WO2024235206A1 - Permission management method and apparatus, device, storage medium, and program product - Google Patents
- Publication number: WO2024235206A1 (PCT/CN2024/092936)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- target
- application
- permission
- group
- organization
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G06F21/12—Protecting executable software
Definitions
- Example embodiments of the present disclosure generally relate to the computer field, and more particularly, to a method, apparatus, device, computer-readable storage medium, and program product for rights management.
- Software or application usage management is an important task within an enterprise or organization.
- An enterprise or organization may obtain a predetermined number of installation or usage permissions for some applications, which may lead to unauthorized use or installation beyond the predetermined number, thus bringing potential risks to the enterprise or organization.
- a method for permission management includes: determining a target application to be configured in a permission configuration interface for managing users and/or devices in a target organization; obtaining a permission policy to be applied to the target application using the permission configuration interface, the permission policy at least indicating a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, the target scope including a group of target users and/or a group of target devices; and managing the execution of the target application in the target organization based on the permission policy.
- a device for permission management includes: a determination module configured to determine a target application to be configured in a permission configuration interface for managing users and/or devices in a target organization; an acquisition module configured to use the permission configuration interface to obtain a permission policy to be applied to the target application, wherein the permission policy at least indicates a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, wherein the target scope includes a group of target users and/or a group of target devices; and a management module configured to manage the execution of the target application in the target organization based on the permission policy.
- in a third aspect of the present disclosure, an electronic device includes at least one processing unit; and at least one memory, the at least one memory is coupled to the at least one processing unit and stores instructions for execution by the at least one processing unit. When the instructions are executed by the at least one processing unit, the device executes the method of the first aspect.
- a computer-readable storage medium wherein a computer program is stored on the computer-readable storage medium, and the computer program can be executed by a processor to implement the method of the first aspect.
- a computer program product which is tangibly stored in a computer storage medium and comprises computer executable instructions, which when executed by a device cause the device to perform the method according to the first aspect.
- FIG. 1 shows a schematic diagram of an example environment in which embodiments according to the present disclosure may be implemented.
- FIG. 2 shows a flow chart of an example process of rights management according to some embodiments of the present disclosure.
- FIGS. 3A to 3F illustrate example permission configuration interfaces according to some embodiments of the present disclosure.
- FIG. 4 shows a schematic structural block diagram of an apparatus for rights management according to some embodiments of the present disclosure.
- FIG. 5 shows a block diagram of an electronic device capable of implementing various embodiments of the present disclosure.
- the embodiments of the present disclosure may involve user data, data acquisition and/or use, etc. These aspects shall comply with the relevant laws, regulations and provisions. In the embodiments of the present disclosure, all data collection, acquisition, processing, forwarding, use, etc. are carried out under the premise that the user knows and confirms. Accordingly, when implementing the embodiments of the present disclosure, the data or information that may be involved shall be disclosed in an appropriate manner in accordance with the relevant laws and regulations. The type, scope of use, and usage scenario of the device may be notified to the user and the user's authorization may be obtained. The specific notification and/or authorization method may vary according to the actual situation and application scenario, and the scope of the present disclosure is not limited in this respect.
- the embodiments of the present disclosure propose a scheme for permission management.
- the target application to be configured can be determined in the permission configuration interface for managing users and/or devices in the target organization.
- the permission configuration interface can be used to obtain the permission policy to be applied to the target application, and the permission policy at least indicates the target scope of the target organization that is authorized to use the target application and the disposal policy for using the target application outside the target scope, and the target scope includes a group of target users and/or a group of target devices. Accordingly, the execution of the target application in the target organization can be managed based on the permission policy.
- embodiments of the present disclosure may support unified and standardized management of usage permissions of applications in an organization, thereby improving the efficiency of application permission management and reducing risks associated with unauthorized use.
- FIG1 shows a schematic diagram of an example environment 100 in which embodiments of the present disclosure can be implemented.
- the environment 100 may include a management device 110 .
- the management device 110 may be configured to manage the usage rights of the application 130 within the organization.
- An “organization” may include a group consisting of multiple users such as a company, department, institution, etc.
- An "application" may include any suitable program product that can be installed and used by a terminal device, which may also be referred to as software in some contexts.
- the management device 110 can use the permission configuration interface 160 provided by the terminal device 120 to implement permission management for the application 130.
- a terminal device 120 may correspond to an electronic device used by an administrator in an organization, for example. It should be understood that although in FIG. 1 , the management device 110 and the terminal device 120 are shown as separate boxes, they may also be implemented in the same electronic device.
- the management device 110 may use the permission configuration interface 160 to determine the target scope that is authorized, for example, a group of authorized devices 140 and/or a group of authorized users 150.
- a permission configuration interface 160 may be used to manage users and/or devices in the target organization.
- the management device 110 may also manage the handling measures for using the application 130 outside the target scope. For example, the management device 110 may disable the application 130 for users and/or devices in the organization that are not within the target scope according to the configuration information obtained by the permission configuration interface 160 .
- the terminal device 120 can be any type of mobile terminal, fixed terminal or portable terminal, including mobile phones, desktop computers, laptop computers, notebook computers, netbook computers, tablet computers, media computers, multimedia tablets, personal communication system (PCS) devices, personal navigation devices, personal digital assistants (PDAs), audio/video players, digital cameras/camcorders, positioning devices, television receivers, radio broadcast receivers, e-book devices, gaming devices, or any combination of the foregoing, including accessories and peripherals of these devices or any combination thereof.
- the management device 110 can be, for example, various types of computing systems/servers that can provide computing capabilities, including but not limited to mainframes, edge computing nodes, computing devices in cloud environments, and the like.
- FIG2 shows a flow chart of an example process 200 for rights management according to some embodiments of the present disclosure.
- Process 200 may be implemented at terminal device 120 (or in combination with management device 120). Process 200 is described below with reference to FIG1.
- the terminal device 120 determines the target application 130 to be configured using the permission configuration interface 160 for managing users and/or devices in the target organization.
- the terminal device 120 may provide a permission configuration interface 300A as shown in FIG. 3A for a management user within an organization, for example.
- the terminal device 120 can present a group of candidate applications (for example, candidate applications 310-1 to candidate applications 310-4, individually or collectively referred to as candidate applications 310) in the permission configuration interface 300A, and determine the target application to be configured based on the selection operation of the management user on a group of candidate applications.
- such a set of candidate applications 310 may include a set of preset candidate applications.
- the terminal device 120 and/or the management device 110 may configure a set of commonly used preset applications in the organization as candidate applications that can be used for management according to the usage needs in the organization.
- such a set of candidate applications 310 may also be determined based on procurement information of the organization and include a set of applications that the organization has already procured.
- the management user may also trigger the selection of other applications by, for example, operating the add control 305 .
- terminal device 120 may present interface 300B, for example.
- terminal device 120 may present a group of candidate applications 315 determined based on application installation information within the organization.
- application installation information may be reported by users within the organization, or determined based on uploaded information of user devices within the organization with the knowledge and permission of the users.
- the management user may add such candidate applications 315 to the management application list shown in FIG3A .
- the terminal device 120 can also provide management users with a set of candidate applications determined by detection. As shown in FIG. 3C, the terminal device 120 may provide an interface 300C.
- the terminal device 120 may, for example, provide a group of candidate applications 320 determined based on real-time application detection within the organization. Accordingly, the management device 120 may also add such candidate applications to the management application list shown in FIG. 3A.
- the terminal device 120 can also support, for example, the management user inputting the target application to be configured.
- the terminal device 120 can present, for example, an interface 300D as shown in FIG. 3D .
- the interface 300D may allow the user to input application description information in the interface 300D.
- application description information may include, for example, the name of the application, the operating system of the application, the BUNDLE ID (bundle identifier) of the application, the version number of the application, etc.
- the terminal device 120 may support adding the target application determined based on the input application description information to the management application list as shown in FIG. 3A .
- the embodiments of the present disclosure can support multi-channel configuration application addition, thereby facilitating unified management of applications within an organization and improving the efficiency of application management.
- the terminal device 120 uses the permission configuration interface 160 to obtain a permission policy to be applied to the target application 130, wherein the permission policy at least indicates a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, and the target scope includes a group of target users and/or a group of target devices.
- an application 310 - 1 in the management application list is used as an example of a selected target application.
- the management user can select the target application 310 - 1 as the target application to be managed by, for example, clicking “Open Permission”.
- the terminal device 120 may allow the management user to complete the configuration of the permissions for the target application according to the “per-device authorization” and “per-user authorization” methods.
- the terminal device 120 may present a configuration component 300E as shown in FIG. 3E .
- the terminal device 120 may present a group of candidate devices 335 in the configuration component 300E.
- Such a group of candidate devices may include, for example, a group of candidate devices preset in the organization, for example, a set of devices that the current management user has the authority to manage.
- the configuration component 300E may further include a search entry 330, and the management user may enter a search term through the search entry 330 to implement screening or filtering of candidate devices.
- a search term may be associated with device description information of the device, such as the device identifier, the device type, the user corresponding to the device, and the like.
- configuration component 300E can allow the administrative user to add one or more devices from the candidate devices 335 as target devices authorized to use the target application within the organization.
- the configuration component 300E can also be used to configure the upper limit of devices in the organization that are allowed to use the target application.
- Such an upper limit can be determined based on the application purchase information of the organization, which can be less than or equal to the total purchase amount.
- the terminal device 120 may, for example, provide a configuration component 300F as shown in FIG. 3F .
- the terminal device 120 may present a group of candidate users in the configuration component 300F.
- a group of candidate users may include, for example, a group of candidate users 345 preset in the organization, for example, a set of users that the current management user has the authority to manage.
- the configuration component 300E may further include a search entry 340, through which the management user may enter a search term to screen or filter the candidate users.
- a search term may be associated with the user description information of the user, such as the user's ID, the user's role, the user's department, etc.
- configuration component 300E can allow the administrative user to add one or more users from the candidate users 345 as target users within the organization who are authorized to use the target application.
- the embodiments of the present disclosure can further provide flexibility in application permission management and better match different licensing modes of application-based licensing and user-based licensing, thereby increasing the scope of application of the solution.
- the terminal device 120 may also support the management user inputting a handling policy regarding the use of the target application outside the target range.
- the target application 310 - 1 in FIG. 1 is taken as an example.
- the terminal device 120 may adopt a default handling strategy when no specific input from the user is received.
- a default handling strategy may be appropriately configured according to organizational needs, for example, to prohibit unauthorized users or devices from using the target application.
- the management user can also implement permission configuration for the target application 310-1 by, for example, clicking on the entry “Disable Software”. For example, after receiving the selection of “Disable Software”, the terminal device 110 can determine that the disposal policy selected by the management user indicates that the target application is disabled outside the target range. In this case, even if an unauthorized user and/or device installs the target application 310-1, it cannot start the target application.
- the management user may also configure, for example, reminders regarding unauthorized use or unauthorized attempts to use. For example, the management user may configure that when an unauthorized user attempts to launch the target application or attempts to launch the target application in an unauthorized device, the target application will not be launched, and the management user may control the device to provide a reminder that the current device and/or current user is not authorized to use the application.
- the management user may also configure to generate a reminder during the first unauthorized use of a user and/or device. That is, when an unauthorized user attempts to launch a target application or attempts to launch a target application in an unauthorized device, the target application may be launched normally for the first time, and the device may provide a reminder during use that the current device and/or current user is not authorized to use the application and should obtain authorization as soon as possible.
- a reminder for unauthorized use and/or attempted use of the target application outside the target scope may also be generated for the management user.
- a reminder for unauthorized use or attempted use within the organization may be provided to the management user via appropriate means such as email, office system message, instant messaging message, etc.
- the terminal device 120 may also receive a designation of an upper limit on authorized devices and/or authorized users. In some embodiments, the terminal device 120 may also receive the management user's configuration of an excess number and/or an excess ratio.
- such an excess number and/or excess ratio may be determined based on the organization's application procurement information and appropriately configured to, for example, reduce the risk of usage beyond the scope of purchase.
- the administrative user can configure the upper limit of the number of devices authorized to use the target application within the organization to 100, and can configure the excess ratio to 15% (for example, the organization purchases 120 devices).
- a reminder about exceeding the quota can be sent to the administrative user of the target organization through appropriate means such as email, office system message, instant messaging message, etc., so that the administrative user's terminal device displays the reminder.
- such an excess reminder can occur, for example, when the administrative user has not disabled usage outside the target scope.
- the embodiments of the present disclosure can support detailed configuration of the permission policy for the target application to specify the authorized users and/or devices within the organization, and can specify the disposal policy for unauthorized ones. Based on this approach, the embodiments of the present disclosure can greatly reduce the difficulty of the management party in managing applications within the organization and improve management efficiency.
- the terminal device 120 manages the execution of the target application in the target organization based on the permission policy.
- the terminal device 120 can determine the user or device in the organization that is authorized to use the target application according to the permission policy, and enable the device in the organization to respond to the permission policy.
- the device in the organization can allow the user to install or use the target application if it is determined that the device is an authorized device or the logged-in user is an authorized user.
- the device in the organization can determine whether to prohibit the user from starting or using the target application according to the permission policy. For example, the device may not respond when the user double-clicks to start the application, and may generate a reminder that the current device and/or the current user is not authorized to use the application. Alternatively, the device may generate a reminder that authorization needs to be obtained as soon as possible after the application is normally started.
- the embodiments of the present disclosure can provide a unified configuration interface for application permission management within an organization, can allow target applications to be added from multiple sources, and can manage the use of target applications within the organization through multiple permission policies. Therefore, the embodiments of the present disclosure can improve the uniformity of application management and reduce the time cost of application permission management.
- the permission configuration interface 300A may further provide application statistics information, where the application statistics information indicates a comparison between authorized usage of at least one application within the target organization and total usage.
- the information in the column "Allowed/All" may indicate, for example, the comparison result of the number of devices or users that the management party has authorized (for example, number C) and the number of all devices or users that have installed or used the application in the organization (for example, number B).
- the permission configuration interface 300A may also directly provide information on the ratio of number C to number B, instead of providing specific values of the two.
- the terminal device 120 may provide risk description information generated based on the comparison result, which may indicate whether the use of a specific application within the target organization has a risk of exceeding the permission or being unauthorized. For example, when the number B is greater than the number C, the application may be determined to have a risk of unauthorized use. Accordingly, the permission configuration interface 300A may, for example, indicate that the application may currently have a risk through the "Software Risk" column.
- the terminal device 120 may also provide a purchase suggestion for the application 310 - 2 according to the comparison result. For example, when the number B is greater than the number C, the terminal device 120 may generate a purchase suggestion for additional purchase of the application 310 - 2 .
- the embodiments of the present disclosure can also achieve information aggregation for applications to be managed within an organization, thereby further improving the efficiency of application management within the organization.
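The launch-time decision and the "Allowed/All" risk check described above can be sketched as follows. This is an added example, not code from the patent or from any product: the names `PermissionPolicy`, `Enforcer`, `Decision` and `usage_risk`, the field names, and the reading of the "predetermined number" as a count of distinct unauthorized user/device pairs are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class PermissionPolicy:
    """Hypothetical model of the permission policy for one target application."""
    app_id: str
    device_limit: int                  # upper limit of authorized devices
    purchased: int                     # quantity from procurement information
    authorized_devices: Set[str] = field(default_factory=set)
    authorized_users: Set[str] = field(default_factory=set)
    disable_outside_scope: bool = True    # default handling: prohibit (fail closed)
    remind_on_device: bool = False        # first reminder, shown on the device
    admin_alert_after: Optional[int] = None  # assumed "predetermined number"

    def __post_init__(self) -> None:
        # The text says the upper limit is less than or equal to the purchase total.
        if self.device_limit > self.purchased:
            raise ValueError("upper limit must not exceed purchased quantity")

    def authorize_device(self, device_id: str) -> None:
        """Add a device to the target scope, refusing to exceed the upper limit."""
        if (device_id not in self.authorized_devices
                and len(self.authorized_devices) >= self.device_limit):
            raise ValueError("device upper limit reached")
        self.authorized_devices.add(device_id)


@dataclass(frozen=True)
class Decision:
    allow: bool            # may the application start?
    device_reminder: bool  # show "not authorized" reminder on the device
    admin_alert: bool      # send the excess reminder to the management user


class Enforcer:
    """Applies a policy to launch attempts and tracks out-of-scope use."""

    def __init__(self, policy: PermissionPolicy) -> None:
        self.policy = policy
        self.unauthorized: Set[Tuple[str, str]] = set()

    def on_launch(self, user: str, device: str) -> Decision:
        p = self.policy
        # In scope if the device is authorized OR the logged-in user is authorized.
        if device in p.authorized_devices or user in p.authorized_users:
            return Decision(allow=True, device_reminder=False, admin_alert=False)
        # Out of scope: record the attempt even when the launch is blocked,
        # so attempted use is visible to the management user.
        self.unauthorized.add((user, device))
        over = (p.admin_alert_after is not None
                and len(self.unauthorized) > p.admin_alert_after)
        return Decision(allow=not p.disable_outside_scope,
                        device_reminder=p.remind_on_device,
                        admin_alert=over)


def usage_risk(authorized_count: int, total_count: int) -> Tuple[str, bool]:
    """'Allowed/All' column plus risk flag: risk when number B exceeds number C."""
    return f"{authorized_count}/{total_count}", total_count > authorized_count


if __name__ == "__main__":
    # Constructed sample data, not taken from the patent.
    policy = PermissionPolicy("com.example.editor", device_limit=2, purchased=3,
                              remind_on_device=True, admin_alert_after=1)
    policy.authorize_device("dev-1")
    policy.authorized_users.add("alice")
    enforcer = Enforcer(policy)
    for user, device in [("bob", "dev-1"), ("alice", "dev-9"),
                         ("bob", "dev-9"), ("carol", "dev-8")]:
        print(user, device, enforcer.on_launch(user, device))
    print(usage_risk(len(policy.authorized_devices), 3))
```

Recording blocked attempts as well as permitted out-of-scope launches keeps the administrator reminder meaningful under the default "disable" policy, where no unauthorized launch ever succeeds.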
- the embodiments of the present disclosure also provide corresponding devices for implementing the above methods or processes.
- FIG. 4 shows a schematic structural block diagram of an apparatus 400 for rights management according to some embodiments of the present disclosure.
- the apparatus 400 may be implemented as or included in the terminal device 120.
- Each module/component in the apparatus 400 may be implemented by hardware, software, firmware or any combination thereof.
- the apparatus 400 includes a determination module 410, configured to determine a target application to be configured in a permission configuration interface for managing users and/or devices in a target organization; an acquisition module 420, configured to use a permission configuration interface to obtain a permission policy to be applied to the target application, the permission policy at least indicating a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, the target scope including a group of target users and/or a group of target devices; and a management module 430, configured to manage the execution of the target application in the target organization based on the permission policy.
- the determination module 410 is further configured to: display a group of candidate applications in the permission configuration interface; and receive a selection of a target application from the group of candidate applications.
- the group of candidate applications includes at least one of the following: a preset first group of applications, a second group of applications determined based on application installation information, and a third group of applications determined based on real-time application detection.
- the determination module 410 is further configured to: obtain input application description information in the permission configuration interface; and determine the target application based on the application description information.
- the acquisition module 420 is further configured to: provide a first configuration component corresponding to the device configuration in the permission configuration interface, the first configuration component displaying a group of candidate devices; and determine the target scope in the target organization that is authorized to use the target application based on the selection of at least one device from the group of candidate devices.
- a group of candidate devices includes: a first group of candidate devices preset in a target organization, a second group of candidate devices matching a first search term, and the first search term is associated with device description information of the device.
- the acquisition module 420 is also configured to: provide a second configuration component corresponding to the user configuration in the permission configuration interface, and the first configuration component displays a group of candidate users; and based on the selection of at least one user from the group of candidate users, determine the target scope in the target organization that is authorized to use the target application.
- a group of candidate users includes: a first group of candidate users preset in the target organization, a second group of candidate users matching a second search term, and the second search term is associated with user description information of the user.
- the acquisition module 420 is further configured to: receive input of a handling policy for using the target application outside the target scope using the permission configuration interface, wherein the handling policy includes at least one of the following: a first handling policy indicating that use of the target application outside the target scope is disabled; a second handling policy indicating generation of a first reminder for unauthorized use and/or attempted use of a target application outside a target scope, so that a first device associated with the unauthorized use and/or attempted use displays the first reminder; and/or, a third handling policy indicating generation of a second reminder for unauthorized use exceeding a predetermined number so that a terminal device associated with an administrative user of the target organization displays the second reminder, wherein the predetermined number is configured using a permission configuration interface.
- the apparatus 400 further includes a display module configured to: display application statistics information in the permission configuration interface, wherein the application statistics information indicates a comparison result between authorized usage of at least one application in the target organization and all usage.
- the presentation module is further configured to: provide risk description information for at least one application, where the risk description information is generated based on the comparison result.
- FIG5 shows a block diagram of an electronic device 500 in which one or more embodiments of the present disclosure may be implemented. It should be understood that the electronic device 500 shown in FIG5 is merely exemplary and should not constitute any limitation on the functionality and scope of the embodiments described herein. The electronic device 500 shown in FIG5 may be used to implement the terminal device 120 and/or the management device 110 of FIG1 .
- the electronic device 500 is in the form of a general electronic device.
- the components of the electronic device 500 may include, but are not limited to, one or more processors or processing units 510, a memory 520, a storage device 530, one or more communication units 540, one or more input devices 550, and one or more output devices 560.
- the processing unit 510 may be an actual or virtual processor and is capable of performing various processes according to a program stored in the memory 520. In a multi-processor system, multiple processing units execute computer executable instructions in parallel to improve the parallel processing capability of the electronic device 500.
- the electronic device 500 typically includes a plurality of computer storage media. Such media may be any accessible media that is accessible to the electronic device 500, including but not limited to volatile and nonvolatile media, removable and non-removable media.
- the memory 520 may be a volatile memory (e.g., registers, cache, random access memory (RAM)), a nonvolatile memory (e.g., read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory), or some combination thereof.
- the storage device 530 may be removable or non-removable media and may include machine-readable media such as a flash drive, a disk, or any other media that may be capable of storing information and/or data (e.g., training data for training) and may be accessed within the electronic device 500.
- the electronic device 500 may further include additional removable/non-removable, volatile/non-volatile storage media.
- a disk drive for reading from or writing to a removable, non-volatile disk (e.g., a “floppy disk”) and an optical drive for reading from or writing to a removable, non-volatile optical disk may be provided.
- each drive may be connected to a bus (not shown) by one or more data media interfaces.
- the memory 520 may include a computer program product 525 having one or more program modules configured to perform various methods or actions of various embodiments of the present disclosure.
- the communication unit 540 implements communication with other electronic devices through a communication medium. Additionally, the functions of the components of the electronic device 500 can be implemented in a single computing cluster or multiple computing machines that can communicate through a communication connection. Therefore, the electronic device 500 can operate in a networked environment using a logical connection with one or more other servers, a network personal computer (PC), or another network node.
- the input device 550 may be one or more input devices, such as a mouse, a keyboard, a tracking ball, etc.
- the output device 560 may be one or more output devices, such as a display, a speaker, a printer, etc.
- the electronic device 500 may also communicate with one or more external devices (not shown) through the communication unit 540 as needed, such as a storage device, a display device, etc., communicate with one or more devices that allow a user to interact with the electronic device 500, or communicate with any device that allows the electronic device 500 to communicate with one or more other electronic devices (e.g., a network card, a modem, etc.). Such communication may be performed via an input/output (I/O) interface (not shown).
- a computer-readable storage medium on which computer-executable instructions are stored, wherein the computer-executable instructions are executed by a processor to implement the method described above.
- a computer program product is also provided, which is tangibly stored on a non-transitory computer-readable medium and includes computer-executable instructions, and the computer-executable instructions are executed by a processor to implement the method described above.
- These computer-readable program instructions can be provided to a processing unit of a general-purpose computer, a special-purpose computer, or other programmable data processing device, thereby producing a machine, so that when these instructions are executed by the processing unit of the computer or other programmable data processing device, a device that implements the functions/actions specified in one or more boxes in the flowchart and/or block diagram is generated.
- These computer-readable program instructions can also be stored in a computer-readable storage medium, and these instructions cause the computer, programmable data processing device, and/or other equipment to work in a specific manner, so that the computer-readable medium storing the instructions includes a manufactured product, which includes instructions for implementing various aspects of the functions/actions specified in one or more boxes in the flowchart and/or block diagram.
- Computer-readable program instructions can be loaded onto a computer, other programmable data processing apparatus, or other device so that a series of operational steps are performed on the computer, other programmable data processing apparatus, or other device to produce a computer-implemented process, so that the instructions executed on the computer, other programmable data processing apparatus, or other device implement the functions/actions specified in one or more boxes in the flowchart and/or block diagram.
- each box in the flowchart or block diagram may represent a module, a program segment or a portion of an instruction, and a module, a program segment or a portion of an instruction contains one or more executable instructions for implementing the specified logical functions.
- the functions marked in the boxes may also occur in an order different from that marked in the accompanying drawings. For example, two consecutive boxes can actually be executed substantially in parallel, and they may sometimes be executed in the opposite order, depending on the functions involved.
- each box in the block diagram and/or flowchart, and each combination of boxes in the block diagram and/or flowchart, can be implemented with a dedicated hardware-based system that performs the specified function or action, or can be implemented with a combination of dedicated hardware and computer instructions.
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
Description
This application claims priority to Chinese invention patent application No. 202310554413.3, filed on May 16, 2023 and titled “Method, apparatus, device and storage medium for permission management”, the entire contents of which are incorporated herein by reference.
Example embodiments of the present disclosure generally relate to the computer field, and more particularly, to a method, apparatus, device, computer-readable storage medium, and program product for permission management.
Managing the use of software or applications is an important task within an enterprise or organization. An enterprise or organization may have obtained a predetermined number of installation or usage permissions for some applications, which may cause use or installation beyond that predetermined number to constitute unauthorized behavior, and this may bring potential risks to the enterprise or organization.
Summary of the Invention
In a first aspect of the present disclosure, a method for permission management is provided. The method includes: determining a target application to be configured in a permission configuration interface for managing users and/or devices in a target organization; obtaining, using the permission configuration interface, a permission policy to be applied to the target application, the permission policy at least indicating a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, the target scope including a group of target users and/or a group of target devices; and managing the execution of the target application in the target organization based on the permission policy.
In a second aspect of the present disclosure, an apparatus for permission management is provided. The apparatus includes: a determination module configured to determine a target application to be configured in a permission configuration interface for managing users and/or devices in a target organization; an acquisition module configured to obtain, using the permission configuration interface, a permission policy to be applied to the target application, the permission policy at least indicating a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, the target scope including a group of target users and/or a group of target devices; and a management module configured to manage the execution of the target application in the target organization based on the permission policy.
In a third aspect of the present disclosure, an electronic device is provided. The device includes at least one processing unit and at least one memory, the at least one memory being coupled to the at least one processing unit and storing instructions for execution by the at least one processing unit. When executed by the at least one processing unit, the instructions cause the device to perform the method of the first aspect.
In a fourth aspect of the present disclosure, a computer-readable storage medium is provided. A computer program is stored on the computer-readable storage medium, and the computer program can be executed by a processor to implement the method of the first aspect.
In a fifth aspect of the present disclosure, a computer program product is provided, which is tangibly stored in a computer storage medium and comprises computer-executable instructions that, when executed by a device, cause the device to perform the method according to the first aspect.
It should be understood that the content described in this Summary is not intended to identify key or essential features of the embodiments of the present disclosure, nor is it intended to limit the scope of the present disclosure. Other features of the present disclosure will become readily understood from the following description.
The above and other features, advantages and aspects of the embodiments of the present disclosure will become more apparent with reference to the following detailed description in conjunction with the accompanying drawings. In the accompanying drawings, the same or similar reference numerals represent the same or similar elements, wherein:
FIG. 1 shows a schematic diagram of an example environment in which embodiments according to the present disclosure may be implemented;
FIG. 2 shows a flow chart of an example process of permission management according to some embodiments of the present disclosure;
FIGS. 3A to 3F show example permission configuration interfaces according to some embodiments of the present disclosure;
FIG. 4 shows a schematic structural block diagram of an apparatus for permission management according to some embodiments of the present disclosure; and
FIG. 5 shows a block diagram of an electronic device capable of implementing various embodiments of the present disclosure.
Embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although certain embodiments of the present disclosure are shown in the accompanying drawings, it should be understood that the present disclosure can be implemented in various forms and should not be construed as being limited to the embodiments set forth herein. On the contrary, these embodiments are provided for a more thorough and complete understanding of the present disclosure. It should be understood that the drawings and embodiments of the present disclosure are only for exemplary purposes and are not intended to limit the scope of protection of the present disclosure.
It should be noted that the titles of any sections/subsections provided herein are not restrictive. Various embodiments are described throughout this document, and any type of embodiment may be included under any section/subsection. In addition, the embodiments described in any section/subsection may be combined in any manner with any other embodiments described in the same section/subsection and/or different sections/subsections.
In the description of the embodiments of the present disclosure, the term "including" and similar terms should be understood as open inclusion, that is, "including but not limited to". The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The term "some embodiments" should be understood as "at least some embodiments". The terms "first", "second", etc. may refer to different or the same objects. Other explicit and implicit definitions may be included below.
The embodiments of the present disclosure may involve user data and the acquisition and/or use of such data. These aspects all comply with the applicable laws, regulations and related provisions. In the embodiments of the present disclosure, all collection, acquisition, processing, handling, forwarding and use of data is carried out on the premise that the user knows and confirms it. Accordingly, when implementing the embodiments of the present disclosure, the user should be informed, in an appropriate manner and in accordance with the relevant laws and regulations, of the types, scope of use, usage scenarios, etc. of the data or information that may be involved, and the user's authorization should be obtained. The specific notification and/or authorization method may vary according to the actual situation and application scenario, and the scope of the present disclosure is not limited in this respect.
Where the solutions in this specification and the embodiments involve the processing of personal information, the processing is carried out only on a lawful basis (for example, with the consent of the personal information subject, or where necessary for the performance of a contract) and only within the prescribed or agreed scope. A user's refusal to allow processing of personal information other than the information necessary for basic functions does not affect the user's use of the basic functions.
As briefly mentioned above, for enterprises and other types of organizations, managing the compliant use of applications within the organization is an important task. The organization needs to ensure that its members use applications within the authorized scope, which makes management considerably more difficult for the organization.
The embodiments of the present disclosure propose a scheme for permission management. According to the scheme, a target application to be configured can be determined in a permission configuration interface for managing users and/or devices in a target organization. Furthermore, the permission configuration interface can be used to obtain a permission policy to be applied to the target application. The permission policy at least indicates a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, and the target scope includes a group of target users and/or a group of target devices. Accordingly, the execution of the target application in the target organization can be managed based on the permission policy.
In this way, embodiments of the present disclosure may support unified and standardized management of usage permissions of applications in an organization, thereby improving the efficiency of application permission management and reducing risks associated with unauthorized use.
Various example implementations of the solution are described in detail below in conjunction with the accompanying drawings.
Example Environment
FIG. 1 shows a schematic diagram of an example environment 100 in which embodiments of the present disclosure can be implemented. As shown in FIG. 1, the environment 100 may include a management device 110.
As will be described in detail below, the management device 110 may, for example, be configured to manage the usage permissions of an application 130 within an organization. An "organization" may include a group consisting of multiple users, such as a company, department or institution. An "application" may include any appropriate program product that can be installed and used by a terminal device and, in some scenarios, may also be referred to as software.
For example, the management device 110 can use the permission configuration interface 160 provided by the terminal device 120 to implement permission management for the application 130. Such a terminal device 120 may, for example, correspond to an electronic device used by an administrator in the organization. It should be understood that although the management device 110 and the terminal device 120 are shown as separate boxes in FIG. 1, they may also be implemented in the same electronic device.
Exemplarily, the management device 110 may use the permission configuration interface 160 to determine the authorized target scope, for example, a group of authorized devices 140 and/or a group of authorized users 150. Such a permission configuration interface 160 may be used to manage users and/or devices in the target organization.
Additionally, the management device 110 may also manage the disposal measures for use of the application 130 outside the target scope. For example, the management device 110 may, according to the configuration information obtained through the permission configuration interface 160, cause the application 130 to be disabled for users and/or devices in the organization that are not within the target scope.
The specific process of permission configuration is described in detail below with reference to FIG. 2.
In some embodiments, the terminal device 120 can be any type of mobile terminal, fixed terminal or portable terminal, including mobile phones, desktop computers, laptop computers, notebook computers, netbook computers, tablet computers, media computers, multimedia tablets, personal communication system (PCS) devices, personal navigation devices, personal digital assistants (PDAs), audio/video players, digital cameras/camcorders, positioning devices, television receivers, radio broadcast receivers, e-book devices, gaming devices, or any combination of the foregoing, including accessories and peripherals of these devices or any combination thereof. The management device 110 can be, for example, any of various types of computing systems/servers that can provide computing capabilities, including but not limited to mainframes, edge computing nodes, computing devices in cloud environments, and the like.
It should be understood that the structure and function of the various elements in the environment 100 are described for exemplary purposes only and do not imply any limitation on the scope of the present disclosure.
Some example embodiments of the present disclosure will be described below with continued reference to the accompanying drawings.
Example Process
FIG. 2 shows a flow chart of an example process 200 for permission management according to some embodiments of the present disclosure. Process 200 may be implemented at terminal device 120 (or in combination with management device 120). Process 200 is described below with reference to FIG. 1.
As shown in FIG. 2, at block 210, the terminal device 120 determines the target application 130 to be configured in the permission configuration interface 160 for managing users and/or devices in the target organization.
As shown in FIG. 3A, the terminal device 120 may, for example, provide a permission configuration interface 300A to a management user within the organization.
Taking FIG. 3A as an example, the terminal device 120 can present a group of candidate applications in the permission configuration interface 300A (for example, candidate applications 310-1 to 310-4, individually or collectively referred to as candidate applications 310), and determine the target application to be configured based on the management user's selection operation on the group of candidate applications.
Exemplarily, such a group of candidate applications 310 may include a group of preset candidate applications. For example, the terminal device 120 and/or the management device 110 may, according to the usage needs within the organization, configure a group of preset applications commonly used in the organization as candidate applications that can be managed.
Alternatively, such a group of candidate applications 310 may also be determined based on procurement information of the organization and include a group of applications that the organization has already procured.
In some embodiments, if the application that the management user wishes to configure is not in the list, the management user may also trigger the selection of other applications, for example by operating the add control 305.
Exemplarily, upon receiving a selection of the add control 305, the terminal device 120 may, for example, present an interface 300B. As shown in FIG. 3B, in the interface 300B, the terminal device 120 may present a group of candidate applications 315 determined based on application installation information within the organization. Such application installation information may, for example, be reported by users within the organization, or be determined from information uploaded by user devices within the organization with the knowledge and permission of the users. The management user may, for example, add such candidate applications 315 to the management application list shown in FIG. 3A.
In some embodiments, the terminal device 120 may also provide the management user with a group of candidate applications determined through detection. For example, the terminal device 120 may provide an interface 300C as shown in FIG. 3C.
In the interface 300C, the terminal device 120 may, for example, provide a group of candidate applications 320 determined based on real-time reference detection within the organization. Accordingly, the management device 120 may also add such candidate applications to the management application list shown in FIG. 3A.
Additionally, where none of the above candidate applications includes the target application to be configured, the terminal device 120 may also allow the management user to input the target application to be configured. Exemplarily, after receiving a selection of the add entry 325 shown in FIG. 3C, the terminal device 120 may, for example, present an interface 300D as shown in FIG. 3D.
As shown in FIG. 3D, the interface 300D may, for example, allow the user to input application description information. Such application description information may include, for example, the name of the application, the operating system of the application, the BUNDLE ID (bundle identifier) of the application, the version number of the application, and so on.
After such application description information has been entered, the terminal device 120 may support adding the target application determined from the entered application description information to the management application list shown in FIG. 3A.
In this way, the embodiments of the present disclosure can support adding applications to be configured through multiple channels, thereby facilitating unified management of applications within an organization and improving the efficiency of application management.
Continuing with reference to FIG. 2, at block 220, the terminal device 120 uses the permission configuration interface 160 to obtain a permission policy to be applied to the target application 130, wherein the permission policy at least indicates a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, and the target scope includes a group of target users and/or a group of target devices.
Continuing with the example shown in FIG. 3A, the application 310-1 in the management application list is taken as an example of the selected target application. The management user can, for example, click “Open Permission” to select the target application 310-1 as the target application to be managed.
Further, the terminal device 120 may allow the management user to configure the permissions for the target application in the “per-device authorization” and “per-user authorization” manners.
Further, the terminal device 120 may present a configuration component 300E as shown in FIG. 3E. As shown in FIG. 3E, the terminal device 120 may present a group of candidate devices 335 in the configuration component 300E. Such a group of candidate devices may include, for example, a group of candidate devices preset in the organization, for example, the set of devices that the current management user has the authority to manage.
Alternatively or additionally, the configuration component 300E may, for example, further include a search entry 330, through which the management user may enter a search term to screen or filter the candidate devices. For example, such a search term may be associated with device description information of a device, such as the device identifier, the device type, the user corresponding to the device, and the like.
Further, the configuration component 300E can allow the management user to add one or more devices from the candidate devices 335 as target devices authorized to use the target application within the organization.
In some examples, as shown in FIG. 3E, the configuration component 300E can, for example, also be used to configure an upper limit on the number of devices in the organization that are allowed to use the target application. Such an upper limit can, for example, be determined based on the application procurement information of the organization, and it can be less than or equal to the total number purchased.
In some other embodiments, when the management user selects "per-user authorization" to configure permissions, the terminal device 120 may, for example, provide a configuration component 300F as shown in FIG. 3F.
As shown in FIG. 3F, the terminal device 120 may present a group of candidate users in the configuration component 300F. Such a group of candidate users may include, for example, a group of candidate users 345 preset in the organization, for example, the set of users that the current management user has the authority to manage.
Alternatively or additionally, the configuration component 300E may, for example, further include a search entry 340, through which the management user may enter a search term to screen or filter the candidate users. For example, such a search term may be associated with user description information of a user, such as the user's identifier, the user's role, the user's department, and so on.
Further, the configuration component 300E can allow the management user to add one or more devices from the candidate users 345 as target users within the organization who are authorized to use the target application.
In the manner discussed above, the embodiments of the present disclosure can further improve the flexibility of application permission management and better match the different licensing modes of per-device licensing and per-user licensing of applications, thereby broadening the applicability of the solution.
In still other embodiments, the terminal device 120 may also let the administrative user enter the disposal policy for use of the target application outside the target scope. The target application 310-1 in FIG. 3A is again taken as an example.
In some embodiments, the terminal device 120 may apply a default disposal policy when no specific input is received from the user. Such a default disposal policy can be configured as appropriate to the organization's needs; for example, unauthorized users or devices can be prohibited from using the target application.
In some embodiments, as shown in FIG. 3A, the administrative user can also configure permissions for the target application 310-1 by, for example, clicking the "Disable software" entry. For example, after receiving the "Disable software" selection, the terminal device 110 can determine that the disposal policy selected by the administrative user indicates that the target application is disabled outside the target scope. In this case, even if an unauthorized user and/or device has installed the target application 310-1, it cannot launch the target application.
In some embodiments, the administrative user can also configure reminders about unauthorized use or unauthorized attempts to use. For example, the administrative user can configure that when an unauthorized user attempts to launch the target application, or a launch is attempted on an unauthorized device, the target application will not launch, and the device can be made to show a reminder that the current device and/or current user is not authorized to use the application.
As another example, the administrative user can also configure a reminder to be generated during a user's and/or device's first unauthorized use. That is, when an unauthorized user attempts to launch the target application, or a launch is attempted on an unauthorized device, the target application may, for example, launch normally the first time, and the device can show a reminder during use that the current device and/or current user is not authorized to use the application and should obtain authorization as soon as possible.
In some embodiments, a reminder about unauthorized use and/or attempted use of the target application outside the target scope can also be generated for the administrative user. For example, the administrative user can be notified that unauthorized use or attempted use exists within the organization by an appropriate means such as email, office system message or instant message.
In still other embodiments, as discussed above, the terminal device 120 may also receive a specified upper limit on authorized devices and/or authorized users. In some embodiments, the terminal device 120 may also receive the administrative user's configuration of an excess number and/or an excess ratio.
For example, such an excess number and/or excess ratio can be configured appropriately from the organization's application purchase information, for example to reduce the risk of use beyond what was purchased. As one example, the administrative user can set the upper limit of devices authorized to use the target application within the organization to 100 and set the excess ratio to 15% (for example, where the organization has purchased 120 units). Then, when the total number of devices within the organization, both authorized and unauthorized, exceeds 115, a reminder about exceeding the quota can be sent to the administrative user of the target organization by an appropriate means such as email, office system message or instant message, so that the administrative user's terminal device displays the reminder. In some examples, such an over-quota reminder can occur when the administrative user has not disabled use outside the target scope.
In this way, embodiments of the present disclosure support detailed configuration of the permission policy for the target application: it can specify the users and/or devices authorized within the organization and can specify a disposal policy for unauthorized use. This greatly reduces the difficulty of managing applications within the organization and improves management efficiency.
Continuing to refer to FIG. 2, in block 230 the terminal device 120 manages the execution of the target application in the target organization based on the permission policy.
For example, the terminal device 120 can determine from the permission policy which users or devices in the organization are authorized to use the target application, and cause the devices in the organization to respond according to the permission policy. For example, a device in the organization can allow the user to install or use the target application when it determines that the device is an authorized device or that the logged-in user is an authorized user.
Conversely, when it is determined that the device is not an authorized device and the logged-in user is not an authorized user, the device in the organization can decide from the permission policy whether to prohibit the user from launching or using the target application. For example, the device may not respond when the user double-clicks to launch the application, and may generate a reminder that the current device and/or current user is not authorized to use the application. Alternatively, the device may generate, after the application has launched normally, a reminder that authorization needs to be obtained as soon as possible.
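The launch decision and the over-quota reminder described above, as an added sketch (not code from the patent or from any product). All class, field and function names, the `example-app` identifier and the device and user ids are assumptions; the page does not say what happens on later out-of-scope launches under the reminder policy, so the sketch keeps allowing and reminding.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set


class Disposal(Enum):
    """Disposal policy for use outside the target scope (names are assumed)."""
    BLOCK = "block"                    # launch refused, nothing shown
    BLOCK_AND_REMIND = "block+remind"  # launch refused, device shows a reminder
    REMIND_ON_USE = "remind"           # launch allowed, device shows a reminder


@dataclass
class PermissionPolicy:
    app_id: str
    target_users: Set[str] = field(default_factory=set)
    target_devices: Set[str] = field(default_factory=set)
    disposal: Disposal = Disposal.BLOCK   # default: deny out-of-scope use
    device_cap: Optional[int] = None      # upper limit of authorized devices
    excess_percent: int = 0               # tolerated overage, whole percent

    def alert_threshold(self) -> Optional[int]:
        """Device count above which the administrator is alerted."""
        if self.device_cap is None:
            return None
        # Integer arithmetic: 100 devices + 15 % -> 115, with no float rounding.
        return self.device_cap + self.device_cap * self.excess_percent // 100


@dataclass
class Decision:
    allow: bool
    authorized: bool
    device_reminder: Optional[str] = None


def evaluate_launch(policy: PermissionPolicy, user: str, device: str) -> Decision:
    """In scope if the device OR the logged-in user is authorized."""
    if device in policy.target_devices or user in policy.target_users:
        return Decision(allow=True, authorized=True)
    reminder = f"{policy.app_id}: this device/user is not authorized"
    if policy.disposal is Disposal.BLOCK:
        return Decision(allow=False, authorized=False)
    if policy.disposal is Disposal.BLOCK_AND_REMIND:
        return Decision(False, False, reminder)
    # REMIND_ON_USE: assumed here that every out-of-scope launch is allowed
    # and reminded; the page only describes the first such launch.
    return Decision(True, False, reminder + "; obtain authorization soon")


class Enforcer:
    """Applies one policy to launch events and collects administrator alerts."""

    def __init__(self, policy: PermissionPolicy):
        self.policy = policy
        self.devices_in_use: Set[str] = set()      # authorized + unauthorized
        self.unauthorized_attempts: List[tuple] = []
        self.admin_alerts: List[str] = []

    def on_launch(self, user: str, device: str) -> Decision:
        decision = evaluate_launch(self.policy, user, device)
        if not decision.authorized:
            self.unauthorized_attempts.append((user, device, decision.allow))
        if decision.allow and device not in self.devices_in_use:
            self.devices_in_use.add(device)
            limit = self.policy.alert_threshold()
            if limit is not None and len(self.devices_in_use) > limit:
                self.admin_alerts.append(
                    f"{self.policy.app_id}: {len(self.devices_in_use)} devices "
                    f"in use, quota threshold is {limit}")
        return decision


def run_demo():
    """Constructed data: cap 100, excess 15 %, out-of-scope use not disabled."""
    policy = PermissionPolicy(
        app_id="example-app",
        target_devices={f"dev-{i}" for i in range(100)},
        target_users={"alice"},
        disposal=Disposal.REMIND_ON_USE,
        device_cap=100,
        excess_percent=15,
    )
    enforcer = Enforcer(policy)
    for i in range(115):                       # 100 authorized + 15 out of scope
        enforcer.on_launch(f"user-{i}", f"dev-{i}")
    alerts_at_115 = len(enforcer.admin_alerts)
    enforcer.on_launch("user-115", "dev-115")  # 116th device crosses the line
    return alerts_at_115, enforcer.admin_alerts, len(enforcer.unauthorized_attempts)


if __name__ == "__main__":
    print(run_demo())
```

With the default `BLOCK` policy no out-of-scope device ever joins `devices_in_use`, which matches the page's remark that the over-quota reminder arises when out-of-scope use has not been disabled.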
Through the above process, embodiments of the present disclosure provide a unified configuration interface for application permission management within an organization, allow target applications to be added for management from multiple sources, and manage the use of target applications within the organization through multiple permission policies. Embodiments of the present disclosure thereby make application management more uniform and reduce the time cost of application permission management.
In still other embodiments, with continued reference to FIG. 3A, the permission configuration interface 300A may also provide application statistics, which indicate a comparison between the authorized usage and the total usage of at least one application within the target organization.
Taking the application 310-2 in FIG. 3A, for which management has already been enabled, as an example, the information in the "Licensed/All" column may indicate, for example, how the number of devices or users that the administrator has authorized (for example, number C) compares with the number of all devices or users in the organization that have installed or used the application (for example, number B). In some examples, the permission configuration interface 300A may also directly provide the ratio of number C to number B instead of the two specific values.
In some embodiments, the terminal device 120 may provide risk description information generated from the comparison result, which can indicate whether the use of a particular application within the target organization carries a risk of exceeding the license or of unlicensed use. For example, when number B is greater than number C, the application can be determined to carry a risk of unauthorized use. Accordingly, the permission configuration interface 300A may use the "Software risk" column to indicate that the application may currently be at risk.
In still other embodiments, the terminal device 120 may also provide a purchase suggestion for the application 310-2 based on the comparison result. For example, when number B is greater than number C, the terminal device 120 may generate a suggestion to purchase additional licenses for the application 310-2.
In this way, embodiments of the present disclosure can also aggregate information about the applications to be managed within an organization, further improving the efficiency of application management within the organization.
Example apparatus and device
Embodiments of the present disclosure also provide corresponding apparatus for implementing the above methods or processes.
FIG. 4 shows a schematic structural block diagram of an apparatus 400 for permission management according to some embodiments of the present disclosure. The apparatus 400 may be implemented as, or included in, the terminal device 120. Each module/component in the apparatus 400 may be implemented by hardware, software, firmware or any combination thereof.
As shown in FIG. 4, the apparatus 400 includes: a determination module 410 configured to determine a target application to be configured in a permission configuration interface for managing users and/or devices in a target organization; an acquisition module 420 configured to obtain, using the permission configuration interface, a permission policy to be applied to the target application, the permission policy at least indicating a target scope in the target organization that is authorized to use the target application and a disposal policy for using the target application outside the target scope, the target scope including a group of target users and/or a group of target devices; and a management module 430 configured to manage the execution of the target application in the target organization based on the permission policy.
In some embodiments, the determination module 410 is further configured to: display a group of candidate applications in the permission configuration interface; and receive a selection of the target application from the group of candidate applications.
In some embodiments, the group of candidate applications includes at least one of the following: a preset first group of applications, a second group of applications determined based on application installation information, and a third group of applications determined based on real-time application detection.
In some embodiments, the determination module 410 is further configured to: obtain input application description information in the permission configuration interface; and determine the target application based on the application description information.
In some embodiments, the acquisition module 420 is further configured to: provide, in the permission configuration interface, a first configuration component corresponding to device configuration, the first configuration component displaying a group of candidate devices; and determine the target scope in the target organization that is authorized to use the target application based on a selection of at least one device from the group of candidate devices.
In some embodiments, the group of candidate devices includes: a first group of candidate devices preset in the target organization, and a second group of candidate devices matching a first search term, the first search term being associated with device description information of the devices.
In some embodiments, the acquisition module 420 is further configured to: provide, in the permission configuration interface, a second configuration component corresponding to user configuration, the first configuration component displaying a group of candidate users; and determine the target scope in the target organization that is authorized to use the target application based on a selection of at least one user from the group of candidate users.
In some embodiments, the group of candidate users includes: a first group of candidate users preset in the target organization, and a second group of candidate users matching a second search term, the second search term being associated with user description information of the users.
In some embodiments, the acquisition module 420 is further configured to: receive, using the permission configuration interface, input of a disposal policy for using the target application outside the target scope, wherein the disposal policy includes at least one of the following: a first disposal policy indicating that the target application is disabled outside the target scope; a second disposal policy indicating generation of a first reminder for unauthorized use and/or attempted use of the target application outside the target scope, so that a first device associated with the unauthorized use and/or attempted use displays the first reminder; and/or a third disposal policy indicating generation of a second reminder for unauthorized use exceeding a predetermined number, so that a terminal device associated with an administrative user of the target organization displays the second reminder, wherein the predetermined number is configured using the permission configuration interface.
In some embodiments, the apparatus 400 further includes a display module configured to: display application statistics in the permission configuration interface, the application statistics indicating a comparison result between the authorized usage and the total usage of at least one application within the target organization.
In some embodiments, the display module is further configured to: provide risk description information for the at least one application, the risk description information being generated based on the comparison result.
FIG. 5 shows a block diagram of an electronic device 500 in which one or more embodiments of the present disclosure may be implemented. It should be understood that the electronic device 500 shown in FIG. 5 is merely exemplary and should not constitute any limitation on the functionality and scope of the embodiments described herein. The electronic device 500 shown in FIG. 5 may be used to implement the terminal device 120 and/or the management device 110 of FIG. 1.
As shown in FIG. 5, the electronic device 500 takes the form of a general-purpose electronic device. The components of the electronic device 500 may include, but are not limited to, one or more processors or processing units 510, a memory 520, a storage device 530, one or more communication units 540, one or more input devices 550, and one or more output devices 560. The processing unit 510 may be a real or virtual processor and is capable of performing various processes according to programs stored in the memory 520. In a multi-processor system, multiple processing units execute computer-executable instructions in parallel to increase the parallel processing capability of the electronic device 500.
The electronic device 500 typically includes a number of computer storage media. Such media may be any available media accessible to the electronic device 500, including but not limited to volatile and non-volatile media and removable and non-removable media. The memory 520 may be volatile memory (e.g., registers, cache, random access memory (RAM)), non-volatile memory (e.g., read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory), or some combination thereof. The storage device 530 may be a removable or non-removable medium and may include a machine-readable medium, such as a flash drive, a magnetic disk, or any other medium, that can be used to store information and/or data (e.g., training data for training) and that can be accessed within the electronic device 500.
The electronic device 500 may further include additional removable/non-removable, volatile/non-volatile storage media. Although not shown in FIG. 5, a disk drive for reading from or writing to a removable, non-volatile magnetic disk (e.g., a "floppy disk") and an optical drive for reading from or writing to a removable, non-volatile optical disk may be provided. In these cases, each drive may be connected to a bus (not shown) by one or more data media interfaces. The memory 520 may include a computer program product 525 having one or more program modules configured to perform the various methods or actions of the various embodiments of the present disclosure.
The communication unit 540 enables communication with other electronic devices through a communication medium. Additionally, the functions of the components of the electronic device 500 may be implemented in a single computing cluster or in multiple computing machines that can communicate over a communication connection. The electronic device 500 can therefore operate in a networked environment using logical connections to one or more other servers, network personal computers (PCs), or other network nodes.
The input device 550 may be one or more input devices, such as a mouse, a keyboard or a trackball. The output device 560 may be one or more output devices, such as a display, a speaker or a printer. The electronic device 500 may also, as needed, communicate through the communication unit 540 with one or more external devices (not shown) such as storage devices and display devices, with one or more devices that enable a user to interact with the electronic device 500, or with any device (e.g., a network card, a modem) that enables the electronic device 500 to communicate with one or more other electronic devices. Such communication may be performed via an input/output (I/O) interface (not shown).
According to an exemplary implementation of the present disclosure, a computer-readable storage medium is provided, on which computer-executable instructions are stored, wherein the computer-executable instructions are executed by a processor to implement the method described above. According to an exemplary implementation of the present disclosure, a computer program product is also provided, which is tangibly stored on a non-transitory computer-readable medium and includes computer-executable instructions that are executed by a processor to implement the method described above.
Various aspects of the present disclosure are described herein with reference to flowcharts and/or block diagrams of methods, apparatus, devices and computer program products implemented according to the present disclosure. It should be understood that each block of the flowcharts and/or block diagrams, and combinations of blocks in the flowcharts and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processing unit of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, when executed by the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams. These computer-readable program instructions may also be stored in a computer-readable storage medium; the instructions cause a computer, programmable data processing apparatus and/or other device to work in a particular manner, so that the computer-readable medium storing the instructions comprises an article of manufacture that includes instructions implementing aspects of the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams.
The computer-readable program instructions may be loaded onto a computer, other programmable data processing apparatus, or other device, causing a series of operational steps to be performed on the computer, other programmable data processing apparatus or other device to produce a computer-implemented process, so that the instructions executed on the computer, other programmable data processing apparatus or other device implement the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams.
The flowcharts and block diagrams in the accompanying drawings show the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to multiple implementations of the present disclosure. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of instructions, which contains one or more executable instructions for implementing the specified logical function. In some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, and they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
Various implementations of the present disclosure have been described above. The foregoing description is exemplary, not exhaustive, and is not limited to the disclosed implementations. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described implementations. The terms used herein were chosen to best explain the principles of the implementations, their practical application or their improvement over technology in the marketplace, or to enable others of ordinary skill in the art to understand the implementations disclosed herein.
Claims (15)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310554413.3 | 2023-05-16 | ||
| CN202310554413.3A CN116561716A (en) | 2023-05-16 | 2023-05-16 | Rights management method, device, equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024235206A1 (en) | 2024-11-21 |
Family
ID=87503204
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2024/092936 Pending WO2024235206A1 (en) | 2023-05-16 | 2024-05-13 | Permission management method and apparatus, device, storage medium, and program product |
Country Status (3)
| Country | Link |
|---|---|
| CN (1) | CN116561716A (en) |
| AU (1) | AU2024203273A1 (en) |
| WO (1) | WO2024235206A1 (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116561716A (en) * | 2023-05-16 | 2023-08-08 | 北京火山引擎科技有限公司 | Rights management method, device, equipment and storage medium |
| CN117725441B (en) * | 2023-12-21 | 2025-03-11 | 北京火山引擎科技有限公司 | Rights management method, device, readable storage medium and electronic device |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7627902B1 (en) * | 2003-02-20 | 2009-12-01 | Dell Marketing Usa, L.P. | Method of managing a software item on a managed computer system |
| CN103400066A (en) * | 2013-07-29 | 2013-11-20 | 王克 | System and method for managing software |
| CN111124472A (en) * | 2019-12-30 | 2020-05-08 | 宁波视睿迪光电有限公司 | Terminal software management platform |
| CN114297590A (en) * | 2021-12-09 | 2022-04-08 | 北京达佳互联信息技术有限公司 | Authority management method, device, electronic equipment and storage medium |
| CN116561716A (en) * | 2023-05-16 | 2023-08-08 | 北京火山引擎科技有限公司 | Rights management method, device, equipment and storage medium |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1237440C (en) * | 2002-12-20 | 2006-01-18 | 泽浦科技股份有限公司 | Method and system for controlling software usage |
| US20080134348A1 (en) * | 2006-12-05 | 2008-06-05 | Microsoft Corporation | Conditional policies in software licenses |
2023
- 2023-05-16 CN CN202310554413.3A patent/CN116561716A/en active Pending
2024
- 2024-05-13 WO PCT/CN2024/092936 patent/WO2024235206A1/en active Pending
- 2024-05-16 AU AU2024203273A patent/AU2024203273A1/en active Pending
Also Published As
| Publication number | Publication date |
|---|---|
| CN116561716A (en) | 2023-08-08 |
| AU2024203273A1 (en) | 2024-12-05 |
Similar Documents
| Publication | Title |
|---|---|
| US10757036B2 (en) | Method and system for provisioning computing resources |
| WO2024235206A1 (en) | Permission management method and apparatus, device, storage medium, and program product |
| SG186137A1 (en) | Online service access controls using scale out directory features |
| US11477179B2 (en) | Searching content associated with multiple applications |
| WO2025045002A9 (en) | Method and apparatus for processing data table, and device and storage medium |
| WO2025176211A1 (en) | Interaction method and apparatus, device, and storage medium |
| WO2020232158A1 (en) | System and methods for securely storing data for efficient access by cloud-based computing instances |
| US12314425B2 (en) | Privacy data management in distributed computing systems |
| CN110096547A (en) | Supply synchronous method, device, computer equipment and the computer storage medium of data |
| WO2025218792A1 (en) | Method and apparatus for posting work, device, and storage medium |
| WO2025051128A1 (en) | Method and apparatus for determining interactive resources, and device and storage medium |
| US8832856B2 (en) | Authority delegation for business objects |
| US12326949B2 (en) | Privacy data management in distributed computing systems |
| WO2025189618A1 (en) | Method and apparatus for editing code item, device, and storage medium |
| US11803460B1 (en) | Automatic auditing of cloud activity |
| CN111611066A (en) | Task execution method, task execution server and storage medium |
| US20250335162A1 (en) | Creating an application |
| US20240061909A1 (en) | Systems and methods for managing software provisioning based on adjusted usage conditions of software items |
| WO2025152450A1 (en) | Method and apparatus for editing workflow, and device and storage medium |
| WO2025156861A1 (en) | Method and apparatus for creating application, device, and storage medium |
| WO2025161696A1 (en) | Media editing method and apparatus, device, and storage medium |
| WO2025175736A1 (en) | Workflow editing method and apparatus, and device and storage medium |
| CN120832048A (en) | Method, device, equipment and storage medium for form batch processing |
| WO2025152454A1 (en) | Method and apparatus for integrated development environment, and device and storage medium |
| CN118646611A (en) | Method, device, equipment and storage medium for creating a group |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 24806557; Country of ref document: EP; Kind code of ref document: A1 |