CN108683672B - Authority management method and device - Google Patents


Info

Publication number: CN108683672B (application CN201810492220.9A)
Authority: CN (China)
Prior art keywords: authentication, authority, policy, user, target object
Prior art date:
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Application number: CN201810492220.9A
Other languages: Chinese (zh)
Other versions: CN108683672A (en)
Inventors: 罗洪, 伍治源, 王俊, 王雷, 童轩, 魏再跃
Current assignee: Huawei Technologies Co Ltd (as listed by Google Patents; the list may be inaccurate)
Original assignee: Huawei Technologies Co Ltd
Priority date:
Filing date:
Publication date:

Events:
Application filed by Huawei Technologies Co Ltd
Priority claimed to CN201810492220.9A
Publication of CN108683672A
Application granted
Publication of CN108683672B
Legal status: Active
Anticipated expiration:

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Network architectures or network communication protocols for managing network security; network security policies in general
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/20 Managing network security; network security policies in general > H04L63/205 Involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers, or by selection according to the capabilities of the entities involved
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Controlling access to devices or network resources > H04L63/104 Grouping of entities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the invention disclose a permission management method and a device that implements it. In current practice only a fixed, unchangeable authentication policy can be applied, so when the access rights of many users to a target object need to be adjusted, each user's right to the target object has to be modified individually, which makes rights management inefficient. To address this, the invention modifies the authentication policy in use, so that the access rights obtained when many users are authenticated under the modified policy change together, which markedly improves the efficiency of rights management.

Description

Authority management method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for rights management.
Background
Rights management generally refers to ensuring, according to security rules or a security policy set by a system, that a user can access the resources they are authorized for and only those. Almost every system in which users participate has some form of rights management, and it is rights management that controls user access.
In the existing permission configuration process, when a user's permission for a target file needs to be adjusted, this can generally be done only by modifying that user's permission directly. If all members of department A were originally allowed to access folder a and that access now needs to be forbidden, the configuration process is: first delete each member of department A's permission data for folder a, then reconfigure each member's access to folder a as forbidden. When department A has many members, configuring permissions this way is inefficient, and because the original permission data is deleted in the process it cannot simply be restored later.
Disclosure of Invention
Embodiments of the invention provide a permission management method, a permission management device and a computer-readable storage medium that can modify the authentication policy in use and thereby change the access rights of many users to a target object, which helps improve the efficiency of permission configuration.
In a first aspect, an embodiment of the invention provides a rights management method for an electronic device. The electronic device holds at least two authentication policies, each of which is used to determine a user's access right to a target object, and each of which has a policy identifier. The method includes: receiving an authentication policy setting request that contains the policy identifier of the authentication policy to be set; setting the current authentication policy of the electronic device to the authentication policy corresponding to that policy identifier; and determining the access right to the target object according to the current authentication policy.
With this scheme the current authentication policy can be modified, so that the access right to the target object obtained when authentication is performed under the modified current policy changes. On the one hand, modifying the current authentication policy changes the access rights of many users to the target object at once, which improves rights management efficiency; on the other hand, modifying the current authentication policy does not require deleting the users' original rights data for the target object, so the earlier rights are easy to restore, which likewise improves efficiency.
In one implementation, the user has at least two authentication identities, each with its own right to the target object, and the authentication policies include a first authentication policy that determines the user's access right to the target object from the rights of the user's individual authentication identities. Setting the current authentication policy of the electronic device to the policy corresponding to the policy identifier may then consist of setting it to the first authentication policy corresponding to that identifier.
This allows different first authentication policies to be customized for different enterprises, departments and the like according to their rights requirements, improving rights management efficiency. In addition, when the user has at least two authentication identities and the application scenario changes, the user's right to access the target object can be changed simply by adjusting the current authentication policy; the right values of the user's authentication identities for the target object need not be adjusted, so the right can be changed and later restored without clearing historical data, which improves rights management efficiency.
In one implementation, the target object is a lowest-level subdirectory in a file directory that has at least two layers of directories, each authentication identity of the user has a right for each directory layer, and the authentication policies include a second authentication policy that determines the access right of each authentication identity of the user to the target object from those per-layer rights. Setting the current authentication policy of the electronic device to the policy corresponding to the policy identifier may then consist of setting it to the second authentication policy corresponding to that identifier.
This allows different second authentication policies to be set for different enterprises or departments to meet their individual rights requirements, which helps improve rights management efficiency. In addition, when the user has an authentication identity and the application scenario changes, the right of that identity to access the target object, and hence the user's right to access it, can be changed simply by adjusting the current authentication policy; the per-layer right values of the identity relative to the target object need not be adjusted, so the right can be changed and later restored without clearing historical data, which improves rights management efficiency.
In one implementation, the authentication policies include at least two of the following: a near-right authentication policy, a first highest-right policy, a second highest-right policy, a first lowest-right policy, a second lowest-right policy and a priority authentication policy, where:
    • the near-right authentication policy determines the right of a user's authentication identity to the target directory as that identity's access right to the target object, the target directory being the directory closest to the target object;
    • the first highest-right policy determines the highest right among the rights of the user's authentication identities to the target object as the user's access right to the target object;
    • the second highest-right policy determines the highest right among the rights of an authentication identity for each directory layer as that identity's access right to the target object;
    • the first lowest-right policy determines the lowest right among the rights of the user's authentication identities to the target object as the user's access right to the target object;
    • the second lowest-right policy determines the lowest right among the rights of an authentication identity for each directory layer as that identity's access right to the target object;
    • the priority authentication policy determines, if a preset identity is among the user's at least two authentication identities, the preset identity's right to the target object as the user's access right to the target object.
The invention thus provides several authentication policies, comprising multi-level policies (over directory layers) and multi-identity policies (over a user's identities). During rights configuration, richer configuration schemes can be obtained by combining a multi-level policy with a multi-identity policy in different ways, which improves the flexibility of the rights management method.
In one implementation, after the current authentication policy of the electronic device is set to the policy corresponding to the policy identifier, a timer is started; when it reaches a preset duration, the authentication policy applied to the user for the target object is restored to the policy in use before the policy corresponding to the policy identifier was set.
This makes it possible to grant a user a temporary right regarding the target object, which matches more application scenarios. Because the temporary right is cleaned up automatically, the workload of rights administrators is reduced and the rights management method becomes more intelligent and flexible.
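The policies listed above and the timed restore, as an added Python example that is not the patent's or Huawei's code. Each policy identifier names one multi-level rule (over directory layers) and one multi-identity rule (over the user's identities), which is how the description says the two kinds of policy combine. The identifiers, the two-value DENY/ALLOW scale, the constructed rights table, the "deny when no entry exists" default and the priority policy's fallback to the lowest right are assumptions made for illustration.

```python
"""Switchable authentication policies over a multi-level directory and multi-identity users.
Added example, not the patent's code: the policy identifiers, the composite policies, the
two-value right scale, the sample rights table and the priority fallback are assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

DENY, ALLOW = 0, 1  # assumed two-value scale; the larger value is the more permissive right

# Constructed sample "rights database": (authentication identity, directory) -> right.
# The target object is the lowest-level subdirectory "/dept/a"; its layers are "/", "/dept", "/dept/a".
RIGHTS: Dict[Tuple[str, str], int] = {
    ("grp1", "/"): ALLOW, ("grp1", "/dept"): ALLOW, ("grp1", "/dept/a"): DENY,
    ("grp2", "/"): DENY,  ("grp2", "/dept"): DENY,  ("grp2", "/dept/a"): ALLOW,
    ("audit", "/"): DENY, ("audit", "/dept"): ALLOW, ("audit", "/dept/a"): ALLOW,
}

def layers(target: str) -> List[str]:
    """Directory layers from the root down to the target: '/dept/a' -> ['/', '/dept', '/dept/a']."""
    parts = [p for p in target.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]

def rights_along(identity: str, target: str) -> List[int]:
    """One identity's rights on each layer, root first; layers without an entry are skipped."""
    return [RIGHTS[(identity, d)] for d in layers(target) if (identity, d) in RIGHTS]

# Multi-level rules: (identity, target) -> the identity's access right to the target object.
def near_right(identity: str, target: str) -> int:
    """Near-right policy: the right on the directory closest to the target that has an entry."""
    found = rights_along(identity, target)
    return found[-1] if found else DENY  # assumed: no entry on any layer means deny

def level_highest(identity: str, target: str) -> int:
    """Second highest-right policy: the highest right across all directory layers."""
    return max(rights_along(identity, target), default=DENY)

def level_lowest(identity: str, target: str) -> int:
    """Second lowest-right policy: the lowest right across all directory layers."""
    return min(rights_along(identity, target), default=DENY)

# Multi-identity rules: {identity: right} -> the user's access right to the target object.
def identity_highest(per_identity: Dict[str, int]) -> int:
    """First highest-right policy: the most permissive right among the user's identities."""
    return max(per_identity.values())

def identity_lowest(per_identity: Dict[str, int]) -> int:
    """First lowest-right policy: the most restrictive right among the user's identities."""
    return min(per_identity.values())

def priority_identity(preset: str) -> Callable[[Dict[str, int]], int]:
    """Priority policy: the preset identity's right wins when the user holds that identity.
    The page does not say what happens otherwise; falling back to the lowest right is assumed."""
    def rule(per_identity: Dict[str, int]) -> int:
        return per_identity[preset] if preset in per_identity else identity_lowest(per_identity)
    return rule

# Policy registry: a policy identifier names one multi-level rule and one multi-identity rule.
POLICIES: Dict[str, Tuple[Callable[[str, str], int], Callable[[Dict[str, int]], int]]] = {
    "P-NEAR-HIGHEST": (near_right, identity_highest),
    "P-NEAR-LOWEST": (near_right, identity_lowest),
    "P-LEVEL-HIGHEST": (level_highest, identity_highest),
    "P-LEVEL-LOWEST": (level_lowest, identity_lowest),
    "P-NEAR-AUDIT-FIRST": (near_right, priority_identity("audit")),
}

class PolicyEngine:
    """Keeps the current policy identifier and restores the previous one when a timer expires."""

    def __init__(self, policy_id: str) -> None:
        self.current = self._check(policy_id)
        self.previous: Optional[str] = None
        self.expires_at: Optional[float] = None

    @staticmethod
    def _check(policy_id: str) -> str:
        if policy_id not in POLICIES:
            raise KeyError(f"unknown policy identifier {policy_id!r}")
        return policy_id

    def set_policy(self, policy_id: str, now: float, ttl: Optional[float] = None) -> None:
        """Policy setting request. With a ttl, the previous policy comes back after ttl seconds.
        RIGHTS is never modified, so restoring needs no reconfiguration of user rights."""
        self.previous, self.current = self.current, self._check(policy_id)
        self.expires_at = None if ttl is None else now + ttl

    def active_policy(self, now: float) -> str:
        """Policy in force at time `now`; the clock is passed in so the timer is testable."""
        if self.expires_at is not None and now >= self.expires_at and self.previous is not None:
            self.current, self.previous, self.expires_at = self.previous, None, None
        return self.current

    def authorize(self, identities: List[str], target: str, now: float) -> int:
        """Authentication request: multi-level rule per identity, then the multi-identity rule."""
        level_rule, identity_rule = POLICIES[self.active_policy(now)]
        return identity_rule({i: level_rule(i, target) for i in identities})
```

Switching the identifier changes the outcome for every user and object evaluated afterwards while RIGHTS stays untouched, which is the restore property the text relies on. In a deployment the clock would come from the system time, and the setting request itself is a privileged operation that must be limited to administrators, since whoever can flip the identifier can widen everyone's access in one step.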
In a second aspect, an embodiment of the invention provides a rights management device that has the functions needed to implement the rights management method of the first aspect. The functions may be implemented in hardware, or by hardware executing corresponding software; the hardware or software includes one or more modules corresponding to the functions described above.
In a third aspect, an embodiment of the present invention provides a computer-readable storage medium for storing computer program instructions for a rights management device, which includes a program for executing the above first aspect.
In a fourth aspect, an embodiment of the present invention provides an electronic device, where the electronic device includes a memory and a processor, where the memory stores program instructions, and the processor calls the program instructions stored in the memory to implement the rights management method provided in the first aspect.
By implementing these embodiments, the current authentication policy can be modified so that the access right to the target object obtained when authentication is performed under the modified current policy changes. On the one hand, modifying the current authentication policy changes the access rights of many users to the target object at once, which helps improve rights management efficiency; on the other hand, modifying the current authentication policy does not require deleting the users' original rights data for the target object, so the earlier rights are easy to restore, which likewise improves efficiency.
Drawings
To illustrate the technical solutions in the embodiments or the background art more clearly, the drawings used in the embodiments or the background art are described below.
FIG. 1 is a schematic architecture diagram of a communication system according to an embodiment of the present invention;
FIG. 2 is a flowchart of a rights management method according to an embodiment of the present invention;
FIG. 3a is a diagram of a rights management interface according to an embodiment of the present invention;
FIG. 3b is a diagram of a new rights management interface according to an embodiment of the present invention;
FIG. 4 is a diagram of another rights management interface according to an embodiment of the present invention;
FIG. 5 is a flowchart of another rights management method according to an embodiment of the present invention;
FIG. 6 is a flowchart of another rights management method according to an embodiment of the present invention;
FIG. 7 is a flowchart of another rights management method according to an embodiment of the present invention;
FIG. 8 is a flowchart of an authentication method according to an embodiment of the present invention;
FIG. 9 is a schematic structural diagram of a rights management device according to an embodiment of the present invention;
FIG. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described below with reference to the drawings.
The embodiments of the invention concern a user's rights to access objects such as a file, a folder or another information resource, and in particular the large number of such objects in a large enterprise. Rights are set richly for each authentication subject in the organization, such as a group or a person, and a flexible rights configuration method achieves efficient rights management while also improving the security of enterprise resources.
Rights management involves rights configuration and authentication; rights configuration means setting the rights with which users access resources. In one implementation, the configuration process mainly involves an administrator and a rights database. An administrator is a user who can add, delete, query and modify rights; a system generally has one or more administrators. Administrators are responsible for managing rights, so that not just any user can change them.
In one implementation, the access right of each user to each resource is stored in a rights database, and a user's right to access a resource is modified by modifying the data in that database. The rights database may be stored on a resource server or on a terminal device.
To better understand the rights management method disclosed in the embodiments, the communication system to which the embodiments apply is first described.
Referring to FIG. 1, FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present invention. As shown in FIG. 1, the communication system includes a terminal device 101, an electronic device 102 with an authentication module 1021 integrated in it, and a user device 103. The terminal device 101 may be a User Equipment (UE), a remote terminal, a mobile terminal, a wireless communication device, a user agent or a user apparatus. The user device 103 may be a mobile phone, a desktop computer, a laptop computer and so on. The electronic device 102 may store a target object (for example, a file) and manage the rights to the target object. In one implementation, the electronic device 102 consists of a processor, a memory and a network interface. In one implementation, the electronic device 102 may be a terminal device or a server (for example, a resource server such as a video server or a novel (e-book) server); the embodiments do not limit this. The authentication module 1021 handles the operations related to rights management, such as rights configuration and authentication. In one implementation, the electronic device 102 also stores a rights database, and the authentication module 1021 reads the rights data stored in it to authenticate users. The rights database may be SQL Server, Oracle, DB2 or another common database; the embodiments do not limit this.
As shown in FIG. 1, the administrator performs rights configuration by operating the terminal device 101 to access the authentication module 1021 in the electronic device 102. When an ordinary user operates the user device 103 to access a target object stored in the electronic device 102, the authentication module 1021 authenticates the user for the target object to be accessed, and only after authentication passes can the user access the target object.
It should be understood that the communication system described here serves to illustrate the technical solution of the embodiments more clearly and does not limit it. As a person of ordinary skill in the art will recognize, the technical solution provided by the embodiments remains applicable to similar technical problems as the system architecture evolves and new service scenarios appear.
In a Windows system, a user's rights to a target object may be deny, allow or inherited by default, evaluated in the order deny > allow > inherited by default. That is, when a user has multiple identities, each with different rights to the target object, the electronic device determines the user's actual right to the target object with the fixed policy deny > allow > inherited by default. (Stated more precisely for Windows ACL evaluation: explicit entries take precedence over inherited ones, and within each of those groups a deny entry takes precedence over an allow entry.) For example, suppose members of group 1 are meant to be allowed to access folder a (the target object), but in the electronic device members of group 2 are set to denied for folder a. When a user belongs to both groups (that is, has two identities) and the electronic device runs Windows, the device applies deny > allow > inherited by default and the user's actual right to folder a is denied.
In a Linux system, a user's rights to a target object may be deny or allow, evaluated as allow > deny. That is, when a user has multiple identities, each with different rights to the target object, the electronic device determines the user's actual right with the fixed policy allow > deny. For example, suppose members of group 1 are meant to be denied access to folder a (the target object), but in the electronic device members of group 2 are set to allowed for folder a. When a user belongs to both groups and the electronic device runs Linux, the device applies allow > deny and the user's actual right to folder a is allowed. (This matches the POSIX ACL access check described in acl(5): a process that matches several named group entries is granted access if any of those entries grants the requested permission, subject to the mask entry; with plain mode bits only the file's owning group is consulted.)
These examples show that in the prior art a fixed, unchangeable authentication policy is used to determine a user's actual right to a target object (deny > allow > inherited by default in Windows, allow > deny in Linux). The actual right obtained for the target object is therefore the same in every scenario; the policy cannot adapt to a changed application scenario to yield a different actual right, which lowers the efficiency of rights management. The rights management method of the embodiments can modify the authentication policy, so that the actual right obtained when the user is authenticated under the modified policy changes and matches the current application scenario or user requirement, which helps improve rights management efficiency. In the scenario of the Linux example above, the requirement can be met by switching the policy applied by the system to deny > allow (making the user's actual right to folder a deny).
Based on the architecture diagram of the communication system shown in fig. 1, please refer to fig. 2, and fig. 2 is a flowchart illustrating a rights management method according to an embodiment of the present invention, the method includes, but is not limited to, the following steps:
step S201: the electronic equipment receives an authentication policy setting request, wherein the authentication policy setting request comprises a policy identifier of an authentication policy to be set. The electronic device comprises at least two authentication strategies, wherein the authentication strategies are used for determining the access authority of a user to a target object, and the target object refers to an entity of authority management, such as a folder or a file. It should be noted that, by performing authentication processing on the user by using different authentication policies, the obtained access rights of the user to the target object are different. Therefore, the access right of the user to the target object can be changed by modifying the authentication strategy adopted by the electronic equipment. Specifically, the electronic device receives the authentication policy setting request, which indicates that the authentication policy needs to be modified, and further, the electronic device may obtain a policy identifier of the authentication policy to be set, which is included in the authentication policy setting request, and modify the current authentication policy adopted by the electronic device into the authentication policy corresponding to the policy identifier. When the subsequent electronic device receives the authentication request, the authentication processing is performed on the user by using the current authentication strategy (i.e. the authentication strategy corresponding to the strategy identifier). Each authentication strategy has a strategy identification, and the strategy identification is used for uniquely identifying the authentication strategy.
In one implementation, the authentication policy setting request may be generated and sent by the terminal device. In another implementation, the authentication policy setting request may be generated by an authentication module, for example, the authentication module may generate the authentication policy setting request when a click operation of a user on a determination adjustment button included in a rights management interface displayed in the electronic device is detected. Wherein, the authentication module can be integrated in the electronic device.
Step S202: and the electronic equipment sets the current authentication strategy as the authentication strategy corresponding to the strategy identification. At least two authentication strategies are stored in the electronic device, and the current authentication strategy adopted by the electronic device can be one of the at least two authentication strategies. It should be noted that, before step S202, the current authentication policy adopted by the electronic device may be set by the electronic device by default, or may be set by the user according to an actual situation, which is not limited in the embodiment of the present invention.
In one implementation, the modification process of modifying the current authentication policy into the authentication policy corresponding to the policy identifier by the electronic device may take effect on all target objects stored in the electronic device, that is, after step S202, if the electronic device receives an authentication request of a user on different target objects, the same current authentication policy (i.e., the authentication policy corresponding to the policy identifier) is used to authenticate the user. For example, after the electronic device modifies the current authentication policy to authentication policy a, if an authentication request for a user to access to file a and file b is received, the electronic device performs authentication processing on the user by using authentication policy a. By the method, the authentication strategies of a large number of target objects can be modified in batch, and the authority management efficiency is improved.
In one implementation, the authentication policy setting request may further include an object identifier of the target object to be set, and accordingly, the electronic device may modify the current authentication policy of the target object corresponding to the object identifier to the authentication policy corresponding to the policy identifier, that is, the modification process in step S202 is only effective on the target object corresponding to the object identifier. The object identifier is used to uniquely identify the target object, for example, when the target object is folder a, the object identifier may be a storage path of folder a in the electronic device. For example, a file a and a file B are stored in the electronic device, the authentication policies originally adopted for the file a and the file B are both authentication policy a, if the electronic device receives an authentication policy setting request about the file a and modifies the current authentication policy about the file a into an authentication policy B, then when the subsequent electronic device receives the authentication requests about the file a and the file B, the authentication policy B is adopted to determine the access authority of the user about the file a, and the authentication policy a is adopted to determine the access authority of the user about the file B. By the method, different target objects (such as common files and important files) stored in the electronic equipment can be subjected to differentiated authority management, and the safety of the authority management is improved.
In an implementation manner, the modification process described in step S202 may be effective for all users, that is, after step S202, if the electronic device receives authentication requests of different users regarding the same target object, the same current authentication policy (i.e., the authentication policy corresponding to the policy identifier) is adopted to perform authentication processing on the different users. For example, after the electronic device modifies the current authentication policy to authentication policy a, if an authentication request for accessing the file a by the user a and the user B is received, the electronic device performs authentication processing on the user a and the user B by using the authentication policy a. By the method, the authentication strategies of a large number of users can be modified in batch, and the authority management efficiency is improved.
In one implementation, the authentication policy setting request may further include a user identifier of the target user to be set; accordingly, the electronic device may modify the current authentication policy of the target user corresponding to the user identifier into the authentication policy corresponding to the policy identifier, that is, the modification process in step S202 is effective only for the target user corresponding to the user identifier. The user identifier is used to uniquely identify the target user; for example, the user identifier may be an identity card number, a job number, or a user name. For example, if user A needs to travel to company B for work, the electronic device may modify the current authentication policy of user A to authentication policy A while keeping the current authentication policy of the employees of company B as authentication policy B, so that when user A and the employees of company B access the same file of company B (such as an important file), the access rights obtained differ because the authentication policies differ, thereby preventing some important files of company B from leaking. By this method, different users can be subjected to differentiated authority management, and the security of authority management is improved.
Step S203: the electronic device determines the access right of the target object according to the current authentication policy. Specifically, the electronic device may determine the access right of the target object according to the current authentication policy when it receives an authentication request for the target object.
The access rights of a user to a target object may include: deny, allow, and inherit by default. In one implementation, a user may have M authority values for a target object, each authority value corresponding to one access right. For example, if the authority value is first-level permission (1), the corresponding access right is allow. M is a positive integer, and M may be increased according to actual needs. For example, the 5 original authority values (i.e., M is 5) of a user for a certain target object are: default prohibition (0), first-level permission (1), first-level prohibition (2), second-level permission (3) and second-level prohibition (4); two further authority values may be added according to actual needs: third-level permission (5) and third-level prohibition (6), in which case M is 7. The Arabic numerals in parentheses represent the size of the authority value; for example, third-level permission (5) is smaller than third-level prohibition (6). It should be noted that the value of M may be expanded without limit according to a change of scenario or user requirement; M = 7 is merely an example and does not limit the embodiment of the present invention, and the value of M may also be 8, 9, 12, 25, and the like.
It should be further noted that third-level permission being smaller than third-level prohibition above is by way of example only; in other possible implementations, third-level permission may also be larger than third-level prohibition, which is not limited by the embodiment of the present invention.
In the embodiment of the present invention, a user may include one or more authentication identities, and the authentication policy stored in the electronic device may include two types: multi-identity authentication strategy and multi-level authentication strategy. In one implementation, if the user includes multiple authentication identities, and each authentication identity has mutually independent identity permission values with respect to the target object, when the electronic device receives an authentication request for the target object, the process of how the electronic device selects one identity permission value among the multiple identity permission values as the permission value of the user for the target object may be managed by a multi-identity authentication policy. It can be understood that, when the electronic device performs authentication processing on the target object by the user according to different multi-identity authentication policies, the obtained authentication result may be different. Therefore, the electronic device may select a target multi-identity authentication policy (or a first authentication policy) matching the current application scenario or the user requirement from the multiple candidate multi-identity authentication policies based on the user requirement or the difference of the application scenarios, and set the current multi-identity authentication policy as the target multi-identity authentication policy, so that the access right of the target object obtained according to the current multi-identity authentication policy matches the current application scenario.
In one implementation, the file directory to which the target object belongs may include at least two layers of directories, and each authentication identity of the user has a hierarchy authority value for each layer of directory, and when the electronic device receives an authentication request for the target object, the process of how the electronic device selects one hierarchy authority value from the hierarchy authority values as the authority value of the authentication identity of the user for the target object may be managed by a multi-hierarchy authentication policy. It can be understood that, when the electronic device performs authentication processing on the target object by the user according to different multi-level authentication policies, the obtained authentication result may be different. Therefore, the electronic device may select a target multi-level authentication policy (or a second authentication policy) matching the current application scenario or the user requirement from the multiple candidate multi-level authentication policies based on the difference between the user requirements or the application scenarios, and set the current multi-level authentication policy as the target multi-level authentication policy, so that the access right of the authentication identity of the user to the target object obtained according to the current multi-level authentication policy matches the current application scenario.
In the prior art, a fixed and unchangeable authentication policy is adopted in every scenario, so if the access right of the target object needs to be changed, the only option is to delete the original identity authority value that each authentication identity of the user has for the target object and configure a new identity authority value in its place. This prior-art approach leads to a problem: it is difficult to restore the original access right of the target object. By adopting the authority management method of the embodiment of the present invention, when the application scenario changes, the access right of the target object can be changed merely by modifying the current multi-identity authentication policy to the target multi-identity authentication policy, and the authority can be changed and restored without changing the original identity authority value of the authentication identity for the target object, that is, without clearing historical data.
Therefore, by implementing the embodiment of the present invention, the current authentication policy can be modified so that the access right of the target object obtained by performing authentication processing according to the modified current authentication policy changes. On the one hand, the access rights of multiple users to the target object can be affected (or changed) by modifying the current authentication policy, which helps improve authority management efficiency; on the other hand, in the process of modifying the current authentication policy, the original authority data of the user about the target object (such as hierarchy authority values and identity authority values) does not need to be deleted, which makes authority restoration convenient and further improves authority management efficiency.
In case the user comprises a plurality of authentication identities, the access rights of the target object are related to the identity rights values of each authentication identity corresponding to the user with respect to the target object. In one implementation, the electronic device may change the access right of the target object obtained by the electronic device according to the target multi-identity authentication policy by adding an authentication identity, such as a target authentication identity, to the user and setting an identity right value, such as a target identity right value, for the target authentication identity to access the target object. By the method, the access authority of the target object can be changed on the basis of not changing the original identity authority value of each original authentication identity of the user relative to the target object. And if the access right of the target object needs to be restored to the original access right subsequently, only the newly added target authentication identity and the newly added target identity authority value need to be deleted, so that the operation is simple and the error is not easy to occur.
Taking an interface schematic diagram of a rights management interface shown in fig. 3a as an example, an administrator may configure access rights of a user with respect to a target object through the rights management interface. In one implementation, the rights management interface may include a user identifier, a target object, an adjusted authentication policy, an add authentication identity button, a confirm adjust button, and a cancel adjust button. As can be seen from fig. 3a, the administrator may edit the target object, the user identification, and the adjusted authentication policy text box. For example, the user may input the authentication policy a in the adjusted authentication policy text box to determine the authentication policy a as the adjusted authentication policy, where the shadow effect of the authentication policy a indicates that the authentication policy is in an editable state. For another example, when the user clicks the adjusted authentication policy text box, a selection box (not shown) may be output, where the selection box includes the alternative authentication policies, and the user may select the authentication policy a from the alternative authentication policies to determine the authentication policy a as the adjusted authentication policy.
As shown in fig. 3a, by clicking the add authentication identity button, the administrator may cause a new rights management interface to pop up, whose interface schematic diagram is shown in fig. 3b; in the added authentication identity text box of the new rights management interface, the administrator may further input the authentication identity to be added to the user, i.e., the target authentication identity (e.g., VIP group member). When the administrator clicks the confirm adjust button shown in fig. 3a or fig. 3b, the electronic device may generate an authentication policy setting request, and further, the electronic device may set the current authentication policy as authentication policy A (entered in the adjusted authentication policy text box) to complete the configuration process of the access right to the target object. After the configuration is completed, the access right of the target object is changed to match the current application scenario.
Taking the interface schematic diagram of another rights management interface shown in fig. 4 as an example, the rights management interface may include a user identifier, a target object, a right to be configured, a confirm adjust button, and a cancel adjust button. The right input in the right-to-be-configured text box is the right that the configurator wishes the user to obtain under the current application scenario when the user is authenticated with respect to the target object. For example, the document C:\internal material (i.e., the target object) is internal material of company A. Zhang San was not an employee of company A before April 24, and therefore the right of Zhang San to C:\internal material was prohibited before April 24. But Zhang San formally becomes an employee of company A on April 24 and should have the right to access the internal material of the company. In this scenario, the authority manager of company A may input the right desired to be obtained (i.e., permission) into the right-to-be-configured text box and send the authority adjustment information to the electronic device by clicking the confirm adjust button. Furthermore, the electronic device can automatically calculate a suitable authentication policy based on the right desired to be obtained and adjust the authentication policy of Zhang San for C:\internal material, so that the new right of Zhang San to C:\internal material obtained according to the adjusted authentication policy is consistent with the right desired to be obtained and matches the current application scenario. By this method, the work of authority management personnel can be effectively reduced, and authority management efficiency can be improved.
It should be noted that, the number of the target objects in the rights management interface described in fig. 3a, fig. 3b, and fig. 4 is only one for example, and in other possible implementations, the number of the target objects in the rights management interface may be at least two. For example, when the target objects in the rights management interface are the file a and the file B, the electronic device may complete the rights configuration of the user with respect to the two target objects (i.e., the file a and the file B) through one configuration process, and compared with a mode in which the rights configuration process needs to be performed twice for the two target objects, the rights configuration efficiency can be effectively improved by using the method. For another example, in a scene of employee resignation, the employee needs to be completely prohibited from accessing ALL files inside the company a, at this time, "ALL" may be input in a target object text box in an authority management interface, and the authority to be configured is set to be prohibited, so that the resignation employee cannot access any file of the original company, which is beneficial to improving the security of resources, and meanwhile, the authority configuration efficiency can be effectively improved.
It should be further noted that the rights management interfaces shown in fig. 3a, fig. 3b, and fig. 4 are only for example and do not limit the embodiments of the present invention. In other possible implementations, the rights management interface may further include other parameters related to the rights configuration, such as the effective time and the ineffective time of the rights configuration.
Referring to fig. 5, fig. 5 is a schematic flow chart of another rights management method according to an embodiment of the present invention, where the method includes, but is not limited to, the following steps:
Step S501: the electronic device receives an authentication policy setting request, where the authentication policy setting request includes a policy identifier of a first authentication policy to be set. The first authentication policy is used to determine the access right of the user to the target object. In one implementation, if the user includes at least two authentication identities, and each authentication identity has a corresponding identity authority value with respect to the target object, the electronic device may determine the access right of the user to the target object according to the identity authority value that each authentication identity of the user has and the current multi-identity authentication policy.
In an implementation manner, the identity authority value that each authentication identity of the user has with respect to the target object may be directly set by the electronic device, or may be obtained by the electronic device according to the current multi-tier authentication policy in the embodiment of fig. 6 and the tier authority value that the authentication identity included by the user has at each storage tier, which is not limited in this embodiment of the present invention.
Step S502: the electronic device sets its current authentication policy as the first authentication policy corresponding to the policy identifier. When the user includes at least two authentication identities, the access right of the user to access the target object is obtained according to the identity authority value of each authentication identity for the target object and the current multi-identity authentication policy adopted by the electronic device. It can be understood that the electronic device may change the access right of the user to access the target object by modifying the current multi-identity authentication policy to the target multi-identity authentication policy (i.e., the first authentication policy).
In one implementation, at least two multi-identity authentication policies may be stored in the electronic device, and the electronic device may select one multi-identity authentication policy from the at least two multi-identity authentication policies as a target multi-identity authentication policy (i.e., a first authentication policy), and further modify the current multi-identity authentication policy into the target multi-identity authentication policy (i.e., the first authentication policy), thereby changing an access right of the user to access the target object.
In one implementation, the multi-identity authentication policy may include: a first highest authority policy, a first lowest authority policy, and a priority authentication policy. Taking the identity authority values of the respective authentication identities included in the user with respect to the target object shown in table 1 as an example, where the user has 5 authentication identities (VIP group 1 member, group 2 member, group 3 member, anyone, and user Zhang San), modifying the current multi-identity authentication policy into a target multi-identity authentication policy changes the access right of the user to access the target object.
Table 1: Identity authority value table
Authentication identity      Identity authority value
VIP group 1 member           First-level permission (1)
Group 2 member               Default prohibition (0)
Group 3 member               Second-level permission (3)
Anyone                       First-level prohibition (2)
User Zhang San               Default prohibition (0)
The first highest authority policy is: determine the highest authority among the authorities of each authentication identity of the user for the target object as the access right of the user to the target object, that is, determine the maximum identity authority value among the identity authority values of each authentication identity of the user for the target object as the authority value of the user for the target object. For example, if the current multi-identity authentication policy is modified to the first highest authority policy, then in table 1 the authority value of the user for accessing the target object is the maximum identity authority value among first-level permission (1), default prohibition (0), second-level permission (3), first-level prohibition (2) and default prohibition (0), namely second-level permission (3).
The first lowest authority policy is: determine the lowest authority among the authorities of each authentication identity of the user for the target object as the access right of the user to the target object, that is, determine the minimum identity authority value among the identity authority values of each authentication identity of the user for the target object as the authority value of the user for the target object. For example, if the current multi-identity authentication policy is modified to the first lowest authority policy, then in table 1 the authority value of the user for accessing the target object is the minimum identity authority value among first-level permission (1), default prohibition (0), second-level permission (3), first-level prohibition (2) and default prohibition (0), namely default prohibition (0).
The priority authentication policy is: if a preset identity exists among the at least two authentication identities included in the user, determine the authority of the preset identity for the target object as the access right of the user to the target object, that is, determine the identity authority value of the preset identity for the target object as the authority value of the user for the target object. For example, if the current multi-identity authentication policy is modified to the priority authentication policy and the preset identity is a VIP group member, then in table 1 the authority value of the user for accessing the target object is the identity authority value corresponding to the authentication identity VIP group 1 member, namely first-level permission (1). For another example, if the preset identity is a specific person, then in table 1 the authority value of the user for accessing the target object is the identity authority value corresponding to the authentication identity user Zhang San, namely default prohibition (0), because the specific person among the user's authentication identities is user Zhang San.
It should be noted that the multi-identity authentication policy is only used for example, and is not limited to the embodiment of the present invention, and in other possible implementations, other multi-identity authentication policies may also be included.
In one implementation, the target multi-identity authentication policy (i.e., the first authentication policy) may be configured by the electronic device according to an identity permission value of each authentication identity of the user and an access permission desired to be obtained and input by the user, for example, the electronic device may automatically calculate a suitable target multi-identity authentication policy based on a permission required by the user, and set the current multi-identity authentication policy as the target multi-identity authentication policy, so that the target object is authenticated according to the current multi-identity authentication policy, and a permission indicated by the obtained permission value is consistent with the permission required by the user. In one implementation, the target multi-identity authentication policy (i.e., the first authentication policy) may be set by the user according to actual circumstances. For example, the user may calculate a suitable target multi-identity authentication policy based on the rights to be obtained, and input the target multi-identity authentication policy to the electronic device, so that the rights indicated by the authentication result obtained by the electronic device performing authentication according to the target multi-identity authentication policy are consistent with the rights to be obtained.
Step S503: and the electronic equipment determines the access authority of the target object according to the current authentication strategy. After the current multi-identity authentication strategy is determined, the authority value of the user for accessing the target object can be obtained according to the identity authority value of the current multi-identity authentication strategy and each authentication identity of the user on the target object in the subsequent authentication of the user.
The electronic device may obtain different authority values for the user to access the target object based on different current multi-identity authentication policies. For example, in table 1 the user includes 5 authentication identities; if the current multi-identity authentication policy adopted by the electronic device is the first highest authority policy, the authority value of the user for accessing the target object is second-level permission (3). For another example, if the current multi-identity authentication policy adopted by the electronic device is the priority authentication policy and the preset identity is a VIP group member, the authority value of the user for accessing the target object is the identity authority value corresponding to the authentication identity VIP group 1 member, namely first-level permission (1). Therefore, by setting the current multi-identity authentication policy adopted by the electronic device to different multi-identity authentication policies, different authority values of the user for accessing the target object are obtained. That is, the electronic device may select different target multi-identity authentication policies from the alternative multi-identity authentication policies (i.e., the first highest authority policy, the first lowest authority policy, the priority authentication policy, etc.) according to different application scenarios or user requirements, and set the current multi-identity authentication policy as the target multi-identity authentication policy, so as to obtain different authority values for the user to access the target object according to the different current multi-identity authentication policies and thereby match more service scenarios.
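The three multi-identity policies evaluated over table 1, together with the policy switch of steps S502 and S503, as an added Python example that is not part of the patent text. The Authority scale, the mapping of odd values to allow and even values to deny, the prefix match used for the preset identity, and the least-privilege fallback when no preset identity is present are assumptions of this example.

```python
"""Multi-identity authentication policies of table 1 (added example, not the patent's code).

Identity authority values are never modified; only the current policy is switched,
so an earlier access right can be restored by switching the policy back.
"""
from enum import IntEnum
from typing import Callable, Dict


class Authority(IntEnum):
    """Authority values numbered as in the patent's example (M = 5)."""
    DEFAULT_PROHIBIT = 0   # default prohibition
    LEVEL1_PERMIT = 1      # first-level permission
    LEVEL1_PROHIBIT = 2    # first-level prohibition
    LEVEL2_PERMIT = 3      # second-level permission
    LEVEL2_PROHIBIT = 4    # second-level prohibition

    def access_right(self) -> str:
        # Assumption of this example: odd values allow, even values (and the default) deny.
        return "allow" if self % 2 == 1 else "deny"


IdentityValues = Dict[str, Authority]          # authentication identity -> identity authority value
Policy = Callable[[IdentityValues], Authority]  # a multi-identity authentication policy

# Table 1 of the patent, rebuilt here as constructed sample data.
TABLE_1: IdentityValues = {
    "VIP group 1 member": Authority.LEVEL1_PERMIT,
    "Group 2 member": Authority.DEFAULT_PROHIBIT,
    "Group 3 member": Authority.LEVEL2_PERMIT,
    "Anyone": Authority.LEVEL1_PROHIBIT,
    "User Zhang San": Authority.DEFAULT_PROHIBIT,
}


def first_highest(values: IdentityValues) -> Authority:
    """First highest authority policy: the largest identity authority value wins."""
    return max(values.values())


def first_lowest(values: IdentityValues) -> Authority:
    """First lowest authority policy: the smallest identity authority value wins."""
    return min(values.values())


def priority(preset: str, fallback: Policy = first_lowest) -> Policy:
    """Priority authentication policy for a preset identity.

    `preset` is matched as a prefix so that the preset "VIP group" selects
    "VIP group 1 member", as in the patent's example (assumption). If the user has
    no matching identity the patent does not say what happens; this example falls
    back to the least-privilege policy (assumption).
    """
    def policy(values: IdentityValues) -> Authority:
        for identity, value in values.items():
            if identity.startswith(preset):
                return value
        return fallback(values)
    return policy


class AuthenticationDevice:
    """Holds the candidate policies and the current one (steps S502 / S503)."""

    def __init__(self) -> None:
        self.policies: Dict[str, Policy] = {
            "first_highest": first_highest,
            "first_lowest": first_lowest,
            "priority_vip": priority("VIP group"),
            "priority_person": priority("User "),
        }
        self.current = "first_lowest"

    def set_policy(self, policy_id: str) -> None:
        """Step S502: switch the current policy; the identity values are not touched."""
        if policy_id not in self.policies:
            raise KeyError(f"unknown policy identifier: {policy_id}")
        self.current = policy_id

    def authority(self, values: IdentityValues) -> Authority:
        """Step S503: evaluate the user's authority value under the current policy."""
        return self.policies[self.current](values)


if __name__ == "__main__":
    device = AuthenticationDevice()
    for policy_id in ("first_highest", "first_lowest", "priority_vip", "priority_person"):
        device.set_policy(policy_id)
        value = device.authority(TABLE_1)
        print(f"{policy_id:16s} -> {value.name} ({int(value)}) -> {value.access_right()}")
```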
That is to say, the electronic device can set different current multi-identity permission policies for different enterprises according to different permission requirements, so as to obtain different access permissions, and improve the permission management efficiency.
Therefore, by implementing the embodiment of the present invention, different current multi-identity authority policies can be customized for different enterprises, departments and the like according to different authority requirements, and authority management efficiency can be improved. In addition, when the user includes at least two authentication identities, the authority of the user for accessing the target object can be changed merely by adjusting the current multi-identity authentication policy when the application scenario changes; the authority value of each authentication identity of the user for the target object does not need to be adjusted, so the authority can be changed and restored without clearing historical data, and authority management efficiency is improved.
Referring to fig. 6, fig. 6 is a schematic flow chart of another rights management method according to an embodiment of the present invention, where the method includes, but is not limited to, the following steps:
Step S601: the electronic device receives an authentication policy setting request, where the authentication policy setting request includes a policy identifier of a second authentication policy to be set. The second authentication policy is used to determine the access right of an authentication identity of the user to the target object.
Step S602: the electronic equipment sets the current authentication strategy of the electronic equipment as a second authentication strategy corresponding to the strategy identification. In one implementation, the file directory to which the target object belongs includes at least two layers of directories, and the target object is a lowest-level subdirectory in the file directory, and each authentication identity of the user has a hierarchical authority value for each layer of directory. The electronic equipment can determine the access right of the authentication identity of the user to the target object according to the hierarchy authority value of each authentication identity of the user for each layer of directory and the current multi-hierarchy authentication strategy. It is understood that the electronic device may change the access right of the authentication identity to access the target object by modifying the current multi-level authentication policy into the target multi-level authentication policy (i.e. the second authentication policy), and further, may change the access right of the user to access the target object. Wherein, the hierarchy authority value of each authentication identity of the user for each layer of directory can be directly set by the electronic device.
In one implementation, at least two multi-level authentication policies may be stored in the electronic device, the electronic device may select one multi-level authentication policy from the at least two multi-level authentication policies as a target multi-level authentication policy (i.e., a second authentication policy), and further modify the current multi-level authentication policy into the target multi-level authentication policy (i.e., the second authentication policy), thereby changing an access right of the user for accessing the target object by the authentication identity.
In one implementation, the multi-level authentication policy may include: a nearby authority authentication policy, a second highest authority policy, and a second lowest authority policy. Taking the hierarchy authority values of an authentication identity for each layer of directory shown in table 2 as an example, the target object is a file a.txt and the directory structure is a/b/c/d/a.txt, where a/b/c/d/ is the storage path of the target object in the electronic device. Modifying the current multi-level authentication policy into a target multi-level authentication policy changes the authority value of the authentication identity (such as group 1 member) for accessing the target object, and correspondingly the authority value of the user for accessing the target object also changes.
Table 2: Hierarchy authority value table
Authentication identity      Directory            Hierarchy authority value
Group 1 member               a                    First-level permission (1)
Group 1 member               a/b                  Default prohibition (0)
Group 1 member               a/b/c                Second-level permission (3)
Group 1 member               a/b/c/d              First-level prohibition (2)
Group 1 member               a/b/c/d/a.txt        Default prohibition (0)
The nearby authority authentication policy is: determine the authority of the authentication identity of the user for the target directory as the access right of the authentication identity to the target object, that is, determine the hierarchy authority value of the authentication identity of the user for the target directory as the identity authority value of the authentication identity for the target object, where the target directory is the directory closest to the target object. For example, if the current multi-level authentication policy is modified to the nearby authority authentication policy, then in table 2 the identity authority value of group 1 member for accessing file a.txt is the hierarchy authority value for the directory a/b/c/d/a.txt, i.e., default prohibition (0), because a/b/c/d/a.txt (i.e., the target directory) is the directory closest to a.txt (i.e., the target object).
The second highest authority policy is: determine the highest authority among the authorities of the authentication identity of the user for each layer of directory as the access right of the authentication identity of the user to the target object, that is, determine the maximum hierarchy authority value among the hierarchy authority values of the authentication identity of the user for each layer of directory as the identity authority value of the authentication identity of the user for the target object. For example, if the current multi-level authentication policy is modified to the second highest authority policy, then in table 2 the identity authority value of group 1 member for accessing file a.txt is the maximum hierarchy authority value among first-level permission (1), default prohibition (0), second-level permission (3), first-level prohibition (2) and default prohibition (0), namely second-level permission (3).
The second lowest authority policy is: the lowest authority among the authorities of the user's authentication identity on each layer of directory is determined as the access authority of that authentication identity to the target object, that is, the minimum of the hierarchy authority values of the authentication identity on each layer of directory is determined as the identity authority value of the authentication identity for the target object. For example, if the current multi-level authentication policy is changed to the second lowest authority policy, then in Table 2 the identity authority value of a group 1 member accessing the file a.txt is the minimum among primary enable (1), default disable (0), secondary enable (3), primary disable (2) and default disable (0), namely default disable (0).
In one implementation, the multi-level authentication policy may further include an advanced near authority policy. The advanced near authority policy is: first obtain a first-level authority value using the near authority authentication policy; if the first-level authority value is not a preset hierarchy authority value (for example, default disable (0)), determine the first-level authority value as the identity authority value of the authentication identity accessing the target object; if the first-level authority value is the preset hierarchy authority value, query the second-level authority value of the directory one level above the target object, and if that second-level authority value is not the preset hierarchy authority value, determine it as the identity authority value of the authentication identity accessing the target object; if it is still the preset hierarchy authority value, repeat the step of querying the second-level authority value of the directory one level above the current directory, moving up one level each time, until a second-level authority value that is not the preset hierarchy authority value is found, and determine that value as the identity authority value of the authentication identity accessing the target object.
For example, if the advanced near authority policy is adopted and the preset hierarchy authority value is default disable (0), then in Table 2 the identity authority value of a group 1 member accessing the file a.txt is primary disable (2). The first-level authority value obtained by the electronic device under the near authority authentication policy is default disable (0), so the second-level authority value of a/b/c/d, the directory one level above a/b/c/d/a.txt, must be queried; the queried second-level authority value is primary disable (2), which is not the preset hierarchy authority value, so it is determined as the identity authority value of the authentication identity accessing the target object.
It should be noted that the multi-level authentication policies above are given only as examples and do not limit the embodiment of the present invention; other multi-level authentication policies may also be included in other possible implementations. It should be further noted that, in the embodiment of the present invention, the authorities of a parent folder and its child folders are independent of each other, that is, the authority value of a user for accessing a parent folder is not necessarily greater than the authority value of that user for accessing its child folders.
Step S603: the electronic device determines the access authority to the target object according to the current authentication policy. After the current multi-level authentication policy has been determined, when the user is subsequently authenticated, the identity authority value of an authentication identity for the target object can be obtained from the current multi-level authentication policy and the hierarchy authority value of that authentication identity for each layer of directory. If the user includes only one authentication identity, the access authority value of the user for the target object is the same as the identity authority value of that authentication identity for the target object. For example, when the user includes only one authentication identity (for example, group 1 member), the authority value of the user accessing the file a.txt (the target object) is the same as the authority value of the group 1 member accessing a.txt. If the user includes multiple authentication identities, the electronic device may obtain the authority value of the user accessing the target object according to the current multi-identity authentication policy described in the embodiment of fig. 5.
In the embodiment of the present invention, the electronic device may select different target multi-level authentication policies from the candidate multi-level authentication policies (such as the near authority authentication policy, the second highest authority policy and the second lowest authority policy) according to different application scenarios or user requirements, and set the current multi-level authentication policy to the target multi-level authentication policy, so that different identity authority values of an authentication identity accessing the target object are obtained under different current multi-level authentication policies, matching more service scenarios. That is, the electronic device can set different current multi-level authentication policies for different enterprises according to their authority requirements and thereby obtain different identity authority values, which helps to improve the efficiency of authority management.
Take the hierarchy authority values of department A for each layer of directory shown in Table 3 as an example (folder c is the object whose hierarchy authority value is to be modified); the hierarchy authority values of department B for each layer of directory are the same as those of department A, and for brevity only the table for department A is drawn. Suppose that in the current application scenario the hierarchy authority value of folder c needs to be changed to secondary disable (4), department A wants the change to take effect on all subfolders (c/d, c/d/e), and department B wants the change not to override the hierarchy authority values already set under the subfolders (namely primary enable (1)). The modified hierarchy authority values are shown in Table 4 (after the modification, the hierarchy authority values of department B for each layer of directory are still the same as those of department A). To achieve this, the electronic device may set the current multi-level authentication policy for department A to the second highest authority policy and the current multi-level authentication policy for department B to the near authority authentication policy.
Table 3: Hierarchy authority values of department A for each layer of directory
Authentication identity Directory Hierarchy authority value
Department A c Primary enable (1)
Department A c/d Primary enable (1)
Department A c/d/e Primary enable (1)
Table 4: Hierarchy authority values of department A for each layer of directory (after modifying the hierarchy authority value)
Authentication identity Directory Hierarchy authority value
Department A c Secondary disable (4)
Department A c/d Primary enable (1)
Department A c/d/e Primary enable (1)
After the electronic device sets the current multi-level authentication policy for department A to the second highest authority policy, when it receives an authentication request from department A to access the subfolder c/d/e (or c/d), the authority value of department A for accessing c/d/e (or c/d) obtained under the second highest authority policy is secondary disable (4), the maximum of secondary disable (4), primary enable (1) and primary enable (1), so the modification takes effect on all subfolders (c/d, c/d/e).
After the electronic device sets the current multi-level authentication policy for department B to the near authority authentication policy, when it receives an authentication request from department B to access the subfolder c/d/e (or c/d), the authority value of department B for accessing c/d/e (or c/d) obtained under the near authority authentication policy is primary enable (1), the value of the entry closest to the target object, so the hierarchy authority values already set under the subfolders are not overridden by the modification.
Therefore, based on the infinitely expandable authority value model, the embodiment of the present invention can set different current multi-level authentication policies (that is, target multi-level authentication policies) for different enterprises or departments so as to meet the individual authority requirements of each enterprise or department, which helps to improve the efficiency of authority management.
In one implementation, the electronic device may configure a temporary authority for a user to access a target object, the temporary authority being valid for a preset time period. Taking the flow chart of another authority management method shown in fig. 7 as an example, the method includes steps S701 to S705, where the execution of steps S701 to S703 may refer to the detailed descriptions of steps S201 to S203 in fig. 2 and is not repeated here.
Step S701: the electronic equipment receives an authentication policy setting request, wherein the authentication policy setting request comprises a policy identifier of an authentication policy to be set. Wherein the authentication policy setting request is used to configure the temporary permission.
Step S702: and the electronic equipment sets the current authentication strategy as the authentication strategy corresponding to the strategy identification.
Step S703: and the electronic equipment determines the access authority of the target object according to the current authentication strategy.
Step S704: the electronic device starts timing after setting the current authentication policy to the authentication policy corresponding to the policy identifier. Specifically, after the electronic device completes the configuration of the user's temporary authority for the target object, it may start timing immediately so as to determine whether the temporary authority has expired. For example, suppose Li Si, an employee of company A, needs to travel to company B for a month for work, and the authority administrator of company B wants Li Si to be able to access company B's internal resources during the trip but not after it ends. In this scenario, after successfully changing Li Si's access authority to company B's internal resources from disabled to enabled, the electronic device may immediately start a countdown of one month, and when the countdown ends it may automatically revert Li Si's authority to company B's internal resources, so that after the business trip Li Si's access to company B's internal resources is disabled again. In this way the work of authority administrators is reduced and the efficiency of authority management is effectively improved.
It should be noted that steps S703 and S704 are not performed in a fixed order: for example, step S704 may be executed first and then step S703, or steps S703 and S704 may be executed simultaneously, which is not limited in the embodiment of the present invention.
Step S705: when the timed duration reaches the preset time, the electronic device restores the authentication policy of the user for the target object to the authentication policy adopted before the authentication policy corresponding to the policy identifier was set. When the timed duration reaches the preset time, the period of use of the user's temporary authority for the target object has expired, and the electronic device may revert the user's authority for the target object. Specifically, the electronic device may restore the current authentication policy to the authentication policy adopted before step S702. For example, if step S702 changed the current authentication policy from authentication policy A to authentication policy B, step S705 restores the current authentication policy to authentication policy A.
Therefore, by implementing the embodiment of the invention, the temporary permission about the target object can be set for the user, so that more application scenes can be matched. Furthermore, the temporary authority can be automatically cleaned, so that the workload of authority management personnel is reduced, and the efficiency of authority management is improved.
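The timed revert of steps S701 to S705, as an added example that is not the patent's own code. Policy identifiers are plain strings ("A", "B"), the target object is a path, and the clock is injected so the one-month countdown can be advanced instantly. Beyond what the text states, the store also checks expiry on every read of the current policy, so a decision taken after the deadline uses the restored policy even when no timer callback has fired yet; that fail-safe, the user and path names, and the FakeClock are this example's own constructions.

```python
"""Temporary authority with automatic revert (fig. 7, steps S701 to S705).

Added example, not the patent's code.  Policy identifiers are plain strings
("A", "B"); the clock is injected so expiry can be exercised without waiting.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[str, str]  # (user identifier, target object)


@dataclass
class TemporaryGrant:
    policy_id: str      # policy set by the request (S702)
    previous: str       # policy in force before S702, restored at S705
    expires_at: float   # deadline of the S704 timer, in seconds of the clock


@dataclass
class PolicyStore:
    clock: Callable[[], float] = time.monotonic
    default_policy: str = "A"                       # policy in force before any request
    current: Dict[Key, str] = field(default_factory=dict)
    grants: Dict[Key, TemporaryGrant] = field(default_factory=dict)

    def set_policy(self, user: str, target: str, policy_id: str,
                   ttl_seconds: Optional[float] = None) -> None:
        """S701/S702: set the current policy; with a ttl, also start the S704 timer."""
        key = (user, target)
        previous = self.get_policy(user, target)    # reverts an already expired grant first
        self.current[key] = policy_id
        if ttl_seconds is None:
            self.grants.pop(key, None)              # permanent change: nothing to revert
        else:
            self.grants[key] = TemporaryGrant(policy_id, previous, self.clock() + ttl_seconds)

    def expire(self) -> List[Key]:
        """S705: restore the previous policy for every grant whose timer has run out."""
        now = self.clock()
        restored = []
        for key, grant in list(self.grants.items()):
            if now >= grant.expires_at:
                self.current[key] = grant.previous
                del self.grants[key]
                restored.append(key)
        return restored

    def get_policy(self, user: str, target: str) -> str:
        """Policy used for an authentication decision; expired grants are reverted first
        (fail-safe added by this example, not stated in the text)."""
        self.expire()
        return self.current.get((user, target), self.default_policy)


class FakeClock:
    """Constructed clock so the one-month countdown can be advanced instantly."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


ONE_MONTH = 30 * 24 * 3600  # assumed length of the business trip in seconds


def business_trip() -> Tuple[str, str, str]:
    """Li Si's trip from the text: policy B for one month, then back to A."""
    clock = FakeClock()
    store = PolicyStore(clock=clock)
    before = store.get_policy("li_si", "companyB/internal")
    store.set_policy("li_si", "companyB/internal", "B", ttl_seconds=ONE_MONTH)
    during = store.get_policy("li_si", "companyB/internal")
    clock.advance(ONE_MONTH)
    after = store.get_policy("li_si", "companyB/internal")
    return before, during, after


if __name__ == "__main__":
    print(business_trip())  # ('A', 'B', 'A')
```

Two points a practitioner would add to this: the grant's `previous` policy and `expires_at` must be stored durably, because a timer that lives only in process memory is lost on restart and the temporary authority would then never revert; and the policy setting request is itself a privileged operation (it can move a user from a lowest to a highest policy), so the requester must be authorized before S702 is performed.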
In one implementation, after completing the modification process of the current authentication policy (e.g., current multi-level authentication policy, current multi-identity authentication policy), the electronic device may further authenticate the user, taking a flow diagram of an authentication method shown in fig. 8 as an example, the method includes, but is not limited to, the following steps.
Step S801: the electronic device receives an authentication request for a target object, the authentication request including a user identification. Specifically, after the electronic device completes the modification process of the current authentication policy (e.g., the current multi-level authentication policy, the current multi-identity authentication policy), an authentication request for the target object may be received.
Step S802: the electronic equipment acquires each authentication identity corresponding to the user identification. Each authentication identity corresponding to the user identification is stored in the electronic equipment. Specifically, the electronic device may query the database to obtain each authentication identity corresponding to the user identifier.
In one implementation, if a user corresponding to a user identifier includes 3 authentication identities: the authentication identity 1, the authentication identity 2 and the authentication identity 3, when the electronic device receives an authentication request of a user to a target object, the electronic device can perform identity decomposition processing on the user to obtain 3 authentication identities. Further, the electronic device may determine the 3 authentication identities one by one with respect to the identity authority value of the target object.
Step S803: and the electronic equipment obtains the identity authority value of each authentication identity access target object corresponding to the user identification according to the current multi-level authentication strategy adopted by each authentication identity and the level authority value of each authentication identity.
The current multi-level authentication strategy adopted by the authentication identity can be any one of a near right authentication strategy, a second highest right strategy and a second lowest right strategy. The hierarchy authority value of each authentication identity is composed of the hierarchy authority value of each authentication identity for each layer of the file directory to which the target object belongs.
If the user includes 3 authentication identities, in one implementation, the electronic device may determine the identity permission values of the 3 authentication identities accessing the target object in parallel to obtain 3 identity permission values. In another implementation, the electronic device may sequentially determine the identity permission values of the 3 authentication identity access target objects to obtain 3 identity permission values.
It should be noted that the current multi-level authentication policies adopted by the authentication identities included in the user are independent from each other, and may be the same multi-level authentication policy or different from each other. For example, the current multi-level authentication policy adopted by the authentication identity 1 is a near right authentication policy, the current multi-level authentication policy adopted by the authentication identity 2 is a second highest right policy, and the current multi-level authentication policy adopted by the authentication identity 3 is a second lowest right policy.
Step S804: and the electronic equipment obtains the authority value of the user for accessing the target object according to the adopted current multi-identity authentication strategy and the identity authority value of each authentication identity for accessing the target object.
The current multi-identity authentication policy may be any one of a first highest authority policy, a first lowest authority policy, and a priority authentication policy.
In one implementation, if the user includes only one authentication identity, that is, the number of calculated identity authority values for that authentication identity accessing the target object is 1, the authority value of the user accessing the target object is the same as the identity authority value of that authentication identity accessing the target object.
In an implementation manner, if the number of the calculated identity authority values for authenticating the identity to access the target object is 3, the electronic device may determine a target identity authority value from the 3 identity authority values according to the current multi-identity authentication policy, and determine the target identity authority value as the authority value for the user to access the target object. According to different current multi-identity authentication strategies, the obtained authority values of the user for accessing the target object may be different.
Therefore, by implementing the embodiment of the invention, different current multi-level authentication strategies or current multi-identity authentication strategies can be customized for different enterprises or departments and the like according to different authority requirements so as to match more service scenes. In addition, the embodiment of the invention provides various multi-level authentication strategies and multi-identity authentication strategies, and when the authentication strategies are modified, more abundant authority configuration schemes can be obtained according to different combinations of the multi-level authentication strategies and the multi-identity authentication strategies, so that the authority management efficiency is improved.
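The resolution logic of the multi-level policies (near authority, second highest, second lowest, advanced near authority) from the Table 2 discussion, the department A/B scenario of Tables 3 and 4, and the fig. 8 flow (S802 decompose the user into authentication identities, S803 resolve each under its own multi-level policy, S804 combine under a multi-identity policy), as one added example that is not the patent's own code. The value model is the one the text uses (0 = default disable, 1 = primary enable, 2 = primary disable, 3 = secondary enable, 4 = secondary disable); reading odd values as enable and even values as disable, treating layers missing from a table as default disable, falling back to the preset value if the advanced near walk reaches the root, failing closed to the lowest value when the priority policy's preset identity is absent, and the "project lead" identity are all assumptions of this example.

```python
"""Authority resolution for the policies in this specification (added example).

Value model as in the text: 0 = default disable, 1 = primary enable,
2 = primary disable, 3 = secondary enable, 4 = secondary disable.
"""
from typing import Dict, List, Optional, Tuple

PRESET = 0  # preset hierarchy authority value: default disable


def is_enabled(value: int) -> bool:
    """Odd values permit, 0 and even values deny (assumed reading of the model)."""
    return value % 2 == 1


def path_layers(target: str) -> List[str]:
    """'a/b/c/d/a.txt' -> ['a', 'a/b', 'a/b/c', 'a/b/c/d', 'a/b/c/d/a.txt']."""
    parts = target.split("/")
    return ["/".join(parts[:i + 1]) for i in range(len(parts))]


def multi_level(policy: str, table: Dict[str, int], target: str) -> int:
    """Identity authority value for `target` under one multi-level policy (S803).

    `table` maps each directory layer (and the object's own entry) to the
    identity's hierarchy authority value; missing layers count as PRESET (assumed).
    """
    values = [table.get(layer, PRESET) for layer in path_layers(target)]
    if policy == "near":             # near authority: the closest entry decides
        return values[-1]
    if policy == "highest":          # second highest: maximum over the path
        return max(values)
    if policy == "lowest":           # second lowest: minimum over the path
        return min(values)
    if policy == "advanced_near":    # walk upwards past entries still at PRESET
        for value in reversed(values):
            if value != PRESET:
                return value
        return PRESET                # root reached: fallback assumed, text is silent
    raise ValueError(f"unknown multi-level policy {policy!r}")


def multi_identity(policy: str, identity_values: Dict[str, int],
                   preset_identity: Optional[str] = None) -> int:
    """User authority value from the per-identity values (S804)."""
    if len(identity_values) == 1:    # one identity: its value is the user's value
        return next(iter(identity_values.values()))
    if policy == "first_highest":
        return max(identity_values.values())
    if policy == "first_lowest":
        return min(identity_values.values())
    if policy == "priority":
        if preset_identity in identity_values:
            return identity_values[preset_identity]
        return min(identity_values.values())  # preset identity absent: fail closed (assumed)
    raise ValueError(f"unknown multi-identity policy {policy!r}")


Identity = Tuple[str, Dict[str, int]]  # (multi-level policy, hierarchy table)


def authorize(target: str, identities: Dict[str, Identity],
              policy: str, preset_identity: Optional[str] = None) -> int:
    """Fig. 8 flow: S802 decompose, S803 resolve per identity, S804 combine."""
    identity_values = {name: multi_level(level_policy, table, target)
                       for name, (level_policy, table) in identities.items()}
    return multi_identity(policy, identity_values, preset_identity)


# Table 2: hierarchy authority values of a group 1 member per layer.
GROUP1_MEMBER = {"a": 1, "a/b": 0, "a/b/c": 3, "a/b/c/d": 2, "a/b/c/d/a.txt": 0}
# Table 4: departments A and B share these values after folder c was set to 4.
DEPARTMENT = {"c": 4, "c/d": 1, "c/d/e": 1}
# Constructed second identity for the multi-identity demonstration (not in the text).
PROJECT_LEAD = {"a": 1, "a/b/c": 3}

if __name__ == "__main__":
    for policy in ("near", "highest", "lowest", "advanced_near"):
        print(f"group 1 member, {policy:13s}:", multi_level(policy, GROUP1_MEMBER, "a/b/c/d/a.txt"))
    print("department A (highest) on c/d/e:", multi_level("highest", DEPARTMENT, "c/d/e"))
    print("department B (near) on c/d/e:", multi_level("near", DEPARTMENT, "c/d/e"))
    user = {"group 1 member": ("near", GROUP1_MEMBER), "project lead": ("highest", PROJECT_LEAD)}
    for policy in ("first_highest", "first_lowest", "priority"):
        value = authorize("a/b/c/d/a.txt", user, policy, preset_identity="project lead")
        print(f"user under {policy:13s}: {value} -> {'allow' if is_enabled(value) else 'deny'}")
```

Running it reproduces the values the text derives (0, 3, 0 and 2 for the four multi-level policies on Table 2; 4 for department A and 1 for department B on c/d/e) and then shows how the same two identities yield allow under first highest, deny under first lowest, and the project lead's value under priority. The design point to notice is that the policy selection, not only the per-directory values, decides the outcome: a user whose identities resolve to 0 and 3 is denied or allowed purely by which multi-identity policy is current.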
It should be noted that the various rights management methods provided by the embodiments of the present invention may be applied to different operating systems, such as Windows series operating systems, Unix type operating systems, Linux type operating systems, Mac operating systems, and the like.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a rights management apparatus 90 according to an embodiment of the present invention, where the rights management apparatus 90 is configured to perform steps performed by an electronic device in the method embodiments corresponding to fig. 2 to fig. 8, where the rights management apparatus 90 includes at least two authentication policies, each authentication policy is used to determine an access right of a user to a target object, and each authentication policy has a policy identifier, and the rights management apparatus 90 may include:
a receiving module 901, configured to receive an authentication policy setting request, where the authentication policy setting request includes a policy identifier of an authentication policy to be set;
a processing module 902, configured to set a current authentication policy of the rights management device 90 as an authentication policy corresponding to the policy identifier;
and the authentication module 903 is used for determining the access right of the target object according to the current authentication strategy.
In one implementation, the user includes at least two authentication identities, each authentication identity has a right to the target object, the authentication policy includes a first authentication policy, and the first authentication policy is used for determining the access right of the user to the target object according to the right of each authentication identity of the user; the processing module 902 is specifically configured to set a current authentication policy of the rights management device as a first authentication policy corresponding to the policy identifier.
In one implementation, the target object is a lowest-level subdirectory in a file directory, the file directory includes at least two layers of directories, each authentication identity of the user has a right for each layer of directory, the authentication policy includes a second authentication policy, and the second authentication policy is used for determining an access right of each authentication identity of the user to the target object; the processing module 902 is specifically configured to set a current authentication policy of the rights management device as a second authentication policy corresponding to the policy identifier.
In one implementation, the authentication policy includes: the system comprises a near authority authentication strategy, a first highest authority strategy, a second highest authority strategy, a first lowest authority strategy, a second lowest authority strategy and a priority authentication strategy. The near authority authentication strategy is to determine the authority of the authentication identity of the user aiming at the target directory as the access authority of the authentication identity to the target object, wherein the target directory is the directory closest to the target object; the first highest authority strategy is that the highest authority in the authority of each authentication identity of the user to the target object is determined as the access authority of the user to the target object; the second highest authority policy is to determine the highest authority in the authority of the authentication identity of the user aiming at each layer of directory as the access authority of the authentication identity of the user to the target object; the first lowest authority strategy is that the lowest authority in the authority of each authentication identity of the user to the target object is determined as the access authority of the user to the target object; the second lowest authority policy is to determine the lowest authority in the authority of the authentication identity of the user aiming at each layer of directory as the access authority of the authentication identity of the user to the target object; the priority authentication strategy is that if a preset identity exists in at least two authentication identities included by the user, the authority of the preset identity to the target object is determined as the access authority of the user to the target object.
In one implementation, the processing module 902 is further configured to perform timing;
the processing module 902 is further configured to, when the timing time reaches the preset time, restore the authentication policy of the user on the target object to the authentication policy adopted before the authentication policy corresponding to the policy identifier is set.
It should be noted that details that are not mentioned in the embodiment corresponding to fig. 9 and specific implementation manners of the steps executed by each module may refer to the embodiments shown in fig. 2 to fig. 8 and the foregoing details, and are not described again here.
In one implementation, the relevant functions implemented by the various modules in FIG. 9 may be implemented in connection with a processor and a communications interface. Referring to fig. 10, fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present invention, where the electronic device 100 includes: a processor 1001, a memory 1002, a receiver 1003, said processor 1001, said memory 1002, said receiver 1003 being connected by one or more communication buses.
The processor 1001 is configured to perform the functions of the electronic device according to the method described in fig. 2-8. The processor 1001 may be a Central Processing Unit (CPU), a Network Processor (NP), a hardware chip, or any combination thereof.
The memory 1002 is used to store program codes and the like. The memory 1002 may include volatile memory (volatile memory), such as Random Access Memory (RAM); the memory 1002 may also include a non-volatile memory (non-volatile memory), such as a read-only memory (ROM), a flash memory (flash memory), a Hard Disk Drive (HDD), or a solid-state drive (SSD); the memory 1002 may also comprise a combination of the above-described types of memory.
The receiver 1003 is used to receive data. For example, the receiver 1003 may be used to receive an authentication policy setting request.
The processor 1001 may call the program code stored in the memory 1002 to perform the following operations:
receiving, by the receiver 1003, an authentication policy setting request including a policy identifier of an authentication policy to be set;
setting a current authentication strategy of the electronic equipment as an authentication strategy corresponding to the strategy identification;
and determining the access authority of the target object according to the current authentication strategy.
Further, the processor 1001 may also execute operations corresponding to the electronic device in the embodiments shown in fig. 2 to fig. 8, which may specifically refer to the description in the method embodiment and will not be described herein again.
An embodiment of the present invention further provides a computer-readable storage medium, which can be used to store computer software instructions for the rights management apparatus in the embodiment shown in fig. 9 and which contains a program designed for the electronic device to execute in the foregoing embodiments.
The computer readable storage medium includes, but is not limited to, flash memory, hard disk, solid state disk.
An embodiment of the present invention further provides a computer program product, and when the computer program product is executed by a computing device, the method for managing permissions designed for an electronic device in the embodiments of fig. 2 to 8 may be executed.
In an embodiment of the present invention, there is further provided a chip including a processor and a memory, where the memory is used to store a computer program and the processor is used to call and run the computer program from the memory, the computer program being used to implement the method in the above method embodiments.
Those of ordinary skill in the art would appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the invention occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in or transmitted over a computer-readable storage medium. The computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center via wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that incorporates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (9)

1. An authority management method for an electronic device, characterized in that the electronic device comprises at least two authentication policies, the authentication policies are used for determining the access authority of a user to a target object, and each authentication policy has a policy identifier;
the method comprises the following steps:
receiving an authentication strategy setting request, wherein the authentication strategy setting request comprises a strategy identifier of an authentication strategy to be set;
setting the current authentication strategy of the electronic equipment as the authentication strategy corresponding to the strategy identification;
determining the access authority of the target object according to the current authentication strategy;
the at least two authentication policies include: at least two of a proximity permission authentication policy, a first highest permission policy, a second highest permission policy, a first lowest permission policy, a second lowest permission policy, and a priority authentication policy, wherein,
the nearby authority authentication strategy is to determine the authority of the authentication identity of the user on a target directory as the access authority of the authentication identity on the target object, wherein the target directory is the directory closest to the target object;
the first highest authority policy is to determine the highest authority in the authority of each authentication identity of the user to the target object as the access authority of the user to the target object;
the second highest authority policy is to determine the highest authority in the authority of the authentication identity of the user aiming at each layer of directory in the file directory to which the target object belongs as the access authority of the authentication identity of the user to the target object;
the first lowest authority policy is to determine the lowest authority in the authority of each authentication identity of the user to the target object as the access authority of the user to the target object;
the second lowest authority policy is to determine the lowest authority in the authority of the authentication identity of the user aiming at each layer of directory in the file directory to which the target object belongs as the access authority of the authentication identity of the user to the target object;
and the priority authentication strategy is that if a preset identity exists in at least two authentication identities included by the user, the authority of the preset identity to the target object is determined as the access authority of the user to the target object.
2. The method of claim 1, wherein the user comprises at least two authentication identities, each authentication identity having a permission on the target object; the authentication policies comprise a first authentication policy, which determines the user's access permission to the target object according to the permission of each of the user's authentication identities; and setting the current authentication policy of the electronic device to the authentication policy corresponding to the policy identifier comprises setting the current authentication policy of the electronic device to the first authentication policy corresponding to the policy identifier.
3. The method of claim 1, wherein the target object is a lowest-level subdirectory of a file directory, the file directory comprises at least two directory layers, and each authentication identity of the user has a permission on each directory layer; the authentication policies comprise a second authentication policy, which determines the access permission of each of the user's authentication identities to the target object; and setting the current authentication policy of the electronic device to the authentication policy corresponding to the policy identifier comprises setting the current authentication policy of the electronic device to the second authentication policy corresponding to the policy identifier.
4. The method according to any one of claims 1 to 3, wherein after setting the current authentication policy of the electronic device to the authentication policy corresponding to the policy identifier, the method further comprises:
starting a timer;
and when the timer reaches a preset duration, restoring the user's authentication policy for the target object to the authentication policy that was in use before the authentication policy corresponding to the policy identifier was set.
5. An authority management device, characterized in that the authority management device comprises at least two authentication policies, the authentication policies being used to determine a user's access permission to a target object, and each authentication policy having a policy identifier;
the device comprises:
a receiving module, configured to receive an authentication policy setting request, wherein the authentication policy setting request comprises the policy identifier of the authentication policy to be set;
a processing module, configured to set the current authentication policy of the authority management device to the authentication policy corresponding to the policy identifier;
and an authentication module, configured to determine the access permission to the target object according to the current authentication policy;
the at least two authentication policies comprise at least two of: a nearest-directory authentication policy, a first highest-permission policy, a second highest-permission policy, a first lowest-permission policy, a second lowest-permission policy, and a priority authentication policy, wherein
the nearest-directory authentication policy determines the permission that an authentication identity of the user holds on a target directory as that identity's access permission to the target object, the target directory being the directory closest to the target object;
the first highest-permission policy determines the highest permission among the permissions that each of the user's authentication identities holds on the target object as the user's access permission to the target object;
the second highest-permission policy determines the highest permission among the permissions that an authentication identity of the user holds on each directory layer of the file directory to which the target object belongs as that identity's access permission to the target object;
the first lowest-permission policy determines the lowest permission among the permissions that each of the user's authentication identities holds on the target object as the user's access permission to the target object;
the second lowest-permission policy determines the lowest permission among the permissions that an authentication identity of the user holds on each directory layer of the file directory to which the target object belongs as that identity's access permission to the target object;
and the priority authentication policy determines, if a preset identity is among the at least two authentication identities of the user, the permission of the preset identity on the target object as the user's access permission to the target object.
6. The device of claim 5, wherein the user comprises at least two authentication identities, each authentication identity having a permission on the target object, and the authentication policies comprise a first authentication policy which determines the user's access permission to the target object according to the permission of each of the user's authentication identities;
the processing module is specifically configured to set the current authentication policy of the authority management device to the first authentication policy corresponding to the policy identifier.
7. The device of claim 5, wherein the target object is a lowest-level subdirectory of a file directory, the file directory comprises at least two directory layers, each authentication identity of the user has a permission on each directory layer, and the authentication policies comprise a second authentication policy which determines the access permission of each of the user's authentication identities to the target object;
the processing module is specifically configured to set the current authentication policy of the authority management device to the second authentication policy corresponding to the policy identifier.
8. The device according to any one of claims 5 to 7, wherein
the processing module is further configured to run a timer;
and the processing module is further configured, when the timer reaches a preset duration, to restore the user's authentication policy for the target object to the authentication policy that was in use before the authentication policy corresponding to the policy identifier was set.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions which, when executed by a processor, cause the processor to carry out the method according to any one of claims 1 to 4.
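The six policies of claim 1 and the timed revert of claim 4 reduce to a small evaluator. The Python below is an added worked example, not code from the patent or from Huawei. Everything the claims leave open is an assumption here: the permission ordering NONE < READ < WRITE < ADMIN, the sample directory tree and identities, the rule that a directory with no entry for an identity grants NONE, the reading of "directory closest to the target object" as the nearest ancestor carrying an explicit entry, the fail-closed combination of per-identity results for a user holding several identities, and the fallback of the priority policy when the preset identity is absent.

```python
# Added worked example for the policies of claims 1 and 4; not the patent's own code.
# Assumptions the claims leave open: permissions are totally ordered NONE < READ <
# WRITE < ADMIN; a directory with no entry for an identity grants NONE; the nearest
# policy walks from the target object upward to the closest directory that carries an
# explicit entry; a per-identity policy applied to a user with several identities
# keeps the most restrictive result; the priority policy falls back to the first
# lowest-permission policy when the preset identity is absent.
import time
from enum import IntEnum
from typing import Callable, Iterable, Optional

class Perm(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3

# Constructed sample ACL: directory -> {authentication identity: permission}.
ACL = {
    "/": {"alice": Perm.READ, "dev": Perm.READ},
    "/proj": {"alice": Perm.WRITE, "dev": Perm.READ},
    "/proj/secret": {"dev": Perm.WRITE},
}

def layers(target: str) -> list:
    """Directory layers from the root down to and including the target object."""
    parts = [p for p in target.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]

def direct(identity: str, directory: str) -> Perm:
    """Permission an identity holds on one directory; a missing entry grants NONE."""
    return ACL.get(directory, {}).get(identity, Perm.NONE)

def nearest(identity: str, target: str) -> Perm:
    """Nearest-directory policy: the closest directory with an explicit entry decides."""
    for d in reversed(layers(target)):
        if identity in ACL.get(d, {}):
            return ACL[d][identity]
    return Perm.NONE

def priority(ids: Iterable[str], target: str, preset: Optional[str] = None) -> Perm:
    """Priority policy: the preset identity alone decides when the user holds it."""
    ids = list(ids)
    if preset in ids:
        return direct(preset, target)
    return min(direct(i, target) for i in ids)  # fallback is an assumption: fail closed

# policy identifier -> (scope, evaluator). "user" evaluators take the whole identity
# list; "identity" evaluators run per identity and are combined in check().
POLICIES = {
    "nearest": ("identity", nearest),
    "highest_over_identities": ("user", lambda ids, t: max(direct(i, t) for i in ids)),
    "lowest_over_identities": ("user", lambda ids, t: min(direct(i, t) for i in ids)),
    "highest_over_layers": ("identity", lambda i, t: max(direct(i, d) for d in layers(t))),
    "lowest_over_layers": ("identity", lambda i, t: min(direct(i, d) for d in layers(t))),
    "priority": ("user", priority),
}

class PolicyManager:
    """The device's current policy, plus the timed revert of claim 4."""

    def __init__(self, default_policy: str, clock: Callable[[], float] = time.monotonic):
        if default_policy not in POLICIES:
            raise KeyError(default_policy)
        self.current, self._clock = default_policy, clock
        self._revert_to: Optional[str] = None
        self._deadline: Optional[float] = None

    def set_policy(self, policy_id: str, ttl: Optional[float] = None) -> None:
        """Policy setting request; with a ttl the previous policy returns after ttl seconds."""
        if policy_id not in POLICIES:
            raise KeyError(policy_id)  # unknown identifier: refuse rather than guess
        if ttl is not None:
            self._revert_to, self._deadline = self.active_policy(), self._clock() + ttl
        else:
            self._revert_to = self._deadline = None
        self.current = policy_id

    def active_policy(self) -> str:
        """Expiry is checked on every decision, so a lapsed override cannot still authorize."""
        if self._deadline is not None and self._clock() >= self._deadline:
            self.current, self._revert_to, self._deadline = self._revert_to, None, None
        return self.current

    def check(self, ids: Iterable[str], target: str, preset: Optional[str] = None) -> Perm:
        """Access permission of a user (its set of identities) under the active policy."""
        ids = list(ids)
        if not ids:
            return Perm.NONE
        scope, fn = POLICIES[self.active_policy()]
        if fn is priority:
            return priority(ids, target, preset)
        if scope == "user":
            return fn(ids, target)
        return min(fn(i, target) for i in ids)  # most restrictive identity wins (assumption)

if __name__ == "__main__":
    for pid in POLICIES:
        decision = PolicyManager(pid).check(["alice", "dev"], "/proj/secret", preset="dev")
        print(f"{pid:>24}: {decision.name}")
```

Run as a script it prints each policy's decision for a two-identity user on /proj/secret. The point a deployer should take from the comparison: the two highest-permission policies are a union of privileges, so one over-privileged identity or one over-broad entry high in the tree is enough to open the object, whereas the lowest-permission policies fail closed. A conservative default with a time-boxed switch to a permissive policy, which is what the timer of claim 4 provides, bounds how long such an elevation stands; the manager re-checks the deadline on every decision instead of trusting a background timer, so an expired override can never authorize an access.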
Priority Applications (1)

Application Number: CN201810492220.9A
Priority Date: 2018-05-21
Filing Date: 2018-05-21
Title: Authority management method and device
Status: Active, granted as CN108683672B (en)

Publications (2)

Publication Number Publication Date
CN108683672A (en) 2018-10-19
CN108683672B (en) 2021-09-21

Family

ID=63807574

Country Status (1)

Country Link
CN (1) CN108683672B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110378086B (en) * 2019-07-31 2021-06-29 Industrial and Commercial Bank of China Ltd. Authority management method and device
CN113965375A (en) * 2021-10-20 2022-01-21 Shanghai Huaxun Network *** Co., Ltd. Method and system for managing a firewall using a policy object model
CN117272278B (en) * 2023-11-20 2024-01-26 State Grid Zhejiang Electric Power Co., Ltd. Decentralized management method and device for a digital asset platform

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101166156A (en) * 2006-10-20 2008-04-23 Canon Inc. Document management system and document management method
CN101414253A (en) * 2007-10-17 2009-04-22 Huawei Technologies Co., Ltd. Method and system for managing authority
CN101539922A (en) * 2008-03-18 2009-09-23 Beijing Sursen International Information Technology Co., Ltd. Method for realizing authority in a document library system
WO2015080731A1 (en) * 2013-11-27 2015-06-04 Hewlett-Packard Development Company, L.P. Authorizing application access to virtual private network resource
EP2888693A1 (en) * 2012-08-24 2015-07-01 VMware, Inc. Method and system for facilitating isolated workspace for applications
CN104992118A (en) * 2015-06-30 2015-10-21 Beijing Qihoo Technology Co., Ltd. Unified permission management method and system for multiple service systems
CN107766743A (en) * 2017-11-09 2018-03-06 Guangzhou GCI Science & Technology Co., Ltd. Method and device for setting file access authority, terminal device, and storage medium
CN107835181A (en) * 2017-11-16 2018-03-23 Taikang Insurance Group Co., Ltd. Rights management method, device, medium and electronic device for a server cluster

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8874923B2 (en) * 2012-07-24 2014-10-28 Adobe Systems Incorporated Policy-based signature authentication system and method



Similar Documents

Publication Publication Date Title
US11368403B2 (en) Access management tags
US10375054B2 (en) Securing user-accessed applications in a distributed computing environment
US10419488B2 (en) Delegating security policy management authority to managed accounts
US7529931B2 (en) Managing elevated rights on a network
US10165007B2 (en) Securing data usage in computing devices
US9515950B2 (en) Multi-tenancy support for enterprise social business computing
US20100241668A1 (en) Local Computer Account Management at Domain Level
CN108683672B (en) Authority management method and device
US11126460B2 (en) Limiting folder and link sharing
US8180894B2 (en) System and method for policy-based registration of client devices
US9026456B2 (en) Business-responsibility-centric identity management
US20240007458A1 (en) Computer user credentialing and verification system
US9467448B2 (en) Consigning authentication method
EP2585968A2 (en) Consigning authentication method
US11418515B2 (en) Multi-vendor support for network access control policies
US10111273B2 (en) Communication paths hierarchy for managed computing device
US11868494B1 (en) Synchronization of access management tags between databases
US11803569B2 (en) Computer system and method for accessing user data that is distributed within a multi-zone computing platform

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant