-processing, improving the run-time efficiency of permission checks. Preferably, the data format is JSON.
To illustrate the permission control method of the embodiment, the present invention further provides a concrete example: the functional permission algorithm for operator Bing (丙). Operator Bing holds roles B, D and E, and an operation permission check is performed before an added purchase order is saved to the database. First, the time-limited objects of roles B, D and E are checked for validity; assume all are valid. Then it is checked whether operator Bing holds the permission space s_materil (create material procurement management); since roles B, D and E all contain s_materil, the next step is to check whether the values entered on the purchase order satisfy the user's roles. Suppose the form specifies the factory Daqing Oil Production Plant No. 1 (F001002001), the material heavy rail (M001) and the operation add purchase order (add). First, in role B, the permission variable v_button under permission space sequence number s_materil_1 has the value query, and query != add, so role B does not qualify. Next, in role D, v_button under s_materil_1 has the value add, which matches, but v_factory under s_materil_1 has the value F001002002, and F001002002 != F001002001, so role D does not qualify. Finally, in role E, v_button under s_materil_1 has the value query, and query != add, so role E does not qualify. No role qualifies, so operator Bing ultimately has no permission to add a purchase order for the factory Daqing Oil Production Plant No. 1 (F001002001) and the material heavy rail (M001). By the same algorithm, if the form specifies the factory Daqing Oil Production Plant No. 2 (F001002002), the material heavy rail (M001) and the operation add purchase order (add), role D of operator Bing qualifies, so operator Bing has the operation permission.
Taking data permissions as a further example, suppose the purchase order table in the database contains the data shown in Table 2 below:
Table 2
Operator Bing (丙) holds roles B, D and E, and a data permission check is performed when purchase orders are queried. First, the time-limited objects of roles B, D and E are checked for validity; assume all are valid. Then it is checked whether operator Bing holds the permission space s_materil; since roles B, D and E all contain s_materil, the first step passes. In the second step all rows of the table are retrieved and each is checked in turn. Because the permission operation on row 1 is query, row 1 maps to the permission variable values v_button=query, v_factory=F001002001 and v_materil_type=M001; these values are compared with those in roles B, D and E, and if all three permission variable values satisfy a role's requirements, operator Bing may view the row. Iterating over the roles, role B satisfies the requirements, so operator Bing may view row 1. Proceeding in the same way, row 4 maps to v_button=query, v_factory=F001003003 and v_materil_type=M002, which satisfy none of the preset permission variable values of roles B, D and E, so this row cannot be viewed and there is no permission for it. The data that operator Bing can finally obtain are shown in Table 3 below:
Table 3
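The functional permission check for operator Bing and the data permission filter described above, together with the time-limited objects and the model of steps 501 to 505, as an added Python example that is not the patent's own code. Table 1 and Table 2 are not reproduced on the page, so the role definitions, the validity window attached to role D and the purchase-order rows are constructed to agree with the worked examples in the text.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TimeWindow:
    """Time-limited object modelled as a period: valid only between start and end."""
    start: date
    end: date

    def is_valid(self, today: date) -> bool:
        return self.start <= today <= self.end


@dataclass
class Role:
    name: str
    # permission space -> permission space sequence number -> {variable: preset value}
    spaces: Dict[str, Dict[str, Dict[str, str]]]
    validity: Optional[TimeWindow] = None  # None: no time-limited object attached

    def is_valid(self, today: date) -> bool:
        return self.validity is None or self.validity.is_valid(today)


# Steps 501/503: permission space s_materil and its three permission variables (from the text).
SPACE_VARIABLES = {"s_materil": ("v_button", "v_factory", "v_materil_type")}

# Steps 502-505, constructed to match the worked examples (Table 1 is not on the page):
# each sequence number pairs one value of every permission variable of the space.
ROLES = {
    "B": Role("B", {"s_materil": {"s_materil_1": {
        "v_button": "query", "v_factory": "F001002001", "v_materil_type": "M001"}}}),
    "D": Role("D", {"s_materil": {"s_materil_1": {
        "v_button": "add", "v_factory": "F001002002", "v_materil_type": "M001"}}},
        validity=TimeWindow(date(2023, 12, 1), date(2023, 12, 8))),  # window from the text
    "E": Role("E", {"s_materil": {"s_materil_1": {
        "v_button": "query", "v_factory": "F001002002", "v_materil_type": "M001"}}}),
}
USER_ROLES = {"operator_bing": ["B", "D", "E"]}  # user-role association for operator 丙

TODAY_ALL_VALID = date(2023, 12, 5)  # inside role D's window: every time-limited object valid
TODAY_D_EXPIRED = date(2024, 1, 1)   # after role D's window: role D no longer counts


def check_permission(user: str, space: str, requested: Dict[str, str],
                     today: date) -> Tuple[bool, str]:
    """Functional permission check (steps 101-106).

    `requested` maps every permission variable of `space` to the value carried by
    the request. Returns (True, matching role/sequence number) or (False, reason)."""
    # time-limited objects are evaluated first: an expired role contributes nothing
    roles = [ROLES[r] for r in USER_ROLES.get(user, []) if ROLES[r].is_valid(today)]
    holders = [r for r in roles if space in r.spaces]
    if not holders:
        return False, "no valid role contains permission space %s" % space
    variables = SPACE_VARIABLES[space]
    for role in holders:
        for seq, preset in role.spaces[space].items():
            # every permission variable must equal the role's preset value for this sequence number
            if all(preset.get(v) == requested.get(v) for v in variables):
                return True, "role %s via %s" % (role.name, seq)
    return False, "permission variable values differ from every role's preset values"


def visible_orders(user: str, orders: List[Dict[str, str]],
                   today: date) -> List[Dict[str, str]]:
    """Data permission check (steps 107-110): each row is mapped to permission variable
    values with v_button=query and checked like a function request; the rows admitted by
    any role form the union returned to the user."""
    kept = []
    for row in orders:
        requested = {"v_button": "query", "v_factory": row["factory"],
                     "v_materil_type": row["material"]}
        if check_permission(user, "s_materil", requested, today)[0]:
            kept.append(row)
    return kept


# Constructed purchase-order rows standing in for Table 2.
ORDERS = [
    {"id": "1", "factory": "F001002001", "material": "M001"},
    {"id": "2", "factory": "F001002002", "material": "M001"},
    {"id": "3", "factory": "F001002001", "material": "M003"},
    {"id": "4", "factory": "F001003003", "material": "M002"},
]

if __name__ == "__main__":
    add = {"v_button": "add", "v_factory": "F001002001", "v_materil_type": "M001"}
    print(check_permission("operator_bing", "s_materil", add, TODAY_ALL_VALID))  # (False, ...)
    add["v_factory"] = "F001002002"
    print(check_permission("operator_bing", "s_materil", add, TODAY_ALL_VALID))  # (True, 'role D via s_materil_1')
    print(check_permission("operator_bing", "s_materil", add, TODAY_D_EXPIRED))  # (False, ...): role D expired
    print([r["id"] for r in visible_orders("operator_bing", ORDERS, TODAY_ALL_VALID)])  # ['1', '2']
```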
FIG. 8 shows a computer device provided by an embodiment herein; the permission control device of the embodiment may be the computer device of this embodiment, which executes the above method. The computer device 802 may include one or more processors 804, such as one or more central processing units (CPUs), each of which may implement one or more hardware threads. The computer device 802 may further include any memory 806 for storing any kind of information, such as code, settings and data. By way of non-limiting example, the memory 806 may include any one or combination of: any type of RAM, any type of ROM, flash memory devices, hard disks, optical disks, and so on. More generally, any memory may use any technology to store information. Further, any memory may provide volatile or non-volatile retention of information. Further, any memory may represent a fixed or removable component of the computer device 802. In one case, when the processor 804 executes associated instructions stored in any memory or combination of memories, the computer device 802 may perform any operation of the associated instructions. The computer device 802 further includes one or more drive mechanisms 808, such as hard disk drive mechanisms and optical disk drive mechanisms, for interacting with any memory.
The computer device 802 may further include an input/output module 810 (I/O) for receiving various inputs (via input devices 812) and providing various outputs (via output devices 814). One specific output mechanism may include a presentation device 816 and an associated graphical user interface (GUI) 818. In other embodiments the input/output module 810 (I/O), input devices 812 and output devices 814 may be omitted, the computer device serving only as one computer device in a network. The computer device 802 may further include one or more network interfaces 820 for exchanging data with other devices via one or more communication links 822. One or more communication buses 824 couple the components described above together.
The communication link 822 may be implemented in any manner, for example over a local area network, a wide area network (for example the Internet), a point-to-point connection, or any combination thereof. The communication link 822 may include any combination of hardwired links, wireless links, routers, gateway functions, name servers and the like, governed by any protocol or combination of protocols.
An embodiment of the present invention further provides a computer-readable storage medium storing one or more programs which can be executed by one or more processors to implement the steps of any of the permission control methods described above and/or any of the methods for establishing an RBAC-based permission control model described above.
It should be understood that in the various embodiments herein, the magnitude of the sequence numbers of the above processes does not imply an order of execution; the order of execution of each process should be determined by its function and internal logic and does not constitute any limitation on the implementation of the embodiments herein.
Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Therefore, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.
The present application is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the present application. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, an embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce a means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps are performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
The foregoing description of specific exemplary embodiments of the present invention has been presented for purposes of illustration and description. It is not intended to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The exemplary embodiments were chosen and described in order to explain the specific principles of the invention and its practical application, so as to enable those skilled in the art to make and use various exemplary embodiments of the invention and various alternatives and modifications. The scope of the invention is intended to be defined by the claims and their equivalents.
Claims (13)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211421260.7A CN118036023B (en) | 2022-11-14 | 2022-11-14 | RBAC-based authority control method, and method and device for establishing model |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN118036023A true CN118036023A (en) | 2024-05-14 |
| CN118036023B CN118036023B (en) | 2025-08-15 |
Family
ID=90986524
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211421260.7A Active CN118036023B (en) | 2022-11-14 | 2022-11-14 | RBAC-based authority control method, and method and device for establishing model |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118036023B (en) |
Citations (8)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060130150A1 (en) * | 2004-12-09 | 2006-06-15 | Garza-Gonzalez Daniel C | Context-sensitive authorization |
| CN1885297A (en) * | 2006-06-02 | 2006-12-27 | 石杰 | Method for role-based access control model with precise access control strategy |
| US20070283443A1 (en) * | 2006-05-30 | 2007-12-06 | Microsoft Corporation | Translating role-based access control policy to resource authorization policy |
| CN101571897A (en) * | 2009-06-04 | 2009-11-04 | 浙江大学 | Method for controlling access permission of massive objects in computer system |
| CN103078859A (en) * | 2012-12-31 | 2013-05-01 | 普天新能源有限责任公司 | Service system authority management method, equipment and system |
| CN110569667A (en) * | 2019-09-10 | 2019-12-13 | 北京字节跳动网络技术有限公司 | Access control method and device, computer equipment and storage medium |
| CN112906028A (en) * | 2021-03-04 | 2021-06-04 | 广州虎牙科技有限公司 | Access control method, device, electronic equipment and computer readable storage medium |
| CN113282896A (en) * | 2021-06-11 | 2021-08-20 | 上海数禾信息科技有限公司 | Authority management method and system |
- 2022-11-14 CN CN202211421260.7A patent/CN118036023B/en active Active
Non-Patent Citations (1)
| Title |
|---|
| 蒋友毅; 宋靖宇; 钟华: "P-RBAC: an access control model for portal environments", 计算机工程与应用 (Computer Engineering and Applications), no. 12, 21 April 2007 (2007-04-21) * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN118036023B (en) | 2025-08-15 |
Similar Documents
| Publication | Title |
|---|---|
| US11985131B2 (en) | Descendent case role alias |
| CN109522707B (en) | Role and resource-based user data read-write security authority control method and system |
| CN108351771B (en) | Maintain control over restricted data during deployment to a cloud computing environment |
| US11231912B2 (en) | Post-deployment modification of information-technology application using lifecycle blueprint |
| CN110851127A (en) | Universal evidence storage method based on block chain |
| CN107526766A (en) | Data organization method and development environment system |
| CN111464487B (en) | Access control method, device and system |
| CN114239035B (en) | Collaborative process execution system based on block chain and data access control method thereof |
| WO2020007132A1 (en) | Resource access control method and device |
| Ding et al. | Manufacturing system under I4.0 workshop based on blockchain: Research on architecture, operation mechanism and key technologies |
| CN117633828A (en) | Data access control method, device and medium based on semantic support |
| JP6708083B2 (en) | Application development environment providing system, application development environment providing method, application development environment providing program, and terminal device |
| JP2022003591A (en) | Device, method, and program for affiliation management |
| CN110348184B (en) | Industrial cloud-based permission resource configuration method, system and storage medium |
| CN118036023B (en) | RBAC-based authority control method, and method and device for establishing model |
| CN112686580B (en) | Workflow definition method and system capable of customizing flow |
| CN113746684A (en) | Network equipment management method and device, computer equipment and storage medium |
| CN119830313A (en) | Rights control system, rights control method, rights control apparatus, computer device, and storage medium |
| WO2021203817A1 (en) | Open interface management method, electronic device, and storage medium |
| US8429193B2 (en) | Security control of analysis results |
| WO2024213403A1 (en) | Digital twin generation using streaming of chemical product data |
| CN114331185A (en) | Subject processing method, device and equipment based on subject table |
| Andalib et al. | SCAC: Smart Contract-Based Access Control in IoT |
| CN112789596A (en) | Processing method and device for task processing request and block chain node equipment |
| US20250158988A1 (en) | Data provisioning using application programming interfaces |
Legal Events
| Code | Title |
|---|---|
| PB01 | Publication |
| SE01 | Entry into force of request for substantive examination |
| GR01 | Patent grant |