CN114817901A

CN114817901A - Authority management method, related device and medium

Info

Publication number: CN114817901A
Application number: CN202210333722.3A
Authority: CN
Inventors: 李斌; 杜威; 林俊鑫; 张楠
Original assignee: Alibaba China Co Ltd
Current assignee: Alibaba China Co Ltd
Priority date: 2022-03-30
Filing date: 2022-03-30
Publication date: 2022-07-29

Abstract

Provided are a rights management method, a related apparatus, and a medium. The authority management method comprises the following steps: acquiring the post change information of a user, wherein the post change information of the user comprises posts of the user before and after the post change, each post has a specific post responsibility and a post authority, and the post responsibility of each post corresponds to the post authority; based on the one-to-one corresponding relation between the preset post change information and the trigger event, acquiring a target trigger event for triggering the modification of the user permission according to the post change information of the user; and executing the target authority configuration behavior corresponding to the target trigger event on the authority of the user based on the one-to-one correspondence between the preset trigger event and the authority configuration behavior, so that the post of the user is matched with the authority of the user after the post is changed. The embodiment of the disclosure improves the efficiency and accuracy of the authority management and reduces the labor cost.

Description

Authority management method, related device and medium

Technical Field

The present disclosure relates to the field of rights management technologies, and in particular, to a rights management method, a related apparatus, and a medium.

Background

The authority management generally refers to controlling that a user can access and only can access authorized resources according to a security rule or a security policy set by a system. As long as the systems in which the users participate generally have rights management, the rights management realizes the control of the user access. Rights management relates to rights configuration and authentication. Currently, the permission configuration process mainly involves an administrator and a permission database, wherein the administrator is responsible for managing permissions, and the permission database is responsible for storing access permissions of users to resources. In the process of authority configuration, an administrator can perform management such as addition, deletion, modification, check and the like on the authority of the user for accessing the resources by modifying the data in the authority database according to the service range of the user. The process of configuring the authority by the administrator is complex, easy to make mistakes and strong in dependence on workers, so that the labor cost is improved, and the efficiency and the accuracy of authority management are reduced.

Disclosure of Invention

In view of the above, it is an object of the present disclosure to improve the efficiency and accuracy of rights management and reduce labor costs.

In a first aspect, an embodiment of the present disclosure provides a rights management method, including:

acquiring the post change information of a user, wherein the post change information of the user comprises posts of the user before and after the post change, each post has a specific post responsibility and a post authority, and the post responsibility of each post corresponds to the post authority;

based on a one-to-one correspondence relationship between preset post change information and a trigger event, acquiring a target trigger event for triggering the modification of the user permission according to the post change information of the user;

and executing the target authority configuration behavior corresponding to the target trigger event for the authority of the user based on the one-to-one correspondence between the preset trigger event and the authority configuration behavior, so that the post of the user is matched with the authority of the user after the post is changed.

Optionally, a plurality of posts are set in an organization architecture of a tenant, the user is assigned to the posts in the organization architecture of the tenant, and before the post change information of the user is acquired, the authority management method further includes:

acquiring possible position change information of position change which may occur in the organization architecture of the tenant;

and taking the possible post change information as a trigger condition of the trigger event to establish a one-to-one correspondence between the preset post change information and the trigger event.

Optionally, before acquiring the post change information of the user, the method for managing the authority further includes:

based on the post responsibility and the post permission of each post in the organization structure of the tenant, determining the post permission change corresponding to the possible post change information according to the possible post change information, and determining permission configuration behavior according to the post permission change; and

and establishing a one-to-one corresponding relation between the preset trigger event and the authority configuration behavior based on the corresponding relation between the possible post change information, the trigger event and the authority configuration behavior.

Optionally, the acquiring the position change information of the user includes:

acquiring personnel change information of the user;

and performing semantic analysis on the personnel change message of the user through a natural language processing technology to obtain the post change information of the user.

Optionally, the authority management mechanism of the authority management method includes a role-based access control mechanism, and the target authority configuration behavior corresponding to the target trigger event executed by the authority of the user includes at least one of:

modifying one or more roles corresponding to the post of the user before the post is changed into one or more roles corresponding to the post of the user after the post is changed;

and modifying one or more permissions included in the role corresponding to the user's post before the post is changed into one or more permissions included in the role corresponding to the user's post after the post is changed.

Optionally, the authority management mechanism of the authority management method includes an attribute-based access control mechanism, and configuring a target authority corresponding to the target trigger event executed by the authority of the user includes:

and modifying one or more authorities corresponding to the post of the user before the post is changed into one or more authorities corresponding to the post of the user after the post is changed.

In a second aspect, an embodiment of the present disclosure provides a rights management device, including:

a post change information acquiring unit, configured to acquire post change information of a user, where the post change information of the user includes posts of the user before and after the post change, each post has a specific post responsibility and a post authority, and the post responsibility of each post corresponds to the post authority;

a target trigger event obtaining unit, configured to obtain, based on a one-to-one correspondence between preset post change information and a trigger event, a target trigger event that triggers modification of a permission of the user according to the post change information of the user;

and the authority configuration unit is used for executing the target authority configuration behavior corresponding to the target trigger event on the authority of the user based on the one-to-one correspondence between the preset trigger event and the authority configuration behavior, so that the post of the user is matched with the authority of the user after the post is changed.

In a third aspect, an embodiment of the present disclosure provides a computing apparatus, including:

a memory for storing computer executable code;

a processor for executing the computer executable code to implement the method of any one of the above.

In a fourth aspect, an embodiment of the present disclosure provides a system on a chip, including:

a memory for storing computer executable code;

In a fifth aspect, embodiments of the present disclosure provide a computer storage medium having computer-executable code stored thereon, which when executed by a processor, implement any of the above-described methods.

In the embodiment of the disclosure, the post change information of the user is acquired, and the target authority configuration behavior corresponding to the target trigger event is automatically executed to the authority of the user based on the one-to-one corresponding relationship between the preset post change information and the trigger event and the one-to-one corresponding relationship between the preset trigger event and the authority configuration behavior, so that the characteristic that each post has a specific post responsibility and a post authority, the post responsibility of each post corresponds to the post authority, and the authority to which the user should be granted before and after the post change is changed due to the post change is skillfully utilized to establish the one-to-one corresponding relationship between the preset post change information and the trigger event and the one-to-one corresponding relationship between the preset trigger event and the authority configuration behavior, so that the target authority configuration behavior corresponding to the post change information of the user can be inquired, and automatically executing the target authority configuration behavior corresponding to the target trigger event to the authority of the user, so that the post of the user is matched with the authority of the user after the post is changed, the manual dependence on the authority of the user is reduced, the labor cost is reduced, and the efficiency and the accuracy of the authority management are improved.

Drawings

The foregoing and other objects, features, and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which refers to the accompanying drawings in which:

FIG. 1 illustrates a block diagram of a supply chain management system to which one embodiment of the present disclosure is applied;

FIG. 2 illustrates an internal block diagram of a computing device, according to one embodiment of the present disclosure;

FIG. 3 shows a flow diagram of a rights management method according to one embodiment of the present disclosure;

FIG. 4A illustrates an organizational architecture of a tenant (e.g., enterprise AA) according to one embodiment of the present disclosure;

figure 4B illustrates an organizational architecture of a tenant (e.g., department 2) according to one embodiment of the present disclosure;

figure 4C illustrates an organizational architecture of a tenant (e.g., department 3) according to one embodiment of the present disclosure;

FIG. 5 illustrates a rights management diagram of a role-based access control mechanism according to one embodiment of the present disclosure;

fig. 6 shows a schematic structural diagram of a rights management device according to an embodiment of the present disclosure.

Detailed Description

The present disclosure is described below based on examples, but the present disclosure is not limited to only these examples. In the following detailed description of the present disclosure, some specific details are set forth in detail. It will be apparent to those skilled in the art that the present disclosure may be practiced without these specific details. Well-known methods, procedures, and procedures have not been described in detail so as not to obscure the present disclosure. The figures are not necessarily drawn to scale.

The following terms are used herein:

a middle platform system: the system is a system formed by a series of execution standards, operation mechanisms, configuration management and execution systems and operation service teams, and provides the capability of quick and low-cost innovation of each participant. After the middle platform system is established, the research and development system is changed from ' centralized development and improvement of research and development efficiency ' into ' distributed development, the global throughput is guaranteed, the research and development efficiency of the participants is improved, and the innovation efficiency of the participants is greatly improved. In a traditional foreground-background architecture, the foreground includes various interfaces for interaction with users, such as web pages, mobile phone apps, and the like; and various functions of the server side for responding to the user request in real time, such as commodity inquiry, an order system and the like, are also included. The background is a configuration management system which is not directly oriented to users, but oriented to operators, such as commodity management, logistics management, settlement management and the like. The participants are independent from each other, and the developer of each participant is responsible for the development work of the participant. However, each participant has the same function to be realized, and the traditional architecture causes each participant to perform repeated development work aiming at the same function, which causes waste of development resources. In order to improve the development efficiency, an intermediate platform needs to be integrated to provide some common resources for each participant, and the intermediate platform is called a middlebox system, which may also be referred to as a middlebox for short. The staging system may be understood as a support system for the foreground that not only owns the common resources that the various participants need to use, but also responds to received processing requests.

Supply chain management: refers to the various activities and processes of planning, coordinating, operating, controlling and optimizing the entire supply chain system, with the goal of being able to bring the Right Product (Right Product) needed by the user to the Right Place (Right Place) at the Right Time (Right Time), in the Right Quantity (Right Quantity), in the Right Quality (Right Quality) and in the Right Status (Right Status), and to optimize the total cost. A supply chain system refers to an integration of key business processes and relationships that provide goods, services or information to users, from the original material provider, through to tenants throughout the chain of end users. It should be appreciated that the supply chain system can provide services to all tenants in the form of resources. The tenants are users of resources of the supply chain system, correspond to management entities in the supply chain, and relate to aspects of purchasing, production, sales, warehousing and transportation. For example, tenants are a group, and different tenants may belong to different companies or different departments.

A computing device: the device with computing or processing capability may be embodied in the form of a terminal, such as an internet of things device, a mobile terminal, a desktop computer, a laptop computer, etc., or may be embodied as a server or a cluster of servers. In the context of a supply chain management system to which the present disclosure applies, the computing device may be a server in a data center.

The disclosure isApplication environment

The embodiment of the disclosure provides a rights management scheme. The whole authority management scheme is relatively universal, and can be used for various hardware devices which need to perform authority management to endow corresponding authority to users, such as data centers, AI (artificial intelligence) acceleration units, GPUs (graphic processing units), IOT (Internet of things) devices capable of executing deep learning models, embedded devices and the like. The rights management scheme is independent of the hardware on which the computing device executing the scheme is ultimately deployed. For exemplary purposes, however, the following description will be made primarily with reference to a supply chain management system as an application scenario. Those skilled in the art will appreciate that the disclosed embodiments are also applicable to other application scenarios.

Supply chain management system

FIG. 1 is a system architecture diagram of a supply chain management system 100 to which one embodiment of the present disclosure is applied. In some embodiments, as shown in FIG. 1, the system may include a business foreground 11, a supply chain foreground 12, and a computing background 13.

In some embodiments, the service foreground 11 may interface users, implementing service functions of the service platform 111, based on the supply chain middleboxes 12. The service foreground 11 may carry one or more service platforms 111, and the service platforms 111 may provide service processing services to implement corresponding service processing functions based on the service processing services. In some embodiments, the business platform 111 may be involved in various aspects of procurement, production, sales, warehousing, transportation, etc. on the supply chain. For example, the business platform 111 may be an enterprise information management platform, a commodity information management platform, a warehouse information management platform, a transportation vehicle and driver management platform, a logistics billing management platform, a contract management platform, a purchase management platform, a sales management platform, a warehousing management platform, a transportation management platform, a financial management platform, and the like. It should be understood that the service platform 111 is a functional module in the service foreground 11, and in terms of implementation, the service platform 111 may be a program module of software, and may also be implemented in hardware, for example, based on FPGA or CPLD.

In some embodiments, the platform 12 in the supply chain does not provide actual business functions, but implements data analysis, presentation, application and the like through intelligent big data functions to integrate the business functions of the business platform of the third party, thereby indirectly providing services for the user. In some embodiments, as shown in FIG. 1, station 12 includes a rights management device 128 in the supply chain. The rights management device 128 may perform rights configuration and rights authentication for the user of the service platform 111. In some embodiments, during the permission configuration process, the permission management device 128 may receive a personnel change message of the user of the service platform 111, and automatically configure a corresponding user permission for the user based on the change of the position that the user is assigned to, so that the position that the user is assigned to after the change of the position matches with the permission of the user. It should be understood that user rights may include both functional rights and data rights. The function authority is the interface authority, menu authority, operation authority and the like of the user. The data authority is the data read-write authority of the user. In one embodiment, the service platform 111 may be a sales management platform, such as a network transaction platform of naught, kyoto, amazada, etc., the sales management platform may send a data access request for obtaining historical transaction information of a certain commodity to the station 12 in the supply chain, the right management device 128 may authenticate the right of the user, and in a case that the user has a relevant right, the station 12 in the supply chain may provide the historical transaction information to the sales management platform, so that the sales management platform uses the historical transaction information to recommend the commodity to the user of the sales management platform. Since the process of automatically configuring the corresponding user authority for the user based on the post change assigned by the user will be described in detail below, further description is omitted.

In some embodiments, as shown in FIG. 1, the supply chain center station 12 further includes a user management module 121 and a supply chain information sharing module 122. In some embodiments, the user management module 121 may include a user registration unit 123, a supply chain building unit 124, and a service processing request unit 125. The user registration unit 123 may receive the user registration information provided by the service platform 111, perform user registration in the related function module of the supply chain information sharing module 122, and configure the user right related to service processing in the supply chain for the user through the right management device 128. The supply chain building unit 124 may receive a service processing request of the service platform 111, call a supply chain line corresponding to a service mode, and build a supply chain or a temporary supply chain having a plurality of service platforms 111. The service processing request unit 125 may receive a service processing request initiated by the service platform 111 in the supply chain, invoke the right management device 128 to perform right authentication for the user, invoke the service provided by the supply chain information sharing module 122 to execute supply chain service processing among the plurality of service platforms 111 under the condition that the user has the related user right, obtain information of the service processing, and feed back the information as a callable shared information resource to the supply chain information sharing module 122. In some embodiments, the supply chain information sharing module 122 may include a tenant information sharing unit 126 and a business process information sharing unit 127. The tenant information sharing unit 126 may extract user information permitted by the user, which is recorded in the user registration unit 123 by the service platform 111, store the user information in a classified manner, and provide services such as tenant information management, commodity information management, warehouse information management, transportation vehicle and driver management, and logistics billing management when the service platform 111 initiates a service processing request. The service processing information sharing unit 127 may obtain information required for performing service processing, provide information required for service processing when the service platform 111 initiates a service processing request, and provide services such as contract management, purchase management, sales management, warehousing management, transportation management, financial management, and the like for the service processing request unit 125, so that the corresponding service platform 111 may execute related services. It should be understood that the rights management device 128, the user management module 121, and the supply chain information sharing module 122 are functional modules in the station 12 in the supply chain, and in implementation, the rights management device 128, the user management module 121, and the supply chain information sharing module 122 may be program modules of software, or may be implemented in hardware, for example, based on FPGA or CPLD.

In some embodiments, as shown in FIG. 1, computing backend 13 may provide computing, data storage, etc. functionality for stations 12 in the supply chain. Computing backend 13 may include offline computing module 131, real-time computing module 132, and rights database 133. Offline computing module 131 may implement offline computing functionality and real-time computing module 132 may implement real-time computing functionality for providing computing support to stations 12 in the supply chain. The rights database 133 can store the access rights of the user to the resources of the supply chain system, and can modify the data in the rights database 133 through the rights management device 128 to modify the rights of the user to access the resources of the supply chain system, so that the management of adding, deleting, modifying, checking and the like of the rights of the user to access the resources of the supply chain system is realized. It should be understood that the offline calculation module 131, the real-time calculation module 132 and the permission database 133 are functional modules in the calculation background 13, and in implementation, the offline calculation module 131, the real-time calculation module 132 and the permission database 133 may be program modules of software, or may be hardware, for example, implemented based on FPGA or CPLD.

In some embodiments, the business foreground 11, the supply chain middle station 12, and the computing background 13 may be respectively borne on a server or other type of electronic device, and the disclosure is not limited thereto. In one embodiment, when the service foreground 11, the supply chain intermediate station 12 and the computation background 13 can be respectively carried by corresponding servers, the servers can be independent physical servers, or can be a server cluster including a plurality of physical servers, or can also be virtual servers or a virtual server cluster, and the disclosure is not limited thereto.

Computing device

FIG. 2 illustrates an internal block diagram of a station 12 (computing device 141 or system on a chip 142 or server 143) in a supply chain according to one embodiment of the disclosure. As shown in fig. 2, computing device 141 may include one or more processors 22, as well as memory 29. The memory 29 in the computing device 141 may be a main memory (referred to as a main memory or an internal memory) for storing instruction information and/or data information represented by data signals, and may also be used for data exchange between the processor 22 and an external storage device 26 (or referred to as an auxiliary memory or an external memory).

In some cases, processor 22 may need to access memory 29 to retrieve data in memory 29 or to make modifications to data in memory 29. To alleviate the speed gap between processor 22 and memory 29 due to the slow access speed of memory 29, computing device 141 further includes a cache memory 28 coupled to bus 21, cache memory 28 being used to cache some data in memory 29, such as program data or message data, that may be recalled repeatedly. The cache Memory 28 is implemented by a storage device such as a Static Random Access Memory (SRAM).

Based on this, the processor 22 may include an instruction execution unit 221, a memory management unit 222, and the like. The instruction execution unit 221 initiates a write access request when executing some instructions that need to modify the memory, where the write access request specifies write data and a corresponding physical address that need to be written into the memory; the memory management unit 222 is configured to translate the virtual addresses specified by the instructions into physical addresses mapped by the virtual addresses, and the physical addresses specified by the write access request may be consistent with the physical addresses specified by the corresponding instructions.

The information exchange between the memory 29 and the cache 28 is typically organized in blocks. In some embodiments, the cache 28 and the memory 29 may be divided into data blocks according to the same spatial size, and the data blocks may be a minimum unit (including one or more data of a preset length) of data exchange between the cache 28 and the memory 29. For the sake of brevity and clarity, each data block in the cache memory 28 will be referred to below simply as a cache block (which may be referred to as a cacheline or cache line), and different cache blocks have different cache block addresses; each data block in the memory 29 is referred to as a memory block, and different memory blocks have different memory block addresses. The cache block address comprises, for example, a physical address tag for locating the data block.

Due to space and resource constraints, cache memory 28 cannot cache the entire contents of memory 29, i.e. the storage capacity of cache memory 28 is generally smaller than that of memory 29, and the addresses of the cache blocks provided by cache memory 28 cannot correspond to the addresses of the memory blocks provided by memory 29. When the processor 22 needs to access the memory, firstly, the processor accesses the cache 28 through the bus 21 to determine whether the content to be accessed is stored in the cache 28, if so, the cache 28 hits, and at this time, the processor 22 directly calls the content to be accessed from the cache 28; if the content that processor 22 needs to access is not in cache 28, processor 22 needs to access memory 29 via bus 21 to look up the corresponding information in memory 29. Because the access rate of the cache memory 28 is very fast, the efficiency of the processor 22 can be significantly improved when the cache memory 28 hits, thereby also improving the performance and efficiency of the overall computing device 141.

As shown, processor 22, cache 28, and memory 29 are packaged in a system on chip (SoC) 201. The designer may configure the SoC architecture so that communications between various elements in computing device 141 are secure.

In this example, the computing device 141 may also include various Software, illustrated as an embedded operating system 206, a loader 207, a Virtual Machine Monitor (VMM) 202, a Virtual Machine 203, a Guest operating system (Guest OS, also known as operating system copy) 204, and an application (also known as Guest Software) 205. The software may be either resident in the memory 29 or stored in the external memory 26. Typically, virtual machine 203, virtual machine monitor 202, loader 207, and embedded operating system 206 are solidified in memory 29, and guest operating system 204 and application programs 205 may be stored in external memory 26.

In some embodiments, as shown in FIG. 2, a virtual machine monitor 202 is provided above the underlying hardware (i.e., system-on-chip 201), and a virtual machine monitor 302 may run on the physical hardware in the form of a user program. The hypervisor 202 is the core software that supports the virtual machines 203, and it is the core of the virtual machine technology, and provides the virtual machines 203 with the abstraction of physical resources of hardware, including virtual processors and other devices, such as I/O devices, memory, external memory, etc., so that the multiple virtual machines 203 running on the upper layer can share the physical resources in a time-sharing manner without concern for hardware details. Virtual machine monitor 202 can provide physical memory management and scheduling for multiple virtual machines 203 running on top of the underlying hardware. In addition, virtual machine monitor 202 may even simulate implementing certain hardware functions.

In some embodiments, the computing device 141 may be a server of a data center, and when using the data center services, the tenant may not actually own resources such as a corresponding physical server, and lease the virtual machine and the associated storage and network services from the data center to obtain computing power, and deploy its own services on the virtual machine as if using the physical server. The virtual machines deployed in the multiple computing devices 141 of the data center form a virtual machine resource pool, the virtual machine resource pool may be divided into multiple groups of virtual machines, and the virtual machines in the same group may be located in different data centers or in different computing devices 141 of the same data center. In some embodiments, for a tenant, it may lease a group of virtual machines, and the leased virtual data center is similar to its private physical data center, and multiple tenants of the data center may share physical devices of the same computing device 141, so that physical resources of one computing device 141 are shared by multiple tenants, and multiple tenants can conveniently and flexibly use the physical resources on the premise of security isolation, thereby greatly improving the utilization rate of the physical resources. In some embodiments, the tenant may deploy an application 205 on the computing device 141, through which application 205 the service 208 may be provided. In some embodiments, the application 205 may be a program on the station 12 side of the supply chain of the service platform 111 to implement the relevant service functionality of the service platform 111. In some embodiments, as shown in FIG. 2, one or more virtual machines 203 may be loaded on top of virtual machine monitor 202, as an example, virtual machines 1 through n are shown; tenants 1 to n may deploy a plurality of applications 205 on virtual machines 1 to n, respectively, as an example, applications 1 to n are shown in the figure, n being a natural number other than 0. A plurality of services 208, e.g., map, music, video, DNS, etc. service types, are provided by the application 205, and as an example, services 1 through n are shown, n being a natural number other than 0. Each virtual machine 203 runs independently on top of the physical hardware, providing a runtime environment for the corresponding application 205 and guest operating system 204. The application 205 may be a program for controlling or responding to an external device (e.g., a biometric sensor, printer, microphone, speaker, flow valve, or other I/O component, sensor, actuator, or device), a program for various I/O tasks, a security program, a validation program, various computing modules, a communication program, a communication support protocol, or other program, or a combination thereof.

In some cases, loader 207 and embedded operating system 206 may be combined into one. For such software to be provided on the underlying hardware of computing device 141, loader 207 may be configured to verify and load various software into cache 28 from external memory 26 or memory 29. The loader 207 itself may be software that is loaded in a secure manner. The computing device 141 may be configured to retrieve the loader 207 from the memory 29 immediately or soon after power-up or reset, and may then determine which software to load based on the configuration information, and then load the corresponding software into the cache 28 based on the verification of the software, e.g., based on software source, fingerprint, certificate, etc., to determine whether to load certain software. A portion of the application 205 may be independent of the embedded operating system 206 and loaded by the loader 207 and another portion of the application 205 may be dependent on the embedded operating system 206 and loaded by and controlling the operation of the embedded operating system 206.

In some embodiments, the computing device 141 may also include a rights management device 210. In some embodiments, in the authority configuring process, the authority management device 210 may receive a personnel change message of the user of the service platform 111, and automatically configure the corresponding user authority for the user based on the position change that the user has been assigned to, so that the position that the user has been assigned to after the position change matches with the authority of the user. Since the process of automatically configuring the corresponding user authority for the user based on the post change assigned by the user will be described below, it is not described herein again.

Further, the computing device 141 may also include input/output devices such as storage device 26, display device 23, audio device 24, mouse/keyboard 25, and the like. The storage device 26 is a device for information access such as a hard disk, an optical disk, and a flash memory coupled to the bus 21 via corresponding interfaces. A display device 23 is coupled to the bus 21, for example via a corresponding graphics card, for displaying in accordance with display signals provided by the bus 21.

The computing device 141 also typically includes a communication device 27 and thus may communicate with a network or other device in a variety of ways. The communication device 27 may include, for example, one or more communication modules, by way of example, the communication device 27 may include a wireless communication module adapted for a particular wireless communication protocol.

Of course, the structure of different computer systems may vary depending on the motherboard, operating system, and instruction set architecture. For example, many computer systems today have an input/output control hub coupled between the bus 21 and various input/output devices, and the input/output control hub may be integrated within the processor 22 or separate from the processor 22.

Authority management method according to embodiment of the disclosure

In some embodiments, as shown in FIG. 3, a rights management method is provided. The method may be performed by the rights management device 210. In the case where the computing apparatus 141 is a single computer, the rights management apparatus 210 is a part of the single computer, and the rights management method is executed by a part of the single computer. When the computing apparatus 141 is a set of a plurality of computers, the right management apparatus 210 is a single computer, and the data synchronization method is executed by the single computer. In the case where the computing device 141 is in the form of a cloud, the rights management device 210 is a series of computers or portions thereof in the cloud, and the rights management method is performed by the series of computers or portions thereof in the cloud.

As shown in fig. 3, a rights management method according to one embodiment of the present disclosure includes: step S310, acquiring the post change information of a user, wherein the post change information of the user comprises posts of the user before and after the post change, each post has a specific post responsibility and a post authority, and the post responsibility of each post corresponds to the post authority; step S320, acquiring a target trigger event for triggering the modification of the authority of the user according to the post change information of the user based on the one-to-one correspondence between the preset post change information and the trigger event; step S330, executing the target authority configuration behavior corresponding to the target trigger event to the authority of the user based on the one-to-one correspondence between the preset trigger event and the authority configuration behavior, so that the post of the user is matched with the authority of the user after the post is changed.

The above steps are described in detail below, respectively.

In step S310, the position change information of the user is obtained, where the position change information of the user includes the positions of the user before and after the position change, each position has a specific position responsibility and a position authority, and the position responsibility of each position corresponds to the position authority.

In some embodiments, taking the supply chain system as an example, the supply chain system may be used to provide services to all tenants in the form of resources. The tenants are users of resources of the supply chain system, correspond to management entities in the supply chain, and relate to aspects of purchasing, production, sales, warehousing and transportation. For example, tenants as a group, different tenants may belong to different companies or different departments. The organization architecture of the tenant may be provided with a plurality of posts, for example, a technical post, a sales post, a financial post, a legal post, a logistics post, etc. It should be understood that different tenants may have different posts. The user serves as a member of the tenant and is at a position in the organization architecture of the tenant. Each post has a particular post responsibility and a post authority, the post responsibility for each post corresponding to the post authority. Figure 4A illustrates an organizational architecture of a tenant (e.g., enterprise AA) according to one embodiment of the present disclosure. In some embodiments, as shown in FIG. 4A, enterprise AA includes several departments, department 1, department 2 … …, department 8, and so on. In one example, the tenant of the supply chain system may be an enterprise AA, several departments, such as department 1, department 2 … …, department 8, etc., may be users of the business platform 111, and department 1, department 2 … …, department 8 may have different post responsibilities and post permissions. Figure 4B illustrates an organizational architecture of a tenant (e.g., department 2) according to one embodiment of the present disclosure. In some embodiments, as shown in FIG. 4B, the enterprise members for department 2 include user A through user D. In one example, the tenant of the supply chain system may be department 2 of enterprise AA, and users a through D may be available for employment on the posts set up by department 2. Users a to D may be users of the service platform 111, and the posts offered by users a to D may have different post responsibilities and post permissions. Figure 4C illustrates an organizational architecture of a tenant (e.g., department 3) according to one embodiment of the present disclosure. In some embodiments, as shown in FIG. 4C, the enterprise members for department 3 include user E through user H. In one example, the tenant of the supply chain system may be department 3 of enterprise AA, and users E through H may be available for employment at the positions established by department 3. The users E to H may be users of the service platform 111, and the posts provided by the users E to H may have different post responsibilities and post permissions.

In some embodiments, personnel change messages for users in an organizational structure of a tenant (e.g., enterprise, department, etc.) may be obtained. The personnel change message may refer to personnel change messages issued by the personnel management system, such as the attendance and leaving of employees, post changes, and the like. It should be understood that the personnel change message may be obtained from the universal personnel management system in any communication path and in any information processing manner, and the disclosure is not limited in any way. The specific representation of the personnel change message is not limited, and may be represented by text, voice, or image, for example. Before extracting the post change information of the user from the personnel change message, the personnel change message expressed in a voice mode may be subjected to voice recognition processing to be converted into the personnel change message expressed in a text mode, or the personnel change message expressed in an image mode may be subjected to image recognition processing to be converted into the personnel change message expressed in a text mode. In some embodiments, the semantic parsing may be performed on the human change message of the user, which is represented in a text manner, by using a natural language processing technology, to obtain the position change information of the user, where the position change information of the user includes a position of the user before the position change and a position of the user after the position change. It can be understood that, due to the change of the user's post, the post responsibilities of the user's post before the change of the post and the user's post after the change of the post are different, and the post permissions of the user's post before the change of the post and the user's post after the change of the post are also different. Therefore, the strong coupling relation between the personnel change message and the trigger event for triggering the modification of the user authority is released, the specific data format and the like of the personnel change message are not strongly dependent, and different personnel management systems can be flexibly accessed. It should be appreciated that natural language processing is a process for systematic analysis, understanding, and information extraction of textual data in an intelligent and efficient manner. Since the natural language processing technology is the prior art, it is not described in detail.

In some embodiments, before performing step S310, the rights management method may further include: acquiring possible position change information of position change which may occur in an organization structure of a tenant; and taking the possible post change information as a trigger condition of the trigger event to establish a one-to-one correspondence relationship between the preset post change information and the trigger event. In some embodiments, due to the reasons of the tenant's process operation, department setting, and function planning, it often happens that a tenant member (i.e., a user) flows among multiple positions in the tenant's organizational structure or the tenant member leaves the position, which may cause position changes of the tenant member in the tenant's organizational structure. In some embodiments, possible position change information corresponding to the organization architecture of the tenant may be obtained according to the possible position changes of the tenant member, where the possible position change information includes a position of the tenant member before the position change and a position of the tenant member after the position change. In some embodiments, a trigger event for triggering modification of the tenant member's permissions may be established based on the potential position change information corresponding to the tenant's organizational architecture. In some embodiments, the trigger event may include a name, a number, a trigger condition, and the like. The possible post change information can be used as a trigger condition of the trigger event, so that a one-to-one correspondence relationship between the post change information and the trigger event preset in the organization architecture of the tenant can be established. In implementation, the one-to-one correspondence between the post change information and the trigger event preset in the organization architecture of the tenant may be stored in a table, and the table may be stored in the permission database.

In some embodiments, before performing step S310, the rights management method may further include: determining the change of the post authority corresponding to the possible post change information according to the possible post change information based on the post responsibility and the post authority of each post in the organization structure of the tenant, and determining the authority configuration behavior according to the change of the post authority; and establishing a one-to-one correspondence between preset trigger events and permission configuration behaviors based on the correspondence between the possible post change information, the trigger events and the permission configuration behaviors. In some embodiments, the possible post change information includes the post of the tenant member before the post change and the post of the tenant member after the post change. The post responsibility of the post of the tenant member before the post change is different from the post responsibility of the post of the tenant member after the post change, and the post authority of the post of the tenant member before the post change is different from the post authority of the post of the tenant member after the post change, namely the post authority change exists between the post of the tenant member before the post change and the post of the tenant member after the post change. In some embodiments, the change of the post permission corresponding to the possible post change information may be determined according to the possible post change information, and the permission configuration behavior for modifying the post permission of the tenant member before the post change into the post permission of the tenant member after the post change may be determined according to the change of the post permission, so that the one-to-one correspondence between the preset trigger event and the permission configuration behavior may be established based on the correspondence between the possible post change information, the trigger event, and the permission configuration behavior. In implementation, the one-to-one correspondence between the preset trigger event and the permission configuration behavior may be stored in a table, and the table may be stored in the permission database. Therefore, the one-to-one corresponding relation between the preset position change information and the trigger event and the one-to-one corresponding relation between the preset trigger event and the authority configuration behavior in the organization structure of the tenant can be established by taking the tenant as a unit, the user authority configurations of different tenants are isolated from each other, the authority management method based on the embodiment of the disclosure can realize the user authority configurations of different tenants, is beneficial to realizing the unified authority management of the middle platform system under the condition that the authority management of different tenants is not influenced mutually, and improves the authority management efficiency of the middle platform system.

In step S320, based on a one-to-one correspondence between preset post change information and a trigger event, a target trigger event that triggers modification of the authority of the user is obtained according to the post change information of the user.

In some embodiments, a target trigger event corresponding to the post change information of the user may be queried based on a one-to-one correspondence between preset post change information and the trigger event by querying the permission database.

In step S330, based on a one-to-one correspondence between a preset trigger event and an authority configuration behavior, a target authority configuration behavior corresponding to the target trigger event is executed for the authority of the user, so that the post of the user is matched with the authority of the user after the post is changed.

In some embodiments, a target permission configuration behavior corresponding to a target trigger event may be queried based on a one-to-one correspondence between a preset trigger event and a permission configuration behavior by querying a permission database. In some embodiments, the rights management mechanism of the rights management method includes a Role-Based Access Control (RBAC) mechanism and an Attribute-Based Access Control (ABAC) mechanism. Fig. 5 illustrates a rights management diagram of a role-based access control mechanism according to one embodiment of the present disclosure. In some embodiments, as shown in fig. 5, the basic idea of role-based access control is: various permissions are not directly granted to specific users, but a role set is established between the user set and the permission set, wherein each role corresponds to a group of corresponding permissions (for example, a role permission table is formed); once a user is assigned the appropriate role (e.g., forming a user role table), the user has all of the operational rights for the role. It should also be understood that the basic idea of attribute-based access control is: based on the attributes, various permissions are granted directly to specific users. In some embodiments, taking a role-based access control mechanism as an example, the method may perform, on the authority of the user, a target authority configuration behavior of modifying one or more roles corresponding to the post of the user before the post change to one or more roles corresponding to the post of the user after the post change, modifying one or more authorities included in the role corresponding to the post of the user before the post change to one or more authorities included in the role corresponding to the post of the user after the post change, and the like, and thus, may modify the authority of the user before the post change to the authority of the user after the post change, so that the post of the user after the post change matches the authority of the user. In some embodiments, taking attribute-based access control as an example, one or more permissions corresponding to the post of the user before the post change may be directly modified to one or more permissions corresponding to the post of the user after the post change, so that the post of the user after the post change matches the permissions of the user.

Fig. 6 is a structural diagram of a rights management device according to one embodiment of the present disclosure. As shown in fig. 6, the rights management apparatus includes: a post change information acquisition unit 610, a target trigger event acquisition unit 620 and an authority configuration unit 630.

A post change information obtaining unit 610, configured to obtain post change information of a user, where the post change information of the user includes posts of the user before and after the post change, each post has a specific post responsibility and a post authority, and the post responsibility of each post corresponds to the post authority. A target trigger event obtaining unit 620, configured to obtain a target trigger event triggering modification of the user's permission according to the post change information of the user based on a one-to-one correspondence between preset post change information and a trigger event. And an authority configuration unit 630, configured to execute, on the basis of a one-to-one correspondence between a preset trigger event and an authority configuration behavior, a target authority configuration behavior corresponding to the target trigger event for the authority of the user, so that the post of the user is matched with the authority of the user after the post is changed.

Since the process of automatically configuring the corresponding user right for the user based on the position change assigned to the user is described in detail above, it is not described herein again.

Commercial value of the disclosed embodiments

In the authority management device provided by the embodiment of the disclosure, the target authority configuration behavior corresponding to the target trigger event can be automatically executed to the authority of the user based on the one-to-one correspondence between the preset position change information and the trigger event and the one-to-one correspondence between the preset trigger event and the authority configuration behavior by acquiring the position change information of the user, so that the manual dependency of configuring the authority of the user is reduced, and the labor cost is reduced. In this scenario, the labor cost for configuring the user right is reduced, so that the cost of the computing device is reduced, and the operation cost of the whole data center is reduced. The embodiment of the disclosure reduces the operation cost of the whole data center, thereby having good commercial value and economic value.

As will be appreciated by one skilled in the art, the present disclosure may be embodied as systems, methods and computer program products. Accordingly, the present disclosure may be embodied in the form of entirely hardware, entirely software (including firmware, resident software, micro-code), or in the form of a combination of software and hardware. Furthermore, in some embodiments, the present disclosure may also be embodied in the form of a computer program product in one or more computer-readable media having computer-readable program code embodied therein.

Any combination of one or more computer-readable media may be employed. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium is, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples of the computer-readable storage medium include: an electrical connection for the particular wire or wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical memory, a magnetic memory, or any suitable combination of the foregoing. In this context, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with a processing unit, apparatus, or device.

A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a chopper. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any other suitable combination. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction system, apparatus, or device.

Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., and any suitable combination of the foregoing.

Computer program code for carrying out embodiments of the present disclosure may be written in one or more programming languages or combinations. The programming language includes an object-oriented programming language such as JAVA, C + +, and may also include a conventional procedural programming language such as C. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAn) or a wide area network (WAn), or the connection may be made to an external computer (for example, through the internet using an internet service provider).

The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims

1. A method of rights management, comprising:

and executing the target authority configuration behavior corresponding to the target trigger event for the authority of the user based on the one-to-one corresponding relation between the preset trigger event and the authority configuration behavior, so that the post of the user is matched with the authority of the user after the post is changed.

2. The method of claim 1, wherein a plurality of positions are set in the organization structure of the tenant, the user is assigned to a position in the organization structure of the tenant, and before acquiring the position change information of the user, the method further comprises:

3. The rights management method of claim 2, wherein before acquiring the user's position change information, the rights management method further comprises:

4. The rights management method of claim 1, wherein obtaining the user's position change information comprises:

acquiring personnel change information of the user;

5. The rights management method according to claim 1, wherein the rights management mechanism of the rights management method includes a role-based access control mechanism, and the target rights configuration behavior corresponding to the target trigger event executed on the user's right includes at least one of:

6. The rights management method according to claim 1, wherein the rights management mechanism of the rights management method includes an attribute-based access control mechanism, and configuring a target right configuration behavior corresponding to the target trigger event executed by the right of the user includes:

7. A rights management device comprising:

8. A computing device, comprising:

a memory for storing computer executable code;

a processor for executing the computer executable code to implement the method of any one of claims 1-6.

9. A system on a chip, comprising:

a memory for storing computer executable code;

10. A computer storage medium having computer executable code stored thereon which, when executed by a processor, implements the method of any of claims 1-6 above.