CN106878325B - A kind of method and device of determining access privilege - Google Patents
Publication number: CN106878325B (application CN201710165821.4A)
Authority: CN (China)
Prior art keywords: resource, value, role, target, user
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The invention discloses a method and device for determining a user's access privilege. The method comprises: in response to a request by a target user to access a target resource, determining the target role assigned to the target user in advance, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be visited in a resource set, and each resource item to be visited is configured with a resource permission value that implicitly encodes the current access permission of every user role to that resource item; and analysing the resource permission value corresponding to the target resource to determine the current access permission of the target role to the target resource. The invention can determine a user's access permission to system resources while reducing the storage space needed for rights-management data.
Description
Technical field
The present invention relates to the field of rights management techniques, and more particularly to a method and device for determining a user's access privilege.
Background technique
Rights management generally refers to the security rules or security policies configured in a system, under which a user can access only the resources he or she has been authorised to access. Rights management occurs in almost every system, especially systems that require users to log in with credentials.
For a system resource configured with access permissions, different users have different access permissions. For example, the list items in one list are not necessarily allowed the same access permission: some list items may be accessible to all users, while others may be accessible only to one or more specific users. For such multi-user, multi-permission cases, the prior art usually needs to store each user's access permission to each system resource item separately. The rights-management data that has to be stored in advance is therefore large and occupies a great deal of storage space, especially when there are many users and resource items.
Summary of the invention
The main purpose of the embodiments of the invention is to provide a method and device for determining a user's access privilege that can determine a user's access permission to system resources while reducing the storage space of rights-management data.
An embodiment of the invention provides a method of determining a user's access privilege, comprising:
in response to a request by a target user to access a target resource, determining the target role assigned to the target user in advance, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be visited in a resource set, the resource item to be visited is configured with a resource permission value, and the resource permission value implicitly encodes the current access permission of each user role to the resource item to be visited;
analysing the resource permission value corresponding to the target resource to determine the current access permission of the target role to the target resource.
Optionally, the current access permission is either an allow-access permission or a forbid-access permission, and the method further includes:
assigning different permission values to the allow-access permission and the forbid-access permission;
assigning a different role attribute value to each user role in the role set according to the same pattern;
generating the resource permission value of the resource item to be visited from the permission value of each user role's current access permission to that item and the role attribute values.
Optionally, generating the resource permission value of the resource item to be visited from the permission value of each user role's current access permission to that item and the role attribute values comprises:
calculating the resource permission value of the resource item to be visited, where the resource permission value is the sum of the role values of all user roles, each role value is the product of a first number and a second number, the first number is the permission value of the user role's current access permission to the resource item to be visited, and the second number is the role attribute value of that user role.
Optionally, analysing the resource permission value corresponding to the target resource to determine the current access permission of the target role to the target resource comprises:
analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determining the current access permission of the target role to the target resource.
Optionally, the permission value of the forbid-access permission is 0, the permission value of the allow-access permission is 1, and the role attribute value of a user role is 2 to the power n, where n is the unique role code of that user role; analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determining the current access permission of the target role to the target resource, then comprises:
obtaining a first binary value corresponding to the role attribute value of the target role;
obtaining a second binary value corresponding to the resource permission value of the target resource;
performing a bitwise AND of the corresponding bits of the first binary value and the second binary value to obtain a third binary value;
if the third binary value is not zero (not all of its bits are zero), determining that the target role has the allow-access permission to the target resource;
if all bits of the third binary value are zero, determining that the target role has the forbid-access permission to the target resource.
An embodiment of the invention also provides a device for determining a user's access privilege, comprising:
a target role determination unit, configured to determine, in response to a request by a target user to access a target resource, the target role assigned to the target user in advance, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be visited in a resource set, the resource item to be visited is configured with a resource permission value, and the resource permission value implicitly encodes the current access permission of each user role to the resource item to be visited;
an access permission determination unit, configured to analyse the resource permission value corresponding to the target resource and determine the current access permission of the target role to the target resource.
Optionally, the current access permission is either an allow-access permission or a forbid-access permission, and the device further includes:
an access permission value assignment unit, configured to assign different permission values to the allow-access permission and the forbid-access permission;
a role attribute value assignment unit, configured to assign a different role attribute value to each user role in the role set according to the same pattern;
a resource permission value generation unit, configured to generate the resource permission value of the resource item to be visited from the permission value of each user role's current access permission to that item and the role attribute values.
Optionally, the resource permission value generation unit is specifically configured to calculate the resource permission value of the resource item to be visited, where the resource permission value is the sum of the role values of all user roles, each role value is the product of a first number and a second number, the first number is the permission value of the user role's current access permission to the resource item to be visited, and the second number is the role attribute value of that user role.
Optionally, the access permission determination unit is specifically configured to analyse the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and to determine the current access permission of the target role to the target resource.
Optionally, the permission value of the forbid-access permission is 0, the permission value of the allow-access permission is 1, and the role attribute value of a user role is 2 to the power n, where n is the unique role code of that user role; the access permission determination unit then includes:
a binary value acquisition subunit, configured to obtain a first binary value corresponding to the role attribute value of the target role and a second binary value corresponding to the resource permission value of the target resource;
a bitwise AND subunit, configured to perform a bitwise AND of the corresponding bits of the first binary value and the second binary value to obtain a third binary value;
an access permission determination subunit, configured to determine that the target role has the allow-access permission to the target resource if the third binary value is not zero (not all of its bits are zero), and that the target role has the forbid-access permission to the target resource if all bits of the third binary value are zero.
In the method and device for determining a user's access privilege provided by embodiments of the invention, when a target user triggers a request to access a target resource, the target role assigned to the target user in advance is determined, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be visited in a resource set, each resource item to be visited in the resource set is configured with its own resource permission value, and each resource permission value implicitly encodes the current access permission of every user role to the corresponding resource item. The resource permission value corresponding to the target resource is then analysed to determine the current access permission of the target role to the target resource. Since each resource item to be visited has a single resource permission value, and that value is one number, the storage space it occupies is small. Further, because each resource permission value implicitly encodes every user role's current access permission to the corresponding resource item, analysing the resource permission value of the resource item accessed by the target user is enough to determine the target user's access permission to that item.
Detailed description of the invention
To explain the technical solutions of the embodiments of the invention or of the prior art more clearly, the drawings needed in the description of the embodiments or the prior art are briefly introduced below. Clearly, the drawings in the following description are only some embodiments of the invention; those of ordinary skill in the art can also obtain other drawings from these drawings without creative effort.
Fig. 1 is a flow diagram of the method of determining a user's access privilege provided by an embodiment of the invention;
Fig. 2 is a flow diagram of the method of generating resource permission values provided by an embodiment of the invention;
Fig. 3 is a flow diagram of the method of determining the current user's access permission provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of the composition of the device for determining a user's access privilege provided by an embodiment of the invention.
Specific embodiment
To make the objectives, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some, not all, of the embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art based on the embodiments of the invention without creative work fall within the scope of protection of the invention.
The method and device for determining a user's access privilege provided by embodiments of the invention can preset multiple user roles, divide the system resources into multiple resource items to be visited, and preset each user role's access permission to each resource item to be visited. To save the storage space of access-permission management data, a single resource permission value can be used to implicitly encode every user role's current access permission to a given resource item to be visited, so that each resource item corresponds to one resource permission value. When a user accesses one of the resource items to be visited, analysing the resource permission value of that item determines the user's access permission to it.
The embodiments of the invention are described in detail below.
Referring to Fig. 1, which is a flow diagram of a method of determining a user's access privilege provided by an embodiment of the invention, the method includes S101-S102:
S101: in response to a request by a target user to access a target resource, determine the target role assigned to the target user in advance, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be visited in a resource set, the resource item to be visited is configured with a resource permission value, and the resource permission value implicitly encodes the current access permission of each user role to the resource item to be visited.
For ease of description, this embodiment calls the current user performing the resource access the target user, and calls each resource item to be visited that the target user requests access to the target resource.
In this embodiment, multiple user roles can be preset; these user roles form the role set. A user role can correspond to one or more users, i.e. each user can hold the identity of one or more user roles. For example, in a group created in a chat application such as QQ, the group administrator is a user role, and there may be one or more users with administrator identity. As another example, user roles in an engineering project can be divided according to employees' job responsibilities, e.g. the roles "assembly" and "maintenance"; there may be one or more employees (i.e. users) with the "assembly" identity and one or more with the "maintenance" role.
In this embodiment, all the system resources can also be divided to obtain multiple resource items to be visited, which form the resource set. For example, in the engineering project above, the system resources can be divided into different resource items to be visited such as "assembly" data and "maintenance" data; the "assembly" data and "maintenance" data can be divided further, with each sub-item taken as a resource item to be visited. This embodiment does not limit how the resource set is stored or displayed: it can be a table or another form, and when the resource set is a display list, one or more list items in that list can serve as a resource item to be visited.
In this embodiment, each resource item to be visited in the resource set may be accessed by users with different role attribute values. The embodiment is illustrated below with reference to Table 1, taking as an example a role set with 16 user roles and a resource set with 15 resource items to be visited.
Table 1
In one embodiment of the invention, the resource permission value of each resource item to be visited in the resource set can be generated as follows. Referring to the flow diagram of the method of generating resource permission values shown in Fig. 2, it specifically includes steps S201-S203:
S201: assign different permission values to the allow-access permission and the forbid-access permission.
In this embodiment, each user role's current access permission to a resource item to be visited is either an allow-access permission or a forbid-access permission. For example, the allow-access permission may allow browsing, modification and similar operations on the resource item to be visited; correspondingly, the forbid-access permission forbids browsing, modification and similar operations on it.
The permission values of these two access permissions can be set as follows: the permission value of the forbid-access permission can be 0, and the permission value of the allow-access permission can be 1 (or another non-zero value such as 0.1).
For ease of understanding, refer to Table 1: down the left side are 15 resource items to be visited coded 1, 2, ..., 14, 15 in turn, and across the top are 16 user roles coded 15, 14, ..., 1, 0 in turn. When the permission value of the forbid-access permission is 0 and that of the allow-access permission is 1, all user roles have allow-access permission to resource item 1; for resource item 2, user role 15 and user roles 5-0, 7 user roles in total, have allow-access permission, and the other user roles have forbid-access permission. The access permission relationships between the other resource items to be visited and the user roles are not described one by one here; see Table 1.
S202: assign a different role attribute value to each user role in the role set according to the same pattern.
In this embodiment, every user role in the role set has its own role attribute value. Specifically, each user role can be given a unique code in advance, for example by numbering the user roles in ascending or descending order, and the role attribute value of each user role is set to 2 to the power n (i.e. $2^n$), where n is the unique role code of that user role.
Referring to Table 2, the 16 user roles of Table 1 are coded 0, 1, ..., 14, 15 in turn; the role attribute value of user role 0 is $2^0 = 1$, that of user role 1 is $2^1 = 2$, that of user role 2 is $2^2 = 4$, and so on. The role attribute values of the other user roles are not described one by one here; see Table 2.
Table 2
| User role | Role attribute value |
|---|---|
| User role 0 | 1 |
| User role 1 | 2 |
| User role 2 | 4 |
| User role 3 | 8 |
| User role 4 | 16 |
| User role 5 | 32 |
| User role 6 | 64 |
| User role 7 | 128 |
| User role 8 | 256 |
| User role 9 | 512 |
| User role 10 | 1024 |
| User role 11 | 2048 |
| User role 12 | 4096 |
| User role 13 | 8192 |
| User role 14 | 16384 |
| User role 15 | 32768 |
S203: generate the resource permission value of the resource item to be visited from the permission value of each user role's current access permission to that item and the role attribute values.
In one embodiment of the invention, step S203 can specifically include: calculating the resource permission value of the resource item to be visited, where the resource permission value is the sum of the role values of all user roles, each role value is the product of a first number and a second number, the first number is the permission value of the user role's current access permission to the resource item to be visited, and the second number is the role attribute value of that user role.
For ease of understanding this embodiment, refer to the right side of Table 1: resource item 1, resource item 2, ..., resource item 15 each have a resource permission value, and the resource permission value of any resource item to be visited satisfies the following formula:

$$zyq_i = \sum_{j=0}^{15} Q_{ij} \cdot J_j$$

where $zyq_i$ is the resource permission value of the resource item to be visited with code i, i = 1, 2, ..., 15; $Q_{ij}$ is the permission value of the current access permission of the user role with code j to the resource item with code i, taking the value 0 or 1; and $J_j$ is the role attribute value of the user role with code j, equal to $2^j$.
For example, for resource item 2 in Table 1 the resource permission value is:

$$zyq_2 = 2^{15} + 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 = 32831$$
It should be noted that the codes of the user roles in the role set can be 0, 1, ..., 15, or 0, 2, 4, ..., as long as the coding scheme follows a definite rule.
Further, in one embodiment of the invention, the method can also include: creating in advance a correspondence between the login information of the target user and the target role. In this embodiment, a login information entry can be set for each user, and each user's corresponding user roles are specified. A user's login information usually includes the user's username and password, and when the user holds one or more user roles, a correspondence can be established between the user's login information and those user roles.
Based on this correspondence, "determining the target role assigned to the target user in advance" in step S101 can specifically include: determining the target role held by the target user according to the correspondence between the target user's login information and the target role. For example, if the target user corresponds to user role 15 in Table 1, then when the target user logs in to the system with its login information, it can be determined that the user has been assigned user role 15.
S102: analyse the resource permission value corresponding to the target resource to determine the current access permission of the target role to the target resource.
Through the generation rule of the resource permission values described above, the resource permission value of each resource item to be visited implicitly encodes every user role's current access permission to that item. Therefore, when a user (the target user) holding a certain user role (the target role) accesses a certain resource item to be visited (the target resource), the user's current access permission to that item can be determined from the generation rule of the resource permission value of that item.
Specifically, in one embodiment of the invention, step S102 may include: analysing the resource permission value corresponding to the target resource according to the assignment pattern of the permission values and the role attribute values, and determining the current access permission of the target role to the target resource.
More specifically, when the permission value of the forbid-access permission is 0, the permission value of the allow-access permission is 1, and the role attribute value of each user role in the role set is 2 to the power n (n being the unique role code of the user role), the flow of the method of determining the current user's access privilege shown in Fig. 3 applies, and step S102 can specifically include S301-S306:
S301: obtain the first binary value corresponding to the role attribute value of the target role.
Referring to Table 1, assume the target role assigned to the target user is user role 15; the role attribute value of user role 15 is 32768 (i.e. $2^{15}$), and the binary value corresponding to this value is 1000000000000000.
S302: obtain the second binary value corresponding to the resource permission value of the target resource.
Referring to Table 1, assume the target resource is resource item 1; the resource permission value of resource item 1 is 65535, and the binary value corresponding to this value is 1111111111111111.
S303: perform a bitwise AND of the corresponding bits of the first binary value and the second binary value to obtain the third binary value.
Bit 0 of 1000000000000000 is ANDed with bit 0 of 1111111111111111, bit 1 of 1000000000000000 is ANDed with bit 1 of 1111111111111111, and so on up to bit 15 of each value; the resulting binary value is 1000000000000000.
S304: judge whether all bits of the third binary value are zero; if so, execute S306, otherwise execute S305.
S305: determine that the target role has the allow-access permission to the target resource.
S306: determine that the target role has the forbid-access permission to the target resource.
Continuing the example above, the third binary value obtained by the AND operation is 1000000000000000, which is not zero, so the target user holding user role 15 has access permission to resource item 1.
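The following Python block is an added example, not code from the patent text, implementing the scheme of steps S201-S203 (generating a resource permission value as the sum of permission value times role attribute value) and of steps S301-S306 (ANDing a role's attribute value with the stored resource value), together with the login-information-to-role mapping described after S203. Role codes 0..15 and the allowed roles for resource items 1 and 2 follow Tables 1 and 2 as described on the page; resource item 3, the usernames, the function names and the rule that a user holding several roles is allowed when any of them is allowed are assumptions made for the example.

```python
# Added example of the role-bitmask scheme (not from the patent). Role codes
# and the allow sets for resources 1 and 2 follow the page's Tables 1 and 2;
# resource 3, the usernames and the multi-role rule are constructed assumptions.

ROLE_COUNT = 16          # the page's example uses 16 user roles, coded 0..15
ALLOW, FORBID = 1, 0     # permission values chosen in S201


def role_attribute_value(role_code: int) -> int:
    """S202: the role attribute value of role n is 2**n (a single set bit)."""
    if not 0 <= role_code < ROLE_COUNT:
        raise ValueError(f"role code {role_code} outside 0..{ROLE_COUNT - 1}")
    return 1 << role_code


def resource_permission_value(allowed_roles) -> int:
    """S203: zyq_i = sum over roles j of Q_ij * J_j, with Q_ij in {0, 1}
    and J_j = 2**j. A sum of distinct powers of two is simply a bitmask."""
    allowed = set(allowed_roles)
    value = 0
    for j in range(ROLE_COUNT):
        q = ALLOW if j in allowed else FORBID
        value += q * role_attribute_value(j)
    return value


def has_access(role_code: int, resource_value: int) -> bool:
    """S301-S306: AND the role's attribute value with the resource value bit
    by bit; a non-zero result means allow, all-zero means forbid. A stored
    value with bits outside the role range is rejected as malformed."""
    if not 0 <= resource_value < (1 << ROLE_COUNT):
        raise ValueError("resource permission value has bits outside the role range")
    return (role_attribute_value(role_code) & resource_value) != 0


def decode_allowed_roles(resource_value: int) -> set:
    """Inverse of S203: recover which roles a stored value allows. Handy when
    auditing a permission file; not one of the patent's steps."""
    return {j for j in range(ROLE_COUNT) if has_access(j, resource_value)}


def binary_view(value: int) -> str:
    """16-bit string in the style of the page's 1000000000000000 examples."""
    return format(value, f"0{ROLE_COUNT}b")


# Constructed permission table in the shape of Table 1: resource id -> roles
# with allow permission. Resource 1 (all roles) and resource 2 (role 15 and
# roles 5..0) follow the page; resource 3 is a made-up entry.
RESOURCE_ALLOWED_ROLES = {
    1: set(range(ROLE_COUNT)),
    2: {15, 5, 4, 3, 2, 1, 0},
    3: {15, 14},
}
RESOURCE_PERMISSION_VALUES = {
    rid: resource_permission_value(roles)
    for rid, roles in RESOURCE_ALLOWED_ROLES.items()
}

# Constructed login-information -> roles mapping (the correspondence used in
# S101): a user may hold one or more roles. Usernames are made up.
USER_ROLES = {"alice": {15}, "bob": {7, 14}, "carol": {3}}


def user_can_access(username: str, resource_id: int) -> bool:
    """Assumption: a user holding several roles is allowed if any of them is."""
    resource_value = RESOURCE_PERMISSION_VALUES[resource_id]
    return any(has_access(r, resource_value) for r in USER_ROLES.get(username, ()))


if __name__ == "__main__":
    for rid, value in RESOURCE_PERMISSION_VALUES.items():
        print(f"resource {rid}: value {value:5d} = {binary_view(value)} "
              f"allowed roles {sorted(decode_allowed_roles(value))}")
    for user in USER_ROLES:
        print(user, {rid: user_can_access(user, rid) for rid in RESOURCE_PERMISSION_VALUES})
```

Because the stored value is one integer per resource item, the range check in `has_access` is the place to reject a corrupted or tampered permission file before it is consulted; with 16 roles the value fits in 16 bits, and a larger role set simply needs a wider integer, one bit per role.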
It further, in the present embodiment, can be by the mark of each resource items to be visited and corresponding access authorization for resource value
The storage for carrying out correspondence, since access authorization for resource is worth, occupied memory space is smaller, its correspondence can be stored in this
In ground file, in this way, when it needs to be determined that active user access authority when, can be determined by accessing the local file current
User not only saves the memory space of permissions data to the access authority of accessed resource, can also by be locally stored come
Save Internet resources.It is of course also possible to which the mark of each resource items to be visited is carried out correspondence with corresponding access authorization for resource value
Be stored in server database, specific storage mode the present embodiment is with no restrictions.
In addition, it is contemplated that the safety of storing data, it can be by the mark of each resource items to be visited and corresponding resource
Authority credentials is stored in encryption file, for example, being stored in the binary file of encryption, file designation can be resource to be visited
The mark title .dat of item.When users log on, rights management software with this binary file of automatic identification and can read file
In information, so as to step shown in subsequent execution Fig. 1.
It should be noted that this embodiment can update user roles as required, can re-partition the resource items to be accessed as required, and can update the access permission relationship between the two; when a user accesses a system resource, the steps shown in Fig. 1 are performed on the updated content.
In summary, in the method for determining user access permission provided by the embodiment of the present invention, each resource item to be accessed has one resource permission value. Because the resource permission value is a single number, it occupies little storage space. Furthermore, because each resource permission value encodes the current access permission of every user role to the corresponding resource item, the access permission of a target user to a resource item can be determined by analyzing the resource permission value of the resource item being accessed.
To make the embodiment of the present invention easier to understand, an example follows.
The method for determining user access permission provided by the embodiment of the present invention is applied to the maintenance-management software of a set of complex equipment.
Assume the equipment is divided into N components, each component has M parts, and the maintenance records of each part from assembly onward are all kept in an electronic record; the data related to each of the N × M parts is treated as one resource item to be accessed. Assume further that user roles are divided into 16 kinds. A software administrator can set each user role's access permission to the data of each part, that is, allow or forbid access; for example, out of concern that information might be modified by mistake, a user role can be restricted to accessing only the information relevant to its actual duties.
Table 3
Referring to Table 3, analysis of the resource permission value of each resource item to be accessed shows:
the data of components 1, 2 and 15 is accessible to all user roles; the data of component 3 is accessible to user role 1; the data of component 4 is accessible to user role 2; the data of component 5 is accessible to user role 7; the data of component 6 is accessible to user role 8; the data of component 7 is accessible to user role 9; the data of components 8 and 9 is accessible to user role 10; the data of components 10 to 14 is accessible to user role 11.
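An added example (not the patent's own code) that serves two passages above: it reconstructs the resource permission values implied by the Table 3 description, since the table itself is not reproduced on this page, and it stores the identifier-to-value mapping in a binary .dat file and reads it back at login, as the storage paragraphs suggest. Assumptions: roles are coded 0..15 and the role numbers in the description are used directly as n; each listed component is treated as one resource item; the key is a constructed placeholder that would be held server-side. The patent says only that the file is encrypted; this example attaches an HMAC-SHA256 tag instead, because encryption hides the values but does not by itself detect a user editing the local file, and it is that detection which stops a flipped permission bit from being honoured.

```python
# Added example, not the patent's own code. Reconstructs Table 3 from the text's
# description (assumption: role numbers are used directly as codes n in 0..15)
# and persists the mapping as a binary .dat file with an HMAC integrity tag.
import hashlib
import hmac
import os
import struct
import tempfile
from typing import Dict, Iterable

ROLE_COUNT = 16
ALL_ROLES = range(ROLE_COUNT)


def value_for(roles: Iterable[int]) -> int:
    """Resource permission value: sum of 2**n over the allowed role codes."""
    return sum(1 << n for n in set(roles))


# Component number -> role codes allowed, exactly as the Table 3 description reads.
TABLE3_POLICY: Dict[int, Iterable[int]] = {
    1: ALL_ROLES, 2: ALL_ROLES, 15: ALL_ROLES,
    3: [1], 4: [2], 5: [7], 6: [8], 7: [9],
    8: [10], 9: [10],
    10: [11], 11: [11], 12: [11], 13: [11], 14: [11],
}


def build_table3() -> Dict[int, int]:
    return {comp: value_for(roles) for comp, roles in TABLE3_POLICY.items()}


def has_access(role_code: int, table: Dict[int, int], resource_id: int) -> bool:
    """Bitwise AND decision of claim 1 against a loaded table."""
    return ((1 << role_code) & table[resource_id]) != 0


# Binary layout: repeated (resource id uint16, permission value uint16), big-endian,
# followed by a 32-byte HMAC-SHA256 over all the records.
RECORD = struct.Struct(">HH")
TAG_LEN = hashlib.sha256().digest_size
DEMO_KEY = b"constructed-demo-key-hold-this-server-side"  # placeholder, not a real secret


def serialize(table: Dict[int, int], key: bytes = DEMO_KEY) -> bytes:
    body = b"".join(RECORD.pack(rid, val) for rid, val in sorted(table.items()))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def deserialize(blob: bytes, key: bytes = DEMO_KEY) -> Dict[int, int]:
    """Verify the tag before trusting a single record; reject on any mismatch."""
    if len(blob) < TAG_LEN:
        raise ValueError("permission file too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("permission file failed integrity check")
    if len(body) % RECORD.size:
        raise ValueError("truncated record")
    return {rid: val for rid, val in RECORD.iter_unpack(body)}


def roundtrip_via_file(table: Dict[int, int]) -> Dict[int, int]:
    """Write a .dat file to a temporary directory and read it back, as the
    software would at login."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "equipment_permissions.dat")
        with open(path, "wb") as f:
            f.write(serialize(table))
        with open(path, "rb") as f:
            return deserialize(f.read())


def tamper_is_detected(blob: bytes) -> bool:
    """Flip one bit of the first record's value (component 1, role 1) the way a
    local user editing the file could, and confirm the load is rejected."""
    edited = bytearray(blob)
    edited[3] ^= 0x02
    try:
        deserialize(bytes(edited))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    table = build_table3()
    for comp, val in sorted(table.items()):
        print(f"component {comp:2d}: {val:016b}")
    blob = serialize(table)
    print("roundtrip ok:", roundtrip_via_file(table) == table)
    print("tamper detected:", tamper_is_detected(blob))
```

Whatever the file format, a permission table read from the client's own disk is data the client controls; the tag only makes tampering visible, and the server must still make the final decision on its own copy.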
Referring to Fig. 4, which is a schematic diagram of the composition of a device for determining user access permission provided by an embodiment of the present invention, the device 400 includes:
a target role determination unit 401, configured to determine, in response to a request by a target user to access a target resource, the target role pre-assigned to the target user, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be accessed in a resource set, each resource item to be accessed is configured with one resource permission value, and the resource permission value encodes the current access permission of each user role to that resource item;
an access permission determination unit 402, configured to analyze the resource permission value corresponding to the target resource and determine the current access permission of the target role to the target resource.
In an embodiment of the invention, the current access permission is either an allowed access permission or a forbidden access permission; the device 400 may further include:
a permission value assignment unit, configured to assign different permission values to the allowed access permission and the forbidden access permission respectively;
a role attribute value assignment unit, configured to assign a different role attribute value to each user role in the role set according to the same pattern;
a resource permission value generation unit, configured to generate, for a resource item to be accessed, the resource permission value used by the target role determination unit 401, from the permission value of each user role's current access permission to that resource item and the role attribute values.
In an embodiment of the invention, the resource permission value generation unit may specifically be configured to calculate the resource permission value corresponding to the resource item to be accessed, where the resource permission value is the sum of the role values of all user roles, each role value is the product of a first value and a second value, the first value is the permission value of the user role's current access permission to the resource item, and the second value is the role attribute value of that user role.
In an embodiment of the invention, the access permission determination unit 402 may specifically be configured to analyze the resource permission value of the target resource according to the way the permission values and the role attribute values were assigned, and to determine the current access permission of the target role to the target resource.
In an embodiment of the invention, the permission value corresponding to the forbidden access permission is 0 and the permission value corresponding to the allowed access permission is 1; the role attribute value of a user role is 2 to the power n, where n is the unique character code of that user role.
The access permission determination unit 402 may include:
a binary value acquisition sub-unit, configured to obtain the first binary value corresponding to the role attribute value of the target role, and the second binary value corresponding to the resource permission value of the target resource;
a bitwise AND sub-unit, configured to perform a bitwise AND of the corresponding bits of the first binary value and the second binary value to obtain a third binary value;
an access permission determination sub-unit, configured to determine that the target role has the allowed access permission to the target resource if the bits of the third binary value are not all zero, and to determine that the target role has the forbidden access permission to the target resource if all bits of the third binary value are zero.
The device 400 includes a processor and a memory. The target role determination unit 401, the access permission determination unit 402 and so on are stored in the memory as program units, and the processor executes the program units stored in the memory to realize the corresponding functions.
The processor includes a kernel, which fetches the corresponding program unit from the memory. One or more kernels can be provided; by adjusting kernel parameters, a user's access permission to a system resource is determined while the storage space of the permission-management data is reduced.
The memory may include non-volatile memory in a computer-readable medium, random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM); the memory includes at least one storage chip.
Compared with the prior art, in the device for determining user access permission provided by the embodiment of the present invention, each resource item to be accessed has one resource permission value; because the resource permission value is a single number, it occupies little storage space. Furthermore, because each resource permission value encodes the current access permission of every user role to the corresponding resource item, the access permission of a target user to a resource item can be determined by analyzing the resource permission value of the resource item being accessed.
The present invention also provides a computer program product which, when executed on a data processing device, is adapted to execute program code that initializes the following method steps:
in response to a request by a target user to access a target resource, determining the target role pre-assigned to the target user, where the target role is one of the user roles in a role set, the target resource is one of the resource items to be accessed in a resource set, each resource item to be accessed is configured with one resource permission value, and the resource permission value encodes the current access permission of each user role to that resource item;
analyzing the resource permission value corresponding to the target resource, and determining the current access permission of the target role to the target resource.
From the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps of the methods in the above embodiments can be implemented by software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disk, and including several instructions that cause a computer device (which may be a personal computer, a server, or a network communication device such as a media gateway) to execute the method described in the embodiments of the present invention or in certain parts of them.
It should be noted that the embodiments in this specification are described progressively; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Because the device disclosed in the embodiments corresponds to the method disclosed in the embodiments, its description is relatively brief; for details, refer to the description of the method.
It should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant of them are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further restriction, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
The above description of the disclosed embodiments enables those skilled in the art to implement or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the present invention. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (4)
1. A method for determining user access permission, comprising:
in response to a request by a target user to access a target resource, determining the target role pre-assigned to the target user, wherein the target role is one of the user roles in a role set, the target resource is one of the resource items to be accessed in a resource set, each resource item to be accessed is configured with one resource permission value, and the resource permission value encodes the current access permission of each user role to that resource item; the resource permission value is the sum of the role values corresponding to the user roles, each role value is the product of a first value and a second value, the first value is the permission value of the user role's current access permission to the resource item, the second value is the role attribute value corresponding to the user role, and the role attribute value corresponding to a user role is 2 to the power n, where n is the unique character code corresponding to that user role; the current access permission is an allowed access permission or a forbidden access permission, the permission value corresponding to the forbidden access permission is 0, and the permission value corresponding to the allowed access permission is 1;
obtaining a first binary value corresponding to the role attribute value of the target role;
obtaining a second binary value corresponding to the resource permission value of the target resource;
performing a bitwise AND of the corresponding bits of the first binary value and the second binary value to obtain a third binary value;
if the bits of the third binary value are not all zero, determining that the target role has the allowed access permission to the target resource;
if all bits of the third binary value are zero, determining that the target role has the forbidden access permission to the target resource.
2. The method according to claim 1, wherein each user role in the role set is assigned a different role attribute value according to the same pattern.
3. A device for determining user access permission, comprising:
a target role determination unit, configured to determine, in response to a request by a target user to access a target resource, the target role pre-assigned to the target user, wherein the target role is one of the user roles in a role set, the target resource is one of the resource items to be accessed in a resource set, each resource item to be accessed is configured with one resource permission value, and the resource permission value encodes the current access permission of each user role to that resource item; the resource permission value is the sum of the role values corresponding to the user roles, each role value is the product of a first value and a second value, the first value is the permission value of the user role's current access permission to the resource item, the second value is the role attribute value corresponding to the user role, and the role attribute value corresponding to a user role is 2 to the power n, where n is the unique character code corresponding to that user role; the current access permission is an allowed access permission or a forbidden access permission, the permission value corresponding to the forbidden access permission is 0, and the permission value corresponding to the allowed access permission is 1;
an access permission determination unit, configured to analyze the resource permission value corresponding to the target resource and determine the current access permission of the target role to the target resource;
the access permission determination unit comprising:
a binary value acquisition sub-unit, configured to obtain the first binary value corresponding to the role attribute value of the target role, and the second binary value corresponding to the resource permission value of the target resource;
a bitwise AND sub-unit, configured to perform a bitwise AND of the corresponding bits of the first binary value and the second binary value to obtain a third binary value;
an access permission determination sub-unit, configured to determine that the target role has the allowed access permission to the target resource if the bits of the third binary value are not all zero, and to determine that the target role has the forbidden access permission to the target resource if all bits of the third binary value are zero.
4. The device according to claim 3, wherein each user role in the role set is assigned a different role attribute value according to the same pattern.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710165821.4A CN106878325B (en) | 2017-03-20 | 2017-03-20 | A kind of method and device of determining access privilege |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106878325A CN106878325A (en) | 2017-06-20 |
| CN106878325B true CN106878325B (en) | 2019-08-06 |
Family
ID=59171588
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201710165821.4A Active CN106878325B (en) | 2017-03-20 | 2017-03-20 | A kind of method and device of determining access privilege |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN106878325B (en) |
Families Citing this family (11)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108256314A (en) * | 2018-01-11 | 2018-07-06 | 深圳市沃特沃德股份有限公司 | Right management method and device |
| CN108664811A (en) * | 2018-05-11 | 2018-10-16 | 北京汉能光伏投资有限公司 | A kind of right management method and device |
| US11895120B2 (en) * | 2018-05-31 | 2024-02-06 | Vivek Kapoor | Multiparty binary access controls |
| CN109733444B (en) * | 2018-09-19 | 2020-05-19 | 比亚迪股份有限公司 | Database system and train monitoring and management equipment |
| CN109598117A (en) * | 2018-10-24 | 2019-04-09 | 平安科技(深圳)有限公司 | Right management method, device, electronic equipment and storage medium |
| CN109347866A (en) * | 2018-11-26 | 2019-02-15 | 珠海格力电器股份有限公司 | Login method, device, system and computer readable storage medium |
| CN109815735A (en) * | 2019-01-23 | 2019-05-28 | 浙江安点科技有限责任公司 | To the management-control method and system of different user access same asset file permission |
| CN110290112B (en) * | 2019-05-30 | 2022-08-12 | 平安科技(深圳)有限公司 | Authority control method and device, computer equipment and storage medium |
| CN114091044A (en) * | 2020-09-17 | 2022-02-25 | 北京沃东天骏信息技术有限公司 | System authority management method and device |
| CN115994345B (en) * | 2022-11-30 | 2025-09-19 | 山东通汇资本投资集团有限公司 | Dynamic authority management method and system based on authority limit under micro-service architecture |
| CN116628112A (en) * | 2023-06-16 | 2023-08-22 | 中国银行股份有限公司 | Data processing method, device and equipment |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102231693A (en) * | 2010-04-22 | 2011-11-02 | 北京握奇数据系统有限公司 | Method and apparatus for managing access authority |
| CN102595211A (en) * | 2012-02-28 | 2012-07-18 | 华为技术有限公司 | Method and system for presenting network television programs based on social network |
| CN103179126A (en) * | 2013-03-26 | 2013-06-26 | 山东中创软件商用中间件股份有限公司 | Access control method and device |
| CN103701801A (en) * | 2013-12-26 | 2014-04-02 | 四川九洲电器集团有限责任公司 | Resource access control method |
| CN106295265A (en) * | 2015-05-22 | 2017-01-04 | 阿里巴巴集团控股有限公司 | A kind of method and device of user authority management |
Also Published As
| Publication number | Publication date |
|---|---|
| CN106878325A (en) | 2017-06-20 |
Similar Documents
| Publication | Title |
|---|---|
| CN106878325B (en) | A kind of method and device of determining access privilege |
| US7299171B2 (en) | Method and system for processing grammar-based legality expressions |
| US9459849B2 (en) | Adaptive cloud aware just-in-time (JIT) compilation |
| US9032076B2 (en) | Role-based access control system, method and computer program product |
| CN112532632B (en) | Resource allocation method and device for multi-level cloud platform and computer equipment |
| US6678682B1 (en) | Method, system, and software for enterprise access management control |
| CN110197079B (en) | Secure regions in knowledge graph |
| EP3805962B1 (en) | Project-based permission system |
| CN113711216A (en) | Policy-based triggering of revisions of access control information |
| CN103593602A (en) | User authorization management method and system |
| EP2659412B1 (en) | A system and method for using partial evaluation for efficient remote attribute retrieval |
| CN102231693A (en) | Method and apparatus for managing access authority |
| CN108334595B (en) | Data sharing method and device |
| CN101379504A (en) | Virtual character |
| US10831906B1 (en) | Techniques for automatic bucket access policy generation |
| US9323751B2 (en) | Controlling access to documents by parties |
| WO2008100797A1 (en) | Dynamically associating attribute values with objects |
| CN103514412B (en) | Method and cloud server for constructing role-based access control system |
| JP6322967B2 (en) | Data protection apparatus, method, and program |
| Abdallah et al. | Formal Z specifications of several flat role-based access control models |
| CN114282591B (en) | A real-time division method for dynamic security levels, terminal equipment and storage medium |
| CN114884733A (en) | Authority management method and device, electronic equipment and storage medium |
| US20240095390A1 (en) | Scalable access control mechanism |
| CN120012149A (en) | A method, device, equipment and medium for controlling asset access |
| CN115189943A (en) | Authority management method and system based on network address |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |