CN112101890A - Authority control method, device, equipment and medium based on role and cloud function - Google Patents
- Publication number: CN112101890A
- Application number: CN202010736575.5A
- Authority: CN (China)
- Prior art keywords: function, user, role, authority, roles
- Legal status: Pending
Classifications
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR; G06Q10/00—Administration; Management; G06Q10/10—Office automation; Time management; G06Q10/103—Workflow collaboration or project management
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/31—User authentication
- G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/45—Structures or tools for the administration of authentication
Abstract
The application discloses a method, device, equipment and medium for authority control based on roles and cloud functions. The method comprises the following steps: receiving a function sent by a user, analyzing the function through a cloud function, and determining the function authority that needs to be triggered; querying the role set that contains the function authority; verifying whether the user's organization owns a role in the role set; and, if the user's organization is verified to own a role in the role set, executing the function. By triggering all function authorities through the cloud function and combining them with roles, the embodiments of the specification make the authority control method more flexible.
Description
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method, an apparatus, and a medium for controlling permissions based on roles and cloud functions.
Background
The related authorities of an Enterprise Resource Planning (ERP) system are managed uniformly as projects go live, so once the ERP system is online, control over its related authorities is strictly defined, which guarantees the access security and operational security of the related data.
The existing ERP system cannot directly acquire all the authorities in the system; when controlling a user's authority it is limited to the simplest create, delete, modify and query authorities, so the existing ERP authority control method is limited.
Disclosure of Invention
In view of this, embodiments of the present application provide an authority control method, device and medium based on roles and cloud functions, so as to solve the problem that the existing authority control method of the ERP system has limitations.
The embodiment of the application adopts the following technical scheme:
the embodiment of the application provides an authority control method based on roles and cloud functions, and the method comprises the following steps:
receiving a function sent by a user, analyzing the function through a cloud function, and determining the function authority that needs to be triggered;
querying the role set that contains the function authority;
verifying whether the user's organization owns a role in the role set;
and, if the user's organization is verified to own a role in the role set, executing the function.
It should be noted that, in the embodiments of the present specification, all function permissions can be triggered through a cloud function, and combining them with roles makes the permission control method more flexible. In addition, because the function authorities corresponding to the roles in a user's organization are set by the system, the system first queries the role set that contains the function authority to be triggered and then verifies whether the user's organization owns a role in that set. If the verification passes, the function authority corresponding to the function sent by the user was set by the system and is a legal function authority, so the system can execute the function. In this way the authority control method of the ERP system is improved.
Further, before receiving the permission operation request sent by the user, the method further includes:
creating users and organizations, and distributing the organizations to corresponding users according to the attributes of the organizations;
creating roles, configuring functional authority for the roles according to organization requirements of users, and distributing the roles to organizations of the users.
It should be noted that, with the function permission allocation method of the embodiments of the present specification, the function permissions that belong to a user can be partitioned more clearly, so that the system runs more smoothly.
Further, the configuring the functional authority to the role according to the organization requirement of the user specifically includes:
and acquiring a function corresponding to the function permission through the cloud function, and configuring the function permission for the role according to the organization requirement of the user.
It should be noted that the foregoing specifically discloses a method for configuring function authorities for roles: all function authorities can be read through the cloud function, so all of them can be controlled, and combined with roles the authority control method becomes more flexible.
Further, before receiving the permission operation request sent by the user, the method further includes:
and when a user enters or refreshes the main interface of the system for the first time, displaying the functional authority which can be triggered by the user according to the menu authority of the user.
It should be noted that, when each user is created in the system, the system may set the function authorities that the user can trigger. By setting the menu authority of each user, all the function authorities that the user can trigger are displayed when the user first enters the system or refreshes the system homepage.
Further, the function authority includes one or more of creation, deletion, editing, query, submission, revocation and auditing.
Further, after the user's organization is verified to have the roles in the role set and the function is executed, the method further includes:
if the function authority corresponding to a role in the user's organization needs to be disabled, adding a status column to the role information and marking the role as deleted;
and if the function authority corresponding to the user needs to be disabled, adding a status column to the user's information and marking the user as deleted.
It should be noted that, in the embodiments of the present specification, adding a status column to the information corresponding to the user in the manner above allows the user's ability to access the system to be controlled dynamically, and allows the function authority of one role of the user, or the function authority of the whole user, to be cancelled conveniently.
Further, if it is verified that the user's organization does not own a role in the role set, the method further comprises:
popping up a prompt that the user lacks the function authority corresponding to the function.
The embodiment of the present application further provides an authority control device based on roles and cloud functions, where the device includes:
the analysis unit is used for receiving the function sent by the user, analyzing the function through the cloud function and determining the function authority to be triggered;
the query unit is used for querying the role set containing the function authority;
the verification unit is used for verifying whether the user organization has the roles in the role set;
and the execution unit is used for executing the function if the user organization is verified to have the roles in the role set.
An embodiment of the present application further provides an authority control device based on roles and cloud functions, where the device includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
receive a function sent by a user, analyze the function through a cloud function, and determine the function authority that needs to be triggered;
query the role set that contains the function authority;
verify whether the user's organization owns a role in the role set;
and, if the user's organization is verified to own a role in the role set, execute the function.
The embodiment of the present application further provides an authority control medium based on roles and cloud functions, in which computer-executable instructions are stored, and the computer-executable instructions are set as:
receive a function sent by a user, analyze the function through a cloud function, and determine the function authority that needs to be triggered;
query the role set that contains the function authority;
verify whether the user's organization owns a role in the role set;
and, if the user's organization is verified to own a role in the role set, execute the function.
The embodiments of the application adopt at least one technical scheme that achieves the following beneficial effects: all function authorities can be triggered through the cloud function, and combining them with roles makes the authority control method more flexible. In addition, because the function authorities corresponding to the roles in a user's organization are set by the system, the system first queries the role set that contains the function authority to be triggered and then verifies whether the user's organization owns a role in that set. If the verification passes, the function authority corresponding to the function sent by the user was set by the system and is a legal function authority, so the system can execute the function. In this way the authority control method of the ERP system is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a schematic flowchart of an authority control method based on roles and cloud functions according to a first embodiment of the present disclosure;
fig. 2 is a schematic flowchart of an authority control method based on roles and cloud functions according to a second embodiment of the present specification;
fig. 3 is a schematic diagram of relationships between users, organizations, roles, and permissions provided in a second embodiment of the present specification;
fig. 4 is a schematic view of an actual scene of a relationship between a user, an organization, a role and a right provided in a second embodiment of the present specification;
fig. 5 is a schematic structural diagram of an authority control device based on roles and cloud functions according to a third embodiment of this specification.
Detailed Description
The related authorities of an Enterprise Resource Planning (ERP) system are managed uniformly as projects go live, so once the ERP system is online, control over its related authorities is strictly defined, which guarantees the access security and operational security of the related data. Meanwhile, different roles can be set for different enterprise positions.
There are generally three methods for controlling permissions in an enterprise environment:
1. Discretionary access control is a control strategy that defines rights based on the identity of the subject and the group to which it belongs.
2. Mandatory access control means that the system forces the subject to obey a pre-established access control policy.
3. Role-based access control partitions users into roles consistent with their organization, which reduces the complexity of authorization management, reduces management overhead, and gives administrators a better environment for implementing complex security policies.
Current ERP software authority control is mostly implemented on the basis of the third method. Role-Based Access Control (RBAC) generally includes: User, Role, Privilege, and Data Object. The relationships between these entities are as follows: the user is the principal that sends access operations and access requests, i.e. the Subject that operates on data objects; a privilege is the right to perform a certain operation on a certain data object; data objects are the Objects of access control, typically programs or data that are accessed; and a role is the set of operations that a user can perform in the system, an important concept introduced by RBAC. The role serves as a bridge between users and privileges: the association between a role and privileges can be regarded as the set of privileges the role owns, the association between a role and users can be regarded as a set of users sharing the same identity, and both the user-to-role and the role-to-privilege relationships are many-to-many. A user logged on to the system can determine, through the privileges of the roles it holds, which system resources it can access and which operations it can carry out on them. For easier understanding in an ERP system, a role may be called a position or job: positions are designed according to the business needs of the enterprise, and a given position represents the right to handle certain matters in daily work. This eases communication between programmers and clients, simplifies the administrator's authority management, and improves the readability of the system. It should be noted that the rights mentioned above may refer to function rights.
The existing ERP system cannot directly acquire all the authorities in the system; when controlling a user's authority it is limited to the simplest create, delete, modify and query authorities, cannot control other authorities, and is therefore insufficient in function.
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flowchart of a permission control method based on roles and cloud functions according to an embodiment of the present specification, where the following steps may be executed by an execution unit of an ERP system in the embodiment of the present specification, and the specific steps may include:
step S101, receiving a function sent by a user, analyzing the function through a cloud function, and determining a function authority required to be triggered.
In step S101 in this embodiment of the present description, if a user needs to perform a certain specific operation on a certain data object, the user may send a function corresponding to the specific operation to the ERP system, and the cloud function may analyze the function to determine a function authority that needs to be triggered. The functional authority may include one or more of creation, deletion, editing, query, submission, revocation and auditing.
And step S102, inquiring the role set containing the function authority.
In step S102 in this embodiment of the present specification, all roles that include the function authority may be queried in the ERP system, and these roles together constitute a role set.
Step S103, verifying whether the user organization has the roles in the role set.
In step S103 of the embodiment of the present specification, it is verified whether the current user has a role in the role set in the organization.
And step S104, if the user organization is verified to have the roles in the role set, executing the function.
In step S104 of this embodiment, if it is verified that the user's organization does not own a role in the role set, the method further includes:
popping up a prompt that the user lacks the function authority corresponding to the function.
It should be noted that, because the function permissions corresponding to the roles in a user's organization are set by the system, the system first queries the role set that contains the function permission to be triggered and then verifies whether the user's organization owns a role in that set. If the verification passes, the function permission corresponding to the function sent by the user was set by the system, and the system can execute the function as a legal function permission.
Corresponding to the first embodiment of the present specification, fig. 2 is a schematic flowchart of a rights control method based on a role and a cloud function provided in the second embodiment of the present specification, and the following steps may be executed by an execution unit of an ERP system in the embodiment of the present specification, and the specific steps may include:
step S201, creating a user and an organization, and distributing the organization to the corresponding user according to the attribute of the organization.
In step S201 of the embodiment of the present specification, each user may include an organization of a plurality of different attributes. Multiple users and multiple organizations may be created, with the multiple organizations assigned to corresponding users according to the attributes of the organizations.
Step S202, a role is created, a function authority is configured to the role according to the organization requirement of a user, and the role is distributed to the organization of the user.
In step S202 in the embodiment of this specification, configuring a function authority for the role according to an organization requirement of a user specifically includes:
and acquiring a function corresponding to the function permission through the cloud function, and configuring the function permission for the role according to the organization requirement of the user.
It should be noted that each organization may correspond to a plurality of functional rights.
Referring to fig. 3, a schematic diagram of relationships between users, organizations, roles, and permissions is shown, where one user may correspond to a plurality of organizations with different attributes, each organization may correspond to a different role, and each role corresponds to a plurality of functional permissions. In addition, a user may also correspond to an organization, which may also correspond to a role, which may also correspond to a functional right. The relationship between the user, organization, role and authority can be set according to the requirement. In order to more clearly display the relationship between the user, the organization, the role and the authority, fig. 4 shows an actual scene schematic diagram of the relationship between the user, the organization, the role and the authority.
Step S203, receiving the function sent by the user, analyzing the function through the cloud function, and determining the function authority required to be triggered.
In step S203 in this embodiment of the present description, if a user needs to perform a certain specific operation on a certain data object, the user may send a function corresponding to the specific operation to the ERP system, and the cloud function may analyze the function to determine a function authority that needs to be triggered. The functional authority may include one or more of creation, deletion, editing, query, submission, revocation and auditing.
And step S204, inquiring the role set containing the function authority.
In step S204 of this embodiment, all roles having the function authority may be queried in the ERP system, and all roles constitute a role set.
Step S205, verifying whether the user's organization has a role in the role set.
In step S205 of the embodiment of the present specification, it is verified whether the current user has a role in the role set in the organization.
Step S206, if it is verified that the user organization has the role in the role set, executing the function.
In step S206 of this embodiment, if it is verified that the user's organization does not own a role in the role set, the method further includes:
popping up a prompt that the user lacks the function authority corresponding to the function.
It should be noted that, because the function permissions corresponding to the roles in a user's organization are set by the system, the system first queries the role set that contains the function permission to be triggered and then verifies whether the user's organization owns a role in that set. If the verification passes, the function permission corresponding to the function sent by the user was set by the system, and the system can execute the function as a legal function permission.
Further, before receiving an authority operation request sent by a user, the method further includes:
and when a user enters or refreshes the main interface of the system for the first time, displaying the functional authority which can be triggered by the user according to the menu authority of the user.
It should be noted that, when each user is created in the system, the system may set the function rights that the user can trigger. By setting the menu right of each user, all the function rights that the user can trigger may be displayed when the user first enters the system or refreshes the system homepage; the function rights that the user cannot send may be hidden, or the function rights that the user cannot trigger may be displayed greyed out. Triggering here may also be referred to as an operation.
Further, after the user's organization is verified to own a role in the role set and the function is executed, the method further includes: if the function authority corresponding to a role in the user's organization needs to be disabled, adding a status column to the role information and marking the role as deleted; if the function authority corresponding to the user needs to be disabled, adding a status column to the user's information and marking the user as deleted; and if the function authority corresponding to the user's organization needs to be disabled, adding a status column to the organization's information and marking it as deleted. In the embodiments of the present specification, adding the status column to the information corresponding to the user in the manner described above allows the user's ability to access the system to be controlled dynamically, and allows the function permission of one role of the user, of one organization of the user, or of the whole user to be cancelled conveniently. Disabling the function permissions corresponding to a user handles special situations such as an employee leaving: the user's related permissions can be cancelled quickly and conveniently, which effectively improves data security. In addition, most enterprises act as intermediaries between upstream suppliers and downstream customers, so customers frequently log in to the system. These customers, like some trainees, are temporary users, and their access period is controlled for security. The embodiments of the specification can add a status column to the user's corresponding information in order to dynamically control the user's ability to access the system.
It should be noted that, if a plurality of users have the same identity, the same organization may be assigned to different users according to the attributes of the organization, and the same role may be assigned to different users.
It should be noted that, in the embodiments of the present specification, all function permissions on a document can be controlled on the basis of a cloud function, dynamic and flexible configuration can be achieved through roles, and by combining the two, any function permission of any document can be configured for each role. All the controllable function authorities on a document are exactly the function authorities that can be triggered.
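The check in steps S201 to S206, together with the status columns and the menu-authority display, as an added Python example that is not part of the patent and not an implementation by its applicant. The "cloud function" is modelled as a parser of a constructed "document.authority" wire format, and the sample users, organizations and roles are constructed:

```python
"""Role- and cloud-function-based authority check modelled on the steps above (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Set

# The seven function authorities the specification lists.
FUNCTION_AUTHORITIES = {"create", "delete", "edit", "query", "submit", "revoke", "audit"}


@dataclass
class Role:
    permissions: Set[str]          # "<document>:<authority>" keys configured for the role (S202)
    deleted: bool = False          # status column: disables every permission of the role


@dataclass
class Organization:
    roles: Set[str]                # roles distributed to the organization (S202)
    deleted: bool = False          # status column on the organization


@dataclass
class User:
    organizations: Set[str]        # organizations distributed to the user (S201)
    deleted: bool = False          # status column on the user (e.g. employee left)


@dataclass
class AuthorityControl:
    users: Dict[str, User] = field(default_factory=dict)
    organizations: Dict[str, Organization] = field(default_factory=dict)
    roles: Dict[str, Role] = field(default_factory=dict)

    # S203: the "cloud function" analyses the submitted function and determines
    # the function authority it would trigger. Assumed (constructed) wire
    # format: "<document>.<authority>", e.g. "invoice.audit".
    def analyze_function(self, function: str) -> str:
        document, sep, authority = function.rpartition(".")
        if not sep or not document or authority not in FUNCTION_AUTHORITIES:
            raise ValueError(f"unrecognised function: {function!r}")
        return f"{document}:{authority}"

    # S204: query the set of active roles that contain the function authority.
    def roles_with_authority(self, permission: str) -> Set[str]:
        return {name for name, role in self.roles.items()
                if permission in role.permissions and not role.deleted}

    # Roles owned by the user's active organizations; a deleted user owns none.
    def roles_of_user(self, username: str) -> Set[str]:
        user = self.users.get(username)
        if user is None or user.deleted:
            return set()
        owned: Set[str] = set()
        for org_name in user.organizations:
            org = self.organizations.get(org_name)
            if org is not None and not org.deleted:
                owned |= org.roles
        return owned

    # S205: does the user's organization own a role in the role set?
    def verify(self, username: str, permission: str) -> bool:
        return bool(self.roles_with_authority(permission) & self.roles_of_user(username))

    # S206: execute the function, or return the "no authority" prompt instead.
    def execute(self, username: str, function: str) -> str:
        permission = self.analyze_function(function)
        if not self.verify(username, permission):
            return f"no authority: {permission}"
        return f"executed {function}"

    # Menu authority: every function authority the user can trigger, i.e. what
    # the main interface shows; anything else is hidden or greyed out.
    def triggerable_authorities(self, username: str) -> Set[str]:
        visible: Set[str] = set()
        for role_name in self.roles_of_user(username):
            role = self.roles.get(role_name)
            if role is not None and not role.deleted:
                visible |= role.permissions
        return visible


def build_demo() -> AuthorityControl:
    """Constructed sample data: two users, two organizations, two roles."""
    erp = AuthorityControl()
    erp.roles["accountant"] = Role({"invoice:query", "invoice:audit"})
    erp.roles["sales_clerk"] = Role({"order:create", "order:query", "order:submit"})
    erp.organizations["finance"] = Organization({"accountant"})
    erp.organizations["sales"] = Organization({"sales_clerk"})
    erp.users["alice"] = User({"finance", "sales"})
    erp.users["bob"] = User({"sales"})
    return erp


if __name__ == "__main__":
    erp = build_demo()
    print(erp.execute("alice", "invoice.audit"))   # executed invoice.audit
    print(erp.execute("bob", "invoice.audit"))     # no authority: invoice:audit
    erp.roles["accountant"].deleted = True         # disable the role via its status column
    print(erp.execute("alice", "invoice.audit"))   # no authority: invoice:audit
```

Note that the status column on a role, organization or user is consulted on every request, so flipping it revokes access immediately without touching the role-to-permission configuration.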
Corresponding to the second embodiment of this specification, fig. 5 is a schematic structural diagram of an authority control device based on roles and cloud functions provided in the third embodiment of this specification, where the authority control device includes: the device comprises an analysis unit 1, a query unit 2, a verification unit 3 and an execution unit 4.
The analysis unit 1 is used for receiving a function sent by a user, analyzing the function through a cloud function, and determining a function authority required to be triggered;
the query unit 2 is used for querying the role set containing the function authority;
the verification unit 3 is used for verifying whether the user has the roles in the role set in the organization;
the execution unit 4 is configured to execute the function if it is verified that the user's organization has the role in the role set.
An embodiment of the present application further provides an authority control device based on roles and cloud functions, where the device includes:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
receive a function sent by a user, analyze the function through a cloud function, and determine the function authority that needs to be triggered;
query the role set that contains the function authority;
verify whether the user's organization owns a role in the role set;
and, if the user's organization is verified to own a role in the role set, execute the function.
The embodiment of the present application further provides an authority control medium based on roles and cloud functions, in which computer-executable instructions are stored, and the computer-executable instructions are set as:
receive a function sent by a user, analyze the function through a cloud function, and determine the function authority that needs to be triggered;
query the role set that contains the function authority;
verify whether the user's organization owns a role in the role set;
and, if the user's organization is verified to own a role in the role set, execute the function.
In the 1990s, an improvement in a technology could clearly be distinguished as either an improvement in hardware (e.g., improvements in circuit structures such as diodes, transistors and switches) or an improvement in software (an improvement in a process flow). However, as technology has advanced, many of today's process flow improvements can be seen as direct improvements in hardware circuit architecture. Designers almost always obtain the corresponding hardware circuit structure by programming an improved method flow into a hardware circuit. Thus, it cannot be said that an improvement in a process flow cannot be realized by hardware physical modules. For example, a Programmable Logic Device (PLD), such as a Field Programmable Gate Array (FPGA), is an integrated circuit whose logic functions are determined by the user programming the device. A digital system is "integrated" on a PLD by the designer's own programming, without requiring the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Furthermore, nowadays, instead of manually making an integrated circuit chip, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is likewise written in a specific programming language, called a Hardware Description Language (HDL). There is not one HDL but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); at present VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are the most commonly used.
It will also be apparent to those skilled in the art that hardware circuitry that implements the logical method flows can be readily obtained by merely slightly programming the method flows into an integrated circuit using the hardware description languages described above.
The controller may be implemented in any suitable manner. For example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an Application Specific Integrated Circuit (ASIC), a programmable logic controller, or an embedded microcontroller; examples of such microcontrollers include, but are not limited to, the ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320, and a memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller as pure computer-readable program code, the same functionality can be obtained by logically programming the method steps so that the controller takes the form of logic gates, switches, application specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be considered a hardware component, and the means included in it for performing the various functions may also be considered structures within that hardware component. Indeed, the means for performing the functions may be regarded both as software modules implementing the method and as structures within a hardware component.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. One typical implementation device is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium which can be used to store information accessible by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in the process, method, article, or apparatus that comprises the element.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.
Claims (10)
1. An authority control method based on roles and cloud functions is characterized by comprising the following steps:
receiving a function sent by a user, analyzing the function through a cloud function, and determining a function authority required to be triggered;
inquiring a role set containing the function authority;
verifying whether the user's organization owns a role in the set of roles;
and if the user is verified to have the roles in the role set in the organization, executing the function.
2. The method for controlling authority based on roles and cloud functions according to claim 1, wherein before receiving the authority operation request sent by the user, the method further comprises:
creating users and organizations, and distributing the organizations to corresponding users according to the attributes of the organizations;
creating roles, configuring functional authority for the roles according to organization requirements of users, and distributing the roles to organizations of the users.
3. The role and cloud function-based permission control method according to claim 2, wherein the configuring of the functional permission for the role according to the organization requirement of the user specifically comprises:
and acquiring a function corresponding to the function permission through the cloud function, and configuring the function permission for the role according to the organization requirement of the user.
4. The method for controlling authority based on roles and cloud functions according to claim 1, wherein before receiving the authority operation request sent by the user, the method further comprises:
and when a user enters or refreshes the main interface of the system for the first time, displaying the functional authority which can be triggered by the user according to the menu authority of the user.
5. The role and cloud function based privilege control method according to claim 1, wherein the function privilege comprises one or more of creation, deletion, editing, query, submission, revocation and audit.
6. The method for controlling authority based on roles and cloud functions according to claim 1, wherein after the role in the set of roles is verified to be owned by the user's organization, the method further comprises:
if the function authority corresponding to a role of the user's organization needs to be disabled, adding a deletion-state column for the role to the role information;
and if the function authority corresponding to the user needs to be disabled, adding a deletion-state column for the user to the user information.
7. The method of claim 1, wherein if it is verified that the user's organization does not have a role in the set of roles, the method further comprises:
and popping up a prompt of the function authority corresponding to the function without the authority.
8. An authority control apparatus based on roles and cloud functions, the apparatus comprising:
the analysis unit is used for receiving the function sent by the user, analyzing the function through the cloud function and determining the function authority to be triggered;
the query unit is used for querying the role set containing the function authority;
the verification unit is used for verifying whether the user organization has the roles in the role set;
and the execution unit is used for executing the function if the user organization is verified to have the roles in the role set.
9. An authority control device based on roles and cloud functions, the device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores instructions executable by the at least one processor to enable the at least one processor to:
receiving a function sent by a user, analyzing the function through a cloud function, and determining a function authority required to be triggered;
inquiring a role set containing the function authority;
verifying whether the user's organization owns a role in the set of roles;
and if the user is verified to have the roles in the role set in the organization, executing the function.
10. A role and cloud function based authority control medium having stored thereon computer-executable instructions configured to:
receiving a function sent by a user, analyzing the function through a cloud function, and determining a function authority required to be triggered;
inquiring a role set containing the function authority;
verifying whether the user's organization owns a role in the set of roles;
and if the user is verified to have the roles in the role set in the organization, executing the function.
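The check described in the device embodiment above and in claims 1 to 7 (analyse the submitted function to find the permission it triggers, query the role set holding that permission, verify that the user's organization owns one of those roles, execute or prompt, and disable by a deletion-state column) can be modelled end to end. The following is an added worked example in Python and is not code from the patent; the function-to-permission table, the organization and role names and the `PermissionService` class are constructed for illustration, and the lookup table stands in for the cloud function that analyses the function.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Set


@dataclass
class Role:
    name: str
    permissions: FrozenSet[str]
    deleted: bool = False          # deletion-state column of the role (claim 6)


@dataclass
class Organization:
    name: str
    roles: Set[str] = field(default_factory=set)   # roles assigned to this org


@dataclass
class User:
    name: str
    organization: str
    deleted: bool = False          # deletion-state column of the user (claim 6)


@dataclass
class Decision:
    allowed: bool
    permission: Optional[str]
    reason: str


# Constructed stand-in for the cloud function that analyses a submitted
# function and determines which function permission it must trigger.
FUNCTION_PERMISSION: Dict[str, str] = {
    "order.create": "create", "order.delete": "delete",
    "order.query": "query", "report.audit": "audit",
}


def analyze_function(function: str) -> Optional[str]:
    """Return the permission a function needs, or None if the analyser has no mapping."""
    return FUNCTION_PERMISSION.get(function)


class PermissionService:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.orgs: Dict[str, Organization] = {}
        self.users: Dict[str, User] = {}

    # Setup: users, organizations, roles and their permissions (claims 2 and 3).
    def create_organization(self, name: str) -> None:
        self.orgs[name] = Organization(name)

    def create_user(self, name: str, organization: str) -> None:
        if organization not in self.orgs:
            raise KeyError(f"unknown organization {organization!r}")
        self.users[name] = User(name, organization)

    def create_role(self, name: str, permissions: Set[str]) -> None:
        self.roles[name] = Role(name, frozenset(permissions))

    def assign_role(self, organization: str, role: str) -> None:
        self.orgs[organization].roles.add(role)

    # Disabling by deletion state rather than by deleting rows (claim 6).
    def disable_role(self, role: str) -> None:
        self.roles[role].deleted = True

    def disable_user(self, user: str) -> None:
        self.users[user].deleted = True

    def roles_with_permission(self, permission: str) -> Set[str]:
        """Query the role set containing the permission; disabled roles are excluded."""
        return {r.name for r in self.roles.values()
                if permission in r.permissions and not r.deleted}

    def active_org_roles(self, organization: str) -> Set[str]:
        org = self.orgs[organization]
        return {r for r in org.roles if r in self.roles and not self.roles[r].deleted}

    def authorize(self, user_name: str, function: str) -> Decision:
        """Steps of claim 1: analyse, query role set, verify the organization's roles."""
        user = self.users.get(user_name)
        if user is None or user.deleted:
            return Decision(False, None, "user unknown or disabled")
        permission = analyze_function(function)
        if permission is None:          # fail closed on functions the analyser cannot map
            return Decision(False, None, f"unknown function {function!r}")
        if self.roles_with_permission(permission) & self.active_org_roles(user.organization):
            return Decision(True, permission, "organization holds a role in the role set")
        return Decision(False, permission, f"no permission: {permission}")   # claim 7 prompt

    def execute(self, user_name: str, function: str, handler: Callable[[], str]) -> str:
        """Run the function only after a positive decision; otherwise return the prompt."""
        decision = self.authorize(user_name, function)
        return handler() if decision.allowed else decision.reason

    def menu_permissions(self, user_name: str) -> Set[str]:
        """Permissions the user can currently trigger, for the main interface (claim 4)."""
        user = self.users.get(user_name)
        if user is None or user.deleted:
            return set()
        perms: Set[str] = set()
        for r in self.active_org_roles(user.organization):
            perms |= self.roles[r].permissions
        return perms


def demo_service() -> PermissionService:
    """Constructed sample data: two organizations holding different roles."""
    svc = PermissionService()
    for org in ("finance", "support"):
        svc.create_organization(org)
    svc.create_role("clerk", {"query", "submit"})
    svc.create_role("auditor", {"query", "audit"})
    svc.create_role("admin", {"create", "delete", "edit", "query"})
    svc.assign_role("finance", "auditor")
    svc.assign_role("finance", "clerk")
    svc.assign_role("support", "clerk")
    svc.create_user("alice", "finance")
    svc.create_user("bob", "support")
    return svc
```

Two design points worth noting: a function the analyser cannot map is denied rather than allowed, so a newly deployed function grants nothing until a permission is configured for it; and `roles_with_permission` and `active_org_roles` both filter on the deletion state, so flipping the column on a role or a user takes effect immediately in both the authorization decision and the menu, with no need to rewrite role assignments.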
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010736575.5A CN112101890A (en) | 2020-07-28 | 2020-07-28 | Authority control method, device, equipment and medium based on role and cloud function |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112101890A true CN112101890A (en) | 2020-12-18 |
Family
ID=73749725
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010736575.5A Pending CN112101890A (en) | 2020-07-28 | 2020-07-28 | Authority control method, device, equipment and medium based on role and cloud function |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112101890A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP4328778A1 (en) * | 2022-08-22 | 2024-02-28 | Tata Consultancy Services Limited | Method and system for privacy-preserving workflow validations in serverless clouds |
Citations (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102571821A (en) * | 2012-02-22 | 2012-07-11 | 浪潮电子信息产业股份有限公司 | Cloud security access control model |
CN106997440A (en) * | 2017-04-10 | 2017-08-01 | 中经汇通电子商务有限公司 | A kind of role access control method |
CN108712392A (en) * | 2018-04-25 | 2018-10-26 | 浙江长投云联信息科技有限公司 | A kind of cloud data managing method and cloud system |
CN109979443A (en) * | 2017-12-27 | 2019-07-05 | 深圳市优必选科技有限公司 | Authority management control method and device for robot |
CN110113369A (en) * | 2019-06-27 | 2019-08-09 | 无锡华云数据技术服务有限公司 | A kind of method for authenticating of based role permission control |
CN110750766A (en) * | 2019-10-12 | 2020-02-04 | 平安医疗健康管理股份有限公司 | Authority verification method and device, computer equipment and storage medium |
CN110928801A (en) * | 2019-12-11 | 2020-03-27 | 天津开心生活科技有限公司 | Role authority test method and device, computer medium and electronic equipment |
CN111147572A (en) * | 2019-12-24 | 2020-05-12 | 中国建设银行股份有限公司 | Cloud customer service platform management system and method |
CN111309304A (en) * | 2020-02-11 | 2020-06-19 | 北京字节跳动网络技术有限公司 | Method, device, medium and electronic equipment for generating IDL file |
CN111431843A (en) * | 2019-01-10 | 2020-07-17 | 中国科学院电子学研究所 | Access control method based on trust and attribute in cloud computing environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||