CN111259350A - Access control method, device and computer readable storage medium - Google Patents

Access control method, device and computer readable storage medium Download PDF

Info

Publication number
CN111259350A
CN111259350A CN202010024604.5A CN202010024604A CN111259350A CN 111259350 A CN111259350 A CN 111259350A CN 202010024604 A CN202010024604 A CN 202010024604A CN 111259350 A CN111259350 A CN 111259350A
Authority
CN
China
Prior art keywords
user
resource
service
tree
authority tree
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010024604.5A
Other languages
Chinese (zh)
Inventor
王忠钊
陈煜�
周继恩
尹祥龙
王培林
邓昶
袁野
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Unionpay Co Ltd
Original Assignee
China Unionpay Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Unionpay Co Ltd filed Critical China Unionpay Co Ltd
Priority to CN202010024604.5A priority Critical patent/CN111259350A/en
Publication of CN111259350A publication Critical patent/CN111259350A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31User authentication
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9027Trees

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides an access control method, an access control device, an access control system and a computer readable storage medium, wherein the method comprises the following steps: receiving an access request of a user, wherein the access request comprises user information and target service resources; determining a resource authority tree of the user according to the user information, wherein the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources; the complicated permission judgment problem is simplified into a tree structure traversal search problem, so that the permission judgment process is greatly simplified.

Description

Access control method, device and computer readable storage medium
Technical Field
The invention belongs to the field of authority management, and particularly relates to an access control method and device and a computer readable storage medium.
Background
This section is intended to provide a background or context to the embodiments of the invention that are recited in the claims. The description herein is not admitted to be prior art by inclusion in this section.
Rights management generally relates to functional rights management and data rights management. Wherein, the function authority is usually realized based on a mature RBAC (role-based authority access control) mechanism; however, the data authority management is not a few generalized technologies, and data authority logic is generally integrated into a specific service code.
At present, a management system usually has the characteristic of 'weak account strong service', but the existing data authority implementation mode has the following problems that (1) authority judgment is complex due to dynamic authorization, and service resources are generally dynamically circulated in various roles or users; when the authority relationship needs to be judged, a large number of service scenes need to be traced, and the judgment logic is complex. (2) Implicit dependency relations lead to fuzzy definition of authority boundaries, implicit dependencies on business relations sometimes exist among business resources in a management system, and then implicit inheritance on authorization relations is brought, so that the authority boundary definition rules of the business resources are unclear. For example, in a purchasing system, a purchasing requirement is proposed by a staff of a demand department, the staff of the demand department has an authority to access information (a kind of business resource) of the purchasing requirement, a purchasing item is proposed by the staff of the purchasing department for the purchasing requirement submitted by the demand department, the staff of the purchasing department has an authority to access information (another kind of business resource) of the purchasing item, in a purchasing process, the staff of the purchasing department should be allowed to access the information of the purchasing requirement related to the purchasing item, however, since the staff is only granted the access authority of the purchasing item, there is no direct authorization operation of the purchasing requirement, thereby leading to the failure of the conventional authority defining rule. Great inconvenience is brought to the authority management of the management system.
Disclosure of Invention
In view of the above problems in the prior art, an access control method, an access control apparatus, and a computer-readable storage medium are provided.
The present invention provides the following.
In a first aspect, an access control method is provided, including: receiving an access request of a user, wherein the access request comprises user information and target service resources; determining a resource authority tree of the user according to the user information, wherein the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources; and judging whether the user can access the target service resource or not according to the resource authority tree of the user.
In a possible implementation manner, the resource authority tree of each user takes the user to which the resource authority tree belongs as a root node, and the method further includes: and matching the root nodes according to the user information to determine the resource authority tree of the user.
In a possible implementation, creating a resource authority tree for each user further includes: in response to a preset trigger event, extracting an authorization relationship between each service resource and a specified user to form an authorization relationship library; checking the independence of each service resource, and if any one service resource runs depending on another service resource, generating a dependency relationship between the any one service resource and the another service resource to form a dependency relationship library; and creating a resource authority tree of each user by utilizing a directed graph algorithm according to the authorization relation library and the dependency relation library.
In one possible embodiment, the preset triggering event includes: any one or more of creation event, handover event, audit event and subscription event of each business resource.
In a possible implementation manner, creating a resource authority tree of each user by using a directed graph algorithm according to the authorization relationship library and the dependency relationship library, further includes: determining a root node of a resource authority tree of a first user as the first user, wherein the first user is any one user contained in an authorization relation library; traversing the authorization relation library according to the root node to obtain first class of service resources, and determining a first-layer child node of a resource authority tree of a first user according to the first class of service resources; traversing the dependency relationship library according to the first class of service resources to obtain a second class of service resources, and determining child nodes from the second layer to the Nth layer of the resource authority tree of the first user according to the second class of service resources, wherein N is a positive integer greater than or equal to 2.
In a possible implementation manner, determining the second-level to nth-level child nodes of the resource authority tree of the first user further includes: determining a current highest-layer child node of the resource authority tree; traversing the dependency relationship library according to the current highest-layer child node, acquiring an appointed service resource having a dependency relationship with the current highest-layer child node, and determining a previous-layer child node of the current highest-layer child node according to the appointed service resource; and iteratively executing the steps until the hierarchy height of the resource authority tree of the first user is fixed.
In one possible embodiment, the method further comprises: and receiving a newly added authorization relationship and/or a newly added dependency relationship, and dynamically refreshing the resource authority tree of each user.
In a possible implementation manner, determining whether the user can access the target service resource according to the resource authority tree of the user further includes: and traversing the resource authority tree of the user according to the breadth-first search algorithm, and allowing the user to access the target service resource if the target service resource is matched with any child node of the resource authority tree of the user.
In a second aspect, an access control apparatus is provided, including: the system comprises a receiving unit, a processing unit and a processing unit, wherein the receiving unit is used for receiving an access request of a user, and the access request comprises user information and target service resources; the determining unit is used for determining the resource authority tree of the user according to the user information, wherein the resource authority tree of each user is constructed in advance according to the authorization relationship among a plurality of service resources and a plurality of users and the dependency relationship among the plurality of service resources; and the judging unit is used for judging whether the user can access the target service resource according to the resource authority tree of the user.
In a possible implementation manner, the resource authority tree of each user takes the user to which the resource authority tree belongs as a root node, and the determining unit is further configured to: and matching the root nodes according to the user information to determine the resource authority tree of the user.
In a possible implementation, the apparatus further comprises a creating unit configured to: in response to a preset trigger event, extracting an authorization relationship between each service resource and a specified user to form an authorization relationship library; checking the independence of each service resource, and if any one service resource runs depending on another service resource, generating a dependency relationship between the any one service resource and the another service resource to form a dependency relationship library; and creating a resource authority tree of each user by utilizing a directed graph algorithm according to the authorization relation library and the dependency relation library.
In one possible embodiment, the preset triggering event includes: any one or more of creation event, handover event, audit event and subscription event of each business resource.
In a possible embodiment, the creating unit is further configured to: determining a root node of a resource authority tree of a first user as the first user, wherein the first user is any one user contained in an authorization relation library; traversing the authorization relation library according to the root node to obtain first class of service resources, and determining a first-layer child node of a resource authority tree of a first user according to the first class of service resources; traversing the dependency relationship library according to the first class of service resources to obtain a second class of service resources, and determining child nodes from the second layer to the Nth layer of the resource authority tree of the first user according to the second class of service resources, wherein N is a positive integer greater than or equal to 2.
In a possible embodiment, the creating unit is further configured to: determining a current highest-layer child node of the resource authority tree; traversing the dependency relationship library according to the current highest-layer child node, acquiring an appointed service resource having a dependency relationship with the current highest-layer child node, and determining a previous-layer child node of the current highest-layer child node according to the appointed service resource; and iteratively executing the steps until the hierarchy height of the resource authority tree of the first user is fixed.
In a possible implementation, the apparatus further comprises a refresh unit configured to: and receiving a newly added authorization relationship and/or a newly added dependency relationship, and dynamically refreshing the resource authority tree of each user.
In one possible embodiment, the decision unit is further configured to: and traversing the resource authority tree of the user according to the breadth-first search algorithm, and allowing the user to access the target service resource if the target service resource is matched with any child node of the resource authority tree of the user.
In a third aspect, an access control apparatus is provided, including: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform: receiving an access request of a user, wherein the access request comprises user information and target service resources; determining a resource authority tree of the user according to the user information, wherein the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources; and judging whether the user can access the target service resource or not according to the resource authority tree of the user.
In a fourth aspect, there is provided a computer readable storage medium storing a program which, when executed by a multicore processor, causes the multicore processor to perform the method of the first aspect.
The embodiment of the application adopts at least one technical scheme which can achieve the following beneficial effects: in the embodiment, complicated service authority relationships in a service system are abstracted and extracted, and intricate authorization relationships and dependency association relationships are converted into hierarchical relationships of a tree structure; and the access authority judgment of the user and the target service resource is completed by searching each child node of the resource authority tree, so that the complex authority judgment problem is simplified into a resource authority tree traversal search problem for each user. Thereby greatly simplifying the authority determination process.
It should be understood that the above description is only an overview of the technical solutions of the present invention, so as to clearly understand the technical means of the present invention, and thus can be implemented according to the content of the description. In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, embodiments accompanied with figures are described in detail below.
Drawings
The advantages and benefits described herein, as well as other advantages and benefits, will be apparent to those of ordinary skill in the art upon reading the following detailed description of the exemplary embodiments. The drawings are only for purposes of illustrating exemplary embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like elements throughout. In the drawings:
FIG. 1 is a flow chart illustrating an access control method according to an embodiment of the present invention;
FIG. 2 is a diagram illustrating a structure of a resource authority tree according to an embodiment of the present invention;
FIG. 3 is a diagram of an authorization relationship library according to an embodiment of the invention;
FIG. 4 is a schematic diagram of a dependency library according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of an access control device according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of an access control device according to another embodiment of the present invention.
In the drawings, the same or corresponding reference numerals indicate the same or corresponding parts.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
In the present invention, it is to be understood that terms such as "including" or "having," or the like, are intended to indicate the presence of the disclosed features, numbers, steps, behaviors, components, parts, or combinations thereof, and are not intended to preclude the possibility of the presence of one or more other features, numbers, steps, behaviors, components, parts, or combinations thereof.
It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
The inventor provides an access control method, which can construct a resource authority tree of each user according to authorization relations among a plurality of service resources, a plurality of users and dependency relations among the plurality of service resources in a service management system, and when receiving an access request of a user L1 to a target service resource R1, can obtain the resource authority tree of the user L1 from the pre-constructed resource authority trees of the users according to user information carried by the access request, so that whether the user L1 has access authority to the target service resource R1 can be judged by searching and traversing the resource authority tree of the user L1, and the authority judgment process is greatly simplified.
Having described the general principles of the invention, various non-limiting embodiments of the invention are described in detail below.
Fig. 1 is a schematic flowchart of an access control method 100 according to an embodiment of the present application, in which from a device perspective, an execution subject may be one or more electronic devices, and more specifically, may be a processing module in an electronic device; from the program perspective, the execution main body may accordingly be a program loaded on these electronic devices.
As shown in fig. 1, the method 100 may include:
step 101, receiving an access request of a user, wherein the access request comprises user information and a target service resource;
the access request is an access request aiming at the target service resource. The user information may refer to identification information of the user, such as a user name, user role information, and the like. Optionally, the user information may further include a login password of the user for security authentication after receiving the access request.
As shown in fig. 1, the method 100 includes:
step 102, determining the resource authority tree of the user according to the user information,
the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources. The resource authority tree of the user takes the user as a root node and at least one service resource as a child node, and the user and each service resource on the resource authority tree have an authorization relationship or an invisible authorization relationship. For example, fig. 2 is an exemplary resource right tree, assuming that the user is a user L1, a resource right tree of a user L1 is obtained according to user information, a root node of the resource right tree is a user L1, a first-layer child node is a service resource authorized for the user L1, and a second-layer or higher child node is a service resource implicitly authorized for the user L1.
In a possible implementation manner, the resource authority tree of each user takes the user to which the resource authority tree belongs as a root node, wherein step 102 may further include: and matching the root nodes according to the user information to determine the resource authority tree of the user. The resource authority trees of the users form a tree library, and the root node matching means that the tree library is searched according to user information carried in the access request, the root node information of the resource authority trees of the users is matched, and the resource authority trees of the users are obtained from the tree library.
In a possible implementation, creating a resource authority tree for each user further includes: in response to a preset trigger event, extracting an authorization relationship between each service resource and a specified user to form an authorization relationship library; checking the independence of each service resource, and if any one service resource runs depending on another service resource, generating a dependency relationship between the any one service resource and the another service resource to form a dependency relationship library; and creating a resource authority tree of each user by utilizing a directed graph algorithm according to the authorization relation library and the dependency relation library.
Wherein, the preset trigger event comprises: any one or more of creation event, handover event, audit event and subscription event of each business resource. For example, when the business resource R1 is created by a web page operation, the web page background obtains a creation event of the business resource R1, and the creation event may include: service resource R1, authorized user U1 of service resource R1, type of service resource R1: purchase demand, etc. An authorized user of a given business resource is used to indicate one or more users that have permission to read or operate the given business resource. Further, in response to the creation event of the service resource R1, the authorization relationship between the service resource R1 and the authorized user U1 is extracted: r1 → U1, store in the authorization relation base. As shown in fig. 3, an exemplary authorization relationship repository 30 is shown, which contains authorization relationships between a plurality of business resources and authorized users thereof, the authorization relationships having directionality from the business resources toward the authorized users.
Wherein, if the appointed service resource operates without depending on another service resource, the independence is provided; if the specified business resource runs in dependence on another business resource, generating a dependence relationship between any one business resource and another business resource. Optionally, the checking the independence of each service resource refers to determining whether a preset trigger event carries a dependent object of the service resource. For example, when the business resource P1 is created through a web page operation, the web page background obtains a creation event of the business resource P1, where the creation event may include: service resource P1, authorized user U5 of service resource P1, dependent object of service resource P1: service resource R1 and service resource R2, type of service resource: and (6) purchasing the project. The business resource R1 may be purchase demand information for purchasing commodity 1, the business resource R2 may be purchase demand information for purchasing commodity 2, and the business resource P1 may be purchase item information for purchasing commodity 1 and commodity 2. Further, in response to the creation event of the service resource P1, extracting an authorization relationship P1 → U5 between the service resource P1 and the authorized user U5, and storing the authorization relationship in an authorization relationship library; then, whether the creating event contains a dependent object is judged, and the dependency relationship between the service resource P1 and the service resource R1 is extracted: r1 → P1, and the dependency between the traffic resource P1 and the traffic resource R2: r2 → P1, store in the dependency database. As shown in FIG. 4, an exemplary dependency library 40 is shown that contains dependencies between a plurality of business resources with directionality from dependency objects to a specified business resource.
In the embodiment, the resource authority tree of each user is created based on the directed graph according to a plurality of directional authorization relations in the authorization relation library as one type of directed edge and a plurality of directional dependency relations in the dependency relation library as another type of directed edge. For example, based on the authorization relationship library shown in fig. 3 and the dependency relationship library shown in fig. 4, for the user L1, a resource right tree as shown in fig. 2 can be constructed by using a directed graph algorithm, where the first-layer business resources M1 and M2 are business resources having authorization relationships with the user L1, and the second-layer and third-layer business resources are business resources having invisible authorization relationships with the user L1, and the invisible authorization relationships are determined based on the dependency relationships.
In a possible implementation manner, creating a resource authority tree of each user by using a directed graph algorithm according to the authorization relationship library and the dependency relationship library, further includes: determining a root node of a resource authority tree of a first user as the first user, wherein the first user is any one user contained in an authorization relation library; traversing the authorization relation library according to the root node to obtain first class of service resources, and determining a first-layer child node of a resource authority tree of a first user according to the first class of service resources; traversing the dependency relationship library according to the first class of service resources to obtain a second class of service resources, and determining child nodes from the second layer to the Nth layer of the resource authority tree of the first user according to the second class of service resources, wherein N is a positive integer greater than or equal to 2.
Specifically, each user in the authorization relationship library may be traversed and a resource right count may be created for each user in turn. For example, according to the authorization relation library shown in fig. 3 and the dependency relation library shown in fig. 4, assuming that a first user is a user L1 in the authorization relation library, when constructing a resource authority tree of a user L1, first, the user L1 is used as a root node of the resource authority tree, and the authorization relation library in fig. 3 is traversed according to the user L1, so as to obtain a first class of service resources M1 and M2, where the user L1 is an authorization object of the service resource M1 and the service resource M2, and both have an authorization relation, and the service resource M1 and the service resource M2 are stored in the resource authority tree of the user L1 as a first-level child node. Further, the dependency relationship library in fig. 4 is traversed according to the first-level child nodes, thereby determining the second-level to higher-level child nodes of the resource right tree. Of course, if the dependency relationship library does not have a dependency object of the first class of service resources, the resource authority tree may also only include the first-layer child node, which is not limited in the present application.
In one possible implementation, to determine the second-level to nth-level child nodes of the resource right tree of the first user, the method 100 may further include: determining a current highest-layer child node of the resource authority tree; traversing the dependency relationship library according to the current highest-level child node, acquiring an appointed service resource having a dependency relationship with the current highest-level child node, and increasing the hierarchy of a resource authority tree of a first user according to the appointed service resource; and iteratively executing the steps until the hierarchy height of the resource authority tree of the first user is fixed. For example, to build a resource rights tree as shown in FIG. 2, a first iteration may be performed: after creating the first level child node, the current highest level child node of the resource permission tree of L1 may be determined to be the first level child node; according to the current highest-layer child node: the business resource M1 and the business resource M2 traverse the dependency relationship library to obtain the dependency object of M1: and the business resource P1 acquires the dependent object of M2: the service resource P2, which stores the P1 and P2 into the resource authority tree of user L1 as the second layer of sub-nodes; further, whether the hierarchy height of the resource authority tree of the user L1 is changed is detected, and if the hierarchy height is found to be increased by one level, a second iteration is executed: respectively storing the service resources P1 and P2 into a resource authority tree of a user L1 as a third-level child node by traversing the dependency relation library; further, whether the hierarchy height of the resource authority tree of the user L1 is changed is detected, and if the hierarchy height is found to be increased by one level, a third iteration is executed: through traversing the dependency relationship library, the fact that the service resources of the third-layer child nodes do not have dependent objects in the dependency relationship library is found, and the child nodes do not need to be added; further, whether the hierarchy height of the resource authority tree of the user L1 is changed or not is detected, and if the hierarchy height is found to be fixed, the resource authority tree of the user L1 is output. In the embodiment, whether the resource authority tree is constructed can be simply, conveniently and quickly judged by observing whether the hierarchy height of the resource authority tree is fixed or not.
In a possible implementation manner, after the resource authority tree of each user in the authorization relation library is created, if there is a newly created service resource, the method 100 may further include: and receiving a newly increased authorization relationship and/or a newly increased dependency relationship, and dynamically refreshing the resource authority tree corresponding to each user. In this embodiment, the dynamic refresh scheme can adapt to the dynamic change characteristics of the management system.
As shown in fig. 1, the method 100 includes:
and 103, judging whether the user can access the target service resource according to the resource authority tree of the user.
Specifically, the resource authority tree of the user takes at least one service resource as a child node, and the user has an authorization relationship or an invisible authorization relationship with each service resource in the resource authority tree. Therefore, if the target service resource exists in the resource authority tree of the user, the user is considered to be accessible to the target service resource, otherwise, the user is not accessible.
In a possible implementation, step 103 may further include: and traversing the resource authority tree of the user according to the breadth-first search algorithm, and allowing the user to access the target service resource if the target service resource is matched with any child node of the resource authority tree of the user. The breadth-first search algorithm is similar to tree hierarchy traversal, all the adjacent points of the resource authority tree are sequentially traversed starting from the root node of the tree by using the algorithm, and then the adjacent points are sequentially accessed starting from the adjacent points. According to the process, the adjacent points of all the accessed vertexes in the resource authority tree are accessed.
According to various aspects of the embodiment of the invention, complicated authorization relation and dependency association relation are converted into hierarchical relation of a tree structure by abstracting and extracting complicated service authority relation in a service system; and the access authority judgment of the user and the target service resource is completed by searching each child node of the resource authority tree, so that the complex authority judgment problem is simplified into a resource authority tree traversal search problem for each user. Thereby greatly simplifying the authority determination process.
Based on the same technical concept, an embodiment of the present invention further provides an access control apparatus, configured to execute the access control method provided in any of the above embodiments. Fig. 5 is a schematic structural diagram of an access control apparatus according to an embodiment of the present invention.
As shown in fig. 5, the apparatus 500 includes:
a receiving unit 501, configured to receive an access request of a user, where the access request includes user information and a target service resource;
a determining unit 502, configured to determine a resource authority tree of the user according to the user information, where a resource authority tree of each user is constructed in advance according to authorization relationships between multiple service resources and multiple users and dependency relationships between multiple service resources;
a determining unit 503, configured to determine whether the user can access the target service resource according to the resource authority tree of the user.
In a possible implementation manner, the resource authority tree of each user takes the user to which the resource authority tree belongs as a root node, and the determining unit 502 is further configured to: and matching the root nodes according to the user information to determine the resource authority tree of the user.
In a possible implementation, the apparatus 500 further comprises a creating unit configured to: in response to a preset trigger event, extracting an authorization relationship between each service resource and a specified user to form an authorization relationship library; checking the independence of each service resource, and if any one service resource runs depending on another service resource, generating a dependency relationship between the any one service resource and the another service resource to form a dependency relationship library; and creating a resource authority tree of each user by utilizing a directed graph algorithm according to the authorization relation library and the dependency relation library.
In one possible embodiment, the preset triggering event includes: any one or more of creation event, handover event, audit event and subscription event of each business resource.
In a possible embodiment, the creating unit is further configured to: determining a root node of a resource authority tree of a first user as the first user, wherein the first user is any one user contained in an authorization relation library; traversing the authorization relation library according to the root node to obtain first class of service resources, and determining a first-layer child node of a resource authority tree of a first user according to the first class of service resources; traversing the dependency relationship library according to the first class of service resources to obtain a second class of service resources, and determining child nodes from the second layer to the Nth layer of the resource authority tree of the first user according to the second class of service resources, wherein N is a positive integer greater than or equal to 2.
In a possible embodiment, the creating unit is further configured to: determining a current highest-layer child node of the resource authority tree; traversing the dependency relationship library according to the current highest-layer child node, acquiring an appointed service resource having a dependency relationship with the current highest-layer child node, and determining a previous-layer child node of the current highest-layer child node according to the appointed service resource; and iteratively executing the steps until the hierarchy height of the resource authority tree of the first user is fixed.
In a possible implementation, the apparatus further comprises a refresh unit configured to: and receiving a newly added authorization relationship and/or a newly added dependency relationship, and dynamically refreshing the resource authority tree of each user.
In a possible implementation, the determining unit 503 is further configured to: and traversing the resource authority tree of the user according to the breadth-first search algorithm, and allowing the user to access the target service resource if the target service resource is matched with any child node of the resource authority tree of the user.
Thus, according to various aspects of the embodiment of the invention, complicated authorization relation and dependency association relation are converted into hierarchical relation of a tree structure by abstracting and extracting complicated service authority relation in a service system; and the access authority judgment of the user and the target service resource is completed by searching each child node of the resource authority tree, so that the complex authority judgment problem is simplified into a resource authority tree traversal search problem for each user. Thereby greatly simplifying the authority determination process.
It should be noted that the access control device in the embodiment of the present application may implement each process of the foregoing embodiment of the access control method, and achieve the same effect and function, which is not described herein again.
Fig. 6 is an access control apparatus according to an embodiment of the present application, configured to execute the access control method shown in fig. 1, where the apparatus includes: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform:
receiving an access request of a user, wherein the access request comprises user information and target service resources; determining a resource authority tree of a user according to user information, wherein the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources; and judging whether the user can access the target service resource or not according to the resource authority tree of the user.
According to some embodiments of the application, there is provided a non-transitory computer storage medium having stored thereon computer-executable instructions configured to, when executed by a processor, perform:
receiving an access request of a user, wherein the access request comprises user information and target service resources; determining a resource authority tree of a user according to user information, wherein the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources; and judging whether the user can access the target service resource or not according to the resource authority tree of the user.
The embodiments in the present application are described in a progressive manner, and the same and similar parts among the embodiments can be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, device, and computer-readable storage medium embodiments, the description is simplified because they are substantially similar to the method embodiments, and reference may be made to some descriptions of the method embodiments for their relevance.
The apparatus, the device, and the computer-readable storage medium provided in the embodiment of the present application correspond to the method one to one, and therefore, the apparatus, the device, and the computer-readable storage medium also have advantageous technical effects similar to those of the corresponding method.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both non-transitory and non-transitory, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. Moreover, while the operations of the method of the invention are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step execution, and/or one step broken down into multiple step executions.
While the spirit and principles of the invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor is the division of aspects, which is for convenience only as the features in such aspects may not be combined to benefit. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.

Claims (18)

1. An access control method, comprising:
receiving an access request of a user, wherein the access request comprises user information and a target service resource;
determining the resource authority tree of the user according to the user information, wherein the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources;
and judging whether the user can access the target service resource or not according to the resource authority tree of the user.
2. The method of claim 1, wherein the resource authority tree of each user takes the user as a root node, and the method further comprises:
and matching root nodes according to the user information to determine the resource authority tree of the user.
3. The method of claim 1, wherein creating the resource rights tree for each user further comprises:
in response to a preset trigger event, extracting an authorization relationship between each service resource and a specified user to form an authorization relationship library;
checking the independence of each service resource, and if any one service resource runs depending on another service resource, generating a dependency relationship between the any one service resource and the another service resource to form a dependency relationship library;
and creating the resource authority tree of each user by utilizing a directed graph algorithm according to the authorization relation library and the dependency relation library.
4. The method of claim 3, wherein the preset trigger event comprises:
any one or more of a creation event, a handover event, an audit event and a subscription event of each business resource.
5. The method according to claim 3, wherein creating the resource right tree of each user by using a directed graph algorithm according to the authorization relationship library and the dependency relationship library further comprises:
determining a root node of a resource authority tree of a first user as the first user, wherein the first user is any one user contained in the authorization relation library;
traversing the authorization relation library according to the root node to obtain first class of service resources, and determining a first-layer child node of a resource authority tree of the first user according to the first class of service resources;
traversing the dependency relationship library according to the first class of service resources to obtain a second class of service resources, and determining sub-nodes from a second layer to an Nth layer of a resource authority tree of the first user according to the second class of service resources, wherein N is a positive integer greater than or equal to 2.
6. The method of claim 5, wherein determining the second-level to Nth-level child nodes of the resource privilege tree of the first user further comprises:
determining a current highest-level child node of the resource permission tree;
traversing the dependency relationship library according to the current highest-layer child node, acquiring a designated service resource having a dependency relationship with the current highest-layer child node, and determining a previous-layer child node of the current highest-layer child node according to the designated service resource;
and iteratively executing the steps until the hierarchy height of the resource authority tree of the first user is fixed.
7. The method of claim 3, further comprising:
and receiving a newly increased authorization relationship and/or a newly increased dependency relationship, and dynamically refreshing the resource authority tree of each user.
8. The method of claim 3, wherein determining whether the user can access the target business resource according to the user's resource authority tree further comprises:
and traversing the resource authority tree of the user according to a breadth-first search algorithm, and allowing the user to access the target service resource if the target service resource is matched with any child node of the resource authority tree of the user.
9. An access control apparatus, comprising:
a receiving unit, configured to receive an access request of a user, where the access request includes user information and a target service resource;
the determining unit is used for determining the resource authority tree of the user according to the user information, wherein the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources;
and the judging unit is used for judging whether the user can access the target service resource according to the resource authority tree of the user.
10. The apparatus of claim 9, wherein the resource authority trees of the users respectively take the user as a root node, and the determining unit is further configured to:
and matching root nodes according to the user information to determine the resource authority tree of the user.
11. The apparatus according to claim 9, wherein the apparatus further comprises a creating unit configured to:
in response to a preset trigger event, extracting an authorization relationship between each service resource and a specified user to form an authorization relationship library;
checking the independence of each service resource, and if any one service resource runs depending on another service resource, generating a dependency relationship between the any one service resource and the another service resource to form a dependency relationship library;
and creating the resource authority tree of each user by utilizing a directed graph algorithm according to the authorization relation library and the dependency relation library.
12. The apparatus of claim 11, wherein the preset trigger event comprises:
any one or more of a creation event, a handover event, an audit event and a subscription event of each business resource.
13. The apparatus of claim 11, wherein the creating unit is further configured to:
determining a root node of a resource authority tree of a first user as the first user, wherein the first user is any one user contained in the authorization relation library;
traversing the authorization relation library according to the root node to obtain first class of service resources, and determining a first-layer child node of a resource authority tree of the first user according to the first class of service resources;
traversing the dependency relationship library according to the first class of service resources to obtain a second class of service resources, and determining sub-nodes from a second layer to an Nth layer of a resource authority tree of the first user according to the second class of service resources, wherein N is a positive integer greater than or equal to 2.
14. The apparatus of claim 13, wherein the creating unit is further configured to:
determining a current highest-level child node of the resource permission tree;
traversing the dependency relationship library according to the current highest-layer child node, acquiring a designated service resource having a dependency relationship with the current highest-layer child node, and determining a previous-layer child node of the current highest-layer child node according to the designated service resource;
and iteratively executing the steps until the hierarchy height of the resource authority tree of the first user is fixed.
15. The apparatus of claim 11, further comprising a refresh unit to:
and receiving a newly increased authorization relationship and/or a newly increased dependency relationship, and dynamically refreshing the resource authority tree of each user.
16. The apparatus of claim 11, wherein the determination unit is further configured to:
and traversing the resource authority tree of the user according to a breadth-first search algorithm, and allowing the user to access the target service resource if the target service resource is matched with any child node of the resource authority tree of the user.
17. An access control apparatus, comprising:
at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to cause the at least one processor to perform:
receiving an access request of a user, wherein the access request comprises user information and a target service resource;
determining the resource authority tree of the user according to the user information, wherein the resource authority tree of each user is constructed in advance according to authorization relations among a plurality of service resources and a plurality of users and dependency relations among the plurality of service resources;
and judging whether the user can access the target service resource or not according to the resource authority tree of the user.
18. A computer-readable storage medium storing a program that, when executed by a multi-core processor, causes the multi-core processor to perform the method of any one of claims 1-8.
CN202010024604.5A 2020-01-10 2020-01-10 Access control method, device and computer readable storage medium Pending CN111259350A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010024604.5A CN111259350A (en) 2020-01-10 2020-01-10 Access control method, device and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010024604.5A CN111259350A (en) 2020-01-10 2020-01-10 Access control method, device and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN111259350A true CN111259350A (en) 2020-06-09

Family

ID=70952728

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010024604.5A Pending CN111259350A (en) 2020-01-10 2020-01-10 Access control method, device and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN111259350A (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111881477A (en) * 2020-07-28 2020-11-03 平安科技(深圳)有限公司 Indexing method and device of data content, computer equipment and storage medium
CN112235253A (en) * 2020-09-22 2021-01-15 杭州安恒信息技术股份有限公司 Data asset combing method and device, computer equipment and storage medium
CN112487484A (en) * 2020-12-15 2021-03-12 深圳壹账通智能科技有限公司 Dynamic configuration method and device for node permission in block chain network
CN113204371A (en) * 2021-05-28 2021-08-03 金蝶软件(中国)有限公司 Access control method, related device and storage medium
CN114257701A (en) * 2020-09-23 2022-03-29 北京字节跳动网络技术有限公司 Access configuration method, device and storage medium of video processing algorithm
CN116150436A (en) * 2023-04-14 2023-05-23 北京锐服信科技有限公司 Data display method and system based on node tree
TWI821052B (en) * 2021-12-05 2023-11-01 熵碼科技股份有限公司 Electronic device and method for performing permission management of storage device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105488431A (en) * 2015-11-30 2016-04-13 布比(北京)网络技术有限公司 Authority management method and device for block chain system
CN105677651A (en) * 2014-11-18 2016-06-15 方正国际软件(北京)有限公司 Permission tree generation method and device
US20170295186A1 (en) * 2016-04-08 2017-10-12 Vmware, Inc. Access control for user accounts using a bidirectional search approach

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105677651A (en) * 2014-11-18 2016-06-15 方正国际软件(北京)有限公司 Permission tree generation method and device
CN105488431A (en) * 2015-11-30 2016-04-13 布比(北京)网络技术有限公司 Authority management method and device for block chain system
US20170295186A1 (en) * 2016-04-08 2017-10-12 Vmware, Inc. Access control for user accounts using a bidirectional search approach

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111881477A (en) * 2020-07-28 2020-11-03 平安科技(深圳)有限公司 Indexing method and device of data content, computer equipment and storage medium
CN112235253A (en) * 2020-09-22 2021-01-15 杭州安恒信息技术股份有限公司 Data asset combing method and device, computer equipment and storage medium
CN114257701A (en) * 2020-09-23 2022-03-29 北京字节跳动网络技术有限公司 Access configuration method, device and storage medium of video processing algorithm
CN112487484A (en) * 2020-12-15 2021-03-12 深圳壹账通智能科技有限公司 Dynamic configuration method and device for node permission in block chain network
WO2022127122A1 (en) * 2020-12-15 2022-06-23 深圳壹账通智能科技有限公司 Dynamic configuration method and apparatus for node permissions in blockchain network
CN113204371A (en) * 2021-05-28 2021-08-03 金蝶软件(中国)有限公司 Access control method, related device and storage medium
CN113204371B (en) * 2021-05-28 2023-09-19 金蝶软件(中国)有限公司 Access control method, related device and storage medium
TWI821052B (en) * 2021-12-05 2023-11-01 熵碼科技股份有限公司 Electronic device and method for performing permission management of storage device
CN116150436A (en) * 2023-04-14 2023-05-23 北京锐服信科技有限公司 Data display method and system based on node tree
CN116150436B (en) * 2023-04-14 2023-08-08 北京锐服信科技有限公司 Data display method and system based on node tree

Similar Documents

Publication Publication Date Title
CN111259350A (en) Access control method, device and computer readable storage medium
Treude et al. Difference computation of large models
Zhang et al. Privacy preservation over big data in cloud systems
US11275850B1 (en) Multi-faceted security framework for unstructured storage objects
US10936574B2 (en) System and method for use of lock-less techniques with a multidimensional database
Bouyer et al. Reachability in networks of register protocols under stochastic schedulers
US20240037264A1 (en) Systems and methods for providing network-based permissioning using security node hash identifiers
US11720607B2 (en) System for lightweight objects
Wetzels et al. Branch Decomposition‐Independent Edit Distances for Merge Trees
KR20150104156A (en) Immutable object types
Schmieders et al. Runtime model-based privacy checks of big data cloud services
Gupta et al. Detection of vulnerabilities in blockchain smart contracts: a review
WO2014107390A2 (en) Managing authorization of actions associated with data objects
Bender et al. Fine-grained disclosure control for app ecosystems
Pomares-Quimbaya et al. Anonylitics: From a small data to a big data anonymization system for analytical projects
US9009731B2 (en) Conversion of lightweight object to a heavyweight object
CN109947403B (en) Decomposition and modeling method of safety target and related equipment
Gahar et al. An ontology-driven mapreduce framework for association rules mining in massive data
Prasath et al. Autonomous Application in Requirements Analysis of Information System Development for Producing a Design Model
El Ouazzani et al. Dynamic management of data warehouse security levels based on user profiles
Nasrullah et al. A Study of Performance Evaluation and Comparison of NOSQL Databases Choosing for Big Data: HBase and Cassandra Using YCSB
Aqib et al. An algorithm to detect inconsistencies in access control policies
Al-Obeidallah et al. MLDA: a multiple levels detection approach for design patterns recovery
US7987470B1 (en) Converting heavyweight objects to lightwight objects
US20240248691A1 (en) Detecting software code anomalies based on organizational information

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination