CN115689135A - Role allocation method, device, computer equipment and storage medium - Google Patents

Role allocation method, device, computer equipment and storage medium

Info

Publication number: CN115689135A
Application number: CN202110832864.XA
Authority: CN (China)
Prior art keywords: role, candidate, roles, risk, target
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Inventors: 李伯瀚, 郑磊, 徐庆, 王星汉, 陈利, 田小红, 李研, 刘雨薇, 王静
Current assignee: Petrochina Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Petrochina Co Ltd
Application filed by Petrochina Co Ltd; priority to CN202110832864.XA; published as CN115689135A

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

This application discloses a role allocation method, device, computer equipment and storage medium in the field of computer technology. The method includes: in response to a selection operation on a first candidate role in a candidate role set, adding the first candidate role to a selected role set; determining target roles in the candidate role set based on the selected role set and the risk role sets, where an object holding every role in a risk role set carries a separation-of-duties risk, and at least one risk role set is a subset of the selected role set after a target role is added to it; removing the first candidate role and the target roles from the candidate role set; and, in response to a confirmation operation on the selected role set, allocating roles based on the selected role set. With the method provided by the embodiments of this application, the allocated system roles satisfy the management requirement for separation of duties, and role allocation becomes more efficient.

Description

Role allocation method, device, computer equipment and storage medium

Technical field

The embodiments of this application relate to the field of computer technology, and in particular to a role allocation method, device, computer equipment and storage medium.

Background

Role allocation is used in information system management: a user is normally assigned designated roles according to the duties or functions of the user's position, and different roles carry different information management permissions. Separation of duties is an important principle of enterprise internal control. It requires that incompatible duties be kept apart, that positions in the enterprise be set up sensibly with clearly defined responsibilities and authority, and that a mechanism of mutual checks and balances be formed.

In the related art, a dedicated permission checking tool is normally used to check for separation-of-duties risk. When assigning system roles, an administrator has to adjust the specific roles assigned several times according to management requirements and repeatedly run the risk check to verify that the assigned system roles satisfy the management requirement for separation of duties.

Summary

The embodiments of this application provide a role allocation method, device, computer equipment and storage medium. The technical solution provided by the embodiments is as follows:

In one aspect, an embodiment of this application provides a role allocation method, which includes:

in response to a selection operation on a first candidate role in a candidate role set, adding the first candidate role to a selected role set;

determining a target role in the candidate role set based on the selected role set and the risk role sets, where an object holding every role in a risk role set carries a separation-of-duties risk, and at least one risk role set is a subset of the selected role set after the target role is added to it;

removing the first candidate role and the target role from the candidate role set;

in response to a confirmation operation on the selected role set, performing role allocation based on the selected role set.

In another aspect, an embodiment of this application provides a role allocation device, which includes:

an adding module, configured to add the first candidate role to the selected role set in response to a selection operation on the first candidate role in the candidate role set;

a first determining module, configured to determine a target role in the candidate role set based on the selected role set and the risk role sets, where an object holding every role in a risk role set carries a separation-of-duties risk, and at least one risk role set is a subset of the selected role set after the target role is added to it;

a first removing module, configured to remove the first candidate role and the target role from the candidate role set;

a role allocation module, configured to perform role allocation based on the selected role set in response to a confirmation operation on the selected role set.

In another aspect, an embodiment of this application provides a computer device comprising a processor and a memory. The memory stores at least one program, which is loaded and executed by the processor to implement the role allocation method of the above aspect.

In another aspect, an embodiment of this application provides a computer-readable storage medium storing at least one instruction, which is executed by a processor to implement the role allocation method of the above aspect.

In another aspect, an embodiment of this application provides a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. The processor of a computer device reads the computer instructions from the computer-readable storage medium and executes them, so that the computer device performs the role allocation method of the above aspect.

The beneficial effects of the technical solution provided by the embodiments of this application include at least the following:

In the embodiments of this application, when roles are allocated, a first candidate role is selected from the candidate role set and added to the selected role set; the target roles in the candidate role set are then determined from the selected role set and the risk role sets. Because combining a target role with the selected role set would create a separation-of-duties risk, removing the target roles together with the first candidate role from the candidate role set guarantees that no later selection can put the selected role set into a separation-of-duties risk. Compared with the prior approach of allocating roles first and verifying risk afterwards, this reduces the number of manual risk verifications and makes role allocation more efficient.

Brief description of the drawings

FIG. 1 is a flowchart of a role allocation method provided by an exemplary embodiment of this application;

FIG. 2 is a schematic diagram of adding a first candidate role, according to an exemplary embodiment of this application;

FIG. 3 is a flowchart of a role allocation method provided by another exemplary embodiment of this application;

FIG. 4 is a schematic diagram of the role allocation interface, according to an exemplary embodiment of this application;

FIG. 5 is a schematic diagram of generating the role sets to be checked, according to an exemplary embodiment of this application;

FIG. 6 is a flowchart of a role allocation method provided by another exemplary embodiment of this application;

FIG. 7 is a schematic diagram of determining function sets, according to an exemplary embodiment of this application;

FIG. 8 is a schematic diagram of determining risk role sets, according to an exemplary embodiment of this application;

FIG. 9 is a schematic diagram of the interface for updating the candidate role set, according to an exemplary embodiment of this application;

FIG. 10 is a schematic diagram of the interface showing prompt information, according to an exemplary embodiment of this application;

FIG. 11 is a flowchart of a role allocation method provided by another exemplary embodiment of this application;

FIG. 12 is a schematic diagram of the interface for removing a selected role, according to an exemplary embodiment of this application;

FIG. 13 is a schematic diagram of the principle of a role allocation method provided by another exemplary embodiment of this application;

FIG. 14 is a structural block diagram of a role allocation device, according to an exemplary embodiment of this application;

FIG. 15 is a structural block diagram of a computer device, according to an exemplary embodiment of this application.

Detailed description

To make the purpose, technical solution and advantages of this application clearer, the embodiments of this application are described in further detail below with reference to the accompanying drawings.

For ease of understanding, the terms used in the embodiments of this application are explained first.

Separation of duties: the mechanism by which responsibilities and authority are kept apart between an enterprise's business departments and the staff who operate them. When roles are allocated through an information management system, each user account is given usage or functional permissions according to the specific duties or business functions of the user's position, so that accounts belonging to different positions or business functions have their own corresponding operations, and related duties are never concentrated in one account at the same time, which would raise the business error rate and open the door to fraud.

In the related art, enterprise managers usually assign fixed roles according to a user's position. In a large information system, however, many business departments and users are involved, and the same position may be split across different business responsibilities, so separation-of-duties risk can arise between different user accounts. A dedicated permission checking tool is therefore needed to run a separation-of-duties risk check on accounts that have already been assigned roles. Such a tool can only check accounts that have already been assigned roles; it cannot remediate the risk. An administrator allocating roles has no guarantee that no separation-of-duties risk will appear, and if the check after allocation finds one, the roles must be reassigned until the system roles given to the account no longer carry a separation-of-duties risk. Role allocation is therefore inefficient.

With the solution provided by the embodiments of this application, an administrator allocating roles does not need to verify the created objects manually and repeatedly with a risk checking tool. Instead, while the administrator picks specific system roles in the role allocation system, the system automatically filters out the system roles that would create a separation-of-duties risk, so that every system role still offered in the candidate role set satisfies the management requirement for separation of duties. Role allocation is therefore more efficient.

FIG. 1 is a flowchart of a role allocation method provided by an exemplary embodiment of this application. The method includes:

Step 101: in response to a selection operation on a first candidate role in the candidate role set, add the first candidate role to the selected role set.

When a user account needs to be given operating permissions, the candidate set in the role allocation system is obtained first; it contains the first candidate roles available for the administrator to choose. The administrator selects a first candidate role from the candidate role set according to the duties of the user's position or the business functions the user has to perform. When a selection operation on a first candidate role in the candidate set is received, the corresponding first candidate role is added to the selected role set. The selected role set is the set of roles already selected; its contents and those of the candidate role set are different.

Schematically, as shown in FIG. 2, the candidate role set 210 displays the first candidate roles 211 available to the administrator, and the selected role set 220 displays the selected roles 221. After a first candidate role 211 is chosen from the candidate role set 210, it is added to the selected role set 220.

Step 102: based on the selected role set and the risk role sets, determine the target roles in the candidate role set, where an object holding every role in a risk role set carries a separation-of-duties risk, and at least one risk role set is a subset of the selected role set after the target role is added to it.

When the first candidate role is added to the selected role set, the role allocation system also obtains the risk role sets. These are all the role sets, output by the risk check, that can give rise to a separation-of-duties risk. When the role allocation system contains many system roles there can be several risk role sets; each consists of at least one system role, and holding all the system roles of a risk role set together constitutes a separation-of-duties risk.

Because allocating roles first and verifying risk afterwards requires the verification to be repeated many times and is inefficient, the target roles are instead determined from the candidate role set, using the selected role set and the risk role sets, as soon as the first candidate role has been added to the selected role set. The combination of a target role with the selected role set contains at least one risk role set; in other words, adding the target role to the selected role set would create a separation-of-duties risk, so the target role must be excluded from later selection.

Step 103: remove the first candidate role and the target roles from the candidate role set.

Since adding a target role to the selected role set would create a separation-of-duties risk, the target roles are removed from the candidate role set once they have been determined. In addition, because the first candidate role has already been added to the selected role set, it is removed from the candidate role set at the same time to avoid a repeated selection later.

Step 104: in response to a confirmation operation on the selected role set, perform role allocation based on the selected role set.

If the roles in the selected role set do not yet provide the required business function or operating permissions, further roles are added to the selected role set until they do. After a confirmation operation on the selected role set is received, role allocation is performed based on the selected role set. The user account that receives the allocation can only perform the business functions defined by the selected role set, so no operation beyond the account's authority is possible, and the system roles assigned to the account comply with the separation-of-duties principle.

In summary, in the embodiments of this application, a first candidate role is selected from the candidate set and added to the selected role set; the target roles in the candidate role set are then determined from the selected role set and the risk role sets. Because combining a target role with the selected role set would create a separation-of-duties risk, removing the target roles together with the first candidate role from the candidate role set guarantees that later selections cannot put the selected role set into a separation-of-duties risk. Compared with the prior approach of allocating roles first and verifying risk afterwards, this reduces the number of manual risk verifications and makes role allocation more efficient.
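As an added illustration of steps 101 to 104 (example code written for this page, not code from the patent or from Petrochina), the following Python implements the candidate-set filtering. The role names role01 to role07 follow FIG. 5; the three risk role sets, the class and function names are assumptions made for the example.

```python
"""Separation-of-duties (SoD) pre-filtering during role assignment.

Added illustration of steps 101-104 of CN115689135A; not the patent's code.
Role names and the risk role sets below are constructed for the example.
"""
from __future__ import annotations

from typing import FrozenSet, Iterable, List, Set

Role = str
RoleSet = FrozenSet[Role]

# Constructed example data: the seven system roles of FIG. 5 and three
# assumed risk role sets (an account holding *all* roles of one set
# violates separation of duties).  Not taken from the patent.
ROLES: RoleSet = frozenset(f"role{n:02d}" for n in range(1, 8))
RISK_SETS: List[RoleSet] = [
    frozenset({"role01", "role02", "role05"}),
    frozenset({"role04", "role06"}),
    frozenset({"role03", "role07"}),
]


def find_target_roles(selected: Set[Role], candidates: Iterable[Role],
                      risk_sets: Iterable[RoleSet]) -> Set[Role]:
    """Return the candidates whose addition would complete a risk role set.

    Step 102: a candidate c is a target role when some risk role set R is a
    subset of selected | {c}.  selected | {c} is the "role set to be checked"
    of step 303; the subset test is the comparison of step 304A.
    """
    risk_sets = list(risk_sets)
    targets: Set[Role] = set()
    for c in candidates:
        pending = set(selected) | {c}
        if any(r <= pending for r in risk_sets):
            targets.add(c)
    return targets


class RoleAssigner:
    """Interactive assignment state: selected set plus filtered candidate set."""

    def __init__(self, all_roles: Iterable[Role], risk_sets: Iterable[RoleSet]):
        self.all_roles: RoleSet = frozenset(all_roles)
        # An empty risk set would be a subset of everything and block every
        # role, so it is dropped as malformed input.
        self.risk_sets: List[RoleSet] = [frozenset(r) for r in risk_sets if r]
        self.selected: Set[Role] = set()
        self.candidates: Set[Role] = set()
        self._refresh_candidates()

    def _refresh_candidates(self) -> None:
        """Recompute the candidate set from scratch: every unselected role
        that is not a target role.  Recomputing instead of only shrinking
        keeps the state right when a role is deselected again (FIG. 12)."""
        remaining = self.all_roles - self.selected
        targets = find_target_roles(self.selected, remaining, self.risk_sets)
        self.candidates = set(remaining - targets)

    def select(self, role: Role) -> Set[Role]:
        """Steps 101-103: add a candidate, then drop it and the new target
        roles from the candidate set.  Returns the updated candidate set."""
        if role not in self.candidates:
            raise ValueError(f"{role!r} is not an available candidate role")
        self.selected.add(role)
        self._refresh_candidates()
        return set(self.candidates)

    def deselect(self, role: Role) -> Set[Role]:
        """Remove a selected role and restore whatever becomes safe again."""
        self.selected.discard(role)
        self._refresh_candidates()
        return set(self.candidates)

    def confirm(self) -> RoleSet:
        """Step 104: final re-check before the assignment is committed.  The
        filter above should make this impossible to fail; it stays so that a
        risk list edited after the last refresh is still caught here."""
        violated = [r for r in self.risk_sets if r <= self.selected]
        if violated:
            raise ValueError(f"separation-of-duties violation: {violated}")
        return frozenset(self.selected)


if __name__ == "__main__":
    a = RoleAssigner(ROLES, RISK_SETS)
    for r in ("role04", "role01", "role02", "role03"):
        print(f"select {r}: candidates left = {sorted(a.select(r))}")
    print("assigned:", sorted(a.confirm()))
```

Because the candidate set is recomputed from the full role set after every change rather than only shrunk, the same code handles removing a selected role again (FIG. 12) without a separate restore path. confirm() repeats the subset test on the final selected set; the filter should make that check redundant, but it is the last line of defence if the risk role set list changed after the candidate set was last refreshed, so keep it in front of the commit.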

FIG. 3 is a flowchart of a role allocation method provided by another exemplary embodiment of this application. The method includes the following steps:

Step 301: display a role allocation interface showing the candidate role set, the selected role set and a role selection control; the role selection control is used to add a first candidate role from the candidate role set to the selected role set.

When an administrator needs to allocate roles to a user account, the administrator logs in to the role allocation system, which displays the role allocation interface. The interface shows the candidate role set, the selected role set and a role selection control. The selected role set shows the roles the administrator has already added; the candidate role set shows the first candidate roles that can still be chosen; and the role selection control adds a chosen first candidate role to the selected role set.

Schematically, as shown in FIG. 4, the candidate role set 410 in the role allocation interface shows a first candidate role 411, with its role selection control 412 displayed at its upper right corner; the administrator ticks the control 412 to select the corresponding first candidate role 411. The interface also shows a role allocation control 430, which displays the user account to which roles are being allocated, and a permission check control 440, which can query the system roles already assigned to a user account and makes it easy to reassign system roles when the business changes.

Step 302: in response to a trigger operation on the role selection control corresponding to a first candidate role in the candidate role set, add the first candidate role to the selected role set.

In the candidate role set 410 of FIG. 4, when the administrator ticks the role selection control 412 of a first candidate role 411, that first candidate role 411 is added to the selected role set 420. Every selected role in the selected role set 420 was added from the candidate role set 410.

In another possible implementation, the selected roles and the first candidate roles are displayed as plain lists, but when the candidate set is too large to display in full, a drop-down list or a search can be used instead: for example, a search box in the candidate role set displays the first candidate roles matching the entered search text, and a trigger operation then adds the chosen first candidate role to the selected role set.

Note that when the first candidate role the administrator adds is the first role added at all, the candidate role set contains all system roles. When it is not the first, the candidate role set contains only those first candidate roles that can be combined with the selected role set without the combined selected role set incurring a separation-of-duties risk.

Step 303: combine each second candidate role in the candidate role set with the selected role set to obtain a role set to be checked, where the second candidate roles are the candidate roles other than the first candidate role.

After the first candidate role has been added to the selected role set, the second candidate roles (the candidate roles other than the first candidate role) have to be verified. Each second candidate role is combined with the selected role set to obtain a role set to be checked; when there are many second candidate roles, each one is combined separately with the selected role set, giving several role sets to be checked, which are stored as a list. A role set to be checked is a set that requires separation-of-duties risk verification.

Schematically, as shown in FIG. 5, suppose for ease of description that the full set of system roles is role 01 to role 07 and that role 04 is the first candidate role 511 added to the selected role set 510. The second candidate roles 521 in the candidate role set 520 are the other six system roles. Each second candidate role 521 is combined with the selected role set 510 to form the list 530 of role sets to be checked, which contains the six combined role sets to be checked 531.

Step 304: perform risk verification on the role sets to be checked against the risk role sets, and determine the target roles in the candidate role set; the combination of a target role with the selected role set carries a separation-of-duties risk.

After the selected role set has been combined with the second candidate roles to generate the role sets to be checked, each of these sets is risk-verified. Unlike the previous approach, in which all required system roles are chosen first and role allocation and the risk check are performed afterwards, the risk verification against the risk role sets runs automatically as soon as a first candidate role is added to the selected role set, and it screens out the target roles in the candidate role set, i.e. the roles whose combination with the selected role set carries a separation-of-duties risk; put differently, a role set to be checked that contains a target role carries a separation-of-duties risk. The risk role sets are obtained by combining all system roles according to the separation-of-duties principle; they are the role sets that must not be selected during role allocation. As shown in FIG. 6, obtaining the risk role sets and determining the target roles involves the following steps.

步骤304A,获取风险角色集合,并将待检角色集合与风险角色集合进行比较。Step 304A, obtain a set of risk roles, and compare the set of roles to be checked with the set of risk roles.

在获得待检角色集合后,还需要获取风险角色集合,风险角色集合可以在进行角色分配前,通过风险检查获得所有可能存在的风险角色集合。After obtaining the set of roles to be checked, it is also necessary to obtain the set of risk roles, which can obtain all possible risk role sets through risk inspection before performing role assignment.

Schematically, as shown in Figure 4, the role assignment interface displays a risk check control 450. When the administrator clicks the risk check control 450, the role assignment system obtains the complete set of system roles and, according to the separation-of-duties principle, determines every risk role set, that is, every combination of roles that would violate separation of duties. The risk role sets are obtained as follows:

1. Obtain the system roles in the role assignment system and generate function sets according to business functions or business permissions; the system roles contained in a function set are the ones used to realize the corresponding business function or business permission.

When a risk check is performed, the role assignment system first obtains the complete set of system roles, which contains every system role. Because system roles are the most basic building block of role assignment, each system role carries a specific functional permission. When system roles are combined, function sets must therefore be built around concrete functions, so that no invalid set is formed, that is, a set that realizes no concrete function at all.

Schematically, as shown in Figure 7, role 01 and role 02 represent browse and edit permissions on tables, and role 03 and role 04 represent browse and edit permissions on videos. When function sets are formed, role 01 and role 02 make up the first function set 701, used to browse and edit tables, and role 03 and role 04 make up the second function set 702, used to browse and edit videos. Combining role 01 with role 03 enables no operation on either tables or videos and is therefore an invalid combination; for the same reason, role 02 with role 04 is also an invalid combination.

Grouping roles into function sets by concrete business function reduces the number of role sets, which lowers the amount of computation during a risk check and also improves the accuracy of the check.

2. According to the separation-of-duties principle, determine the risk role sets, that is, the combinations of function sets that constitute a separation-of-duties risk.

As described above, different function sets realize different business functions. For business functions whose duties are related, however, failing to separate them increases the business error rate and the opportunity for fraud.

Schematically, as shown in Figure 8, the third function set 801 represents the business function of creating bills and the fourth function set 802 represents the business function of remitting payment for bills. Although the two are mutually incompatible as duties, they are related in business operation, so the combination of the third function set 801 and the fourth function set 802 constitutes a risk role set 810. During role assignment, if a single user account is assigned role 11 through role 14 at the same time, that account can both create bills and remit payment for them; authority is concentrated in one place, which violates the separation-of-duties principle.

A risk check is performed on all function sets according to the separation-of-duties principle: each risk role set is determined from at least two related function sets, until every risk role set that would produce a separation-of-duties risk has been obtained, and the results are stored in a risk role set list. The administrator can retrieve the risk role set list to view all risk role sets and their risk types.
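One way to carry out the two steps above in code, as an added example that is not part of the patent. The role names follow Figures 7 and 8; which two of role 11 to role 14 belong to set 801 and which to set 802 is not stated on the page and is assumed here, and the risk type label and the names of the business functions are likewise hypothetical. The example also adds the check, not described on the page, that a separation-of-duties rule naming an unknown function is an error rather than something to skip, and a pruning step that removes risk role sets that are strict supersets of another, since the later subset test would fire on the smaller set anyway.

```python
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Step one: function sets, each the set of system roles that realize one
# business function.  Constructed from Figures 7 and 8; the split of roles
# 11-14 between sets 801 and 802 is an assumption.
FUNCTION_SETS: Dict[str, FrozenSet[str]] = {
    "browse_edit_tables": frozenset({"role01", "role02"}),  # set 701
    "browse_edit_videos": frozenset({"role03", "role04"}),  # set 702
    "create_bill":        frozenset({"role11", "role12"}),  # set 801 (assumed)
    "remit_bill":         frozenset({"role13", "role14"}),  # set 802 (assumed)
}

# Step two: the separation-of-duties rule book as (function, function, risk type).
# The risk type label is a hypothetical name for the administrator's list view.
SOD_RULES: List[Tuple[str, str, str]] = [
    ("create_bill", "remit_bill", "bill creation and remittance"),
]


def is_valid_combination(roles: Iterable[str],
                         function_sets: Dict[str, FrozenSet[str]]) -> bool:
    """A role combination is valid only if it contains at least one complete
    function set.  Role 01 + role 03 from Figure 7 realizes neither the table
    nor the video function, so it is rejected."""
    held = frozenset(roles)
    return any(fs <= held for fs in function_sets.values())


def build_risk_role_sets(function_sets: Dict[str, FrozenSet[str]],
                         rules: Iterable[Tuple[str, str, str]]) -> Dict[FrozenSet[str], str]:
    """Map each risk role set (union of two incompatible function sets) to its
    risk type.  A rule that names an unknown function is a configuration error:
    silently dropping it would leave that conflict unchecked."""
    risk_sets: Dict[FrozenSet[str], str] = {}
    for fn_a, fn_b, risk_type in rules:
        for fn in (fn_a, fn_b):
            if fn not in function_sets:
                raise KeyError(f"SoD rule refers to unknown function {fn!r}")
        if fn_a == fn_b:
            raise ValueError(f"SoD rule pairs {fn_a!r} with itself")
        risk_sets[function_sets[fn_a] | function_sets[fn_b]] = risk_type
    return risk_sets


def prune_redundant(risk_sets: Iterable[FrozenSet[str]]) -> List[FrozenSet[str]]:
    """Drop duplicates and any risk role set that is a strict superset of another.
    The subset test used later (risk set <= roles to be checked) already fires
    on the smaller set whenever it would fire on the larger one, so the larger
    set only adds comparisons."""
    unique = list(dict.fromkeys(risk_sets))  # dedupe, keep order
    return [s for s in unique if not any(other < s for other in unique)]
```

`build_risk_role_sets` returns the risk role set list the administrator views, keyed by the role set so that the same union produced by two rules is stored once; `prune_redundant` is the reduction in the number of sets to compare that the text mentions.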

Step 304B, in response to the existence of a risk role set that is a subset of the role set to be checked, determine the second candidate role in that role set to be checked as a target role.

After the risk role sets have been obtained, each risk role set in the risk role set list is compared with each combined role set to be checked. When some risk role set in the list is a subset of a role set to be checked, the second candidate role that formed that role set to be checked is determined as a target role.

Schematically, as shown in Figure 5, the risk role set list 540 contains four risk role sets 541. Each risk role set 541 is compared with each role set to be checked 531 in the to-be-checked set list 530, and two role sets to be checked 531 are finally found to have the same content as a risk role set 541: the role set to be checked consisting of role 04 and role 05, and the one consisting of role 04 and role 07, both carry a separation-of-duties risk. Role 05 and role 07 are therefore the target roles.

Note that when a risk role set is found to be a subset of a role set to be checked, the target role that would produce a separation-of-duties risk is determined; when no risk role set is a subset of any role set to be checked, the candidate role set contains no target role that meets the separation-of-duties risk condition. Step 304A may therefore also be followed by step 304C.

Step 304C, in response to no risk role set being a subset of the role set to be checked, remove the first candidate role from the candidate role set.

When none of the risk role sets in the risk role set list is a subset of a role set to be checked, the role set to be checked formed by a second candidate role and the selected role set does not constitute a separation-of-duties risk, that is, there is no target role. In that case it suffices to remove the first candidate role from the candidate role set.

Step 305, remove the first candidate role and the target roles from the candidate role set.

After the target roles have been determined among the second candidate roles, the target roles and the first candidate role must be removed from the candidate role set.

Schematically, as shown in Figure 9, after the target roles have been determined, the candidate role set 910 is updated once: the first candidate role and the target roles are removed from the selectable roles, and the remaining selectable roles are displayed in the candidate role set 910.

If, during step 304, every second candidate role in the candidate role set is determined to be a target role, the candidate role set is empty once the first candidate role and the target roles have been removed. In that case prompt information can be displayed in the candidate role set area, indicating that the candidate role set contains no selectable role that satisfies a business function or business permission.

Schematically, as shown in Figure 10, role 02, role 04 and role 06 have been added to the selected role set 1010. The candidate role set 1020 is now empty, and prompt information 1021 such as "No more roles can be selected!" is displayed, indicating that no selectable role satisfying a business function or business permission remains in the candidate role set 1020.

In one possible implementation, once a target role has been determined it can be moved into a non-selectable role set, through which the administrator can view the roles to be checked that constitute a separation-of-duties risk together with the corresponding risk type.

Step 306, in response to a confirmation operation on the selected role set, perform role assignment based on the selected role set.

Receipt of a confirmation operation on the selected roles indicates that the selected roles in the selected role set realize the required business function, so role assignment can be performed on the basis of the selected role set.

As shown in Figure 4, once the selected roles added to the selected role set 420 realize the required business function, clicking the role confirmation control 431 assigns the roles to the designated user account.

In this embodiment of the application, when roles need to be assigned to a user account, the selected first candidate role is added to the selected role set, and each second candidate role in the candidate role set is combined with the selected role set to obtain a role set to be checked; the risk role sets are then compared with the role sets to be checked to determine the target roles that would produce a separation-of-duties risk.

Because combining a target role with the selected role set would produce a separation-of-duties risk, removing the target roles and the first candidate role from the candidate role set allows selection from the candidate role set to continue without producing such a risk, and once a confirmation operation on the role assignment is received, roles are assigned on the basis of the selected role set. Compared with the previous approach of assigning roles first and verifying risk afterwards, this scheme does not require role assignment to be repeated, so role assignment is more efficient.

In the embodiment above, once the user selects a first candidate role it is added directly to the selected role set and the candidate role set is updated once. In practice, however, a mis-operation may occur, in which case the corresponding selected role must be deleted from the selected role set and a new selection made from the candidate role set. A role deletion control can therefore be provided in the selected role set for deleting a specified selected role and updating the candidate role set. As shown in Figure 11, step 305 may be followed by the following steps:

Step 307, receive a selection operation on the role deletion control and remove the selected role in question from the selected role set.

To make removing a selected role from the selected role set convenient, a role deletion control can be attached to each selected role. When many roles have been added to the selected role set, a specified role can then be removed selectively, without clearing the whole selected role set and selecting again, which further improves the efficiency of role assignment.

As shown in Figure 12, role 04 in the selected role set 1210 carries a role deletion control 1211. When the administrator needs to delete role 04, clicking the corresponding role deletion control 1211 removes role 04 from the selected role set 1210.

Step 308, add the removed selected role back to the candidate role set, and update the candidate role set based on the selected role set with that role removed and on the risk role sets.

After a selected role is removed, it is added back to the candidate role set. In addition, because adding that role to the selected role set also removed the corresponding target roles from the candidate role set, those target roles must be added back to the candidate role set at the same time. Which target roles these are can be determined, and the candidate role set updated accordingly, from the selected role set with the role removed together with the risk role sets.

In addition, as noted in step 305, once the target roles have been determined the first candidate role and the target roles are removed from the candidate role set. To make the removed target roles easy to identify in this step, a target role set can be maintained during step 305: the removed candidate roles are moved into the target role set, and each target role is stored in association with the first candidate role that was added to the selected role set. When a selected role is removed, the corresponding target roles are taken directly from the target role set and added back to the candidate role set.

As shown in Figure 12, after role 04 is removed from the selected role set 1210, role 04 is added back to the candidate role set 1220, and the target roles that had been removed are added back to the candidate role set 1220 at the same time.

Step 309, in response to a confirmation operation on the selected role set, perform role assignment based on the selected role set.

This step is implemented as described in step 306 and is not repeated here.

In this implementation example of the application, providing a role deletion control on each selected role allows a specified selected role in the selected role set to be moved back into the candidate role set, and maintaining a target role set allows the removed target roles to be moved back into the candidate role set promptly. Compared with clearing the selected role set after a mis-operation, this further improves the efficiency of role assignment.

The role assignment process of the embodiments above is described below with a concrete case. Figure 13 is a schematic diagram of the role assignment method provided by an exemplary embodiment of the application.

In the first stage, role 04 is added to the selected role set. The risk role set consisting of role 04 and role 05 and the risk role set consisting of role 04 and role 07 are then found to be subsets of two role sets to be checked in the to-be-checked set list, so role 05 and role 07 are determined as target roles and removed from the candidate role set. The updated candidate role set shows role 01, role 02, role 03 and role 06.

In the second stage, role 06 is added to the selected role set. No risk role set in the risk role set list is a subset of any role set to be checked, so there is no target role and it suffices to remove role 06 from the candidate role set.

In the third stage, role 02 is added to the selected role set. As in the second stage, it suffices to remove role 02 from the candidate role set, which then contains role 01 and role 03. If the selected role set already realizes the required business function, roles can be assigned to the user account; otherwise the fourth stage proceeds.

In the fourth stage, role 01 is added to the selected role set. Because the risk role set consisting of role 01, role 02 and role 03 in the risk role set list is a subset of the role set to be checked, role 03 is determined as a target role and removed from the candidate role set. After role 03 and role 01 are removed, the candidate role set is empty and prompt information is displayed on the role assignment interface. If the selected role set now realizes the required business function, roles can be assigned to the user account.
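The four stages above, replayed by an added example of the selection procedure (steps 304 to 309, including the deletion and update of steps 307 and 308); this is not the patent's code. Role names and the three risk role sets are taken from the Figure 13 description; the page's risk role set list holds a fourth set whose members it does not give, so it is left out. The example keeps only the selected role set as state and derives the candidate set and the non-selectable (target) set from it on every call, so undo needs no record of which target each pick removed. The rejection of a non-selectable role in `select()` and the final guard in `confirm()` are added server-side checks that the page does not describe: the interface hides target roles, but a client that bypasses the interface must not be able to complete a risk role set.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

Role = str
RoleSet = FrozenSet[Role]

# Constructed from the Figure 13 description.  The page's list holds a fourth
# risk role set whose members are not given, so only these three are modelled.
ALL_ROLES: RoleSet = frozenset(f"role{n:02d}" for n in range(1, 8))
RISK_ROLE_SETS: Tuple[RoleSet, ...] = (
    frozenset({"role04", "role05"}),
    frozenset({"role04", "role07"}),
    frozenset({"role01", "role02", "role03"}),
)


def completed_risk_set(selected: Iterable[Role], role: Role,
                       risk_sets: Iterable[RoleSet]) -> Optional[RoleSet]:
    """Step 304B test: the role set to be checked is selected ∪ {role};
    return the first risk role set contained in it, or None."""
    to_check = frozenset(selected) | {role}
    for risk in risk_sets:
        if risk <= to_check:
            return risk
    return None


class RoleSelection:
    """One assignment session.  The selected set is the only state; candidates
    and targets are recomputed from it, which makes step 308 automatic."""

    def __init__(self, all_roles: Iterable[Role], risk_sets: Iterable[Iterable[Role]]):
        self.all_roles: RoleSet = frozenset(all_roles)
        self.risk_sets: Tuple[RoleSet, ...] = tuple(frozenset(r) for r in risk_sets)
        self.selected: Set[Role] = set()

    def targets(self) -> Dict[Role, RoleSet]:
        """Non-selectable roles, each mapped to the risk role set it would
        complete: the view the text describes for the non-selectable role set."""
        found: Dict[Role, RoleSet] = {}
        for role in sorted(self.all_roles - self.selected):
            risk = completed_risk_set(self.selected, role, self.risk_sets)
            if risk is not None:
                found[role] = risk
        return found

    def candidates(self) -> RoleSet:
        """Roles still offered: everything neither selected nor a target."""
        return self.all_roles - self.selected - frozenset(self.targets())

    def select(self, role: Role) -> None:
        # Added check, not from the page: enforce the rule server side too.
        if role not in self.candidates():
            raise ValueError(f"{role} is not selectable")
        self.selected.add(role)

    def deselect(self, role: Role) -> None:
        # Steps 307/308: shrinking the selected set brings back the targets
        # that only this role had blocked, via candidates().
        if role not in self.selected:
            raise ValueError(f"{role} is not selected")
        self.selected.remove(role)

    def confirm(self) -> RoleSet:
        # Steps 306/309: final guard before assignment.  Never fires when
        # select() was used, but protects against a tampered client state.
        for risk in self.risk_sets:
            if risk <= self.selected:
                raise ValueError(f"assignment completes risk role set {sorted(risk)}")
        return frozenset(self.selected)


def replay_figure_13() -> List[Tuple[Role, RoleSet]]:
    """Stages one to four: add 04, 06, 02, 01; candidate set after each."""
    session = RoleSelection(ALL_ROLES, RISK_ROLE_SETS)
    trace: List[Tuple[Role, RoleSet]] = []
    for role in ("role04", "role06", "role02", "role01"):
        session.select(role)
        trace.append((role, session.candidates()))
    return trace


if __name__ == "__main__":
    for role, remaining in replay_figure_13():
        print(f"after {role}: candidates = {sorted(remaining) or 'none (prompt shown)'}")
```

Running the block prints the candidate set after each stage, ending with the empty set that triggers the prompt of Figure 10. The page's approach of storing each target role together with the first candidate role that caused it (step 305) is an optimisation of the same recomputation; with a few hundred roles and risk sets, recomputing from the selected set is cheap and has no state to get out of sync.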

Figure 14 is a structural block diagram of a role assignment apparatus provided by an embodiment of the application.

The apparatus includes:

an adding module 1401, configured to add a first candidate role in a candidate role set to a selected role set in response to a selection operation on that first candidate role;

a first determining module 1402, configured to determine target roles in the candidate role set based on the selected role set and risk role sets, where an object that simultaneously holds every role in a risk role set has a separation-of-duties risk, and at least one risk role set is a subset of the selected role set once a target role is added;

a first removing module 1403, configured to remove the first candidate role and the target roles from the candidate role set;

a role assignment module 1404, configured to perform role assignment based on the selected role set in response to a confirmation operation on the selected role set.

Optionally, the first determining module 1402 includes:

a first obtaining unit, configured to combine a second candidate role in the candidate role set with the selected role set to obtain a role set to be checked, the second candidate role being different from the first candidate role;

a determining unit, configured to perform risk verification on the role set to be checked based on the risk role sets and determine the target roles in the candidate role set, where the combination of a target role and the selected role set has a separation-of-duties risk.

Optionally, the determining unit is configured to:

obtain the risk role sets and compare the role set to be checked with the risk role sets;

in response to the existence of a risk role set that is a subset of the role set to be checked, determine the second candidate role in that role set to be checked as a target role.

Optionally, the apparatus further includes:

a second removing module, configured to remove the first candidate role from the candidate role set in response to no risk role set being a subset of the role set to be checked.

Optionally, the apparatus further includes:

a second obtaining module, configured to obtain the system roles in the role assignment system and generate function sets according to business functions or business permissions, the system roles contained in a function set being used to realize the corresponding business function or business permission;

a second determining module, configured to determine, according to the separation-of-duties principle, the risk role sets formed by function sets that constitute a separation-of-duties risk.

Optionally, the apparatus further includes:

a display module, configured to display a role assignment interface on which the candidate role set, the selected role set and a role selection control are displayed, the role selection control being used to add the first candidate role in the candidate role set to the selected role set;

The adding module 1401 includes:

an adding unit, configured to add the first candidate role to the selected role set in response to a trigger operation on the role selection control corresponding to the first candidate role in the candidate role set.

Optionally, the apparatus further includes:

a prompt module, configured to display prompt information in response to the candidate role set being empty, the prompt information indicating that the candidate role set contains no selectable role that satisfies a business function or business permission.

The role assignment interface displays a role deletion control for deleting a selected role from the selected role set;

The apparatus further includes:

a deletion module, configured to receive a selection operation on the role deletion control and remove the selected role in question from the selected role set;

an update module, configured to add the removed selected role back to the candidate role set and update the candidate role set based on the selected role set with that role removed and on the risk role sets.

In this embodiment of the application, when roles need to be assigned to a user account, the selected first candidate role is added to the selected role set, and each second candidate role in the candidate role set is combined with the selected role set to obtain a role set to be checked; the risk role sets are then compared with the role sets to be checked to determine the target roles that would produce a separation-of-duties risk.

Because combining a target role with the selected role set would produce a separation-of-duties risk, removing the target roles and the first candidate role from the candidate role set allows selection from the candidate role set to continue without producing such a risk, and once a confirmation operation on the role assignment is received, roles are assigned on the basis of the selected role set. Compared with the previous approach of assigning roles first and verifying risk afterwards, this scheme does not require role assignment to be repeated, so role assignment is more efficient.

Figure 15 is a schematic structural diagram of a computer device provided by an exemplary embodiment of the application. Specifically, the computer device includes a central processing unit (CPU) 1501, a system memory 1504 including a random access memory 1502 and a read-only memory 1503, and a system bus 1505 connecting the system memory 1504 to the central processing unit 1501. The computer device 1500 further includes a basic input/output system (I/O system) 1506, which helps transfer information between the components inside the computer, and a mass storage device 1507 for storing an operating system 1513, application programs 1514 and other program modules 1515.

The basic input/output system 1506 includes a display 1508 for displaying information and an input device 1509, such as a mouse or keyboard, through which the user enters information. The display 1508 and the input device 1509 are both connected to the central processing unit 1501 through an input/output controller 1510 that is connected to the system bus 1505. The basic input/output system 1506 may further include the input/output controller 1510 for receiving and processing input from a number of other devices such as a keyboard, mouse or electronic stylus. Similarly, the input/output controller 1510 also provides output to a display screen, printer or other type of output device.

The mass storage device 1507 is connected to the central processing unit 1501 through a mass storage controller (not shown) connected to the system bus 1505. The mass storage device 1507 and its associated computer-readable media provide non-volatile storage for the computer device 1500. That is, the mass storage device 1507 may include a computer-readable medium (not shown) such as a hard disk or a drive.

Without loss of generality, computer-readable media may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include random access memory (RAM), read-only memory (ROM), flash memory or other solid-state storage technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Those skilled in the art will of course appreciate that computer storage media are not limited to these. The system memory 1504 and the mass storage device 1507 above may be referred to collectively as memory.

The memory stores one or more programs configured to be executed by one or more central processing units 1501; the one or more programs contain instructions for implementing the method above, and the central processing unit 1501 executes them to implement the methods provided by the method embodiments above.

According to various embodiments of the application, the computer device 1500 may also run by connecting to a remote computer over a network such as the Internet. That is, the computer device 1500 may connect to a network 1512 through a network interface unit 1511 connected to the system bus 1505, or the network interface unit 1511 may be used to connect to other types of networks or remote computer systems (not shown).

The memory further includes one or more programs, stored in the memory, which contain the steps performed by the computer device in the methods provided by the embodiments of the application.

Those skilled in the art will also understand that the structure of the electronic device shown in the drawings above does not limit the electronic device; it may include more or fewer components than shown, combine certain components, or arrange the components differently. For example, the electronic device may also include a radio frequency circuit, an input unit, sensors, a server, a power supply and other components, which are not described further here.

The application provides a computer-readable storage medium storing at least one instruction, which is loaded and executed by a processor to implement the role assignment method provided by the method embodiments above.

The application also provides a computer program product or computer program comprising computer instructions stored in a computer-readable storage medium. A processor of a terminal reads the computer instructions from the computer-readable storage medium and executes them, causing the terminal to perform the role assignment method of any of the embodiments above.

The serial numbers of the embodiments above are for description only and do not indicate the relative merit of the embodiments.

Those of ordinary skill in the art will understand that all or part of the steps of the embodiments above may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.

The above are merely optional embodiments of the application and are not intended to limit it. Any modification, equivalent replacement or improvement made within the spirit and principles of the application shall fall within its scope of protection.

Claims (10)

1. A method for assigning roles, the method comprising:
in response to a selection operation on a first candidate role in a candidate role set, adding the first candidate role to a selected role set;
determining a target role in the candidate role set based on the selected role set and risk role sets, wherein an object that simultaneously holds all roles in a risk role set has a role separation (separation-of-duties) risk, and at least one risk role set is a subset of the selected role set after the target role is added;
removing the first candidate role and the target role from the candidate role set;
and in response to a confirmation operation on the selected role set, performing role assignment based on the selected role set.
2. The method of claim 1, wherein determining the target role in the candidate role set based on the selected role set and the risk role sets comprises:
combining a second candidate role in the candidate role set with the selected role set to obtain a role set to be checked, wherein the second candidate role is different from the first candidate role;
and performing risk verification on the role set to be checked based on the risk role sets, and determining the target role in the candidate role set, wherein the combination of the target role and the selected role set has a role separation risk.
3. The method of claim 2, wherein performing risk verification on the role set to be checked based on the risk role sets, and determining the target role in the candidate role set, comprises:
acquiring the risk role sets, and comparing the role set to be checked with the risk role sets;
in response to there being a risk role set that is a subset of the role set to be checked, determining the second candidate role in the role set to be checked as the target role.
4. The method of claim 3, wherein after comparing the role set to be checked with the risk role sets, the method further comprises:
in response to there being no risk role set that is a subset of the role set to be checked, removing the first candidate role from the candidate role set.
5. The method of any one of claims 1 to 4, further comprising:
acquiring system roles in a role assignment system, and generating function sets according to business functions or business permissions, wherein the system roles contained in a function set are used for realizing the corresponding business function or business permission;
and determining, according to a role separation principle, the risk role sets as those function sets that form a role separation risk.
6. The method of any one of claims 1 to 4, wherein before adding the first candidate role to the selected role set, the method further comprises:
displaying a role assignment interface, wherein the candidate role set, the selected role set and a role selection control are displayed in the role assignment interface, and the role selection control is used for adding the first candidate role in the candidate role set to the selected role set;
adding the first candidate role to the selected role set in response to the selection operation on the first candidate role in the candidate role set comprises:
in response to a trigger operation on the role selection control corresponding to the first candidate role in the candidate role set, adding the first candidate role to the selected role set;
after removing the first candidate role and the target role from the candidate role set, the method further comprises:
and in response to the candidate role set being an empty set, displaying prompt information indicating that no selectable role satisfying the business function or business permission remains in the candidate role set.
7. The method of claim 6, wherein the role assignment interface further displays a role deletion control for deleting a selected role in the selected role set;
the method further comprises:
receiving a selection operation on the role deletion control, and removing the selected role from the selected role set;
re-adding the removed selected role to the candidate role set, and updating the candidate role set based on the selected role set after removal of the selected role and on the risk role sets.
8. A role assignment apparatus, the apparatus comprising:
an adding module, configured to add a first candidate role to a selected role set in response to a selection operation on the first candidate role in a candidate role set;
a first determining module, configured to determine a target role in the candidate role set based on the selected role set and risk role sets, wherein an object that simultaneously holds all roles in a risk role set has a role separation risk, and at least one risk role set is a subset of the selected role set after the target role is added;
a first removal module, configured to remove the first candidate role and the target role from the candidate role set;
and a role assignment module, configured to perform role assignment based on the selected role set in response to a confirmation operation on the selected role set.
9. A computer device, characterized in that the computer device comprises a processor and a memory, the memory storing at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by the processor to implement the role assignment method according to any one of claims 1 to 7.
10. A computer-readable storage medium having stored therein at least one instruction, at least one program, a set of codes, or a set of instructions, which is loaded and executed by a processor to implement the role assignment method according to any one of claims 1 to 7.
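The candidate pruning of claims 1 to 4 and the deselection update of claim 7, as an added worked example that is not part of the patent. The role names and risk role sets are constructed for an illustrative purchasing workflow, and the deselection step rebuilds the candidate set from the full system role set (an assumption; the claims only state that the candidate set is updated).

```python
# Added example, not from the patent. Role names and risk role sets are
# constructed for an illustrative purchasing workflow.
ALL_ROLES = frozenset({
    "create_vendor", "approve_payment", "create_po", "approve_po",
    "receive_goods", "view_reports",
})

# A risk role set is a combination one object must never hold at once
# (claim 1); in practice these come from the function sets of claim 5.
RISK_ROLE_SETS = (
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"create_po", "approve_po"}),
    frozenset({"create_po", "receive_goods", "approve_payment"}),
)


def has_sod_risk(roles, risk_sets=RISK_ROLE_SETS):
    """Claim 3 check: some risk role set is a subset of `roles`."""
    roles = frozenset(roles)
    return any(risk <= roles for risk in risk_sets)


def target_roles(selected, candidates, risk_sets=RISK_ROLE_SETS):
    """Claim 2: the candidates whose addition to `selected` would
    complete a risk role set."""
    selected = frozenset(selected)
    return {r for r in candidates if has_sod_risk(selected | {r}, risk_sets)}


def select_role(selected, candidates, role, risk_sets=RISK_ROLE_SETS):
    """Claim 1: add `role` to the selected set, then drop it and every
    target role from the candidates. Returns (selected, candidates)."""
    if role not in candidates:
        raise ValueError(f"{role!r} is not in the candidate set")
    selected = frozenset(selected) | {role}
    remaining = frozenset(candidates) - {role}
    return selected, remaining - target_roles(selected, remaining, risk_sets)


def deselect_role(selected, role, all_roles=ALL_ROLES, risk_sets=RISK_ROLE_SETS):
    """Claim 7: remove `role` from the selected set and rebuild the
    candidate set from every unselected system role that is still safe
    to add (assumption: rebuild from the full role set, so roles pruned
    earlier become selectable again)."""
    selected = frozenset(selected) - {role}
    candidates = frozenset(all_roles) - selected
    return selected, candidates - target_roles(selected, candidates, risk_sets)
```

An empty candidate set returned by `select_role` is the condition under which claim 6 displays its prompt.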
CN202110832864.XA 2021-07-22 2021-07-22 Role allocation method, device, computer equipment and storage medium Pending CN115689135A (en)


Publications (1)

Publication Number Publication Date
CN115689135A true CN115689135A (en) 2023-02-03

Family

ID=85044359



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination