CN114969716A - Authority management method, device, electronic equipment and medium - Google Patents


Info

Publication number: CN114969716A
Application number: CN202210535914.2A
Authority: CN (China)
Prior art keywords: user, access, attribute, maintenance, branch
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 张雯, 丁文定, 徐平, 王金余
Current assignee: Industrial and Commercial Bank of China Ltd ICBC
Original assignee: Industrial and Commercial Bank of China Ltd ICBC
Application filed by Industrial and Commercial Bank of China Ltd ICBC

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/45 Structures or tools for the administration of authentication
        • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals > G06F21/31 User authentication
        • G06F21/60 Protecting data > G06F21/604 Tools and structures for managing or administering access control systems
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
        • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/2111 Location-sensitive, e.g. geographical location, GPS
        • G06F2221/2113 Multi-level security, e.g. mandatory access control
        • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The present disclosure provides a method for managing authority, which relates to the technical field of authority management and can be applied to the technical field of financial science and technology, and the method comprises the following steps: acquiring organization information of an access user, wherein the organization information comprises a branch organization, an operation and maintenance organization and an application development organization; setting the user type and the user role of the access user according to the organization information, wherein the user roles set by different branches are the same; determining an application attribute and a maintenance attribute corresponding to the access user, wherein the application attribute is used for representing an application corresponding to a resource which can be accessed by the access user, and the maintenance attribute is used for representing a maintenance region corresponding to the resource which can be accessed by the access user; and determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance place attribute. The present disclosure also provides a rights management apparatus, an electronic device, a computer-readable storage medium, and a computer program product.

Description

Authority management method, device, electronic equipment and medium
Technical Field
The disclosure relates to the technical field of authority control, can be applied to the field of financial science and technology, and particularly relates to an authority management method, an authority management device, electronic equipment and a medium.
Background
With the rapid development of information technology, modern large-scale enterprises have independent development centers and data centers to research, develop, operate and maintain the scientific and technological assets of the enterprises. For enterprises with large and complex organization levels, branch scientific and technological departments in various places, both inside and outside the sea, are also required to carry out operation and maintenance work locally. The functions and management modes of a development center, a data center and branches in various regions are different, and the system authority management of cross-organization deployment management is challenged. In the conventional technology, authority management generally establishes various roles for each organization respectively, and manages authority through the roles. However, as the organization expands, roles rapidly increase, resulting in a drastic increase in management complexity and use cost.
BRIEF SUMMARY OF THE PRESENT DISCLOSURE
In view of this, an aspect of the present disclosure provides a method for rights management, including: acquiring organization information of an access user, wherein the organization information comprises a branch organization, an operation and maintenance organization and an application development organization; setting the user type and the user role of the access user according to the organization information, wherein the user roles set by different branches are the same; determining an application attribute and a maintenance attribute corresponding to the access user, wherein the application attribute is used for representing an application corresponding to a resource which can be accessed by the access user, and the maintenance attribute is used for representing a maintenance region corresponding to the resource which can be accessed by the access user; and determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance place attribute.
According to an embodiment of the present disclosure, setting the user type and the user role of the access user according to the organization information includes: in response to the organization information indicating a branch organization, setting the user type of the access user of the branch as a branch user and the user role as a branch administrator; in response to the organization information indicating an operation and maintenance organization, setting the user type of the access user of the operation and maintenance organization as a data center user and the user role as an organization administrator; and in response to the organization information indicating an application development organization, setting the user type of the access user of the application development organization as a development center user and the user role as a visitor.
According to the embodiment of the present disclosure, the determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance attribute comprises: responding to the fact that the access user is a development center user or a data center user, and allowing the development center user or the data center user to view resources corresponding to the application attributes according to the application attributes of the development center user or the data center user; and in response to the fact that the access user is a branch user, allowing the branch user to view resources corresponding to the maintenance region contained in the maintenance region attribute according to the maintenance region attribute of the branch user.
According to the embodiment of the present disclosure, the determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance place attribute comprises: responding to the fact that the access user is a branch user, and allowing the branch user to add, delete or modify resources corresponding to a maintenance region contained in the maintenance region attribute of the branch user; responding to the fact that the access user is a development center user, and determining that the development center user does not have the authority of adding, deleting or modifying the access resource; and responding to the fact that the access user is a data center user, and allowing the data center user to add, delete or modify the resources corresponding to the application attributes of the data center user.
According to the embodiment of the present disclosure, the determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance attribute comprises: and determining the authority of the access user to access the menu according to the user role of the access user.
According to the embodiment of the disclosure, the access user with the user role as the visitor does not have the menu authority of the access user with the user role as the organization administrator and the branch administrator.
According to the embodiment of the present disclosure, the determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance attribute comprises: and determining user management authority according to the user role and the user type of the access user.
According to the embodiment of the disclosure, an access user whose user role is organization administrator has the authority to view, modify, add and delete access users whose user type is the same as that of the organization administrator and whose role authority is smaller than or equal to that of the organization administrator; an access user whose user role is branch administrator has the authority to view, modify, add and delete access users whose maintenance region corresponds to that of the branch administrator.
According to an embodiment of the present disclosure, the method further comprises: for each branch organization, determining from among the access users of the branch organization one access user as the branch administrator of that branch; and allocating access operation authority to each access user of the branch organization through the branch administrator, wherein the access operation authority of each access user is smaller than the access operation authority of the branch administrator.
According to an embodiment of the present disclosure, the method further comprises: and in response to the user role of the access user being a system administrator, determining that the system administrator has no access operation permission limitation.
According to an embodiment of the present disclosure, the method further comprises: and under the condition that the corresponding application attribute and the corresponding maintenance attribute of the access user are modified, repeatedly executing the operation of determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance attribute.
According to an embodiment of the present disclosure, before acquiring organization information of an access user, the method further includes: and performing identity authentication on the access user.
Another aspect of the present disclosure provides a rights management apparatus, including: an acquisition module, configured to acquire organization information of an access user, wherein the organization information comprises a branch organization, an operation and maintenance organization and an application development organization; a setting module, configured to set the user type and the user role of the access user according to the organization information, wherein the user roles set by different branch organizations are the same; a first determining module, configured to determine an application attribute and a maintenance-site attribute corresponding to the access user, where the application attribute is used to characterize an application corresponding to a resource that can be accessed by the access user, and the maintenance-site attribute is used to characterize a maintenance region corresponding to that resource; and a second determining module, configured to determine the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance-site attribute.
Another aspect of the present disclosure provides an electronic device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
FIG. 1 schematically illustrates a system architecture 100 for a rights management method and system according to an embodiment of the disclosure;
FIG. 2 schematically illustrates a flow diagram of a rights management method according to an embodiment of the disclosure;
FIG. 3 schematically illustrates a flow chart of a user type and user role determination method according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow chart of a method of obtaining the application attribute and the maintenance-site attribute according to an embodiment of the present disclosure;
FIG. 5 schematically illustrates a flow diagram of a method of resource viewing permission verification, in accordance with an embodiment of the present disclosure;
FIG. 6 schematically illustrates a flow diagram of a method for resource operation privilege verification according to an embodiment of the present disclosure;
FIG. 7 schematically illustrates a flow chart of a method of menu privilege validation according to an embodiment of the present disclosure;
FIG. 8 schematically illustrates a flow chart of a method of user management rights verification according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a flow diagram of a rights management method according to another embodiment of the disclosure;
FIG. 10 schematically illustrates a flow chart of a rights management method according to yet another embodiment of the disclosure;
FIG. 11 schematically illustrates a flow chart of a rights management method according to yet another embodiment of the present disclosure;
FIG. 12 schematically illustrates a flow chart of a rights management method according to yet another embodiment of the present disclosure;
FIG. 13 schematically illustrates a block diagram of a rights management device according to an embodiment of the disclosure;
FIG. 14 schematically illustrates a block diagram of the setup module 1320, according to an embodiment of the present disclosure;
FIG. 15 schematically illustrates a block diagram of the first determination module 1330, according to an embodiment of the present disclosure;
FIG. 16 schematically illustrates a block diagram of the second determining module 1340 according to an embodiment of the present disclosure;
FIG. 17 schematically illustrates a block diagram of the second determining module 1340 according to another embodiment of the present disclosure;
FIG. 18 schematically illustrates a block diagram of the second determining module 1340 according to yet another embodiment of the present disclosure;
FIG. 19 schematically illustrates a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs, unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
Some block diagrams and/or flow diagrams are shown in the figures. It will be understood that some blocks of the block diagrams and/or flowchart illustrations, or combinations thereof, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the instructions, which execute via the processor, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks. The techniques of this disclosure may be implemented in hardware and/or software (including firmware, microcode, etc.). In addition, the techniques of this disclosure may take the form of a computer program product on a computer-readable storage medium having instructions stored thereon for use by or in connection with an instruction execution system.
In the technical scheme of the disclosure, the collection, storage, use, processing, transmission, provision, disclosure, application and other processing of the personal information of the related user are all in accordance with the regulations of related laws and regulations, necessary confidentiality measures are taken, and the customs of the public order is not violated.
In the technical scheme of the disclosure, before the personal information of the user is acquired or collected, the authorization or the consent of the user is acquired.
The method for managing the authority provided by the embodiment of the disclosure specifically includes: and acquiring organization information of the access user, wherein the organization information comprises a branch organization, an operation and maintenance organization and an application development organization. And setting the user type and the user role of the access user according to the organization information, wherein the user roles set by different branches are the same. And acquiring an application attribute and a maintenance attribute corresponding to the access user, wherein the application attribute is used for representing the application corresponding to the resource which can be accessed by the access user, and the maintenance attribute is used for representing the maintenance region corresponding to the resource which can be accessed by the access user. And determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance place attribute.
Fig. 1 schematically illustrates a system architecture 100 for a rights management method and system according to an embodiment of the disclosure. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios.
As shown in FIG. 1, a system architecture 100 according to this embodiment may include a client 101, a network 102, and a server 103. Network 102 is used to provide communication links between clients 101 and servers 103.
The client 101 may include, for example, but is not limited to, a smart phone, a tablet, a desktop PC, a laptop PC, a netbook computer, a workstation, a server, a game console, etc., and the client 101 may be used to access the login identity information of a user and send an access request. Network 102 may include various connection types, such as wired or wireless communication links, or fiber optic cables, to name a few. The wired mode may be, for example, a connection using a cable and any one of the following interfaces: a fiber channel interface, an infrared interface, a D-type data interface, a serial interface, a USB Type-C interface or a Dock interface; the wireless mode may use any one of a plurality of wireless technology standards such as Bluetooth, Wi-Fi, infrared, ZigBee and the like. The server 103 is configured to obtain the access user logged in by the client 101 through the network 102, perform rights management on the access user, and send the resources that the access user can access to the client 101 through the network 102.
It should be noted that the rights management method provided by the embodiment of the present disclosure may be executed by the server 103. Accordingly, the rights management device provided by the embodiment of the present disclosure may be disposed in the server 103. Alternatively, the rights management method provided by the embodiment of the present disclosure may also be executed by a server or a server cluster different from the server 103 and capable of communicating with the client 101 and/or the server 103. Accordingly, the rights management device provided by the embodiment of the disclosure may also be disposed in a server or a server cluster different from the server 103 and capable of communicating with the client 101 and/or the server 103. Alternatively, the rights management method provided by the embodiment of the present disclosure may also be partially executed by the server 103 and partially executed by the client 101. Accordingly, the rights management device provided by the embodiment of the disclosure may also be partially disposed in the server 103 and partially disposed in the client 101.
It should be understood that the number of clients, networks, and servers in FIG. 1 is merely illustrative. There may be any number of clients, networks, and servers, as desired for an implementation.
The authority management method provided by the embodiment of the disclosure can be applied to the field of financial science and technology. For example, a bank generally includes a head office, each region also includes a branch office, which has an independent development center and a data center to perform research and development and operation and maintenance work of bank scientific and technical assets, and needs scientific and technical departments of the branch office to perform operation and maintenance work locally, and the functions and management modes of the development center, the data center and each branch office are different, which needs to relate to authority management across institutions. In the prior art, various roles are generally required to be established for each branch, the authority is managed through the roles, the roles are rapidly increased along with the continuous expansion of the branches, and the management complexity and the use cost are rapidly increased. By adopting the authority management method provided by the embodiment of the disclosure, the technical problem can be at least partially solved.
It should be understood that the rights management method provided by the embodiments of the present disclosure is not limited to be applied to the field of financial technology, and the above description is only exemplary, and the rights management method of the embodiments of the present disclosure may be applied to the technical fields related to cross-organization rights management, such as the field of electronic commerce, the field of logistics, and the field of communication.
In order to solve the problems of high maintenance cost and high complexity of rights management in the cross-organization scenario in the prior art, the embodiment of the disclosure provides a method for performing rights management according to combined attributes. Users of the development center and the data center have their authority managed at application granularity, and users of branch organizations have their authority managed at site granularity. On the basis of the role attribute, a user is additionally given a department type and a maintenance-site attribute; on the resource side, a maintenance site and an affiliated-application attribute are added. A development center or data center user obtains an accessible application list from the application information system and determines the access operation authority by matching it against the application attribute of a resource; a branch user determines the access operation authority by matching against the maintenance-site attribute of a resource. Through a simple combination of these three attributes, authority can be decided at various granularities at low cost, and the scheme can be extended as the number of organization types grows. This is described in detail below.
Fig. 2 schematically shows a flow chart of a rights management method according to an embodiment of the present disclosure.
As shown in fig. 2, the rights management method may include operations S201 to S204, for example.
In operation S201, organization information of an access user is acquired, the organization information including branch organizations, operation and maintenance organizations, and application development organizations.
In operation S202, a user type and a user role of an access user are set according to organization information, wherein the user roles set by different branches are the same.
In operation S203, an application attribute and a maintenance attribute corresponding to the access user are obtained, where the application attribute is used to characterize an application corresponding to a resource that the access user can access, and the maintenance attribute is used to characterize a maintenance region corresponding to the resource that the access user can access.
In operation S204, an access operation authority of the access user is determined according to the user type, the user role, the application attribute, and the maintenance attribute.
In the embodiment of the present disclosure, the data on which the authority management is performed needs to include organization information, application information, maintenance information, and the like.
The organization information may include, for example, an organization type and an organization ID. The organization types can comprise operation and maintenance organizations, application development organizations and branch organizations, wherein the operation and maintenance organizations are mainly responsible for the operation and maintenance work of the enterprise, the application development organizations are mainly responsible for the development of the enterprise's application services, and the branch organizations are mainly responsible for carrying out the various businesses of the enterprise and assisting the operation and maintenance organizations with operation and maintenance work. Because different types of organizations do different work, the rights granted to different types of organizations also differ. The organization ID is the identifier of each organization.
The application information may include, for example, an application ID, an application english name, an application full name, an application development department ID, an application developer ID, an application maintenance department ID, an operation and maintenance person ID, and the like. According to the information, the corresponding application attributes of different access users can be granted, and the application corresponding to the resource which can be accessed by the access user is represented by the application attributes.
The maintenance place information may include, for example, the names of the regions for which an organization is permitted to perform maintenance access; the same organization may include multiple maintenance sites. According to the maintenance place information, a corresponding maintenance place attribute can be granted to different access users, and the maintenance regions to which the resources accessible by the access user belong are represented by the maintenance place attribute.
In the embodiment of the present disclosure, the acquired application information, maintenance place information and organization information, together with the user type, user role and the like determined according to the organization information, may be stored in the form of tables. Table 1 is an application information table for storing application information, Table 2 is a user table for storing the correspondence between user types, user roles, organization IDs and other information, and Table 3 is an organization location relationship table for storing the correspondence between branch organization IDs and maintenance locations. For example, the following may be used:
TABLE 1 (application information table; reproduced only as an image in the original)
TABLE 2
User ID | User name | User role | User type | Organization ID
260000221 | Li Sanhao | Organization manager | Branch | 0017700000
TABLE 3
Organization ID | Maintenance site
0017700000 | Anhui
0017700000 | Nanjing
Based on the information of the user type, the user role, the application attribute, the maintenance attribute and the like, the authority management of the access user can be realized.
According to the authority management method provided by the embodiment of the disclosure, the roles are combined with the user types and the access resource attributes (application attributes and maintenance attributes), so that the access users of different organizations can have their access authority determined according to different resource attributes. In addition, because the access resource attribute is introduced into the authority management, different branches can be given the same role. Compared with the prior art, in which a new role must be added whenever an organization is added, a large number of roles need not be created when the number of organizations grows, which solves the technical problem that roles multiply rapidly and management complexity and usage cost rise rapidly as the managed organizations expand.
The rights management method provided in fig. 2 in the embodiment of the present disclosure is further described below with reference to the accompanying drawings based on the obtained information.
Fig. 3 schematically shows a flow chart of a user type and user role determination method according to an embodiment of the present disclosure.
As shown in fig. 3, the user type and user role determination method may include operations S301 to S304, for example.
In operation S301, the organization type in the organization information corresponding to the access user is acquired.
In operation S302, in response to the organization information being a branch, a user type of an access user of the branch is set as a branch user, and a user role is set as a branch administrator.
In operation S303, in response to that the organization information is an operation and maintenance organization, the user type of the access user of the operation and maintenance organization is set as a data center user, and the user role is set as an organization administrator.
In operation S304, in response to the organization information being an application development organization, the user type of the access user of the application development organization is set as a development center user, and the user role is set as a visitor.
According to the embodiment of the disclosure, based on the organization information, a corresponding user type and a user role can be set for the access user included in each organization information, so as to be used for subsequent authority management.
Fig. 4 schematically shows a flowchart of an application attribute and maintenance attribute acquisition method according to an embodiment of the present disclosure.
As shown in fig. 4, the process of acquiring the application attribute and the maintenance attribute may also be referred to as authorizing the access user, and the authorization process may include, for example, operations S401 to S406.
In operation S401, it is determined whether the current visiting user is a branch office user.
The user table can be searched by user ID for a corresponding user. If a corresponding user exists, the current accessing user is a branch user and operation S402 is performed; if no corresponding user exists, the current accessing user is not a branch user and operation S403 is performed.
In operation S402, the maintenance place attribute, i.e. the maintainable regions granted to the user, is looked up in the organization location relationship table according to the organization ID corresponding to the current access user.
The maintenance place attribute indicates that the access user can access the resource corresponding to the maintenance region.
In operation S403, it is determined whether the current visiting user is a data center user.
The column of the application information table "operation and maintenance personnel ID" may be searched for by the user ID, if there is a matching record, it indicates that the current accessing user is a data center user, operation S404 is performed, and if there is no matching record, it indicates that the current accessing user is not a data center user, operation S405 is performed.
In operation S404, an application attribute is granted to the user according to the application matched by the user ID in the application information table.
The application attribute indicates that the access user can have access operation authority on the matched application.
In operation S405, it is determined whether the current visiting user is a development center user.
The column of the application information table "application developer ID" may be searched for by the user ID, and if there is a matching record indicating that the current visiting user is a development center user, operation S404 is performed, and if there is no matching record indicating that the current visiting user is not a development center user, operation S406 is performed.
In operation S406, the access user is set to have no access operation authority.
Therefore, by combining the information tables, authorization can be carried out orderly and accurately for a large number of visiting users, which in turn ensures the subsequent authentication management.
It should be understood that the sequence of operations S401 to S406 is exemplary and not intended to limit the disclosure; it only needs to ensure that the user type of the current accessing user is determined.
According to the embodiment of the present disclosure, the process of determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance attribute may also be referred to as an authority verification process in the actual access process of the user, and the authority verification may include, for example, resource viewing authority verification, resource operation authority verification, menu authority verification and user management authority verification. The following is a detailed description of specific embodiments.
FIG. 5 schematically shows a flowchart of a method of resource viewing permission verification according to an embodiment of the present disclosure.
As shown in fig. 5, the resource viewing right verification method may include, for example, operations S501 to S503.
In operation S501, a user type of a current visiting user is determined.
The user types comprise development center users, data center users and branch office users.
In operation S502, in response to the access user being a development center user or a data center user, the development center user or data center user is allowed to view the resource corresponding to the application contained in their application attribute.
For a development center user or a data center user, the accessed resource can be viewed only when the application to which the currently accessed resource belongs is contained in the application attribute of that user.
In operation S503, in response to the accessing user being a branch office user, the branch office user is allowed to view the resource corresponding to the maintenance area included in the maintenance location attribute according to the maintenance location attribute of the branch office user.
For a branch office user, the branch office user can view the accessed resource only when the resource currently accessed by the branch office user is contained in the maintenance region attribute of the branch office user.
FIG. 6 schematically shows a flowchart of a method for resource operation privilege verification according to an embodiment of the present disclosure.
As shown in fig. 6, the resource operation authority verification method may include, for example, operations S601 to S604.
In operation S601, a user type of a current visiting user is determined.
The user types comprise development center users, data center users and branch office users.
In operation S602, in response to the access user being a development center user, it is determined that the development center user has no right to add, delete, or modify the access resource.
For a development center user, the user does not have the right to add, delete or modify the access resources.
In operation S603, in response to the access user being a data center user, the data center user is allowed to add, delete, or modify the resource corresponding to the application attribute of the data center user.
For a data center user, the data center user can add, delete or modify the access resource only when the resource currently accessed by the data center user contains an application contained in the application attribute of the data center user.
In operation S604, in response to the access user being a branch user, the branch user is allowed to add, delete or modify the resource corresponding to the maintenance region included in the maintenance location attribute of the branch user.
For a branch office user, the branch office user can add, delete or modify the accessed resource only if the resource currently accessed by the branch office user is contained in the maintenance region attribute of the branch office user.
FIG. 7 schematically shows a flowchart of a method of menu privilege validation according to an embodiment of the present disclosure.
As shown in fig. 7, the menu authority verification method may include, for example, operation S701.
In operation S701, a right to access a menu is determined according to a user role of an access user.
An access user whose user role is organization administrator or branch administrator does not have the system management menu permission, and an access user whose user role is visitor does not have the menu permissions that organization administrators or branch administrators can access.
FIG. 8 schematically illustrates a flow chart of a method of user management rights verification according to an embodiment of the present disclosure.
As shown in fig. 8, the user management authority verification method may include, for example, operation S801.
In operation S801, a user management authority is determined according to a user role and a user type of an access user.
For an access user whose user role is organization administrator, the organization administrator can only view users whose user type is the same as the current user's and whose role authority is less than or equal to that of the current user, and can only modify, add and delete users whose user type is the same as the current user's and whose role authority is less than that of the current user.
For an access user whose user role is branch administrator, the branch administrator can modify, add and delete users whose maintenance regions are included in the maintenance region attribute of the current user; that is, the maintenance region of any user modified, added or deleted by the branch administrator must be included in the maintenance regions contained in the current user's maintenance region attribute.
According to the embodiment of the disclosure, the access of the menu is controlled by using the user role, the authority management of resource viewing and operation is performed by using the access resource attribute, the user management is performed by using the user role and the user type, and the authority management can be flexibly and finely performed according to different authority management bases.
Fig. 9 schematically shows a flow chart of a rights management method according to another embodiment of the disclosure.
As shown in fig. 9, the rights management method may include operations S901 to S903, for example.
In operation S901, for each branch, a visiting user is determined from the branch as a branch administrator for the branch.
In operation S902, an access operation authority is assigned to each access user of the branch by the branch administrator.
In the embodiment of the disclosure, although branch levels and management organizations differ across the enterprise, for each organization at the same branch level one member is selected as branch administrator and stored in the user table, and that administrator subsequently assigns authority to the remaining personnel of the organization. The access operation authority of each access user is less than or equal to that of the branch administrator.
According to the embodiment of the disclosure, by setting the branch administrator for each branch, the authority of the branch is managed by the branch administrator, so that the expansibility of authority management is high and the maintenance cost is low.
Fig. 10 schematically shows a flowchart of a rights management method according to yet another embodiment of the present disclosure.
As shown in fig. 10, the rights management method may include operations S1001 to S1002, for example.
In operation S1001, it is determined whether the application attribute and the maintenance attribute corresponding to the access user are modified.
In case the corresponding application attribute and the maintenance attribute of the access user are modified, operation S1002 is performed.
In operation S1002, the operation of determining the access operation authority of the access user according to the user type, the user role, the application attribute, and the maintenance attribute is performed again.
In the embodiment of the disclosure, when the user adjusts the authority attributes of the applications, such as the application to which the resource belongs, the maintenance region, and the like, the authorization verification operation is performed twice or more before and after the modification, so that all the adjustments of the resource are ensured to be within the authority range of the user.
Fig. 11 schematically shows a flowchart of a rights management method according to yet another embodiment of the present disclosure.
As shown in fig. 11, the rights management method may include, for example, operation S1101.
In operation S1101, in response to the user role of the access user being a system administrator, it is determined that the system administrator has no access operation authority limit.
In the embodiment of the present disclosure, unlimited permissions are granted to users whose user roles are system administrators, that is, users whose user roles are system administrators have no limitation on menu permissions, resource viewing permissions, and resource operation permissions. The user type of the system administrator can be defaulted to be a data center user, and the corresponding user information can be stored in a user table, namely the user table actually stores the information of users of a branch office administrator and the system administrator.
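As an added worked example (not code from the patent), the following Python models the authorization lookup of operations S401 to S406 over the three tables, the four verification flows of Figs. 5 to 8, the Fig. 9 rule that delegated authority never exceeds the branch administrator's own, the Fig. 10 re-check before and after a resource attribute change, and the unrestricted system administrator of Fig. 11. The table rows, user and application identifiers, and the numeric ranking of role authority are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample tables modelled on Tables 1-3 of the disclosure; every
# identifier below is illustrative and not taken from the patent.
APP_INFO = [  # Table 1: application ID, developer ID, operation and maintenance person ID
    {"app_id": "APP001", "developer_id": "U100", "om_id": "U200"},
    {"app_id": "APP002", "developer_id": "U101", "om_id": "U200"},
    {"app_id": "APP003", "developer_id": "U102", "om_id": "U201"},
]
USER_TABLE = [  # Table 2: branch administrators and the system administrator
    {"user_id": "U300", "role": "branch_admin", "user_type": "branch", "org_id": "ORG17"},
    {"user_id": "U999", "role": "system_admin", "user_type": "data_center", "org_id": "ORG00"},
]
ORG_LOCATION = [  # Table 3: branch organization ID -> maintenance site
    {"org_id": "ORG17", "site": "Anhui"},
    {"org_id": "ORG17", "site": "Nanjing"},
]
# Assumed ordering of "role authority" used by the user-management check (Fig. 8).
ROLE_RANK = {"none": 0, "visitor": 1, "branch_user": 1, "branch_admin": 2,
             "org_admin": 2, "system_admin": 3}

@dataclass(frozen=True)
class Subject:
    user_id: str
    user_type: str                  # branch / data_center / dev_center / none
    role: str                       # branch_admin / org_admin / visitor / system_admin / none
    apps: frozenset = frozenset()   # application attribute: applications the user may touch
    sites: frozenset = frozenset()  # maintenance attribute: regions the user may touch

@dataclass(frozen=True)
class Resource:
    app_id: str   # application the resource belongs to
    site: str     # maintenance region the resource belongs to

def authorize(user_id):
    """Operations S401-S406: derive user type, role and both attributes from the tables."""
    # S401/S402: a user recorded in the user table is a branch administrator (or the
    # system administrator, whose record is also kept there); sites come from Table 3.
    for row in USER_TABLE:
        if row["user_id"] == user_id:
            if row["role"] == "system_admin":
                return Subject(user_id, row["user_type"], "system_admin")
            sites = frozenset(r["site"] for r in ORG_LOCATION if r["org_id"] == row["org_id"])
            return Subject(user_id, "branch", "branch_admin", sites=sites)
    # S403/S404: listed as operation and maintenance person -> data center user
    om_apps = frozenset(a["app_id"] for a in APP_INFO if a["om_id"] == user_id)
    if om_apps:
        return Subject(user_id, "data_center", "org_admin", apps=om_apps)
    # S405/S404: listed as application developer -> development center user
    dev_apps = frozenset(a["app_id"] for a in APP_INFO if a["developer_id"] == user_id)
    if dev_apps:
        return Subject(user_id, "dev_center", "visitor", apps=dev_apps)
    # S406: not found anywhere -> no access operation authority at all
    return Subject(user_id, "none", "none")

def can_view(s, res):
    """Fig. 5: centre users match the application attribute, branch users the maintenance attribute."""
    if s.role == "system_admin":          # Fig. 11: unrestricted
        return True
    if s.user_type in ("dev_center", "data_center"):
        return res.app_id in s.apps
    if s.user_type == "branch":
        return res.site in s.sites
    return False

def can_modify(s, res):
    """Fig. 6: development centre users never add/delete/modify; others match as for viewing."""
    if s.user_type == "dev_center":
        return False
    return can_view(s, res)

def has_system_menu(s):
    """Fig. 7: menu access follows the role; only the system administrator gets the system menu."""
    return s.role == "system_admin"

def can_manage_user(s, target, action):
    """Fig. 8 plus the Fig. 9 bound; action is 'view' or 'edit' (modify/add/delete)."""
    if s.role == "org_admin":
        # same user type only; view up to equal rank, edit strictly lower rank
        if target.user_type != s.user_type:
            return False
        mine, theirs = ROLE_RANK.get(s.role, 0), ROLE_RANK.get(target.role, 0)
        return theirs <= mine if action == "view" else theirs < mine
    if s.role == "branch_admin":
        # the managed user's maintenance regions must lie inside the administrator's own
        return bool(target.sites) and target.sites <= s.sites
    return False

def move_resource(s, res, new_app, new_site):
    """Fig. 10: the subject must hold modify authority both before and after the change."""
    after = Resource(new_app, new_site)
    return can_modify(s, res) and can_modify(s, after)
```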
Fig. 12 schematically shows a flowchart of a rights management method according to yet another embodiment of the present disclosure.
As shown in fig. 12, the rights management method may include, for example, operation S1201, operation S201 to operation S204.
In operation S1201, an identity authentication is performed on an access user.
Generally, all personnel of an enterprise have a pass account, and identity authentication of an access user can be performed through a unified authentication system based on that pass account. When a system accesses resources, it first redirects to the authentication system for authentication; if authentication passes, the authentication system returns information such as the user ID, user name and organization ID of the access user, as shown in Table 4:
TABLE 4
User ID | User name | Organization ID
260000220 | Zhang San | 0018200000
And continuing subsequent authority management on the user passing the authentication, otherwise directly confirming that no authority exists.
For example, in some special cases an enterprise system may be subject to external attack, i.e., non-enterprise personnel may masquerade as enterprise personnel to perform resource access operations in order to obtain the information they want. If the identity authentication step is omitted, the authority management method shown in fig. 2 can still recognize, through the authorization or verification operations, that the user has no authority to access the corresponding resource, but this consumes redundant resources to a certain extent. With the identity authentication step added, the authentication system can identify at the initial stage that the identity of the non-enterprise personnel is problematic, directly determine that they have no access authority, and skip the subsequent authorization or verification operations, which saves authority management resources to a certain extent.
Therefore, based on the identity authentication mode, the access of non-enterprise personnel can be limited to the initial stage of the authority management, so that the condition that the access of the non-enterprise personnel needs to be subjected to subsequent authority management operation is avoided, and the authority management resources are saved.
In summary, the method for managing permissions provided by the embodiment of the present disclosure combines the role with the user type and the access resource attribute, so that the access users of different organizations can have their access permissions determined according to different resource attributes, and permissions can be managed flexibly and finely. In addition, because the access resource attribute is introduced into the authority management, different branch organizations can be given the same role, and a large number of roles need not be created when the number of organizations grows, thereby reducing management complexity and usage cost. Furthermore, the user role is used to control menu access, the access resource attribute is used for the authority management of resource viewing and operation, and the user role and the user type are used for user management, so that authority management can be carried out flexibly and finely according to the different bases of authority management. In addition, the authority of each branch organization is managed by its branch administrator, so that authority management is highly extensible and maintenance cost is low; meanwhile, attribute management can be added when the organization types are extended without affecting the original management and control flow, so the scheme has the advantage of low invasiveness.
Fig. 13 schematically shows a block diagram of a rights management device according to an embodiment of the disclosure.
As shown in fig. 13, the rights management device 1300 may include an acquisition module 1310, a setting module 1320, a first determination module 1330, and a second determination module 1340.
The obtaining module 1310 is configured to obtain organization information of the access user, where the organization information includes a branch organization, an operation and maintenance organization, and an application development organization.
A setting module 1320, configured to set a user type and a user role of the access user according to the organization information, where the user roles set by different branches are the same.
The first determining module 1330 is configured to determine an application attribute and a maintenance attribute corresponding to the access user, where the application attribute is used to characterize an application corresponding to a resource that can be accessed by the access user, and the maintenance attribute is used to characterize a maintenance region corresponding to the resource that can be accessed by the access user.
The second determining module 1340 is configured to determine the access operation authority of the access user according to the user type, the user role, the application attribute, and the maintenance attribute.
FIG. 14 schematically illustrates a block diagram of the setup module 1320 according to an embodiment of the disclosure.
As shown in fig. 14, the setting module 1320 may include, for example, a first obtaining unit 1321, a first setting unit 1322, a second setting unit 1323, and a third setting unit 1324.
A first obtaining unit 1321, configured to obtain the organization type in the organization information corresponding to the access user.
A first setting unit 1322 is configured to set a user type of an access user of the branch as a branch user and a user role as a branch administrator in response to the institution information being a branch.
And a second setting unit 1323, configured to set, in response to the organization information being an operation and maintenance organization, the user type of the access user of the operation and maintenance organization as a data center user, and the user role as an organization administrator.
And a third setting unit 1324, configured to set, in response to the organization information being an application development organization, a user type of an access user of the application development organization as a development center user and a user role as a visitor.
Fig. 15 schematically illustrates a block diagram of the first determination module 1330 according to an embodiment of the present disclosure.
As shown in fig. 15, the first determining module 1330 may include, for example, a first determining unit 1331, a first granting unit 1332, a second determining unit 1333, a second granting unit 1334, a third determining unit 1335 and a fourth setting unit 1336.
A first determination unit 1331 is used to determine whether the current visiting user is a branch office user.
A first granting unit 1332, configured to, when the current access user is a branch office user, look up in the organization location relationship table the maintenance place attribute, i.e. the maintainable regions granted to the user, according to the organization ID corresponding to the current access user.
A second determining unit 1333, configured to determine whether the current visiting user is a data center user in a case that the current visiting user is not a branch office user.
And a second granting unit 1334, configured to grant the application attribute to the user according to the application matched by the user ID in the application information table, if the current access user is the data center user or the development center user.
A third determining unit 1335, configured to determine whether the current access user is a development center user.
A fourth setting unit 1336, configured to set the access user as having no access operation authority in the case where the current access user is neither a branch office user, nor a data center user, nor a development center user.
FIG. 16 schematically illustrates a block diagram of the second determining module 1340 according to an embodiment of the present disclosure.
As shown in fig. 16, the second determining module 1340 may include, for example, a fourth determining unit 1341, a first responding unit 1342, and a second responding unit 1343.
A fourth determining unit 1341, configured to determine a user type of the current accessing user.
The first responding unit 1342 is configured to, in response to the access user being a development center user or a data center user, allow the development center user or data center user to view the resource corresponding to the application contained in their application attribute.
A second responding unit 1343, configured to, in response to the access user being a branch user, allow the branch user to view the resource corresponding to the maintenance area included in the maintenance location attribute of the branch user.
FIG. 17 schematically illustrates a block diagram of the second determining module 1340 according to another embodiment of the present disclosure.
As shown in fig. 17, the second determining module 1340 may include, for example, a fourth determining unit 1341, a third responding unit 1344, a fourth responding unit 1345, and a fifth responding unit 1346.
A fourth determining unit 1341, configured to determine a user type of the current accessing user.
And a third responding unit 1344, configured to determine that the development center user has no right to add, delete, or modify the access resource in response to the access user being the development center user.
A fourth responding unit 1345, configured to allow the data center user to add, delete, or modify the resource corresponding to the application attribute of the data center user in response to the access user being the data center user.
A fifth responding unit 1346, configured to, in response to that the access user is a branch user, allow the branch user to add, delete, or modify a resource corresponding to the maintenance area included in the maintenance location attribute of the branch user.
FIG. 18 schematically illustrates a block diagram of the second determining module 1340 according to yet another embodiment of the present disclosure.
As shown in fig. 18, the second determining module 1340 may further include a fifth determining unit 1347 and a sixth determining unit 1348, for example.
A fifth determining unit 1347, configured to determine the authority of the accessing user to access the menu according to the user role of the accessing user.
A sixth determining unit 1348, configured to determine the user management authority according to the user role and the user type of the accessing user.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be implemented at least partly as a computer program module, which when executed, may perform a corresponding function.
For example, any number of the obtaining module 1310, the setting module 1320, the first determining module 1330, and the second determining module 1340 may be combined and implemented in one module/unit/sub-unit, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the disclosure, at least one of the obtaining module 1310, the setting module 1320, the first determining module 1330, and the second determining module 1340 may be implemented at least partially as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in any suitable combination of any of them. Alternatively, at least one of the obtaining module 1310, the setting module 1320, the first determining module 1330 and the second determining module 1340 may be at least partially implemented as a computer program module that, when executed, may perform a corresponding function.
It should be noted that the rights management apparatus portion in the embodiment of the present disclosure corresponds to the rights management method portion in the embodiment of the present disclosure, and the specific implementation details and the technical effects thereof are also the same, and are not described herein again.
Fig. 19 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 19 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 19, an electronic device 1900 according to an embodiment of the present disclosure includes a processor 1901, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 1902 or a program loaded from a storage section 1908 into a Random Access Memory (RAM) 1903. The processor 1901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 1901 may also include onboard memory for caching purposes. The processor 1901 may include a single processing unit or multiple processing units for performing different actions of a method flow according to an embodiment of the disclosure.
In the RAM 1903, various programs and data necessary for the operation of the electronic device 1900 are stored. The processor 1901, ROM 1902, and RAM 1903 are connected to each other via a bus 1904. The processor 1901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1902 and/or RAM 1903. Note that the programs may also be stored in one or more memories other than the ROM 1902 and the RAM 1903. The processor 1901 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, electronic device 1900 may also include an input/output (I/O) interface 1905, input/output (I/O) interface 1905 also being connected to bus 1904. Electronic device 1900 may also include one or more of the following components connected to I/O interface 1905: an input section 1906 including a keyboard, a mouse, and the like; an output section 1907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 1908 including a hard disk and the like; and a communication section 1909 including a network interface card such as a LAN card, a modem, or the like. The communication section 1909 performs communication processing via a network such as the internet. Drivers 1910 are also connected to I/O interface 1905 as needed. A removable medium 1911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1910 as necessary, so that a computer program read out therefrom is mounted in the storage section 1908 as necessary.
According to embodiments of the present disclosure, method flows according to embodiments of the present disclosure may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such embodiments, the computer program may be downloaded and installed from a network via communications portion 1909 and/or installed from removable media 1911. The computer program, when executed by the processor 1901, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer readable storage medium may be a non-volatile computer readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1902 and/or the RAM 1903 described above and/or one or more memories other than the ROM 1902 and the RAM 1903.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that various combinations and/or combinations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or combinations are not expressly recited in the present disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.

Claims (16)

1. A rights management method, comprising:
acquiring organization information of an access user, wherein the organization information comprises a branch organization, an operation and maintenance organization and an application development organization;
setting the user type and the user role of the access user according to the organization information, wherein the user roles set by different branch organizations are the same;
determining an application attribute and a maintenance region attribute corresponding to the access user, wherein the application attribute represents the application corresponding to the resources that the access user is allowed to access, and the maintenance region attribute represents the maintenance region corresponding to the resources that the access user is allowed to access;
and determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance region attribute.
2. The rights management method of claim 1, wherein setting the user type and the user role of the access user according to the organization information comprises:
in response to the organization information being a branch organization, setting the user type of the access user of the branch organization as branch user and the user role as branch administrator;
in response to the organization information being an operation and maintenance organization, setting the user type of the access user of the operation and maintenance organization as data center user and the user role as organization administrator;
and in response to the organization information being an application development organization, setting the user type of the access user of the application development organization as development center user and the user role as guest.
3. The rights management method of claim 2, wherein determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance region attribute comprises:
in response to the access user being a development center user or a data center user, allowing the development center user or the data center user to view the resources corresponding to the applications contained in its application attribute;
and in response to the access user being a branch user, allowing the branch user to view the resources corresponding to the maintenance regions contained in its maintenance region attribute.
4. The rights management method of claim 2, wherein determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance region attribute comprises:
in response to the access user being a branch user, allowing the branch user to add, delete or modify the resources corresponding to the maintenance regions contained in its maintenance region attribute;
in response to the access user being a development center user, determining that the development center user has no authority to add, delete or modify the accessed resources;
and in response to the access user being a data center user, allowing the data center user to add, delete or modify the resources corresponding to the applications contained in its application attribute.
5. The rights management method of claim 2, wherein determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance region attribute comprises:
determining the authority of the access user to access menus according to the user role of the access user.
6. The rights management method of claim 5, wherein an access user whose user role is guest does not have the menu authority held by access users whose user role is organization administrator or branch administrator.
7. The rights management method of claim 2, wherein determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance region attribute comprises:
determining user management authority according to the user role and the user type of the access user.
8. The rights management method of claim 7, wherein an access user whose user role is organization administrator has the authority to modify, add and delete access users whose user type is the same as that of the organization administrator and whose role authority is lower than that of the organization administrator;
the access user whose user role is organization administrator has the authority to view access users whose user type is the same as that of the organization administrator and whose role authority is lower than or equal to that of the organization administrator;
and an access user whose user role is branch administrator has the authority to view, modify, add and delete the access users belonging to the maintenance region corresponding to the branch administrator.
9. The rights management method of claim 2, further comprising:
for each branch organization, determining one access user of the branch organization as the branch administrator of that branch organization;
and allocating access operation authority to each access user of the branch organization through the branch administrator, wherein the access operation authority of each access user is less than or equal to the access operation authority of the branch administrator.
10. The rights management method of claim 1, further comprising:
in response to the user role of the access user being system administrator, determining that the system administrator is subject to no access operation authority restriction.
11. The rights management method of claim 1, further comprising:
in the case that the application attribute or the maintenance region attribute corresponding to the access user is modified, repeating the operation of determining the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance region attribute.
12. The rights management method of claim 1, further comprising, before acquiring the organization information of the access user:
performing identity authentication on the access user.
13. A rights management apparatus, comprising:
an acquisition module, configured to acquire organization information of an access user, wherein the organization information comprises a branch organization, an operation and maintenance organization and an application development organization;
a setting module, configured to set the user type and the user role of the access user according to the organization information, wherein the user roles set by different branch organizations are the same;
a first determining module, configured to determine an application attribute and a maintenance region attribute corresponding to the access user, wherein the application attribute represents the application corresponding to the resources that the access user is allowed to access, and the maintenance region attribute represents the maintenance region corresponding to the resources that the access user is allowed to access;
and a second determining module, configured to determine the access operation authority of the access user according to the user type, the user role, the application attribute and the maintenance region attribute.
14. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-12.
15. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 12.
16. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 12.
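The decision rules of claims 1 to 10 can be read as one policy function over the four inputs of claim 1 (user type, user role, application attribute, maintenance region attribute). The Python below is an added example written for this page, not code from the patent or from ICBC; the enum names, the numeric ranking of roles that stands in for claim 8's "role authority", the User and Resource shapes, and the delegation helper for claim 9 are all assumptions. Every branch the claims do not name falls through to deny.

```python
"""Policy decision functions for the user type / role / attribute model of
claims 1 to 10. Added example for this page; not the patent's own code.
Enum names, ROLE_RANK and the User/Resource shapes are assumptions."""
from dataclasses import dataclass
from enum import Enum


class Org(Enum):
    BRANCH = "branch organization"
    OPS = "operation and maintenance organization"
    DEV = "application development organization"


class UserType(Enum):
    BRANCH_USER = "branch user"
    DATA_CENTER_USER = "data center user"
    DEV_CENTER_USER = "development center user"


class Role(Enum):
    GUEST = "guest"
    BRANCH_ADMIN = "branch administrator"
    ORG_ADMIN = "organization administrator"
    SYSTEM_ADMIN = "system administrator"


# Assumed ordering behind claim 8's "role authority is lower than" comparisons.
ROLE_RANK = {Role.GUEST: 0, Role.BRANCH_ADMIN: 1, Role.ORG_ADMIN: 2, Role.SYSTEM_ADMIN: 3}

# Claim 2: organization information fixes the user type and the initial role.
ORG_DEFAULTS = {
    Org.BRANCH: (UserType.BRANCH_USER, Role.BRANCH_ADMIN),
    Org.OPS: (UserType.DATA_CENTER_USER, Role.ORG_ADMIN),
    Org.DEV: (UserType.DEV_CENTER_USER, Role.GUEST),
}


@dataclass(frozen=True)
class Resource:
    name: str
    application: str   # matched against the application attribute
    region: str        # matched against the maintenance region attribute


@dataclass(frozen=True)
class User:
    name: str
    user_type: UserType
    role: Role
    applications: frozenset = frozenset()   # application attribute
    regions: frozenset = frozenset()        # maintenance region attribute


def user_from_org(name, org, applications=(), regions=()):
    """Claim 2: derive user type and role from the organization information."""
    user_type, role = ORG_DEFAULTS[org]
    return User(name, user_type, role, frozenset(applications), frozenset(regions))


def can_view(user, res):
    """Claims 3 and 10: viewing is scoped by application or by maintenance region."""
    if user.role is Role.SYSTEM_ADMIN:
        return True
    if user.user_type in (UserType.DEV_CENTER_USER, UserType.DATA_CENTER_USER):
        return res.application in user.applications
    if user.user_type is UserType.BRANCH_USER:
        return res.region in user.regions
    return False   # default deny for anything the claims do not name


def can_modify(user, res):
    """Claims 4 and 10: add, delete or modify. Development center users never can."""
    if user.role is Role.SYSTEM_ADMIN:
        return True
    if user.user_type is UserType.DEV_CENTER_USER:
        return False
    if user.user_type is UserType.BRANCH_USER:
        return res.region in user.regions
    if user.user_type is UserType.DATA_CENTER_USER:
        return res.application in user.applications
    return False


def can_manage_user(actor, target, action):
    """Claims 8 and 10. action is "view" or "modify" (the claim groups add,
    delete and modify together)."""
    if actor.role is Role.SYSTEM_ADMIN:
        return True
    if actor.role is Role.ORG_ADMIN:
        if target.user_type is not actor.user_type:
            return False
        rt, ra = ROLE_RANK[target.role], ROLE_RANK[actor.role]
        return rt <= ra if action == "view" else rt < ra
    if actor.role is Role.BRANCH_ADMIN:
        # Only users inside the administrator's own maintenance region(s), and
        # never one who outranks the administrator (claim 9's "less than or equal").
        return (target.user_type is UserType.BRANCH_USER
                and bool(target.regions) and target.regions <= actor.regions
                and ROLE_RANK[target.role] <= ROLE_RANK[actor.role])
    return False


def can_delegate(admin, regions):
    """Claim 9: a branch administrator may grant only region scope it holds itself."""
    return admin.role is Role.BRANCH_ADMIN and frozenset(regions) <= admin.regions


def delegate_regions(admin, target, regions):
    """Claim 9: return target with its maintenance region attribute set, or raise."""
    if not can_delegate(admin, regions):
        raise PermissionError("grant exceeds the branch administrator's own scope")
    return User(target.name, target.user_type, target.role,
                target.applications, frozenset(regions))
```

Because each function reads the user's attributes at call time, the re-determination required by claim 11 happens on the next request after an application or maintenance region attribute changes; if decisions are cached (in a session token, for instance), that cache has to be invalidated when the attributes are modified. The system administrator role bypasses every check, so in a deployment it deserves the strongest form of the identity authentication claim 12 places in front of the method, and its actions should be logged separately.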

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210535914.2A CN114969716A (en) 2022-05-17 2022-05-17 Authority management method, device, electronic equipment and medium

Publications (1)

Publication Number Publication Date
CN114969716A true CN114969716A (en) 2022-08-30

Family

ID=82983554

Country Status (1)

Country Link
CN (1) CN114969716A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination