CN111400170A - Data permission testing method and device - Google Patents

Publication number
CN111400170A
Authority
CN
China
Prior art keywords
authority
information
role
permission
role information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010131924.0A
Other languages
Chinese (zh)
Other versions
CN111400170B (en)
Inventor
原鹏飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Life Insurance Company of China Ltd
Original Assignee
Ping An Life Insurance Company of China Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Life Insurance Company of China Ltd
Priority to CN202010131924.0A
Publication of CN111400170A
Application granted
Publication of CN111400170B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Quality & Reliability (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the application is suitable for testing in research and development management, and discloses a data permission testing method, which comprises the following steps: acquiring a product document of a database and a permission configuration file associated with the product document, wherein the product document comprises a role information set and a permission information set; determining, according to the permission configuration file, the association relation between the role information set and the permission information set and the hierarchical relation among the permission information in the permission information set; generating a role permission relation tree for each role information; and comparing the role permission relation tree of each role information with the permission set associated with that role information in the database, thereby testing the role permission configuration of each role information in the database, and outputting the test result. With the method and the device, disordered permission information can be put in order, which improves the efficiency of permission testing.

Description

Data permission testing method and device
Technical Field
The invention relates to the technical field of computers, in particular to a data permission testing method and device.
Background
With the development of the internet, big data and artificial intelligence are used ever more widely, so big data testing is very important wherever big data technology is used; it must ensure accurate synchronization, storage, disaster recovery and other aspects of mass data. Meanwhile, in application (APP) testing, especially for data-type APPs, besides testing the synchronization accuracy of mass data, attention must also be paid to data permission testing of that data. For example, for the same APP scene or page, the mass data may contain permission-restricted data that only a team leader, a VIP user or a developer is permitted to view; that is, the data that different users can obtain or view differs.
At present, in common data-type APPs on the market the permission data often contains a large amount of chart data, and for this case no mature big data permission testing method exists for testing the mass data stored in such APPs, so big data testing efficiency is low.
Disclosure of Invention
Based on the above, the application provides a data permission testing method and device, so as to improve the testing efficiency of the data permission.
A first aspect of the embodiments of the present application provides a data permission testing method, including:
acquiring a product document of a database, wherein the product document comprises a role information set and a permission information set, the role information set comprises a plurality of role information, each role information is used for indicating a class of users, the permission information set comprises a plurality of permission information, and each permission information is used for indicating the permission of a class of data in the database;
acquiring a permission configuration file associated with the product document, and determining the association relation between the role information set and the permission information set and the hierarchical relation among the plurality of permission information according to the permission configuration file;
determining a role node according to each role information in the role information set, and determining an authority node according to each authority information in the authority information set;
generating a role authority relationship tree corresponding to each role information based on the association relationship between the role information set and the authority information set and the hierarchical relationship among the plurality of authority information, wherein the role authority relationship tree consists of corresponding role nodes and a plurality of authority nodes associated with the role nodes;
performing joint query on a plurality of authority data tables of the database based on target role information to obtain an authority set associated with the target role information in the plurality of authority data tables, wherein each authority data table in the plurality of authority data tables comprises a plurality of service data names, each service data name indicates one type of data in the database, the authority set is composed of service data names associated with the target role information in the database, and the authority set is used for indicating that the target role information has access authority for at least one type of data corresponding to the service data names associated with the target role information in the database;
and if the authority node name contained in the role authority relationship tree corresponding to each role information in the role information set is consistent with the business data name in the authority set corresponding to the role information, outputting a test result of successful role authority configuration of the database.
Wherein, the authority configuration file includes at least one section of program code, and the determining the association relationship between the role information set and the authority information set and the hierarchical relationship among the plurality of authority information according to the authority configuration file includes:
acquiring the at least one section of program code in the authority configuration file, and analyzing each line of code statement in the at least one section of program code;
and determining the association relationship between each role information in the role information set and each authority information in the authority information set and the hierarchical relationship between each authority information in the plurality of authority information according to the calling relationship and the execution sequence between each row of code statements.
The generating a role authority relationship tree corresponding to each role information based on the association relationship between the role information set and the authority information set and the hierarchical relationship among the plurality of authority information includes:
taking an ith role node corresponding to ith role information in the role information as a root node of an ith role authority relationship tree, wherein i is a positive integer and is less than or equal to the number of role information included in the role information set;
acquiring a first authority node associated with the ith role node from the authority nodes based on the incidence relation between the role information set and the authority information set;
determining the inclusion relationship among the first authority nodes based on the hierarchical relationship among the authority information in the authority information set;
establishing a parent-child relationship and a brother relationship among the first permission nodes according to the inclusion relationship among the first permission nodes, and taking the first permission nodes as child nodes in the ith role permission relationship tree based on the parent-child relationship and the brother relationship;
until obtaining the role authority relation tree corresponding to each role information in the role information set.
After acquiring the permission set associated with the target role information in the plurality of permission data tables, the method further includes:
acquiring a role authority relationship tree corresponding to the target role information;
acquiring a target authority node from a role authority relationship tree corresponding to the target role information;
and comparing the target authority node name with the service data name in the authority set of the target role information.
After the above steps, the method further includes:
if the authority node name contained in the role authority relationship tree corresponding to each role information in the role information set is different from the business data name in the authority set corresponding to the role information, acquiring abnormal authority information and abnormal role information associated with the abnormal authority information, wherein the abnormal authority information is data different between the authority node name contained in the role authority relationship tree corresponding to each role information in the role information set and the business data name in the authority set corresponding to the role information;
if the abnormal authority information belongs to the authority set but not to the authority node, sending an authority recovery request to an authority management terminal so that the authority management terminal recovers the authority of the abnormal role information to the data corresponding to the abnormal authority information, wherein the authority recovery request comprises the abnormal authority information and the abnormal role information;
if the abnormal authority information belongs to the authority node but not to the authority set, sending an authority issuing request to the authority management terminal so that the authority management terminal adds the authority of the data corresponding to the abnormal authority information for the abnormal role information, wherein the authority issuing request comprises the abnormal authority information and the abnormal role information.
After the above steps, the method further includes:
receiving a permission adjustment message sent by the permission management terminal, and acquiring a permission set associated with the abnormal role information from the plurality of permission data tables;
and if the business data name in the authority set associated with the abnormal role information is consistent with the authority node name in the role authority relationship tree of the abnormal role information, outputting a result of successful authority adjustment aiming at the abnormal role information in the database.
Wherein, determining the association relationship between each role information in the role information set and each authority information in the authority information set and the hierarchical relationship between each authority information in the plurality of authority information according to the calling relationship and the execution sequence between each row of code statements includes:
if the code statement is a conditional statement, determining that role information and authority information included in the conditional statement are associated;
and if the code statement is an execution statement, determining the hierarchical relationship among the authority information included in the execution statement according to the execution sequence of the execution statement.
A second aspect of the embodiments of the present application provides a data permission testing apparatus, including:
a first acquisition module, configured to acquire a product document of a database, wherein the product document comprises a role information set and a permission information set, the role information set comprises a plurality of role information, each role information is used for indicating a class of users, the permission information set comprises a plurality of permission information, and each permission information is used for indicating the permission of a class of data in the database;
the second acquisition module is used for acquiring a permission configuration file associated with the product document, and determining the association relationship between the role information set and the permission information set and the hierarchical relationship among the plurality of permission information according to the permission configuration file;
the determining module is used for determining role nodes according to each role information in the role information set and determining authority nodes according to each authority information in the authority information set;
the generating module is used for generating a role authority relationship tree corresponding to each role information based on the association relationship between the role information set and the authority information set and the hierarchical relationship among the plurality of authority information, wherein the role authority relationship tree consists of corresponding role nodes and a plurality of authority nodes associated with the role nodes;
a third obtaining module, configured to perform joint query on multiple permission data tables of the database based on target role information, and obtain a permission set associated with the target role information in the multiple permission data tables, where each permission data table in the multiple permission data tables includes multiple service data names, each service data name indicates one type of data in the database, the permission set is composed of service data names associated with the target role information in the database, and the permission set is used to indicate that the target role information has access permission to at least one type of data corresponding to the service data name associated with the target role information in the database;
and the display module is used for outputting a test result of successful role permission configuration of the database if the permission node name contained in the role permission relation tree corresponding to each role information in the role information set is consistent with the service data name in the permission set corresponding to the role information.
The second obtaining module is specifically configured to:
acquiring the at least one section of program code in the authority configuration file, and analyzing each line of code statement in the at least one section of program code;
and determining the association relationship between each role information in the role information set and each authority information in the authority information set and the hierarchical relationship between each authority information in the plurality of authority information according to the calling relationship and the execution sequence between each row of code statements.
The generation module is specifically configured to:
taking an ith role node corresponding to ith role information in the role information as a root node of an ith role authority relationship tree, wherein i is a positive integer and is less than or equal to the number of role information included in the role information set;
acquiring a first authority node associated with the ith role node from the authority nodes based on the incidence relation between the role information set and the authority information set;
determining the inclusion relationship among the first authority nodes based on the hierarchical relationship among the authority information in the authority information set;
establishing a parent-child relationship and a brother relationship among the first permission nodes according to the inclusion relationship among the first permission nodes, and taking the first permission nodes as child nodes in the ith role permission relationship tree based on the parent-child relationship and the brother relationship;
until obtaining the role authority relation tree corresponding to each role information in the role information set.
The apparatus further includes:
a fourth obtaining module, configured to obtain a role authority relationship tree corresponding to the target role information;
the fourth obtaining module is further configured to obtain a target permission node from the role permission relationship tree corresponding to the target role information;
and the comparison module is used for comparing the target authority node name with the business data name in the authority set of the target role information.
The apparatus further includes:
a fifth obtaining module, configured to obtain abnormal permission information and abnormal role information associated with the abnormal permission information if a permission node name included in a role permission relationship tree corresponding to each role information in the role information set is different from a service data name in the permission set corresponding to the role information, where the abnormal permission information is data in which a permission node name included in the role permission relationship tree corresponding to each role information in the role information set is different from a service data name in the permission set corresponding to the role information;
a sending module, configured to send a permission recovery request to a permission management terminal if the abnormal permission information belongs to the permission set but not to the permission node, so that the permission management terminal recovers permission of the abnormal role information to data corresponding to the abnormal permission information, where the permission recovery request includes the abnormal permission information and the abnormal role information;
the sending module is further configured to send a permission issuing request to the permission management terminal if the abnormal permission information belongs to the permission node but not to the permission set, so that the permission management terminal increases the permission of the data corresponding to the abnormal permission information for the abnormal role information, where the permission issuing request includes the abnormal permission information and the abnormal role information.
Wherein the apparatus further comprises:
the receiving module is used for receiving the authority adjusting message sent by the authority management terminal;
the third obtaining module is further configured to obtain a permission set associated with the abnormal role information from the plurality of permission data tables;
and the display module is further configured to output a result of successful permission adjustment for the abnormal role information in the database if the business data name in the permission set associated with the abnormal role information is consistent with the permission node name in the role permission relationship tree of the abnormal role information.
The second obtaining module is specifically configured to:
if the code statement is a conditional statement, determining that role information and authority information included in the conditional statement are associated;
and if the code statement is an execution statement, determining the hierarchical relationship among the authority information included in the execution statement according to the execution sequence of the execution statement.
A third aspect of the embodiments of the present application provides an electronic device, including a processor, a memory, and an input/output interface;
the processor is respectively connected with the memory and the input/output interface, wherein the input/output interface is used for data interaction, the memory is used for storing program codes, and the processor is used for calling the program codes to execute the data permission testing method according to the first aspect in the embodiment of the present application.
The embodiment of the application has the following beneficial effects:
A product document of a database is acquired, wherein the product document comprises a role information set and a permission information set, each role information in the role information set indicates a class of users, and each permission information in the permission information set indicates the permission of a class of data in the database; a permission configuration file associated with the product document is acquired, the association relation between the role information set and the permission information set and the hierarchical relation among the plurality of permission information are determined according to the permission configuration file, and a role permission relation tree of each role information is generated based on the association relation and the hierarchical relation; a joint query is performed on a plurality of permission data tables in the database to obtain the permission set associated with each role information in the database; and each node in the role permission relation tree of each role information is compared with the permission set of that role information to test the role permission configuration of the database and output the test result, thereby testing the users' operation permissions on the data. The role information and permission information in the product document are organized into a tree structure that reflects the association relation between role information and permission information and the hierarchical relation among the permission information, so that disordered data permission information becomes ordered and data can be conveniently extracted and compared, which improves the efficiency of testing data permissions.
Meanwhile, performing a joint query on the plurality of permission data tables in the database can improve the query efficiency of the database and thereby further improve the efficiency of permission testing.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Wherein:
FIG. 1a is a diagram of a data permission test architecture provided in an embodiment of the present application;
FIG. 1b is a schematic diagram of a role authority relationship tree according to an embodiment of the present application;
FIG. 2 is a schematic flowchart of a data permission testing method according to an embodiment of the present application;
FIG. 3 is a schematic diagram of an example of a role authority relationship tree according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a data permission testing apparatus according to an embodiment of the present application;
FIG. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1a, fig. 1a is a diagram of a data permission test architecture according to an embodiment of the present application. As shown in fig. 1a, a server 103 obtains a product document 101 corresponding to a database 105, where the product document 101 includes a role information set and a permission information set, the role information set includes a plurality of role information, each role information indicates a type of user, the permission information set includes a plurality of permission information, and each permission information indicates a permission for a type of data in the database 105. The server 103 obtains the authority configuration file 102 associated with the product document 101, and determines the association relationship between the role information sets and the authority information sets and the hierarchical relationship between the authority information sets according to the product document 101 and the authority configuration file 102, so as to generate a role authority relationship tree 104 corresponding to each role information. Meanwhile, the server 103 performs joint query on the plurality of permission data tables 106 of the database 105 to obtain a permission set 107 associated with each role information, compares the role permission relationship tree 104 of each role information with the permission set 107 of the role information to realize the test of the role permission configuration condition in the database, and outputs the test result. The authority information can be regarded as a related description of a type of data, and when a role is associated with the authority information, the role is regarded as having the authority of the type of data indicated by the authority information.
For example, suppose the permission information set includes data 1, data 2 and data 3, and the role information set includes role 1 and role 2. According to the permission configuration file 102, it is determined that data 1 includes data 2, that role 1 is associated with data 1, data 2 and data 3, and that role 2 is associated with data 3. From this association relationship and hierarchical relationship, a role permission relationship tree for role 1, composed of "role 1 -> data 1 -> data 2" and "role 1 -> data 3", and a role permission relationship tree for role 2, "role 2 -> data 3", are generated. The permission set associated with role 1 and the permission set associated with role 2 are queried from the plurality of permission data tables 106 of the database 105; the role permission relationship tree and permission set of role 1, and those of role 2, are compared to obtain a test result for the role permission configuration in the database 105, and the test result is output. The role authority relationship tree of role 1 is shown as role authority relationship tree 108 in FIG. 1b, and the role authority relationship tree of role 2 is shown as role authority relationship tree 109 in FIG. 1b.
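The comparison described above, worked through with the same role 1 / role 2 and data 1 / data 2 / data 3 values, including the two mismatch cases that lead to a permission recovery (revocation) request or a permission issuing request. This is an added illustration, not code from the patent; the three-table schema (`role`, `permission`, `role_permission`), all function names, and the database contents are assumptions constructed for the demonstration.

```python
"""Expected role-permission trees vs. permissions actually stored in a database."""
import sqlite3

# Constructed input taken from the example above: data 1 includes data 2;
# role 1 is associated with data 1, data 2 and data 3; role 2 with data 3.
ASSOCIATION = {"role 1": {"data 1", "data 2", "data 3"}, "role 2": {"data 3"}}
HIERARCHY = {"data 2": "data 1"}  # child permission -> parent permission

# Constructed database state with two deliberate misconfigurations:
# role 1 lacks data 2, and role 2 holds data 1, which it should not.
DB_GRANTS = {"role 1": ["data 1", "data 3"], "role 2": ["data 3", "data 1"]}


def build_tree(role, association, hierarchy):
    """Return the tree as {node: [children]}; the role node is the root."""
    perms = association.get(role, set())
    tree = {role: []}
    tree.update({p: [] for p in perms})
    for perm in sorted(perms):
        # Climb to the nearest ancestor this role also holds, else hang off the root.
        parent, seen = hierarchy.get(perm), {perm}
        while parent is not None and parent not in perms:
            if parent in seen:
                raise ValueError(f"cycle in permission hierarchy at {parent!r}")
            seen.add(parent)
            parent = hierarchy.get(parent)
        tree[role if parent is None else parent].append(perm)
    if node_names(tree, role) != set(perms):
        raise ValueError(f"permissions of {role!r} do not form a tree")
    return tree


def node_names(tree, role):
    """Names of every permission node reachable from the role's root node."""
    names, stack = set(), list(tree[role])
    while stack:
        node = stack.pop()
        if node not in names:
            names.add(node)
            stack.extend(tree[node])
    return names


def make_db(grants):
    """Build an in-memory database using the assumed three-table schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE role(id INTEGER PRIMARY KEY, name TEXT UNIQUE);
        CREATE TABLE permission(id INTEGER PRIMARY KEY, business_data_name TEXT UNIQUE);
        CREATE TABLE role_permission(role_id INTEGER, permission_id INTEGER);
    """)
    for role, names in grants.items():
        conn.execute("INSERT OR IGNORE INTO role(name) VALUES (?)", (role,))
        for name in names:
            conn.execute(
                "INSERT OR IGNORE INTO permission(business_data_name) VALUES (?)", (name,))
            conn.execute(
                "INSERT INTO role_permission SELECT r.id, p.id FROM role r, permission p "
                "WHERE r.name = ? AND p.business_data_name = ?", (role, name))
    return conn


def permission_set(conn, role):
    """Joint query over the permission tables; the role name is a bound parameter."""
    rows = conn.execute(
        "SELECT p.business_data_name FROM role r "
        "JOIN role_permission rp ON rp.role_id = r.id "
        "JOIN permission p ON p.id = rp.permission_id WHERE r.name = ?", (role,))
    return {name for (name,) in rows}


def check_role(conn, role, association, hierarchy):
    """Compare tree node names with the stored permission set for one role."""
    expected = node_names(build_tree(role, association, hierarchy), role)
    actual = permission_set(conn, role)
    return {
        "role": role,
        "ok": expected == actual,
        "revoke": sorted(actual - expected),  # in the database only: recovery request
        "grant": sorted(expected - actual),   # in the tree only: issuing request
    }


def run_checks(conn, association, hierarchy):
    """Check every role in the role information set."""
    return [check_role(conn, r, association, hierarchy) for r in sorted(association)]


if __name__ == "__main__":
    for result in run_checks(make_db(DB_GRANTS), ASSOCIATION, HIERARCHY):
        print(result)
```

The `revoke` list is the over-privilege case: the role holds access in the database that the expected tree does not contain.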
Further, please refer to FIG. 2, which is a flowchart illustrating a data permission testing method according to an embodiment of the present application. Specifically, of all the data included in a data application program, the data that can be operated on differs from role to role, and the present application tests the data permissions possessed by different roles. As shown in FIG. 2, the method includes the following steps:
Step S201, acquiring a product document of a database.
Specifically, a product document of a database is obtained, where the product document includes a role information set and a permission information set, the role information set includes a plurality of role information, each role information is used to indicate a type of user, the permission information set includes a plurality of permission information, and each permission information is used to indicate a permission for a type of data in the database. When the data authority stored in the database needs to be tested, a product document of the database is obtained, wherein the product document comprises a role information set and an authority information set, the role information set comprises a plurality of role information, each role information has a corresponding storage record in the database, and corresponds to one type of data recorded in the database. The product document is used for analyzing service data and role information (the service data is used for representing authority information) contained in the application program, and may be regarded as a requirement analysis of the application program to indicate a function that the application program needs to implement, so that each role information in a role information set and each authority information in an authority information set contained in the product document may be unordered, and the relevance between the role information set and the authority information set cannot be reflected. Optionally, the product document includes a hierarchical relationship between the rights information, for example, an inclusion relationship that one rights information belongs to another rights information.
The role information is divided based on the authority of the role information, and it can be considered that each user indicated by each role information has the same authority, that is, the data that can be operated are the same. For example, assuming that the data type APP is used to display text data, and the operation permission for the text data in the data type APP is determined based on the identity location of each user in the data type APP, the role information set in the obtained product document may include "tourist, general user, short-term Important (VIP user), lifelong VIP user, APP administrator, and the like", and it is assumed that the permission information set in the obtained product document includes "resource data, function data, resource 1, channel 1, service 1, channel 2, resource 2, channel 3, service 2, service 3, and the like". Optionally, if the product document includes a hierarchical relationship between the authority information, "resource data- > resource 1- > channel 1- > service 1, resource data- > resource 1- > channel 2, resource data- > resource 2- > channel 3- > service 3", and the like.
Step S202, a permission configuration file associated with the product document is acquired.
Specifically, a permission configuration file associated with the product document is obtained, and the association relationship between the role information set and the permission information set and the hierarchical relationship among the plurality of permission information are determined according to the permission configuration file. Optionally, if the product document already includes the hierarchical relationship between the authority information, only the association relationship between each role information in the role information set and each authority information in the authority information set needs to be determined according to the authority configuration file. The authority configuration file is at least one section of program code, and the at least one section of program code comprises a plurality of lines of code statements. Specifically, the at least one section of program code in the authority configuration file is obtained, and each line of code statement in it is analyzed; the association relationship between each role information in the role information set and each authority information in the authority information set, and the hierarchical relationship between the authority information, are then determined according to the calling relationship and the execution sequence between the lines of code statements (namely, the logical relationship implemented by the code).
That is, the code data corresponding to each role information and the code data corresponding to each authority information are located in the authority configuration file, and the association relationship between each role information and each authority information and the hierarchical relationship between the authority information are determined by analyzing the positions of these code data in the authority configuration file.
If the code statement is a conditional statement, it is determined that the role information and the authority information included in the conditional statement are associated. If the code statement is an execution statement, the hierarchical relationship among the authority information included in the execution statement is determined according to the execution sequence of the execution statement. If the code statement is a function call, the association relationship between the role information and the authority information, or the hierarchical relationship between the authority information, and the like is determined according to the calling relationship between the role information and authority information contained in the code statement and the called function. Optionally, if the product document includes a hierarchical relationship between the authority information in the authority information set, only the association relationship between each role information and each authority information in the authority information set needs to be determined according to the calling relationship and the execution sequence of the code statements.
For example, if the code statement is a conditional statement, the condition in the conditional statement and the statement executed when the condition is satisfied can be obtained, and the role information or authority information included in the condition is associated with the role information or authority information included in the statement executed when the condition is satisfied. For example, if there is a conditional statement, represented here in pseudo code as "if (role 1) printf data 1, data 2 and data 3", it is determined that role 1 is associated with data 1, data 2 and data 3, and that data 1 includes data 2.
By analyzing the logical relationship implemented by the authority configuration file, the association relationship between the role information set and the authority information set in the product document and the hierarchical relationship between the authority information are obtained.
For example, based on the example in step S201, the association relationship between the role information set and the authority information set is as follows: "APP administrator" is associated with all authority information; "lifelong VIP user" is associated with "resource data, resource 1, channel 1, service 1, channel 2, resource 2, channel 3, service 2 and function data"; "short-term VIP user" is associated with "resource data, resource 1, channel 1, service 1, channel 2, resource 2, channel 3 and service 2"; "ordinary user" is associated with "resource data, resource 1, channel 1, service 1 and channel 2"; and "guest" is associated with "resource data, resource 1, channel 1 and service 1".
Step S203, generating a role authority relation tree according to the product document and the authority configuration file.
Specifically, a role authority relationship tree is generated according to the product document and the authority configuration file. A role node is determined according to each role information in the role information set, and an authority node is determined according to each authority information in the authority information set. In other words, the role name in each role information is obtained and used as the role node corresponding to that role information, and the authority name in each authority information is obtained and used as the authority node corresponding to that authority information, thereby obtaining the role node of each role information and the authority node of each authority information. A role authority relationship tree corresponding to each role information is then generated based on the association relationship between the role information set and the authority information set and the hierarchical relationship among the plurality of authority information, wherein each role authority relationship tree consists of a corresponding role node and a plurality of authority nodes associated with the role node.
Specifically, the ith role node corresponding to the ith role information in the role information is used as the root node of the ith role authority relationship tree, where i is a positive integer and i is less than or equal to the number of role information included in the role information set; the first authority nodes associated with the ith role node are acquired from the authority nodes based on the association relationship between the role information set and the authority information set; the inclusion relationship between the first authority nodes is determined based on the hierarchical relationship between the authority information in the authority information set; a parent-child relationship and a sibling relationship are established among the first authority nodes according to the inclusion relationship among them, and the first authority nodes are taken as child nodes in the ith role authority relationship tree based on the parent-child relationship and the sibling relationship; this is repeated until a role authority relationship tree corresponding to each role information in the role information set is obtained.
For example, based on the example shown in step S202, a role authority relationship tree of each role information is generated according to the association relationship between each role information in the role information set and each authority information in the authority information set and the hierarchical relationship between the authority information; the role authority relationship trees can be as shown in fig. 3. Fig. 3 includes a role authority relationship tree 301 of the APP administrator, a role authority relationship tree 302 of the lifelong VIP user, a role authority relationship tree 303 of the short-term VIP user, a role authority relationship tree 304 of the ordinary user, and a role authority relationship tree 305 of the guest. The role authority relationship tree 301 of the APP administrator takes the APP administrator as its root node, which represents the role node in the role authority relationship tree 301. With the APP administrator (the user node) as the parent node, resource data and function data are its child nodes; with the authority node of resource data as the parent node, resource 1 and resource 2 are its child nodes; with resource 1 as the parent node, channel 1 and channel 2 are its child nodes; with channel 1 as the parent node, service 1 is its child node; with resource 2 as the parent node, channel 3 is its child node; and with channel 3 as the parent node, service 2 and service 3 are its child nodes.
Similarly, the role authority relationship tree 302 of the lifelong VIP user takes the user node of the lifelong VIP user as the root node of the tree, and includes the branches "lifelong VIP user -> resource data -> resource 1 -> channel 1 -> service 1, lifelong VIP user -> resource data -> resource 1 -> channel 2, lifelong VIP user -> resource data -> resource 2 -> channel 3 -> service 2, and lifelong VIP user -> function data"; the role authority relationship tree 303 of the short-term VIP user takes the user node of the short-term VIP user as the root node of the tree, and includes the branches "short-term VIP user -> resource data -> resource 1 -> channel 1 -> service 1, short-term VIP user -> resource data -> resource 1 -> channel 2, and short-term VIP user -> resource data -> resource 2 -> channel 3 -> service 2"; the role authority relationship tree 304 of the ordinary user takes the user node of the ordinary user as the root node of the tree, and includes the branches "ordinary user -> resource data -> resource 1 -> channel 1 -> service 1 and ordinary user -> resource data -> resource 1 -> channel 2"; the role authority relationship tree 305 of the guest takes the user node of the guest as the root node of the tree, and includes the branch "guest -> resource data -> resource 1 -> channel 1 -> service 1".
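The tree generation of step S203, applied to the sample roles and permissions of steps S201 and S202, as an added example that is not code from the patent. The function names, the dictionary representation of the tree, and the choice to reject a permission that is associated without its containing permission are assumptions of this example.

```python
# Added example (not from the patent): step S203 on the sample data above.

# Hierarchical relationship from the product document: permission -> parent.
# None marks a top-level permission that hangs directly under the role node.
PARENT = {
    "resource data": None, "function data": None,
    "resource 1": "resource data", "resource 2": "resource data",
    "channel 1": "resource 1", "channel 2": "resource 1",
    "channel 3": "resource 2",
    "service 1": "channel 1", "service 2": "channel 3", "service 3": "channel 3",
}

_ORDINARY = {"resource data", "resource 1", "channel 1", "service 1", "channel 2"}
_SHORT_VIP = _ORDINARY | {"resource 2", "channel 3", "service 2"}

# Association relationship derived from the permission configuration file.
ASSOCIATIONS = {
    "APP administrator": set(PARENT),
    "lifelong VIP user": _SHORT_VIP | {"function data"},
    "short-term VIP user": _SHORT_VIP,
    "ordinary user": _ORDINARY,
    "guest": {"resource data", "resource 1", "channel 1", "service 1"},
}


def build_tree(role, granted, parent=PARENT):
    """Return the role permission relationship tree as {node: [child, ...]}.

    The role node is the root. A granted permission becomes a child of its
    parent permission, or of the role node when it is top-level.
    """
    unknown = granted - set(parent)
    if unknown:
        raise ValueError(f"{role}: not in the permission set: {sorted(unknown)}")
    tree = {role: []}
    tree.update({perm: [] for perm in granted})
    for perm in sorted(granted):          # sorted gives a stable sibling order
        up = parent[perm]
        if up is None:
            tree[role].append(perm)
        elif up in granted:
            tree[up].append(perm)
        else:
            # A permission associated without its containing permission cannot
            # be placed in the tree; report it instead of guessing a position.
            raise ValueError(f"{role}: {perm!r} is associated but {up!r} is not")
    return tree


def branches(tree, root):
    """List every root-to-leaf path of the tree (the branches of fig. 3)."""
    if not tree[root]:
        return [[root]]
    return [[root] + tail
            for child in tree[root] for tail in branches(tree, child)]


def build_all(associations=ASSOCIATIONS):
    """One tree per role information, as step S203 requires."""
    return {role: build_tree(role, perms) for role, perms in associations.items()}


if __name__ == "__main__":
    for role, tree in build_all().items():
        for path in branches(tree, role):
            print(" -> ".join(path))
```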
Step S204, acquiring the authority set of each role information in the database, and comparing the authority set with the role authority relationship tree of the role information to obtain a test result.
Specifically, a joint query is performed on a plurality of authority data tables of the database based on target role information, and the authority set associated with the target role information in the plurality of authority data tables is obtained. Each authority data table in the plurality of authority data tables comprises a plurality of service data names, and each service data name indicates one type of data in the database. The authority set is composed of the service data names associated with the target role information in the database, and indicates that the target role information has access authority for the at least one type of data corresponding to those service data names. The role authority relationship tree of the target role information is then obtained, and the authority set of the target role information is compared with it to obtain a test result. The target role information is any role information in the role information set in the product document. In the comparison, the role authority relationship tree corresponding to the target role information is acquired; a target authority node is acquired from that tree; and the target authority node name is compared with the service data names in the authority set of the target role information to obtain the test result.
If the authority node names contained in the role authority relationship tree corresponding to each role information in the role information set are consistent with the service data names in the authority set corresponding to the role information, a test result indicating that the role authority configuration of the database is successful is output.
If the authority node names contained in the role authority relationship tree corresponding to each role information in the role information set differ from the service data names in the authority set corresponding to the role information, abnormal authority information and the abnormal role information associated with the abnormal authority information are acquired, wherein the abnormal authority information is the data in which the authority node names contained in the role authority relationship tree corresponding to each role information in the role information set differ from the service data names in the authority set corresponding to the role information.
If the abnormal authority information belongs to the authority set but not to the authority node, sending an authority recovery request to the authority management terminal so that the authority management terminal can recover the authority of the abnormal role information to the data corresponding to the abnormal authority information, wherein the authority recovery request comprises the abnormal authority information and the abnormal role information; and if the abnormal authority information belongs to the authority node but not to the authority set, sending an authority issuing request to the authority management terminal so that the authority management terminal adds the authority of the data corresponding to the abnormal authority information for the abnormal role information, wherein the authority issuing request comprises the abnormal authority information and the abnormal role information.
Optionally, after sending a permission recovery request or a permission issue request to the permission management terminal, receiving a permission adjustment message sent by the permission management terminal, obtaining a permission set associated with the abnormal role information from the plurality of permission data tables, and comparing the permission set with the role permission relationship tree of the abnormal role information. And if the business data name in the authority set associated with the abnormal role information is consistent with the authority node name in the role authority relationship tree of the abnormal role information, outputting a result of successful authority adjustment aiming at the abnormal role information in the database.
Optionally, when the authority set of any role information is acquired, the inclusion relationship among the plurality of service data names obtained by the joint query is determined based on the nesting relationship used when performing the joint query on the plurality of authority data tables, and the authority set is obtained based on the inclusion relationship and the plurality of service data names. When the authority set of the role information is compared with the role authority relationship tree of the role information, the authority node names contained in the role authority relationship tree are compared with the service data names in the authority set corresponding to the role information, to determine the accuracy of the service data recorded in the database and associated with the role information; and the inclusion relationship of the service data in the authority set is compared with the sibling relationships and parent-child relationships among the authority nodes in the role authority relationship tree corresponding to the role information. The role authority configuration of the database is considered successful only if both the data and the relationships match those of the authority information.
For example, a joint query is performed on a plurality of authority data tables. Assume that the plurality of authority data tables store each role information in association with the minimum service data that the role information can operate on, where the minimum service data indicates that the role information can operate on all service data that include the minimum service data. If role 1 is queried, the pseudo code of the query statement is "select business data 1 from table 1 where association 1 = (select business data 2 from table 2 where association 2 = (select business data 3 from table 3 where association 3 = … (select business data n from table n where association n = role 1)))". The results queried by the select statements in the parentheses of the pseudo code, from the inside to the outside, are in an inclusion relationship, i.e., business data n belongs to business data (n-1), and so on up to business data 1. The associated storage manner in the plurality of authority data tables and the way of determining the inclusion relationship between the service data associated with each role information described here are optional; other storage manners that can associate roles with service data, and other ways of determining the inclusion relationship between the service data, may also be used.
The authority name included in the authority information mentioned in the present application is essentially the name of the service data, and when the authority information is associated with the role information, it indicates that the role information has the operation authority for the service data indicated by the authority information.
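The comparison of step S204, including the recovery and issuing requests and the re-test after adjustment, as an added example that is not code from the patent. The two-table schema, the table and column names, the sample rows, and the apply_requests stand-in for the permission management terminal are all constructed for this example; the patent leaves the storage manner open.

```python
import sqlite3

# Expected role permission trees for two roles of the example above, written
# as permission -> parent maps; a top-level permission has the role node as
# its parent.
EXPECTED = {
    "guest": {
        "resource data": "guest", "resource 1": "resource data",
        "channel 1": "resource 1", "service 1": "channel 1",
    },
    "ordinary user": {
        "resource data": "ordinary user", "resource 1": "resource data",
        "channel 1": "resource 1", "service 1": "channel 1",
        "channel 2": "resource 1",
    },
}


def load_sample_db():
    """Constructed sample database; the two-table schema is an assumption."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE role_grant (role TEXT, data_name TEXT);
        CREATE TABLE data_parent (data_name TEXT, parent_name TEXT);
    """)
    db.executemany("INSERT INTO data_parent VALUES (?, ?)", [
        ("resource 1", "resource data"), ("resource 2", "resource data"),
        ("channel 1", "resource 1"), ("channel 2", "resource 1"),
        ("channel 3", "resource 2"), ("service 1", "channel 1"),
    ])
    grants = {
        "guest": ["resource data", "resource 1", "channel 1", "service 1"],
        # Misconfigured on purpose: "channel 3" is extra, "channel 2" is missing.
        "ordinary user": ["resource data", "resource 1", "channel 1",
                          "service 1", "channel 3"],
    }
    db.executemany("INSERT INTO role_grant VALUES (?, ?)",
                   [(r, n) for r, names in grants.items() for n in names])
    return db


def permission_set(db, role):
    """Joint query: service data names granted to the role, with their parents."""
    rows = db.execute(
        "SELECT g.data_name, p.parent_name FROM role_grant AS g "
        "LEFT JOIN data_parent AS p ON p.data_name = g.data_name "
        "WHERE g.role = ?", (role,))      # bound parameter, no string-built SQL
    return {name: parent if parent is not None else role for name, parent in rows}


def check_role(db, role):
    """Compare the database permission set with the expected tree of the role."""
    expected, actual = EXPECTED[role], permission_set(db, role)
    # In the permission set but not a tree node: over-grant, ask for recovery.
    requests = [("recovery", role, n)
                for n in sorted(actual.keys() - expected.keys())]
    # A tree node but not in the permission set: missing grant, ask for issuing.
    requests += [("issue", role, n)
                 for n in sorted(expected.keys() - actual.keys())]
    # Same name on both sides but recorded under a different parent.
    misplaced = sorted(n for n in actual.keys() & expected.keys()
                       if actual[n] != expected[n])
    return {"ok": not requests and not misplaced,
            "requests": requests, "misplaced": misplaced}


def apply_requests(db, requests):
    """Stand-in for the permission management terminal acting on the requests."""
    for kind, role, name in requests:
        if kind == "recovery":
            db.execute("DELETE FROM role_grant WHERE role = ? AND data_name = ?",
                       (role, name))
        else:
            db.execute("INSERT INTO role_grant VALUES (?, ?)", (role, name))


if __name__ == "__main__":
    db = load_sample_db()
    for role in EXPECTED:
        print(role, check_role(db, role))
```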
In the embodiment of the present application, a product document of a database is obtained, wherein the product document comprises a role information set and a permission information set, each role information in the role information set indicates a class of users, and each permission information in the permission information set indicates the permission for a class of data in the database. A permission configuration file associated with the product document is acquired, the association relationship between the role information set and the permission information set and the hierarchical relationship among the plurality of permission information are determined according to the permission configuration file, and a role permission relationship tree of each role information is generated based on the association relationship and the hierarchical relationship. A joint query is performed on a plurality of authority data tables in the database to obtain the authority set associated with each role information in the database. Each node in the role authority relationship tree of each role information is compared with the authority set of that role information to test the role authority configuration of the database and output the test result, thereby testing users' operation authority over the data. Sorting the role information and the authority information in the product document into a tree structure reflects the association relationship between the role information and the authority information, the hierarchical relationship between the authority information, and the like; it puts the unordered data authority information in order so that data can be conveniently extracted and compared, which improves the efficiency of testing the data authority.
Meanwhile, performing a joint query on the plurality of authority data tables in the database can improve the query efficiency of the database, and can thereby further improve the efficiency of the authority test.
Further, referring to fig. 4, fig. 4 is a schematic diagram of a data permission testing apparatus according to an embodiment of the present application. As shown in fig. 4, the data permission testing apparatus may be used in the electronic device in the embodiment corresponding to fig. 2, and specifically, the data permission testing apparatus 40 includes a first obtaining module 11, a second obtaining module 12, a determining module 13, a generating module 14, a third obtaining module 15, and a display module 16.
The first obtaining module 11 is configured to obtain a product document of a database, where the product document includes a role information set and a permission information set, the role information set includes a plurality of role information, the role information is used to indicate a type of user, the permission information set includes a plurality of permission information, and each permission information is used to indicate a permission for a type of data in the database;
a second obtaining module 12, configured to obtain a permission configuration file associated with the product document, and determine, according to the permission configuration file, an association relationship between the role information set and the permission information set, and a hierarchical relationship among the plurality of permission information sets;
a determining module 13, configured to determine a role node according to each role information in the role information set, and determine an authority node according to each authority information in the authority information set;
a generating module 14, configured to generate a role authority relationship tree corresponding to each role information based on an association relationship between the role information set and the authority information set and a hierarchical relationship between the plurality of authority information, where the role authority relationship tree is composed of a corresponding role node and a plurality of authority nodes associated with the role node;
a third obtaining module 15, configured to perform joint query on multiple permission data tables of the database based on target role information, and obtain a permission set associated with the target role information in the multiple permission data tables, where each permission data table in the multiple permission data tables includes multiple service data names, each service data name indicates one type of data in the database, the permission set is composed of service data names associated with the target role information in the database, and the permission set is used to indicate that the target role information has access permission to at least one type of data corresponding to the service data name associated with the target role information in the database;
and the display module 16 is configured to output a test result that the role authority configuration of the database is successful if the authority node name included in the role authority relationship tree corresponding to each role information in the role information set is consistent with the service data name in the authority set corresponding to the role information.
The second obtaining module 12 is specifically configured to:
acquiring the at least one section of program code in the authority configuration file, and analyzing each line of code statement in the at least one section of program code;
and determining the association relationship between each role information in the role information set and each authority information in the authority information set and the hierarchical relationship between each authority information in the plurality of authority information according to the calling relationship and the execution sequence between each row of code statements.
The generating module 14 is specifically configured to:
taking an ith role node corresponding to ith role information in the role information as a root node of an ith role authority relationship tree, wherein i is a positive integer and is less than or equal to the number of role information included in the role information set;
acquiring a first authority node associated with the ith role node from the authority nodes based on the association relationship between the role information set and the authority information set;
determining the inclusion relationship among the first authority nodes based on the hierarchical relationship among the authority information in the authority information set;
establishing a parent-child relationship and a brother relationship among the first permission nodes according to the inclusion relationship among the first permission nodes, and taking the first permission nodes as child nodes in the ith role permission relationship tree based on the parent-child relationship and the brother relationship;
until obtaining the role authority relation tree corresponding to each role information in the role information set.
The apparatus further includes:
a fourth obtaining module 17, configured to obtain a role authority relationship tree corresponding to the target role information;
the fourth obtaining module 17 is further configured to obtain a target permission node from the role permission relationship tree corresponding to the target role information;
and the comparison module 18 is configured to compare the target authority node name with the service data name in the authority set of the target role information.
The apparatus further includes:
a fifth obtaining module 19, configured to obtain abnormal permission information and abnormal role information associated with the abnormal permission information if a permission node name included in a role permission relationship tree corresponding to each role information in the role information set is different from a service data name in the permission set corresponding to the role information, where the abnormal permission information is data in which a permission node name included in the role permission relationship tree corresponding to each role information in the role information set is different from a service data name in the permission set corresponding to the role information;
a sending module 20, configured to send a permission recovery request to a permission management terminal if the abnormal permission information belongs to the permission set but does not belong to the permission node, so that the permission management terminal recovers permission of the abnormal role information to data corresponding to the abnormal permission information, where the permission recovery request includes the abnormal permission information and the abnormal role information;
the sending module 20 is further configured to send a permission issuing request to the permission management terminal if the abnormal permission information belongs to the permission node but not to the permission set, so that the permission management terminal adds permission of data corresponding to the abnormal permission information to the abnormal role information, where the permission issuing request includes the abnormal permission information and the abnormal role information.
Wherein the apparatus further comprises:
a receiving module 21, configured to receive an authority adjustment message sent by the authority management terminal;
the third obtaining module 15 is further configured to obtain, from the plurality of permission data tables, a permission set associated with the abnormal role information;
the display module 16 is further configured to output a result of successful permission adjustment for the abnormal role information in the database if the service data name in the permission set associated with the abnormal role information is consistent with the permission node name in the role permission relationship tree of the abnormal role information.
The second obtaining module 12 is specifically configured to:
if the code statement is a conditional statement, determining that role information and authority information included in the conditional statement are associated;
and if the code statement is an execution statement, determining the hierarchical relationship among the authority information included in the execution statement according to the execution sequence of the execution statement.
The embodiment of the application provides a data permission testing device, which obtains a product document of a database, wherein the product document comprises a role information set and a permission information set, each role information in the role information set indicates a class of users, and each permission information in the permission information set indicates the permission for a class of data in the database. A permission configuration file associated with the product document is acquired, the association relationship between the role information set and the permission information set and the hierarchical relationship among the plurality of permission information are determined according to the permission configuration file, and a role permission relationship tree of each role information is generated based on the association relationship and the hierarchical relationship. A joint query is performed on a plurality of authority data tables in the database to obtain the authority set associated with each role information in the database. Each node in the role authority relationship tree of each role information is compared with the authority set of that role information to test the role authority configuration of the database and output the test result, thereby testing users' operation authority over the data. Sorting the role information and the authority information in the product document into a tree structure reflects the association relationship between the role information and the authority information, the hierarchical relationship between the authority information, and the like; it puts the unordered data authority information in order so that data can be conveniently extracted and compared, which improves the efficiency of testing the data authority.
Meanwhile, performing a joint query on the plurality of authority data tables in the database can improve the query efficiency of the database, and can thereby further improve the efficiency of the authority test.
Referring to fig. 5, fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present application. As shown in fig. 5, the electronic device in the present embodiment may include: one or more processors 501, memory 502, and input-output interface 503. The processor 501, the memory 502, and the input/output interface 503 are connected by a bus 504. The memory 502 is used for storing a computer program, the computer program includes program instructions, and the input/output interface 503 is used for data interaction with the caller and the processor; the processor 501 is configured to execute the program instructions stored in the memory 502, and perform the following operations:
obtaining a product document of a database, wherein the product document comprises a role information set and a permission information set, the role information set comprises a plurality of role information, the role information is used for indicating a class of users, the permission information set comprises a plurality of permission information, and each permission information is used for indicating the permission of a class of data in the database;
acquiring a permission configuration file associated with the product document, and determining the association relation between the role information set and the permission information set and the hierarchical relation among the plurality of permission information according to the permission configuration file;
determining a role node according to each role information in the role information set, and determining an authority node according to each authority information in the authority information set;
generating a role authority relationship tree corresponding to each role information based on the association relationship between the role information set and the authority information set and the hierarchical relationship among the plurality of authority information, wherein the role authority relationship tree consists of corresponding role nodes and a plurality of authority nodes associated with the role nodes;
performing joint query on a plurality of authority data tables of the database based on target role information to obtain an authority set associated with the target role information in the plurality of authority data tables, wherein each authority data table in the plurality of authority data tables comprises a plurality of service data names, each service data name indicates one type of data in the database, the authority set is composed of service data names associated with the target role information in the database, and the authority set is used for indicating that the target role information has access authority for at least one type of data corresponding to the service data names associated with the target role information in the database;
and if the authority node name contained in the role authority relationship tree corresponding to each role information in the role information set is consistent with the business data name in the authority set corresponding to the role information, outputting a test result of successful role authority configuration of the database.
In some possible embodiments, the processor 501 may be a Central Processing Unit (CPU), and the processor may be other general-purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), field-programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, or the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
The memory 502 may include both read-only memory and random-access memory, and provides instructions and data to the processor 501 and the input-output interface 503. A portion of the memory 502 may also include non-volatile random access memory. For example, the memory 502 may also store device type information.
In a specific implementation, the electronic device may execute the implementation manners provided in the steps of fig. 2 through the built-in functional modules, which may specifically refer to the implementation manners provided in the steps of fig. 2, and details are not described herein again.
The embodiment of the present application provides an electronic device comprising a processor, an input/output interface and a memory. The processor obtains the computer instructions in the memory and executes the steps of the method shown in fig. 2: the disordered role information set and permission information set in the product document are arranged into role permission relation trees by means of the permission configuration file, so that the role information set and the permission information set are ordered, and the plurality of permission data tables in the database are queried jointly, which improves query efficiency and can improve the efficiency of testing the data permissions of the roles.
An embodiment of the present application further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, where the computer program includes program instructions, and when the program instructions are executed by a processor, the data permission testing method provided in each step in fig. 2 is implemented, which may specifically refer to the implementation manner provided in each step in fig. 2, and is not described herein again.
The computer readable storage medium may be the data permission testing apparatus provided in any of the foregoing embodiments or an internal storage unit of the terminal device, such as a hard disk or a memory of an electronic device. The computer readable storage medium may also be an external storage device of the electronic device, such as a plug-in hard disk, a Smart Memory Card (SMC), a Secure Digital (SD) card, a flash card (flash card), and the like, which are provided on the electronic device. Further, the computer readable storage medium may also include both an internal storage unit and an external storage device of the electronic device. The computer-readable storage medium is used for storing the computer program and other programs and data required by the electronic device. The computer readable storage medium may also be used to temporarily store data that has been output or is to be output.
The terms "first," "second," and the like in the description and in the claims and drawings of the embodiments of the present application are used for distinguishing between different objects and not for describing a particular order. Furthermore, the terms "comprises" and any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, apparatus, product, or apparatus that comprises a list of steps or elements is not limited to the listed steps or modules, but may alternatively include other steps or modules not listed or inherent to such process, method, apparatus, product, or apparatus.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or combinations of both, and that the components and steps of the examples have been described above generally in terms of their functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The method and the related apparatus provided by the embodiments of the present application are described with reference to the flowchart and/or the structural diagram of the method provided by the embodiments of the present application, and each flow and/or block of the flowchart and/or the structural diagram of the method, and the combination of the flow and/or block in the flowchart and/or the block diagram can be specifically implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block or blocks of the block diagram. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block or blocks of the block diagram. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block or blocks.
The above disclosure is only for the purpose of illustrating the preferred embodiments of the present invention, and it is therefore to be understood that the invention is not limited by the scope of the appended claims.

Claims (10)

1. A data permission test method is characterized by comprising the following steps:
obtaining a product document of a database, wherein the product document comprises a role information set and a permission information set, the role information set comprises a plurality of role information, the role information is used for indicating a class of users, the permission information set comprises a plurality of permission information, and each permission information is used for indicating the permission of a class of data in the database;
acquiring a permission configuration file associated with the product document, and determining the association relation between the role information set and the permission information set and the hierarchical relation among the plurality of permission information according to the permission configuration file;
determining a role node according to each role information in the role information set, and determining an authority node according to each authority information in the authority information set;
generating a role authority relationship tree corresponding to each role information based on the association relationship between the role information set and the authority information set and the hierarchical relationship among the plurality of authority information, wherein the role authority relationship tree consists of corresponding role nodes and a plurality of authority nodes associated with the role nodes;
performing joint query on a plurality of authority data tables of the database based on target role information to obtain an authority set associated with the target role information in the plurality of authority data tables, wherein each authority data table in the plurality of authority data tables comprises a plurality of service data names, each service data name indicates one type of data in the database, the authority set is composed of service data names associated with the target role information in the database, and the authority set is used for indicating that the target role information has access authority for at least one type of data corresponding to the service data names associated with the target role information in the database;
and if the authority node name contained in the role authority relationship tree corresponding to each role information in the role information set is consistent with the business data name in the authority set corresponding to the role information, outputting a test result of successful role authority configuration of the database.
2. The method of claim 1, wherein the permission configuration file comprises at least one piece of program code, and the determining the association relationship between the role information set and the permission information set and the hierarchical relationship between the plurality of permission information according to the permission configuration file comprises:
acquiring the at least one section of program code in the authority configuration file, and analyzing each line of code statement in the at least one section of program code;
and determining the association relationship between each role information in the role information set and each authority information in the authority information set and the hierarchical relationship between each authority information in the plurality of authority information according to the calling relationship and the execution sequence between each row of code statements.
3. The method of claim 1, wherein the generating a role-authority relationship tree corresponding to each role information based on the association relationship between the role information set and the authority information set and the hierarchical relationship between the plurality of authority information comprises:
taking an ith role node corresponding to ith role information in the role information as a root node of an ith role authority relationship tree, wherein i is a positive integer and is less than or equal to the number of role information included in the role information set;
acquiring a first authority node associated with the ith role node from the authority nodes based on the incidence relation between the role information set and the authority information set;
determining the inclusion relationship among the first authority nodes based on the hierarchical relationship among the authority information in the authority information set;
establishing a parent-child relationship and a brother relationship among the first permission nodes according to the inclusion relationship among the first permission nodes, and taking the first permission nodes as child nodes in the ith role permission relationship tree based on the parent-child relationship and the brother relationship;
until obtaining the role authority relation tree corresponding to each role information in the role information set.
4. The method of claim 1, further comprising, after obtaining the set of permissions associated with the target role information in the plurality of permission data tables:
acquiring a role authority relationship tree corresponding to the target role information;
acquiring a target authority node from a role authority relationship tree corresponding to the target role information;
and comparing the target authority node name with the service data name in the authority set of the target role information.
5. The method of claim 1, further comprising, after the method:
if the authority node name contained in the role authority relationship tree corresponding to each role information in the role information set is different from the business data name in the authority set corresponding to the role information, acquiring abnormal authority information and abnormal role information associated with the abnormal authority information, wherein the abnormal authority information is data different between the authority node name contained in the role authority relationship tree corresponding to each role information in the role information set and the business data name in the authority set corresponding to the role information;
if the abnormal authority information belongs to the authority set but not to the authority node, sending an authority recovery request to an authority management terminal so that the authority management terminal recovers the authority of the abnormal role information to the data corresponding to the abnormal authority information, wherein the authority recovery request comprises the abnormal authority information and the abnormal role information;
if the abnormal authority information belongs to the authority node but not to the authority set, sending an authority issuing request to the authority management terminal so that the authority management terminal adds the authority of the data corresponding to the abnormal authority information for the abnormal role information, wherein the authority issuing request comprises the abnormal authority information and the abnormal role information.
6. The method of claim 5, further comprising, after the method:
receiving a permission adjustment message sent by the permission management terminal, and acquiring a permission set associated with the abnormal role information from the plurality of permission data tables;
and if the business data name in the authority set associated with the abnormal role information is consistent with the authority node name in the role authority relationship tree of the abnormal role information, outputting a result of successful authority adjustment aiming at the abnormal role information in the database.
7. The method of claim 2, wherein the determining, according to the call relationship and the execution sequence between each row of code statements, the association relationship between each piece of role information in the set of role information and each piece of authority information in the set of authority information, and the hierarchical relationship between each piece of authority information in the plurality of pieces of authority information, comprises:
if the code statement is a conditional statement, determining that role information and authority information included in the conditional statement are associated;
and if the code statement is an execution statement, determining the hierarchical relationship among the authority information included in the execution statement according to the execution sequence of the execution statement.
8. A data permission testing apparatus, characterized in that the apparatus comprises:
a first acquisition module, configured to obtain a product document of a database, wherein the product document comprises a role information set and a permission information set, the role information set comprises a plurality of role information, the role information is used for indicating a class of users, the permission information set comprises a plurality of permission information, and each permission information is used for indicating the permission of a class of data in the database;
the second acquisition module is used for acquiring a permission configuration file associated with the product document, and determining the association relationship between the role information set and the permission information set and the hierarchical relationship among the plurality of permission information according to the permission configuration file;
the determining module is used for determining role nodes according to each role information in the role information set and determining authority nodes according to each authority information in the authority information set;
the generating module is used for generating a role authority relationship tree corresponding to each role information based on the association relationship between the role information set and the authority information set and the hierarchical relationship among the plurality of authority information, wherein the role authority relationship tree consists of corresponding role nodes and a plurality of authority nodes associated with the role nodes;
a third obtaining module, configured to perform joint query on multiple permission data tables of the database based on target role information, and obtain a permission set associated with the target role information in the multiple permission data tables, where each permission data table in the multiple permission data tables includes multiple service data names, each service data name indicates one type of data in the database, the permission set is composed of service data names associated with the target role information in the database, and the permission set is used to indicate that the target role information has access permission to at least one type of data corresponding to the service data name associated with the target role information in the database;
and the display module is used for outputting a test result of successful role permission configuration of the database if the permission node name contained in the role permission relation tree corresponding to each role information in the role information set is consistent with the service data name in the permission set corresponding to the role information.
9. An electronic device, comprising a processor, a memory, an input-output interface;
the processor is respectively connected with the memory and the input/output interface, wherein the input/output interface is used for data interaction, the memory is used for storing program codes, and the processor is used for calling the program codes to execute the method according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program comprising program instructions which, when executed by a processor, perform the method according to any one of claims 1-7.
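The test procedure of claims 1, 3 and 5 (also listed as the processor operations in the description), sketched in Python as an added example that is not code from the patent. The configuration format, the two table names, the sample rows and the reading of "joint query" as a UNION over the permission tables are assumptions constructed for illustration.

```python
import sqlite3

# Constructed permission configuration (assumed format, not from the patent):
# the permissions associated with each role, and each permission's parent.
ASSOCIATION = {
    "agent": ["policy", "policy.basic", "policy.premium", "claims"],
    "auditor": ["claims", "claims.payout"],
}
HIERARCHY = {"policy.basic": "policy", "policy.premium": "policy",
             "claims.payout": "claims"}


def check_acyclic(hierarchy):
    """Reject a hierarchy with a loop; its nodes would never reach a root."""
    for start in hierarchy:
        seen, cur = set(), start
        while cur in hierarchy:
            if cur in seen:
                raise ValueError(f"cycle in permission hierarchy at {cur!r}")
            seen.add(cur)
            cur = hierarchy[cur]


def build_tree(role, association, hierarchy):
    """Role node as root; associated permission nodes nested by containment."""
    check_acyclic(hierarchy)
    perms = list(dict.fromkeys(association.get(role, [])))  # drop duplicates
    nodes = {p: {"name": p, "children": []} for p in perms}
    root = {"name": role, "children": []}
    for p in perms:
        parent = hierarchy.get(p)
        # A permission whose parent is not granted to this role hangs off the root.
        (nodes[parent] if parent in nodes else root)["children"].append(nodes[p])
    return root


def permission_names(tree):
    """All permission node names below the role root."""
    names, stack = set(), list(tree["children"])
    while stack:
        node = stack.pop()
        names.add(node["name"])
        stack.extend(node["children"])
    return names


def make_db():
    """In-memory database with two constructed permission data tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE perm_policy(role TEXT, data_name TEXT);
        CREATE TABLE perm_claims(role TEXT, data_name TEXT);
        INSERT INTO perm_policy VALUES
            ('agent','policy'), ('agent','policy.basic'), ('agent','policy.premium');
        INSERT INTO perm_claims VALUES
            ('agent','claims'), ('agent','claims.payout'), ('auditor','claims');
    """)
    return db


def permission_set(db, role):
    """One joint (UNION) query over both permission tables for the target role."""
    rows = db.execute(
        "SELECT data_name FROM perm_policy WHERE role = ? "
        "UNION SELECT data_name FROM perm_claims WHERE role = ?", (role, role))
    return {r[0] for r in rows}


def check_role(db, role, association=ASSOCIATION, hierarchy=HIERARCHY):
    """Compare tree node names with the database permission set (claims 1 and 5)."""
    expected = permission_names(build_tree(role, association, hierarchy))
    actual = permission_set(db, role)
    # In the database but not in the tree: ask for the permission to be recovered.
    requests = [("recover", role, p) for p in sorted(actual - expected)]
    # In the tree but not in the database: ask for the permission to be issued.
    requests += [("issue", role, p) for p in sorted(expected - actual)]
    return {"role": role, "ok": not requests, "requests": requests}


if __name__ == "__main__":
    database = make_db()
    for name in ASSOCIATION:
        print(check_role(database, name))
```

Running `check_role` again after the permission tables have been corrected corresponds to the re-check in claim 6.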
CN202010131924.0A 2020-02-29 2020-02-29 Data authority testing method and device Active CN111400170B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010131924.0A CN111400170B (en) 2020-02-29 2020-02-29 Data authority testing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010131924.0A CN111400170B (en) 2020-02-29 2020-02-29 Data authority testing method and device

Publications (2)

Publication Number Publication Date
CN111400170A true CN111400170A (en) 2020-07-10
CN111400170B CN111400170B (en) 2024-06-07

Family

ID=71435958

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010131924.0A Active CN111400170B (en) 2020-02-29 2020-02-29 Data authority testing method and device

Country Status (1)

Country Link
CN (1) CN111400170B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108763960A (en) * 2018-06-04 2018-11-06 北京奇虎科技有限公司 Access authorization for resource management method and device
CN110162960A (en) * 2019-05-22 2019-08-23 陕西中达公路技术服务有限公司 A kind of method for verifying authority based on user management
WO2019196224A1 (en) * 2018-04-09 2019-10-17 平安科技(深圳)有限公司 Regulation information processing method and apparatus, computer device and storage medium
CN110399747A (en) * 2019-07-18 2019-11-01 佳都新太科技股份有限公司 A kind of user right correlating method, querying method and device

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220114265A1 (en) * 2020-10-08 2022-04-14 Google Llc Unified viewing of roles and permissions in a computer data processing system
CN112257090A (en) * 2020-10-28 2021-01-22 国寿投资控股有限公司 Method and system for checking role authority
CN112257090B (en) * 2020-10-28 2024-08-02 国寿投资控股有限公司 Role authority checking method and system
CN112364361A (en) * 2020-11-13 2021-02-12 四川长虹电器股份有限公司 Cloud platform matrix type resource access control system and control method
CN113535574A (en) * 2021-07-26 2021-10-22 工银科技有限公司 Automatic generation method, device, equipment and medium for test user data
CN113535574B (en) * 2021-07-26 2022-07-19 工银科技有限公司 Automatic generation method, device, equipment and medium for test user data

Also Published As

Publication number Publication date
CN111400170B (en) 2024-06-07

Similar Documents

Publication Publication Date Title
CN109614823B (en) Data processing method, device and equipment
CN107729227B (en) Application program test range determining method, system, server and storage medium
CN111124906A (en) Tracking method, compiling method and device based on dynamic embedded points and electronic equipment
CN111400170B (en) Data authority testing method and device
US20220156050A1 (en) Generating a synchronous digital circuit from a source code construct defining a function call
CN112445596B (en) Data importing method, system and storage medium based on multithreading
CN112084179B (en) Data processing method, device, equipment and storage medium
CN109672608B (en) Method for transmitting messages according to time
CN111767144A (en) Transaction routing determination method, device, equipment and system for transaction data
CN110688111A (en) Configuration method, device, server and storage medium of business process
CN115150261A (en) Alarm analysis method and device, electronic equipment and storage medium
CN110888972A (en) Sensitive content identification method and device based on Spark Streaming
CN106156904B (en) Cross-platform virtual asset tracing method based on eID
CN111159040A (en) Test data generation method, device, equipment and storage medium
CN112817782B (en) Data acquisition reporting method and device, electronic equipment and storage medium
CN105610908B (en) A kind of samba service implementing method and system based on Android device
CN108563578A (en) SDK compatibility detection method, device, equipment and readable storage medium
CN105245380B (en) Message propagation mode identification method and device
CN112035471B (en) Transaction processing method and computer equipment
CN114780497A (en) Batch file processing method, apparatus, computer device, medium, and program product
CN114648323A (en) Service scene oriented call chain processing method, device and medium
CN114281549A (en) Data processing method and device
CN114860566A (en) Source code testing method and device, electronic equipment and storage medium
CN111611056A (en) Data processing method and device, computer equipment and storage medium
CN111045983A (en) Nuclear power station electronic file management method and device, terminal equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant