CN114385999A - User authority management method, device, equipment and medium (Google Patents)

Info

Publication number
CN114385999A
Authority
CN
China
Prior art keywords
user
role
current login
public
login user
Prior art date
Legal status
Pending
Application number
CN202210058357.XA
Other languages
Chinese (zh)
Inventor
蔡博宇
王莉
宋微奇
郑子茹
Current Assignee
Agricultural Bank of China
Original Assignee
Agricultural Bank of China

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Embodiments of the invention disclose a method, device, equipment and medium for managing user permissions. The method comprises: when it is detected that the public product integrated management platform has entered a login state, and it is determined, according to the user identifier of the current login user, that no historical user role matching the current login user exists locally, obtaining a target user role matching the current login user from a preset user role list according to the organization to which the current login user belongs; obtaining, according to the target user role, the user permissions of the current login user for each public product; and performing access control on the current login user for the public product integrated management platform according to those per-product user permissions. The role-based permission control of this embodiment achieves effective user permission management for multi-product access and finer-grained management of the user permissions for different products.

Description

User authority management method, device, equipment and medium
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to a method, a device, equipment and a medium for managing user rights.
Background
The public product management system is an important component of a bank system; effective management of user permissions in this system is significant for improving users' experience of the bank system.
In existing user permission management for public product management systems, one product generally corresponds to one management end, and the management end of each product is responsible for that product's user permission management. Product management in the public business field is therefore dispersed: service staff in branches must frequently log in to and out of different product management systems, which increases operational complexity, and fine-grained control of users' access and operation permissions across different products cannot be achieved.
Disclosure of Invention
Embodiments of the present invention provide a method, an apparatus, a device, and a medium for managing user permissions, which can implement effective user permission management for accessing multiple products, and can improve management precision of user permissions corresponding to different products.
In a first aspect, an embodiment of the present invention provides a method for managing user permissions, which is applied to a platform for comprehensively managing public products, and includes:
when it is detected that the public product integrated management platform has entered a login state, judging, according to the user identifier of the current login user, whether a historical user role matching the current login user exists locally;
if not, obtaining the organization to which the current login user belongs, and obtaining, according to that organization, a target user role matching the current login user from a preset user role list;
and obtaining, according to the target user role matching the current login user, the user permissions of the current login user for each public product in the public product integrated management platform, and performing access control on the current login user for the public product integrated management platform according to those per-product user permissions.
In a second aspect, an embodiment of the present invention further provides a device for managing user permissions, which is applied to a platform for comprehensively managing public products, and includes:
a historical user role judging module, configured to judge, when it is detected that the public product integrated management platform has entered a login state, whether a historical user role matching the current login user exists locally according to the user identifier of the current login user;
a target user role obtaining module, configured to, if not, obtain the organization to which the current login user belongs and obtain, according to that organization, a target user role matching the current login user from a preset user role list;
and a user permission obtaining module, configured to obtain, according to the target user role matching the current login user, the user permissions of the current login user for each public product in the public product integrated management platform, and to perform access control on the current login user for the public product integrated management platform according to those per-product user permissions.
In a third aspect, an embodiment of the present invention further provides an electronic device, where the electronic device includes:
one or more processors;
a memory for storing one or more computer programs;
when the one or more computer programs are executed by the one or more processors, the one or more processors implement the method for managing user permissions provided by any embodiment of the present invention.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the computer program implements the method for managing user permissions according to any embodiment of the present invention.
According to the technical scheme of this embodiment, when it is detected that the public product integrated management platform is in a login state, and it is determined from the user identifier of the current login user that no historical user role matching the current login user exists locally, a target user role matching the current login user is obtained from the preset user role list according to the organization to which the current login user belongs; the user permissions of the current login user for each public product are then obtained according to the target user role, and access control for the public product integrated management platform is performed on the current login user according to those per-product permissions. This role-based permission control achieves effective user permission management for multi-product access and improves the granularity with which the user permissions for different products are managed.
Drawings
Fig. 1A is a flowchart of a method for managing user rights according to a first embodiment of the present invention;
Fig. 1B is a functional diagram of a user privilege hierarchy model according to the first embodiment of the present invention;
Fig. 1C is a schematic view of the role scope of a user role in the first embodiment of the present invention;
Fig. 2A is a flowchart of a method for managing user rights in a second embodiment of the present invention;
Fig. 2B is a diagram illustrating the relationships between entities according to the second embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a device for managing user rights according to a third embodiment of the present invention;
Fig. 4 is a schematic structural diagram of an electronic device in a fourth embodiment of the present invention.
Detailed Description
Embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present invention. It should be understood that the drawings and the embodiments of the present invention are illustrative only and are not intended to limit the scope of the present invention.
Example one
Fig. 1A is a flowchart of a user permission management method according to a first embodiment of the present invention. This embodiment applies to the situation in which user permission management for access to multiple products is implemented through a pre-established public product integrated management platform. The method may be performed by the user permission management device of the embodiment, which may be composed of hardware and/or software and is generally integrated in an electronic device, typically a computer device or a server. As shown in Fig. 1A, the method includes the following steps:
S110: when it is detected that the public product integrated management platform is in a login state, judge, according to the user identifier of the current login user, whether a historical user role matching the current login user exists locally.
The public product integrated management platform is a unified management end for a plurality of public products. It may comprise a plurality of product modules, which correspond one to one with the public products; the public products provide services for unit (organizational) customers. Typically, the platform may be the public product integrated management platform of a financial system such as a bank.
In this embodiment, the functions of the user authority system model for the common product integrated management platform are shown in fig. 1B. Specifically, the functions of the user authority system model mainly comprise user management, role management and authority management; the user management may include management of user information and user operations, and the user operations may include adding, deleting, and changing user information, and role assignment (including setting expiration date, role assignment status, and the like); role management, which may include management of role information and role operations, where the role operations may include adding, deleting, changing role information, and assigning permissions (including assigning permissions according to granularity, setting authorization categories); rights management, which may include both rights granularity (including menu rights, operations, or functional rights) management and rights operations (e.g., adding, changing, deleting rights information) management.
In this embodiment, when it is detected that the user successfully logs in the integrated management platform for public products, the user identifier corresponding to the currently logged-in user may be searched in the server according to the login information of the user, for example, a login account and a login password; the user identifier may be a real name of the user, or a unique number of the user in the integrated management platform for the public products. Further, according to the user identification corresponding to the current login user, whether a historical user role matched with the current login user exists is searched. The historical user role may be a user role with which the current login user is associated before.
It should be noted that the user permission design of the public product integrated management platform may associate permissions with roles based on the Role-Based Access Control (RBAC) model: a user obtains access rights to resources (such as menus and operations) by being associated with a specific role. Since each product module corresponds to one public product and each product has its own authorized operations, user roles may be created under each public product, and a user may be associated with at most one user role under each public product; alternatively, one user role may be associated with different permissions for a public product.
S120: if not, obtain the organization to which the current login user belongs, and obtain, according to that organization, a target user role matching the current login user from a preset user role list.
If it is determined that no historical user role matching the current login user exists, the organization to which the current login user belongs can be looked up according to the user identifier. Taking a bank system as an example, that organization may be the branch, sub-branch or head office where the current login user works, or the bank department to which the user belongs. Specifically, the platform may pre-store the user information of all of its users, for example user number, user name, user password, registration time, identity information, contact details, employee number, the organization category of the user's organization and the organization number of that organization; the pre-stored user information matching the current login user can therefore be looked up by user identifier (user name, user number, etc.) to obtain the user's organization.
In this embodiment, a number of user roles corresponding to different user permissions for different public products may be preconfigured and stored in the user role list, with an applicable organization or applicable organization range configured for each user role. After the organization of the current login user is determined, it can be matched in turn against the applicable organization of each user role in the list to obtain the target user role matching the current login user, and that user role is then assigned to the current login user.
In an optional implementation manner of this embodiment, obtaining, according to an organization to which the current login user belongs, a target user role matched with the current login user in a preset user role list may include:
determining the applicable organization range of each user role according to the preset role level and preset organization range of each user role in the preset user role list; matching the organization of the current login user against the applicable organization range of each user role in turn; and, if the organization of the current login user is detected to fall within the applicable organization range of a user role, determining that user role as the target user role matching the current login user.
The role level is the level of the role within the public product integrated management platform and corresponds one to one with the organization levels; note that a user can only be associated with user roles whose level equals the level of the user's organization. The organization range is the topmost organization that may use the role. In this embodiment, the applicable organization range of a user role is configured by setting the role's role level and organization range.
In a specific example, taking a bank system, the organization hierarchy has 5 levels: head office, first-level branch, second-level branch, first-level sub-branch and second-level sub-branch. When the operators of all second-level sub-branches need the same permissions, but the second-level sub-branches under second-level branch X-A and those under second-level branch Y-A each need their own permissions, a role L can be created with role level second-level sub-branch and organization range head office; a role M with role level second-level sub-branch and organization range X-A; and a role N with role level second-level sub-branch and organization range Y-A. The permission requirement is thus met by creating three user roles, which greatly improves the efficiency of configuring user permissions.
For example, the role scope of a user role is shown in Fig. 1C: the two attributes, role level and organization range, form a triangle in the system architecture, where the organization range defines the apex and the two sides of the triangle and the role level defines its base. The organizations on the base of the triangle are those that can use the current user role, that is, the applicable organization range of the role; in this embodiment only users within the applicable organization range can be associated with the current user role.
The advantage of this arrangement is that role information can be created and maintained flexibly across the whole system, a created role can be applied over a larger range, the work of associating the corresponding permissions separately for each organization is avoided, and permission configuration efficiency is improved.
S130: according to the target user role matching the current login user, obtain the user permissions of the current login user for each public product in the public product integrated management platform, and perform access control on the current login user for the platform according to those per-product user permissions.
In this embodiment the user role is associated with user permissions for the public products; therefore, once the target user role matching the current login user is determined, the user permissions of the current login user for each public product in the platform can be obtained from the different per-product permissions associated with the target user role. When the current login user then attempts to access or operate on a public product, the platform first judges whether the user holds the corresponding permission and decides whether to allow the access or operation. When the current login user is determined not to hold the corresponding permission, a predefined prompt, for example "you do not have this permission", may be sent to the user.
A user permission comprises a menu permission and the permissions for the operations or functions executable within that menu; in this embodiment each user permission has a unique permission number. The user permissions corresponding to different operations or functions may be predefined; for example, the permission information may include a permission name, a permission type (e.g. menu, function button or other operation, function type), whether it is hidden (whether the page is visible in the sidebar), whether authorization is required, a permission status (available or not), creation information (e.g. creator and creation time), and so on. When configuring a user role, it is therefore only necessary to configure the association between the user role, the product number of a public product and the permission numbers of the corresponding user permissions; the role's permissions for that public product are then configured automatically, which improves role configuration efficiency.
Optionally, one user role may be associated with a plurality of such (product number, permission number) associations, so that different user permissions for different public products can be configured for one user role. Associating the current login user with that one user role then automatically configures the user's permissions for the different public products, further improving configuration efficiency.
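As an added example (not code from the patent), the following Python models steps S110 to S130 together with the role-level and organization-range matching of the optional implementation above: a constructed five-level bank organization tree, the roles L, M and N from the example, a local cache of historical user roles consulted before organization matching, and the per-product permission check. Organization identifiers, product numbers and permission numbers are constructed, and the order of the role list is assumed here to decide precedence when several roles apply, so the narrower roles M and N are listed before L.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed five-level organization hierarchy (head office down to
# second-level sub-branch); identifiers are invented for this example.
@dataclass(frozen=True)
class Org:
    org_id: str
    level: str
    parent: Optional[str]

ORGS: Dict[str, Org] = {o.org_id: o for o in [
    Org("HQ", "head_office", None),
    Org("B1", "first_level_branch", "HQ"),
    Org("X-A", "second_level_branch", "B1"),
    Org("Y-A", "second_level_branch", "B1"),
    Org("Z-A", "second_level_branch", "B1"),
    Org("X-A-1", "first_level_sub_branch", "X-A"),
    Org("Y-A-1", "first_level_sub_branch", "Y-A"),
    Org("Z-A-1", "first_level_sub_branch", "Z-A"),
    Org("X-A-1-1", "second_level_sub_branch", "X-A-1"),
    Org("Y-A-1-1", "second_level_sub_branch", "Y-A-1"),
    Org("Z-A-1-1", "second_level_sub_branch", "Z-A-1"),
]}

def ancestors(org_id: str) -> List[str]:
    """The organization itself followed by its superiors up to the head office."""
    chain: List[str] = []
    cur: Optional[str] = org_id
    while cur is not None:
        chain.append(cur)
        cur = ORGS[cur].parent
    return chain

@dataclass
class Role:
    name: str
    level: str                   # role level: must equal the user's organization level
    scope: str                   # organization range: topmost organization that may use the role
    grants: Dict[str, Set[str]]  # product number -> permission numbers (constructed values)

def applicable(role: Role, org_id: str) -> bool:
    """The 'triangle' test: the organization sits on the base (same level as the
    role) and below the apex (the role's organization range)."""
    return ORGS[org_id].level == role.level and role.scope in ancestors(org_id)

# Roles L, M and N from the example above; M and N come first because the
# list order is assumed here to decide precedence when several roles apply.
ROLES: List[Role] = [
    Role("M", "second_level_sub_branch", "X-A", {"P001": {"A01", "A02"}, "P002": {"B01"}}),
    Role("N", "second_level_sub_branch", "Y-A", {"P001": {"A01"}}),
    Role("L", "second_level_sub_branch", "HQ", {"P001": {"A01"}}),
]

def match_role(org_id: str, roles: List[Role] = ROLES) -> Optional[Role]:
    """S120: compare the user's organization with each role's applicable range in turn."""
    for role in roles:
        if applicable(role, org_id):
            return role
    return None

# Constructed user records: user identifier -> organization number.
USERS: Dict[str, str] = {"u1": "X-A-1-1", "u2": "Y-A-1-1", "u3": "Z-A-1-1", "u4": "X-A-1"}
# Local cache of historical user roles (user identifier -> role name).
HISTORY: Dict[str, str] = {}

def resolve_role(user_id: str, history: Dict[str, str] = HISTORY) -> Optional[Role]:
    """S110/S120: prefer the historical role; otherwise match by organization."""
    if user_id in history:
        return next(r for r in ROLES if r.name == history[user_id])
    org_id = USERS.get(user_id)
    if org_id is None:
        return None
    role = match_role(org_id)
    if role is not None:
        history[user_id] = role.name  # becomes the historical role for later logins
    return role

def is_allowed(user_id: str, product_no: str, permission_no: str) -> bool:
    """S130: access control by the role's permission numbers for that product."""
    role = resolve_role(user_id)
    return role is not None and permission_no in role.grants.get(product_no, set())

if __name__ == "__main__":
    for uid in USERS:
        role = resolve_role(uid)
        print(uid, USERS[uid], role.name if role else "no matching role")
```

A user at a first-level sub-branch (u4) gets no role at all, because no role in the list has that role level, which is the level check the text describes.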
According to the technical scheme of this embodiment, when it is detected that the public product integrated management platform is in a login state, and it is determined from the user identifier of the current login user that no historical user role matching the current login user exists locally, a target user role matching the current login user is obtained from the preset user role list according to the organization to which the current login user belongs; the user permissions of the current login user for each public product are then obtained according to the target user role, and access control for the public product integrated management platform is performed on the current login user according to those per-product permissions. This role-based permission control achieves effective user permission management for multi-product access and improves the granularity with which the user permissions for different products are managed.
In another optional implementation of this embodiment, the technical solution may further include: in response to a request to create a new user role, obtaining the role category of the new user role; if the role category is detected to be an administrator role, configuring for the new user role the execution permission and authorization permission of the system operations of the public product integrated management platform, together with the authorization permission of at least one transaction operation of a public product in the platform, and adding the configured new user role to the preset user role list; and if the role category is detected to be an operator role, configuring for the new user role the execution permission of at least one transaction operation of a public product in the platform, and adding the configured new user role to the preset user role list.
The role categories may include an administrator role and an operator role. Still taking the bank system as an example, the administrator role may correspond to a system administrator at the head office, and the operator role to the staff of branches and sub-branches, such as tellers and customer managers. The administrator role has both execution and authorization permission for system operations, but only authorization permission, and no execution permission, for transaction operations; an administrator can therefore create new administrator roles and new operator roles, but cannot perform transaction operations itself, and cannot modify the permission information of its own role, which secures the distribution of permissions. The operator role has no system permissions (neither execution nor authorization), and for transaction operations has execution permission only and no authorization permission.
The advantage of this arrangement is that this distribution of permissions separates system permissions from transaction permissions and so secures both the system and the transactions.
Optionally, when the current login user holds an administrator role and needs to assign user roles or modify role information, user roles may be divided into assignable roles and editable roles. Assignable roles are user roles whose role level equals the organization level of the organization of the user to be assigned, and whose organization range is the administrator's own organization or a superior organization; the assignable roles include, and are more numerous than, the roles created by that administrator. Editable roles are the user roles created by that administrator role: an administrator can only modify or delete role information that it created itself.
Correspondingly, obtaining the user permissions of the current login user for each public product in the platform according to the target user role matching the current login user may include: if the role category of the target user role is detected to be an administrator role, obtaining the execution and authorization permissions of the system operations of the public product integrated management platform and the authorization permission of at least one transaction operation of a public product in the platform; and if the role category of the target user role is detected to be an operator role, obtaining the execution permission of at least one transaction operation of a public product in the platform.
In this embodiment, when creating a user role, different operation permissions may be configured for each new user role according to the role category of the new user role and the correspondence between the role category and the permissions of the system operation and the transaction operation. Further, when the corresponding user authority is obtained according to the target user role corresponding to the login user, the authority of different transaction type operations or the authority of system type operations can be obtained for the target user roles of different role types.
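As an added example (not the patent's own code), the following Python encodes the role-category rules just described: an administrator role receives execute and authorize permission for system operations but authorize-only permission for transaction operations, an operator role receives execute-only permission for transaction operations, and an administrator may edit only roles it created and never its own. It also assumes, beyond the text, that a transaction completes only when one role executes it and a different role authorizes it; operation names, product numbers and user identifiers are constructed.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Optional

class Category(Enum):
    ADMINISTRATOR = "administrator"
    OPERATOR = "operator"

class OpKind(Enum):
    SYSTEM = "system"            # platform operations: create, assign or modify roles
    TRANSACTION = "transaction"  # operations of a public product, e.g. a remittance

@dataclass(frozen=True)
class Operation:
    kind: OpKind
    name: str
    product_no: str = ""         # only transaction operations belong to a public product

# Constructed operations for this example.
CREATE_ROLE = Operation(OpKind.SYSTEM, "create_role")
MODIFY_ROLE = Operation(OpKind.SYSTEM, "modify_role")
SYSTEM_OPS: FrozenSet[Operation] = frozenset({CREATE_ROLE, MODIFY_ROLE})
REMIT = Operation(OpKind.TRANSACTION, "remit", "P001")
QUERY = Operation(OpKind.TRANSACTION, "query_account", "P002")

@dataclass(frozen=True)
class Role:
    name: str
    category: Category
    created_by: str              # user that created the role (editable-role check)
    execute: FrozenSet[Operation] = frozenset()
    authorize: FrozenSet[Operation] = frozenset()

def create_role(name: str, category: Category, creator: str,
                transaction_ops: Iterable[Operation]) -> Role:
    """Configure a new role's permissions from its role category."""
    tx = frozenset(op for op in transaction_ops if op.kind is OpKind.TRANSACTION)
    if not tx:
        raise ValueError("a role needs at least one transaction operation")
    if category is Category.ADMINISTRATOR:
        # system operations: execute and authorize; transaction operations: authorize only
        return Role(name, category, creator, execute=SYSTEM_OPS, authorize=SYSTEM_OPS | tx)
    # operator: no system permissions; transaction operations: execute only
    return Role(name, category, creator, execute=tx)

def can_execute(role: Role, op: Operation) -> bool:
    return op in role.execute

def can_authorize(role: Role, op: Operation) -> bool:
    return op in role.authorize

def why_not_editable(actor_user: str, actor_role: Role, target: Role) -> Optional[str]:
    """None if the actor may modify the target role, otherwise the refusal reason."""
    if not can_execute(actor_role, MODIFY_ROLE):
        return "no execution permission for system operation modify_role"
    if target.name == actor_role.name:
        return "an administrator cannot modify its own role"
    if target.created_by != actor_user:
        return "only roles created by this administrator are editable"
    return None

def dual_control(executor: Role, approver: Role, op: Operation) -> bool:
    """Assumed here: a transaction is executed by one role and authorized by another."""
    return (op.kind is OpKind.TRANSACTION and executor != approver
            and can_execute(executor, op) and can_authorize(approver, op))

if __name__ == "__main__":
    admin = create_role("HQ_ADMIN", Category.ADMINISTRATOR, "root", [REMIT, QUERY])
    teller = create_role("TELLER", Category.OPERATOR, "alice", [REMIT])
    print("teller executes, admin authorizes:", dual_control(teller, admin, REMIT))
    print("admin edits own role:", why_not_editable("root", admin, admin))
```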
In another optional implementation of this embodiment, after obtaining the execution permission of at least one transaction operation of a public product in the platform, the method may further include:
determining the public products for whose transaction operations the current login user holds execution permission as the valid public products; and generating the front-end home page of the public product integrated management platform for the current login user according to the preset home-page product function modules of the valid public products.
A product function module may be a software entity implementing a specific function of a public product. In this embodiment, after the valid public products of the current login user are determined, the first product function module may be selected according to the order of the product function modules of the valid public products, and the front-end home page shown when the current login user accesses the platform is generated through that first product function module.
Example two
Fig. 2A is a flowchart of a user right management method provided in a second embodiment of the present invention, which is a further refinement of the foregoing technical solution, and the technical solution in this embodiment may be combined with one or more of the foregoing implementations. Specifically, referring to fig. 2A, the method specifically includes the following steps:
S210: when it is detected that the corporate product integrated management platform has entered the login state, judge, according to the user identifier of the current login user, whether a historical user role matched with the current login user exists locally.
S220: if not, obtain the institution to which the current login user belongs, and obtain, from a preset user role list, the target user role matched with the current login user according to that institution.
S230: obtain, according to the target user role matched with the current login user, the user permissions of the current login user for each corporate product in the corporate product integrated management platform.
The user permissions may include the execution permission and the authorization permission for transaction-type operations, and the execution permission and the authorization permission for system-type operations.
In one specific example, the relationship among corporate products, users, user roles and permissions may be as shown in Fig. 2B. The definition information of a corporate product may include a product identifier (ID), a Chinese name, an English abbreviation, a product description (the backend path of the product), an access zone (a flag for the network environment in which the product is deployed), and a custom institution type. The definition information of a custom institution may include an institution ID (unique within each institution category), an institution name, a province code, an institution category, a superior institution ID (the ID of the institution's parent institution), an institution level, an institution status (available or not), and an institution type. The definition information of an institution level may include an institution level ID, an institution level name, an institution level sequence number, and an institution category. The definition information of a user may include a user ID, a user name (real name), a user password, a registration time, a user status (e.g. normal, locked, or cancelled), the number of failed logins, a lock time, a password expiry date, an identity card number, an employee number, a teller number, a mobile phone number, an office phone and an e-mail address.
The definition information of a user role may include a role ID, a role name, a role level (corresponding to an institution level), an institution scope, an institution category, a role description, a creator ID and a creation time. The definition information of a permission may include a permission ID, a parent node ID, a product ID (which corporate product the permission belongs to), a Chinese name, an English name, a route name, a Chinese description of the permission, an address path, a component name (used to resolve the front-end component for the route), a permission type (e.g. menu or function button), an icon class name (used to render the small icon in front of a menu name), whether hidden, whether clickable in breadcrumb navigation, whether kept alive in cache, whether authorization is required, a permission status (available or not), a permission sequence number (the ordering of menus or operations at the same level), an application ID, a creator and a creation time.
Whether authorization is required takes two values: authorization-free and authorization-required. An authorization-free operation is one that can be executed without checking whether the user holds the permission, for example the login page or the 401 page; the user session is still checked (except for the login operation itself, since no user session exists yet when the user logs in). An authorization-required operation is one for which the system checks whether the user holds the permission: the user may execute it only if the permission is held and may not execute it otherwise; both the user session and the user's permission for the operation are checked.
The user-role record represents the mapping between a user and a user role and includes a role ID, a user ID, a product ID, a mapping status (normal or frozen) and an expiry date. The role-permission record represents the association between a user role and a permission and includes a role ID, a permission parent node ID, a permission type, a product ID (the ID of the product to which the role-permission association belongs) and an authorization category. The authorization category takes one of three values: "execute only", "authorize only" and "execute and authorize". "Execute only" means the user holds the permission for the operation: the operation is displayed on the page as a menu, button or link and the preset permission-check interceptor lets it pass, but the permission cannot be granted to others. "Authorize only" means the user does not hold the permission for the operation: the operation is not displayed on the page as a menu, button or link and the permission-check interceptor does not let it pass, but the permission can be granted to others. "Execute and authorize" means the user holds the permission for the operation: the operation is displayed on the page as a menu, button or link, the permission-check interceptor lets it pass, and the permission can also be granted to others.
The user-product record represents the correspondence between a user and the corporate products the user may operate and includes a user ID and a product ID. The user-institution record represents the institution to which a user belongs and may include a user ID, an institution ID and an institution category.
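The tables above (user-role mapping keyed by product, role-permission rows carrying an authorization category, permissions carrying a requires-authorization flag) and the permission-check interceptor they drive, together with the administrator/operator split described for role creation, as an added example in Python that is not code from the patent. The class names, the product IDs P1 and P2, the users alice and bob and the permission identifiers are constructed for illustration and are not identifiers from the page.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class AuthzCategory(Enum):
    """Authorization category stored on a role-permission row."""
    EXECUTE_ONLY = "execute_only"                  # may perform, shown in UI, may not grant
    AUTHORIZE_ONLY = "authorize_only"              # may grant to others, hidden, may not perform
    EXECUTE_AND_AUTHORIZE = "execute_and_authorize"


EXECUTABLE = {AuthzCategory.EXECUTE_ONLY, AuthzCategory.EXECUTE_AND_AUTHORIZE}
GRANTABLE = {AuthzCategory.AUTHORIZE_ONLY, AuthzCategory.EXECUTE_AND_AUTHORIZE}


@dataclass(frozen=True)
class Permission:
    permission_id: str
    product_id: str               # the corporate product this permission belongs to
    requires_authorization: bool  # False for pages such as login or 401
    available: bool = True        # permission status


@dataclass(frozen=True)
class Session:
    user_id: Optional[str]
    valid: bool


class PermissionStore:
    """In-memory stand-in (assumed) for the permission, role-permission and user-role tables."""

    def __init__(self) -> None:
        self.permissions: Dict[str, Permission] = {}
        # (role_id, permission_id, product_id) -> authorization category
        self.role_perms: Dict[Tuple[str, str, str], AuthzCategory] = {}
        # user_id -> {(role_id, product_id)}: the user-role mapping carries a product ID
        self.user_roles: Dict[str, Set[Tuple[str, str]]] = {}

    def add_permission(self, p: Permission) -> None:
        self.permissions[p.permission_id] = p

    def grant_role_perm(self, role_id: str, permission_id: str, product_id: str,
                        category: AuthzCategory) -> None:
        self.role_perms[(role_id, permission_id, product_id)] = category

    def map_user_role(self, user_id: str, role_id: str, product_id: str) -> None:
        self.user_roles.setdefault(user_id, set()).add((role_id, product_id))

    def categories_for(self, user_id: str, product_id: str, permission_id: str) -> Set[AuthzCategory]:
        """Every authorization category the user's roles hold for this permission on this product."""
        out: Set[AuthzCategory] = set()
        for role_id, role_product in self.user_roles.get(user_id, set()):
            if role_product != product_id:
                continue  # a role mapped for one product says nothing about another
            cat = self.role_perms.get((role_id, permission_id, product_id))
            if cat is not None:
                out.add(cat)
        return out


def check_access(store: PermissionStore, session: Session, product_id: str,
                 permission_id: str, is_login: bool = False) -> str:
    """Permission-check interceptor: returns 'allow' or a deny reason. Anything undefined is denied."""
    perm = store.permissions.get(permission_id)
    if perm is None or not perm.available or perm.product_id != product_id:
        return "deny_unknown_permission"
    if not perm.requires_authorization:
        if is_login:
            return "allow"                        # no session exists yet at login time
        return "allow" if session.valid else "deny_no_session"
    if not session.valid or session.user_id is None:
        return "deny_no_session"
    cats = store.categories_for(session.user_id, product_id, permission_id)
    return "allow" if cats & EXECUTABLE else "deny_no_permission"


def can_grant(store: PermissionStore, user_id: str, product_id: str, permission_id: str) -> bool:
    """Whether the user may grant this permission to someone else."""
    return bool(store.categories_for(user_id, product_id, permission_id) & GRANTABLE)


def visible_operations(store: PermissionStore, user_id: str, product_id: str) -> Set[str]:
    """Menu, button or link entries the front end renders: only executable ones."""
    return {
        pid for pid, p in store.permissions.items()
        if p.product_id == product_id and p.requires_authorization
        and store.categories_for(user_id, product_id, pid) & EXECUTABLE
    }


def build_demo_store() -> PermissionStore:
    """Constructed data: an administrator role and an operator role, alice and bob."""
    s = PermissionStore()
    s.add_permission(Permission("page.login", "P1", requires_authorization=False))
    s.add_permission(Permission("page.401", "P1", requires_authorization=False))
    s.add_permission(Permission("sys.config", "P1", requires_authorization=True))
    s.add_permission(Permission("txn.transfer", "P1", requires_authorization=True))
    s.add_permission(Permission("txn.payroll", "P2", requires_authorization=True))
    # administrator: system operations executable and grantable, transaction operations grantable only
    s.grant_role_perm("ADMIN", "sys.config", "P1", AuthzCategory.EXECUTE_AND_AUTHORIZE)
    s.grant_role_perm("ADMIN", "txn.transfer", "P1", AuthzCategory.AUTHORIZE_ONLY)
    # operator: transaction operations executable, nothing grantable
    s.grant_role_perm("OPER", "txn.transfer", "P1", AuthzCategory.EXECUTE_ONLY)
    s.grant_role_perm("OPER", "txn.payroll", "P2", AuthzCategory.EXECUTE_ONLY)
    s.map_user_role("alice", "ADMIN", "P1")
    s.map_user_role("bob", "OPER", "P1")      # bob holds OPER for P1 only, not for P2
    return s
```

The example makes the separation of duties visible: alice can grant `txn.transfer` but the interceptor denies her executing it, bob can execute it but cannot grant it, and bob's operator role on P1 gives him nothing on P2 even though the OPER role does carry a P2 permission, because the user-role mapping is scoped by product ID. The 401 page is authorization-free but still needs a valid session; only the login operation skips the session check.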
S240: in response to an access request of the current login user for a target corporate product, judge, according to the user permissions of the current login user for each corporate product in the corporate product integrated management platform, whether the current login user holds the execution permission for the transaction-type operation of the target corporate product.
The target corporate product is the corporate product the current login user needs to access or operate. In this embodiment, after the user permissions of the current login user for each corporate product in the platform have been obtained, when a click selection or an operation instruction of the current login user on the target corporate product is received, it is further judged whether the current login user holds the execution permission for the transaction-type operation on that product.
S250: if yes, display the preset page of the target corporate product to the current login user; if not, display the first preset permission alarm message to the current login user.
If the current login user is determined to hold the execution permission for the transaction-type operation on the target corporate product, a preset page of that product, such as its main page or a transaction operation page, may be displayed to the current login user. If the current login user is determined not to hold it, a preset permission alarm message, for example "You do not have execution permission for the transaction-type operation of this corporate product", is displayed to the current login user instead.
In an optional implementation of this embodiment, after the target user role matched with the current login user has been obtained from the preset user role list according to the institution to which the current login user belongs, the method may further include:
configuring the mapping state value between the current login user and the target user role as a preset state value, and configuring an expiry date for that mapping state value;
and displaying the preset page of the target corporate product to the current login user may include: displaying the preset page of the target corporate product to the current login user only when the current system time is detected not to exceed the expiry date of the mapping state value between the current login user and the target user role.
The preset state value is a numerical value that represents the mapping state between the user and the role. For example, the preset state value may be 0: when the mapping state value between the user and the role is 0, the user is determined to be successfully associated with the role; when it is not 0, for example 1, the user is determined not to be associated with the role. The expiry date is the time at which the current mapping state value expires: once it is reached, the association between the user and the user role is released automatically and the corresponding user permissions are lost automatically.
In this embodiment, after the target user role matched with the current login user is determined, the mapping between the user and the role is marked with the mapping state value and given an expiry date. This prevents a role from being held indefinitely by a user who no longer needs it and improves the efficiency of role allocation; it also removes the need to release the mapping manually and so saves human effort.
In another optional implementation, the technical solution of this embodiment may further include: in response to a role freezing request for the current login user, configuring the status attribute of the mapping state value between the current login user and the target user role as the frozen state;
and correspondingly, after the preset page of the target corporate product has been displayed to the current login user, the method may further include: when a transaction-type operation of the current login user on the target corporate product is detected, if the status attribute of the mapping state value between the current login user and the target user role is determined to be the frozen state, displaying a second preset permission alarm message to the current login user.
In this embodiment, to cover the case in which the user permissions of the current login user must be withdrawn temporarily while the mapping between the current login user and the matched target user role is retained, a status attribute is attached to the mapping state value when it is configured; the status attribute may take the values normal and frozen.
Specifically, after the mapping between the user and the role is established, the mapping status is set to normal and the user can perform transaction operations normally. When the user permissions need to be withdrawn temporarily, a freeze operation sets the mapping status to frozen; if the user then attempts a transaction operation, the permission-check interceptor throws a permission-frozen exception and the corresponding permission alarm message, for example "permission frozen", is displayed. When the mapping needs to be restored, an unfreeze operation sets the mapping status back to normal.
Note that the freeze and unfreeze operations support batch processing: the mappings between several users and user roles can be operated on at once. Because the status is checked by the interceptor on each transaction-type operation rather than only at login, a freeze takes effect for a user who is already logged in.
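The mapping lifecycle described above (preset state value, expiry date checked against the system time, freeze and unfreeze in batch, and the interceptor throwing a permission-frozen exception on a transaction-type operation) as an added example in Python, not code from the patent. The `RoleMappingStore` class, the exception names, the alarm strings and the user bob, role OPER and product P1 are assumptions made for the illustration; dates are passed as ISO strings so the example needs no clock.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple

MAPPED = 0        # preset state value: user successfully associated with the role
UNMAPPED = 1      # any non-zero value: not associated
NORMAL = "normal"
FROZEN = "frozen"

Key = Tuple[str, str, str]   # (user_id, role_id, product_id)


class PermissionFrozen(Exception):
    """Thrown by the permission-check interceptor when the mapping is frozen."""


class RoleMappingExpired(Exception):
    """Thrown when the mapping's expiry date has been passed."""


@dataclass
class RoleMapping:
    user_id: str
    role_id: str
    product_id: str
    expires_on: date
    state_value: int = MAPPED
    status: str = NORMAL


class RoleMappingStore:
    """In-memory stand-in (assumed) for the user-role mapping table."""

    def __init__(self) -> None:
        self.rows: Dict[Key, RoleMapping] = {}

    def assign(self, user_id: str, role_id: str, product_id: str, expires_on: str) -> RoleMapping:
        """Create the mapping with state value 0 and an expiry date (ISO string)."""
        m = RoleMapping(user_id, role_id, product_id, date.fromisoformat(expires_on))
        self.rows[(user_id, role_id, product_id)] = m
        return m

    def _set_status(self, keys: Iterable[Key], status: str) -> int:
        """Batch freeze or unfreeze; returns how many mappings actually changed."""
        changed = 0
        for k in keys:
            m = self.rows.get(k)
            if m is not None and m.status != status:
                m.status = status
                changed += 1
        return changed

    def freeze(self, keys: Iterable[Key]) -> int:
        return self._set_status(keys, FROZEN)

    def unfreeze(self, keys: Iterable[Key]) -> int:
        return self._set_status(keys, NORMAL)

    def release_expired(self, today: str) -> int:
        """Automatic release: flip expired mappings to UNMAPPED (a scheduled job would call this)."""
        now, released = date.fromisoformat(today), 0
        for m in self.rows.values():
            if m.state_value == MAPPED and now > m.expires_on:
                m.state_value = UNMAPPED
                released += 1
        return released

    def effective_role(self, user_id: str, product_id: str, today: str) -> Optional[str]:
        """Role the interceptor may rely on for this user and product, or None.
        Expiry is checked on every call, so a mapping the job has not released yet is still refused."""
        now = date.fromisoformat(today)
        for m in self.rows.values():
            if m.user_id != user_id or m.product_id != product_id or m.state_value != MAPPED:
                continue
            if now > m.expires_on:
                raise RoleMappingExpired(f"{m.role_id} expired on {m.expires_on}")
            if m.status == FROZEN:
                raise PermissionFrozen(f"{m.role_id} is frozen")
            return m.role_id
        return None


def transaction_gate(store: RoleMappingStore, user_id: str, product_id: str, today: str) -> str:
    """What the user sees on a transaction-type operation: 'ok' or the alarm message
    produced when the interceptor throws. `today` must come from the server clock, never the client."""
    try:
        role = store.effective_role(user_id, product_id, today)
    except PermissionFrozen:
        return "permission frozen"
    except RoleMappingExpired:
        return "role mapping expired"
    return "ok" if role is not None else "no role mapped"
```

The freeze is applied to a batch of keys and reports how many rows changed, so a key that does not exist (or is already frozen) is visible to the caller rather than silently ignored. The expiry comparison in `effective_role` is the one that matters for security: the scheduled release only tidies the table, and the interceptor must not depend on it having run.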
According to the technical solution of this embodiment, when it is detected that the corporate product integrated management platform has entered the login state and it is determined from the user identifier of the current login user that no historical user role matched with that user exists locally, the target user role matched with the current login user is obtained from the preset user role list according to the institution to which the user belongs; the user permissions of the current login user for each corporate product are obtained according to that target user role; and, in response to an access request of the current login user for a target corporate product, the preset page of that product is displayed only when the user is determined to hold the execution permission for its transaction-type operation. By gating a user's access to or operation on a target corporate product on whether the user holds the execution permission for the corresponding transaction-type operation, fine-grained control of user permissions is achieved after multiple products are connected to the corporate product integrated management platform, and the performance of user permission management is improved.
Example three
Fig. 3 is a schematic structural diagram of a user permission management device according to the third embodiment of the present invention. The device can be applied to a corporate product integrated management platform. As shown in Fig. 3, the device includes a historical user role judging module 310, a target user role obtaining module 320 and a user permission obtaining module 330, where:
the historical user role judging module 310 is configured to, when it is detected that the corporate product integrated management platform has entered the login state, judge, according to the user identifier of the current login user, whether a historical user role matched with the current login user exists locally;
the target user role obtaining module 320 is configured to, if not, obtain the institution to which the current login user belongs and obtain, from a preset user role list, the target user role matched with the current login user according to that institution;
the user permission obtaining module 330 is configured to obtain, according to the target user role matched with the current login user, the user permissions of the current login user for each corporate product in the corporate product integrated management platform, and to perform access control for the platform on the current login user according to those user permissions.
According to the technical solution of this embodiment, when it is detected that the corporate product integrated management platform has entered the login state and it is determined from the user identifier of the current login user that no historical user role matched with that user exists locally, the target user role matched with the current login user is obtained from the preset user role list according to the institution to which the user belongs; the user permissions of the current login user for each corporate product are obtained according to that target user role; and access control for the platform is performed on the current login user according to those permissions. Role-based permission control thus provides effective user permission management when multiple products are connected, and improves the granularity of user permissions across different products.
Optionally, on the basis of the foregoing technical solution, the target user role obtaining module 320 includes:
an applicable institution range determining unit, configured to determine the applicable institution range of each user role according to the preset role level and preset institution scope of each user role in the preset user role list;
a matching unit, configured to compare the institution to which the current login user belongs with the applicable institution range of each user role;
and a target user role determining unit, configured to, if the institution to which the current login user belongs is detected to fall within the applicable institution range of a user role, determine that user role as the target user role matched with the current login user.
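Steps S210 to S230 and the three units above (applicable institution range from role level and institution scope, matching the user's institution against it, and reuse of a locally stored historical role) as an added example in Python, not code from the patent. The page does not say how the role level and institution scope combine into an applicable range; the example assumes the natural reading that a role applies to available institutions of its level and category in the subtree below the scope institution. The institution hierarchy, role names and user IDs are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Institution:
    inst_id: str
    category: str               # institution category
    level: int                  # institution level: 1 = head office, larger = lower tier
    superior_id: Optional[str]  # superior institution ID, None for the root
    available: bool = True      # institution status


@dataclass(frozen=True)
class UserRole:
    role_id: str
    level: int        # role level, corresponds to an institution level
    scope_id: str     # institution scope: root of the subtree the role covers (assumed meaning)
    category: str     # institution category the role is defined for


class InstitutionTree:
    """Institution table indexed by ID, with superior links."""

    def __init__(self, institutions: List[Institution]) -> None:
        self.by_id: Dict[str, Institution] = {i.inst_id: i for i in institutions}

    def lineage(self, inst_id: str) -> List[str]:
        """The institution followed by all of its superiors; safe against cycles in the data."""
        out: List[str] = []
        cur: Optional[str] = inst_id
        while cur is not None and cur not in out:
            out.append(cur)
            inst = self.by_id.get(cur)
            cur = inst.superior_id if inst else None
        return out

    def applicable_range(self, role: UserRole) -> Set[str]:
        """Applicable institution range of a role: available institutions at the role's
        level and category whose lineage passes through the role's scope institution."""
        return {
            i.inst_id for i in self.by_id.values()
            if i.available and i.level == role.level and i.category == role.category
            and role.scope_id in self.lineage(i.inst_id)
        }


def matching_roles(tree: InstitutionTree, inst_id: str, roles: List[UserRole]) -> List[UserRole]:
    """Compare the user's institution with every role's applicable range."""
    return [r for r in roles if inst_id in tree.applicable_range(r)]


def resolve_target_role(tree: InstitutionTree, user_id: str, inst_id: str,
                        roles: List[UserRole], local_history: Dict[str, UserRole]) -> Optional[UserRole]:
    """S210-S230: reuse the locally stored historical role if one exists, otherwise match by
    institution. Fails closed: no match returns None, and more than one match raises rather
    than silently taking the first role in the list."""
    if user_id in local_history:
        return local_history[user_id]
    matches = matching_roles(tree, inst_id, roles)
    if not matches:
        return None
    if len(matches) > 1:
        raise ValueError(f"ambiguous role match for {user_id}: {[r.role_id for r in matches]}")
    local_history[user_id] = matches[0]
    return matches[0]


def demo_tree() -> InstitutionTree:
    """Constructed hierarchy: head office, two provincial branches, three sub-branches."""
    return InstitutionTree([
        Institution("HQ", "bank", 1, None),
        Institution("PROV_A", "bank", 2, "HQ"),
        Institution("PROV_B", "bank", 2, "HQ"),
        Institution("BR_A1", "bank", 3, "PROV_A"),
        Institution("BR_B1", "bank", 3, "PROV_B"),
        Institution("BR_B2", "bank", 3, "PROV_B", available=False),
    ])


DEMO_ROLES = [
    UserRole("PROV_OPERATOR", level=2, scope_id="HQ", category="bank"),
    UserRole("BRANCH_A_OPERATOR", level=3, scope_id="PROV_A", category="bank"),
    UserRole("BRANCH_B_OPERATOR", level=3, scope_id="PROV_B", category="bank"),
]
```

Two points the step list leaves implicit are made explicit here. A historical role found locally is returned without re-running the institution match, so the local store must be trustworthy and must be invalidated when the user's institution or the role list changes. And if the preset role list contains overlapping ranges (for example a level-3 role scoped to the whole bank next to one scoped to a province), a user in the overlap would match more than one role; the example refuses rather than guessing.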
Optionally, on the basis of the foregoing technical solution, the user permission management device further includes:
a role category obtaining module, configured to obtain, in response to a request to create a new user role, the role category of the new user role;
a first new user role obtaining module, configured to, if the role category of the new user role is detected to be the administrator role, configure for the new user role the execution permission and the authorization permission for the system-type operations of the corporate product integrated management platform and the authorization permission for the transaction-type operations of at least one corporate product in the platform, and add the configured new user role to the preset user role list;
and a second new user role obtaining module, configured to, if the role category of the new user role is detected to be the operator role, configure for the new user role the execution permission for the transaction-type operations of at least one corporate product in the platform, and add the configured new user role to the preset user role list.
The user permission obtaining module 330 includes:
a first permission obtaining unit, configured to, if the role category of the target user role is detected to be the administrator role, obtain the execution permission and the authorization permission for the system-type operations of the corporate product integrated management platform and the authorization permission for the transaction-type operations of at least one corporate product in the platform;
and a second permission obtaining unit, configured to, if the role category of the target user role is detected to be the operator role, obtain the execution permission for the transaction-type operations of at least one corporate product in the platform.
Optionally, on the basis of the foregoing technical solution, the user permission obtaining module 330 further includes:
a permission judging unit, configured to, in response to an access request of the current login user for a target corporate product, judge, according to the user permissions of the current login user for each corporate product in the corporate product integrated management platform, whether the current login user holds the execution permission for the transaction-type operation of the target corporate product;
and a first alarm message display unit, configured to display the preset page of the target corporate product to the current login user if so, and to display the first preset permission alarm message to the current login user if not.
Optionally, on the basis of the foregoing technical solution, the user permission management device further includes:
an expiry date configuring module, configured to configure the mapping state value between the current login user and the target user role as a preset state value and to configure an expiry date for that mapping state value;
and the first alarm message display unit is specifically configured to display the preset page of the target corporate product to the current login user when the current system time is detected not to exceed the expiry date of the mapping state value between the current login user and the target user role.
Optionally, on the basis of the foregoing technical solution, the user permission management device further includes:
a status attribute configuring module, configured to, in response to a role freezing request for the current login user, configure the status attribute of the mapping state value between the current login user and the target user role as the frozen state;
and a first alarm message display module, configured to, when a transaction-type operation of the current login user on the target corporate product is detected, display a second preset permission alarm message to the current login user if the status attribute of the mapping state value between the current login user and the target user role is determined to be the frozen state.
Optionally, on the basis of the foregoing technical solution, the user permission management device further includes:
an effective corporate product determining module, configured to determine each corporate product for which the current login user holds the execution permission of the corresponding transaction-type operation as an effective corporate product;
and a front-end home page generating module, configured to generate the front-end home page of the corporate product integrated management platform for the current login user according to the preset product function modules of the effective corporate products.
The device can execute the user permission management method provided by any embodiment of the present invention and has the functional modules and beneficial effects corresponding to that method. For technical details not described in this embodiment, reference may be made to the user permission management method provided in the foregoing embodiments.
Example four
Fig. 4 is a schematic structural diagram of an electronic device according to the fourth embodiment of the present invention. As shown in Fig. 4, the electronic device includes a processor 410, a memory 420, an input device 430 and an output device 440. The electronic device may have one or more processors 410; one processor 410 is taken as an example in Fig. 4. The processor 410, memory 420, input device 430 and output device 440 may be connected by a bus or by other means; a bus connection is shown in Fig. 4. The memory 420, as a computer-readable storage medium, can store software programs, computer-executable programs and modules, such as the program instructions/modules corresponding to the user permission management method of any embodiment of the present invention (for example the historical user role judging module 310, the target user role obtaining module 320 and the user permission obtaining module 330 of the user permission management device). By running the software programs, instructions and modules stored in the memory 420, the processor 410 executes the functional applications and data processing of the electronic device, that is, implements the user permission management method described above. When executed by the processor, the program implements:
when it is detected that the corporate product integrated management platform has entered the login state, judging, according to the user identifier of the current login user, whether a historical user role matched with the current login user exists locally;
if not, obtaining the institution to which the current login user belongs, and obtaining, from a preset user role list, the target user role matched with the current login user according to that institution;
and obtaining, according to the target user role matched with the current login user, the user permissions of the current login user for each corporate product in the corporate product integrated management platform, and performing access control for the platform on the current login user according to those user permissions.
The memory 420 may mainly include a program storage area and a data storage area; the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created during use of the terminal. The memory 420 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device or other non-volatile solid-state storage device. In some examples, the memory 420 may further include memory located remotely from the processor 410 and connected to the electronic device over a network; examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks and combinations thereof.
The input device 430 may be used to receive input numeric or character information and to generate key signal inputs related to the user settings and function control of the electronic device, and may include a keyboard, a mouse and the like. The output device 440 may include a display device such as a display screen.
Example five
The fifth embodiment of the present invention further provides a computer-readable storage medium on which a computer program is stored; when executed by a processor, the computer program implements the method according to any embodiment of the present invention. The computer-readable storage medium provided in this embodiment may of course also perform the related operations of the user permission management method provided in any embodiment of the present invention. That is, when executed by the processor, the program implements:
when it is detected that the corporate product integrated management platform has entered the login state, judging, according to the user identifier of the current login user, whether a historical user role matched with the current login user exists locally;
if not, obtaining the institution to which the current login user belongs, and obtaining, from a preset user role list, the target user role matched with the current login user according to that institution;
and obtaining, according to the target user role matched with the current login user, the user permissions of the current login user for each corporate product in the corporate product integrated management platform, and performing access control for the platform on the current login user according to those user permissions.
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software together with the necessary general-purpose hardware, and can of course also be implemented in hardware, although the former is the better implementation in many cases. On that understanding, the technical solutions of the present invention may be embodied as a software product stored in a computer-readable storage medium, such as a floppy disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk or an optical disk, and including instructions that cause an electronic device (which may be a personal computer, a server or a network device) to execute the methods of the embodiments of the present invention.
It should be noted that, in the embodiment of the user permission management device, the included units and modules are divided only according to functional logic and are not limited to the above division, as long as the corresponding functions can be implemented; in addition, the specific names of the functional units serve only to distinguish them from one another and do not limit the protection scope of the present invention.
It should also be noted that the foregoing describes only the preferred embodiments of the present invention and the technical principles employed. Those skilled in the art will understand that the present invention is not limited to the particular embodiments described here, and that various obvious changes, rearrangements and substitutions can be made without departing from the scope of the invention. Therefore, although the present invention has been described in detail by the above embodiments, it is not limited to them and may include other equivalent embodiments without departing from its spirit; the scope of the present invention is determined by the appended claims.

Claims (10)

1. A user permission management method, applied to a corporate product integrated management platform, comprising:
when it is detected that the corporate product integrated management platform has entered the login state, judging, according to the user identifier of the current login user, whether a historical user role matched with the current login user exists locally;
if not, obtaining the institution to which the current login user belongs, and obtaining, from a preset user role list, the target user role matched with the current login user according to that institution;
and obtaining, according to the target user role matched with the current login user, the user permissions of the current login user for each corporate product in the corporate product integrated management platform, and performing access control for the platform on the current login user according to those user permissions.
2. The method according to claim 1, wherein obtaining, from the preset user role list, the target user role matched with the current login user according to the institution to which the current login user belongs comprises:
determining the applicable institution range of each user role according to the preset role level and preset institution scope of each user role in the preset user role list;
comparing the institution to which the current login user belongs with the applicable institution range of each user role;
and if the institution to which the current login user belongs is detected to fall within the applicable institution range of a user role, determining that user role as the target user role matched with the current login user.
3. The method according to claim 1, further comprising:
in response to a creation request for a new user role, acquiring the role category corresponding to the new user role;
if the role category corresponding to the new user role is detected to be an administrator role, configuring for the new user role an execution authority and an authorization authority for system-class operations corresponding to the public product integrated management platform and an authorization authority for at least one transaction-class operation corresponding to a public product in the platform, and adding the configured new user role to the preset user role list; and
if the role category corresponding to the new user role is detected to be an operator role, configuring for the new user role an execution authority for at least one transaction-class operation corresponding to a public product in the public product integrated management platform, and adding the configured new user role to the preset user role list;
wherein acquiring, according to the target user role matching the current login user, the user permissions of the current login user for each public product in the public product integrated management platform comprises:
if the role category of the target user role is detected to be the administrator role, acquiring the execution authority and the authorization authority for system-class operations corresponding to the public product integrated management platform and the authorization authority for at least one transaction-class operation corresponding to a public product in the platform; and
if the role category of the target user role is detected to be the operator role, acquiring the execution authority for at least one transaction-class operation corresponding to a public product in the public product integrated management platform.
4. The method according to claim 3, wherein performing access control of the public product integrated management platform on the current login user according to the user permissions of the current login user for each public product comprises:
in response to an access request of the current login user for a target public product, judging, according to the user permissions of the current login user for each public product in the public product integrated management platform, whether the current login user has the execution authority for the transaction-class operation corresponding to the target public product; and
if so, displaying a preset page corresponding to the target public product to the current login user; if not, displaying first preset authority alarm information to the current login user.
5. The method according to claim 4, further comprising, after acquiring the target user role matching the current login user from the preset user role list according to the affiliated institution corresponding to the current login user:
configuring a mapping state value between the current login user and the target user role as a preset state value, and configuring an expiry date corresponding to the mapping state value;
wherein displaying the preset page corresponding to the target public product to the current login user comprises:
when it is detected that the current system time does not exceed the expiry date corresponding to the mapping state value between the current login user and the target user role, displaying the preset page corresponding to the target public product to the current login user.
6. The method according to claim 5, further comprising:
in response to a role freezing request of the current login user, configuring a state attribute corresponding to the mapping state value between the current login user and the target user role as a frozen state;
and, after the preset page corresponding to the target public product is displayed to the current login user, further comprising:
when a transaction-class operation of the current login user on the target public product is detected, if the state attribute corresponding to the mapping state value between the current login user and the target user role is determined to be the frozen state, displaying second preset authority alarm information to the current login user.
7. The method according to claim 3, further comprising, after acquiring the execution authority for at least one transaction-class operation corresponding to a public product in the public product integrated management platform:
determining each public product for which the current login user has the execution authority for the corresponding transaction-class operation as an effective public product; and
generating a front-end home page of the public product integrated management platform for the current login user according to the preset home-page product function modules corresponding to each effective public product.
8. A user authority management device, applied to a public product integrated management platform, comprising:
a historical user role judging module, configured to judge, when it is detected that the public product integrated management platform enters a login state, whether a historical user role matching the current login user exists locally according to a user identifier corresponding to the current login user;
a target user role acquiring module, configured to, if not, acquire the affiliated institution corresponding to the current login user and acquire, according to that affiliated institution, a target user role matching the current login user from a preset user role list; and
a user authority acquiring module, configured to acquire, according to the target user role matching the current login user, the user permissions of the current login user for each public product in the public product integrated management platform, and to perform access control of the public product integrated management platform on the current login user according to those user permissions.
9. An electronic device, comprising:
one or more processors; and
a memory for storing one or more computer programs;
wherein, when the one or more computer programs are executed by the one or more processors, the one or more processors implement the user authority management method according to any one of claims 1 to 7.
10. A computer-readable storage medium on which a computer program is stored, wherein the computer program, when executed by a processor, implements the user authority management method according to any one of claims 1 to 7.
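The procedure of claims 1 to 7, worked through as an added Python example; this is editor-written illustration code, not code from the patent or from any Agricultural Bank of China system. It assumes several things the claims leave open: institution codes are '/'-separated paths ("HQ/BJ/01"), the preset role grade is read as the number of sub-institution levels below the role's root institution that the role covers, the preset role list is searched in order with the first match winning, the mapping validity is a fixed 90 days, and the two alarm messages, the sample roles and the sample clock are constructed values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class RoleCategory(Enum):
    ADMIN = "admin"        # claim 3: authorizes transaction-class operations
    OPERATOR = "operator"  # claim 3: executes transaction-class operations


@dataclass
class Role:
    name: str
    category: RoleCategory
    institution: str   # root of the role's institution range, e.g. "HQ/BJ"
    grade: int         # assumption: levels of sub-institutions below the root it covers
    product_ops: Dict[str, Set[str]] = field(default_factory=dict)  # product -> operations

    def applies_to(self, institution: str) -> bool:
        # Claim 2: applicable range derived from grade and root; codes are '/'-paths (assumption).
        if institution == self.institution:
            return True
        prefix = self.institution + "/"
        if not institution.startswith(prefix):
            return False
        return institution[len(prefix):].count("/") + 1 <= self.grade


@dataclass
class Mapping:
    role: Role
    expires_at: datetime    # claim 5: expiry date of the mapping state value
    state: str = "normal"   # claim 6: state attribute, "normal" or "frozen"


ALARM_NO_PERMISSION = "first preset authority alarm"   # claim 4 (constructed text)
ALARM_FROZEN = "second preset authority alarm"         # claim 6 (constructed text)
ALARM_NO_MAPPING = "no valid role mapping"             # assumption: unknown or expired user


class PermissionManager:
    def __init__(self, roles: List[Role], validity: timedelta = timedelta(days=90)):
        self.roles = list(roles)                # preset user role list, first match wins
        self.mappings: Dict[str, Mapping] = {}  # user id -> historical role mapping
        self.validity = validity                # assumption: one fixed validity period

    def login(self, user_id: str, institution: str, now: datetime) -> Optional[str]:
        # Claim 1: reuse the historical role; else match by institution (claim 2) and
        # record the mapping with its expiry date (claim 5).
        if user_id in self.mappings:
            return self.mappings[user_id].role.name
        for role in self.roles:
            if role.applies_to(institution):
                self.mappings[user_id] = Mapping(role, now + self.validity)
                return role.name
        return None

    def permissions(self, user_id: str) -> Dict[str, Tuple[str, Set[str]]]:
        # Claim 3: per-product permissions tagged execute (operator) or authorize (admin).
        m = self.mappings.get(user_id)
        if m is None:
            return {}
        tag = "authorize" if m.role.category is RoleCategory.ADMIN else "execute"
        return {p: (tag, set(ops)) for p, ops in m.role.product_ops.items()}

    def access(self, user_id: str, product: str, op: str, now: datetime) -> Tuple[bool, str]:
        # Claims 4 and 5: page shown only with execution authority and an unexpired mapping.
        m = self.mappings.get(user_id)
        if m is None or now > m.expires_at:
            return False, ALARM_NO_MAPPING
        tag, ops = self.permissions(user_id).get(product, ("", set()))
        if tag != "execute" or op not in ops:
            return False, ALARM_NO_PERMISSION
        return True, f"{product} page"

    def freeze(self, user_id: str) -> bool:
        # Claim 6: a role freezing request marks the mapping frozen.
        m = self.mappings.get(user_id)
        if m is not None:
            m.state = "frozen"
        return m is not None

    def transact(self, user_id: str, product: str, op: str, now: datetime) -> Tuple[bool, str]:
        # Claim 6: a transaction attempt under a frozen mapping raises the second alarm.
        ok, msg = self.access(user_id, product, op, now)
        if ok and self.mappings[user_id].state == "frozen":
            return False, ALARM_FROZEN
        return ok, (f"{op} on {product} performed" if ok else msg)

    def home_page(self, user_id: str) -> List[str]:
        # Claim 7: effective products are those the user can execute operations on.
        return sorted(p for p, (tag, _) in self.permissions(user_id).items() if tag == "execute")


NOW = datetime(2022, 1, 19)        # constructed sample clock
LATER = NOW + timedelta(days=91)   # past the assumed 90-day validity


def sample_manager() -> PermissionManager:
    # Constructed sample role list: a Beijing-branch operator and a head-office administrator.
    roles = [Role("bj_operator", RoleCategory.OPERATOR, "HQ/BJ", 1, {"loan": {"submit", "query"}}),
             Role("hq_admin", RoleCategory.ADMIN, "HQ", 1, {"loan": {"approve"}, "deposit": {"approve"}})]
    return PermissionManager(roles)
```

Two consequences of the claims show up when the sample runs: a user whose historical mapping exists keeps that role on the next login even if the affiliated institution changed (claim 1 checks the local mapping first), and because claim 4 gates the product page on execution authority, an administrator role that only holds authorization authority is shown the first alarm rather than the page, and its claim 7 home page is empty. Both are points a reviewer of such a platform would want to check deliberately rather than discover in production.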

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210058357.XA CN114385999A (en) 2022-01-19 2022-01-19 User authority management method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210058357.XA CN114385999A (en) 2022-01-19 2022-01-19 User authority management method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN114385999A true CN114385999A (en) 2022-04-22

Family

ID=81204012

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210058357.XA Pending CN114385999A (en) 2022-01-19 2022-01-19 User authority management method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN114385999A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115767025A (en) * 2022-11-10 2023-03-07 合芯科技有限公司 Method and device for preventing data leakage, electronic equipment and storage medium
CN115767025B (en) * 2022-11-10 2024-01-23 合芯科技有限公司 Method, device, electronic equipment and storage medium for preventing data leakage
CN117541032A (en) * 2024-01-09 2024-02-09 云南建投物流有限公司 Business digital management method and system based on transaction architecture construction
CN117541032B (en) * 2024-01-09 2024-04-23 云南建投物流有限公司 Business digital management method and system based on transaction architecture construction

Similar Documents

Publication Publication Date Title
US9231914B2 (en) Mobile device security management system
CN107563203B (en) Integrated security policy and event management
CN114385999A (en) User authority management method, device, equipment and medium
US9799003B2 (en) Context-dependent transactional management for separation of duties
CN111695156A (en) Service platform access method, device, equipment and storage medium
CN114266021A (en) User authority management method, device, equipment and medium
CN103414585A (en) Method and device for building safety baselines of service system
JP2004158007A (en) Computer access authorization
CN113761552A (en) Access control method, device, system, server and storage medium
CN109491733A (en) Based on visual interface display method and relevant device
CN114493901A (en) Data access application processing method and device, computer equipment and storage medium
CN111147496B (en) Data processing method and device
CN112579997A (en) User permission configuration method and device, computer equipment and storage medium
US20230130885A1 (en) Expedited Authorization and Access Management
KR20180007792A (en) Apparatus and method for providing data based on cloud service
CN111930449B (en) Data management method and server
JP2020181337A (en) Account management system, account management device, account management method, and program
CN111722881B (en) Resource expansion method, system and device of container cloud platform
CN113032770A (en) User classification authority management method and device and intelligent terminal
WO2020258694A1 (en) Domain name management method and system
US20030014509A1 (en) Account management module user interface
CN111443907A (en) Method and device for calling SDK function
CN115086321B (en) Multi-cluster traffic forwarding method and device and electronic equipment
JP2023135797A (en) Policy setting control apparatus, policy setting control method, and policy setting control program
CN115001729B (en) User authority control method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination