
CN119066673B - Permission control method, device, storage medium and computer program product - Google Patents

Permission control method, device, storage medium and computer program product

Info

Publication number
CN119066673B
Authority
CN
China
Prior art keywords
user
authority
information
permission
login
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202411031336.4A
Other languages
Chinese (zh)
Other versions
CN119066673A (en)
Inventor
文传勇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Merchants Bank Co Ltd
Original Assignee
China Merchants Bank Co Ltd
Application filed by China Merchants Bank Co Ltd
Priority to CN202411031336.4A
Publication of CN119066673A
Application granted
Publication of CN119066673B
Legal status: Active (current)

Classifications

    • G PHYSICS
        • G06 COMPUTING OR CALCULATING; COUNTING
            • G06F ELECTRIC DIGITAL DATA PROCESSING
                • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
                        • G06F 21/31 User authentication
                    • G06F 21/60 Protecting data
                        • G06F 21/604 Tools and structures for managing or administering access control systems
                        • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                            • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
                • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                    • G06F 2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
                        • G06F 2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The present application discloses a permission control method, device, storage medium and computer program product in the field of system operation and maintenance technology. The permission control method includes: obtaining user login information of a target user and performing user authentication based on it; creating a role cache when the target user passes authentication; obtaining the target user's user permission information and storing it in the role cache; when an access request initiated by the target user is detected, intercepting the access request and obtaining its request permission; and obtaining the user permission information from the role cache and performing resource access according to the access request when the request permission is consistent with the user permission information. The present application can reduce the repeated development of permission modules caused by business adjustments and the computing resources wasted when building permission modules.

Description

Authority control method, authority control device, storage medium and computer program product
Technical Field
The present application relates to the field of system operation and maintenance technologies, and in particular, to a rights control method, a device, a storage medium, and a computer program product.
Background
The authority module is a core component of a service platform. It controls and manages users' ability to access system resources, ensuring that each user can only reach the functions or data authorized for that user. Its design usually has to be tightly coupled to specific service logic in order to meet the requirements of users in different roles, such as administrators, ordinary staff and clients, each of whom sees and operates different content.
A service platform may need different authority-control granularity and rules in different service scenarios. When a new service goes online or an existing service is adjusted, the platform's existing authority module may not satisfy every customization requirement, so the module usually has to be redeveloped. That process repeatedly recreates similar infrastructure components, such as resetting the database table structure and rebuilding the authentication service, and each rebuild consumes computing resources, so computing resources are wasted.
The foregoing is provided merely for the purpose of facilitating understanding of the technical solutions of the present application and is not intended to represent an admission that the foregoing is prior art.
Disclosure of Invention
The application mainly aims to provide a permission control method, permission control equipment, a storage medium and a computer program product, and aims to solve the technical problem of resource waste when a permission module of a service platform is built.
In order to achieve the above object, the present application provides a rights control method, which includes:
Acquiring user login information of a target user, and performing user authentication based on the user login information;
Creating a role buffer under the condition that the target user authentication passes;
Acquiring user authority information of the target user, and storing the user authority information in the role buffer;
When an access request initiated by the target user is detected, intercepting the access request and acquiring the request authority of the access request;
And acquiring the user authority information from the role buffer, and performing resource access according to the access request under the condition that the request authority is consistent with the user authority information.
In one embodiment, the step of performing user authentication based on the user login information includes:
the user login information is sent to a security manager;
Sending a verification request to an authenticator through the security manager;
querying a relational database by the authenticator based on the user identifier carried by the verification request;
if the authenticator inquires the user authority information corresponding to the user identifier, determining that the target user identity authentication passes;
And if the authenticator does not inquire the user permission information, determining that the identity authentication of the target user is not passed.
In one embodiment, after the step of querying, by the authenticator, a relational database based on the user identification carried by the verification request, the method further comprises:
transmitting the user authority information to a cache database through the authenticator;
Before the step of obtaining the user right information from the role buffer, the method further includes:
And acquiring the user authority information from the cache database according to a first preset period, and storing the user authority information acquired last time in the role cache.
In one embodiment, after the step of sending the user rights information to a cache database by the authenticator, the method further comprises:
when the user permission information is detected to reach a preset life cycle, the user permission information is migrated to the relational database;
and backing up the data in the cache database to a distributed search engine or a data warehouse according to a second preset period.
In one embodiment, the method further comprises:
obtaining and storing a login operation log and an authority operation log of the target user according to a third preset period;
Under the condition that triggering permission rechecking is determined, acquiring login operation information and permission operation information from the login operation log and the permission operation log;
Performing authority rechecking on the target user based on the login operation information and the authority operation information;
and processing the role authority under the condition that the authority review is not passed.
In an embodiment, the step of performing authority rechecking on the target user based on the login operation information and the authority operation information includes:
Determining a user login operation of the target user based on the login operation information, and determining a user authority operation of the target user based on the authority operation information;
if the user login operation or the user authority operation is consistent with a preset abnormal behavior, determining that the target user authority review is not passed;
and if the user login operation and the user authority operation are inconsistent with the preset abnormal behavior, determining that the target user authority passes the rechecking.
In an embodiment, the step of processing the role authority includes:
determining abnormal operation consistent with the preset abnormal behavior from the user login operation and the user authority operation;
and determining the operation type of the abnormal operation, and processing the target user according to the operation type.
In addition, in order to achieve the above object, the present application also proposes a rights control device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the computer program being configured to implement the steps of the rights control method as described above.
In addition, to achieve the above object, the present application also proposes a storage medium that is a computer-readable storage medium, on which a computer program is stored, which when executed by a processor implements the steps of the rights control method as described above.
Furthermore, to achieve the above object, the present application provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the rights control method as described above.
The method obtains user login information of a target user and performs user authentication based on it; creates a role buffer when the target user passes authentication; obtains the target user's user authority information and stores it in the role buffer; when an access request initiated by the target user is detected, intercepts the access request and obtains its request authority; and obtains the user authority information from the role buffer and performs resource access according to the access request when the request authority is consistent with the user authority information.
In the application, user authentication and authority allocation are decoupled by introducing a role caching mechanism and a dynamic authority checking flow. Even if a role's authority changes because of a service adjustment, only the authority information corresponding to that role is updated and the authentication logic stays unchanged. This simplifies the authority management flow, reduces the likelihood that the authority module has to be rebuilt after a service adjustment, and so reduces repeated development of the authority module and the dependence on, and waste of, computing resources.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the application and together with the description, serve to explain the principles of the application.
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic flow chart of a rights control method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of a second embodiment of the rights control method of the present application;
Fig. 3 is a schematic diagram of a service platform architecture according to an embodiment of the present application;
FIG. 4 is an authentication timing diagram of a centralized authentication mechanism according to an embodiment of the present application;
FIG. 5 is a flow chart of authorization and interface level control provided by an embodiment of the present application;
FIG. 6 is a schematic diagram of an architecture of a rights system according to an embodiment of the present application;
FIG. 7 is a schematic flow chart of authority review provided by an embodiment of the present application;
FIG. 8 is a schematic diagram of a micro-service architecture according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a data storage structure according to an embodiment of the present application;
FIG. 10 is a schematic flow chart of a configuration center according to an embodiment of the present application;
FIG. 11 is a schematic diagram of an interface for editing a gray-scale distribution task according to an embodiment of the present application;
Fig. 12 is a schematic device structure diagram of a hardware operating environment related to a rights control method in an embodiment of the present application.
The achievement of the objects, functional features and advantages of the present application will be further described with reference to the accompanying drawings, in conjunction with the embodiments.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the technical solution of the present application and are not intended to limit the present application.
For a better understanding of the technical solution of the present application, the following detailed description will be given with reference to the drawings and the specific embodiments.
The main solution of the embodiment of the application is as follows: user login information of a target user is obtained and user authentication is performed based on it; a role buffer is created when the target user passes authentication; the target user's user authority information is obtained and stored in the role buffer; when an access request initiated by the target user is detected, the access request is intercepted and its request authority is obtained; and the user authority information is obtained from the role buffer and resource access is performed according to the access request when the request authority is consistent with the user authority information.
In this embodiment, for convenience of description, the following description will be made with the rights control apparatus as an execution subject.
With the continuous expansion of business platforms in the industry and the construction of developers' tool platforms, quickly integrating an authority system suited to the industry is a troublesome problem. The authority module is a core component of a service platform. It controls and manages users' ability to access system resources, ensuring that each user can only reach the functions or data authorized for that user. Its design usually has to be tightly coupled to specific service logic in order to meet the requirements of users in different roles, such as administrators, ordinary staff and clients, each of whom sees and operates different content.
A service platform may need different authority-control granularity and rules in different service scenarios. When a new service goes online or an existing service is adjusted, the platform's existing authority module may not satisfy every customization requirement, so the module usually has to be redeveloped. That process repeatedly recreates similar infrastructure components, such as resetting the database table structure and rebuilding the authentication service, and each rebuild consumes computing resources, so computing resources are wasted.
In addition, because the authority module and the service module are too deeply coupled, it is difficult to configure the authority module and have the configuration take effect once it has been built; authority management easily becomes confused, and a flexible authority management scheme is lacking.
In the embodiment of the application, user authentication and authority allocation are decoupled by introducing a role caching mechanism and a dynamic authority checking flow. Even if a role's authority changes because of a service adjustment, only the authority information corresponding to that role is updated and the authentication logic stays unchanged. This simplifies the authority management flow, reduces the likelihood that the authority module has to be rebuilt after a service adjustment, effectively reduces the repeated development of the authority module, and reduces the dependence on, and waste of, computing resources.
Moreover, because user authentication, role management and authority verification are separated, roles and authority configuration can be added and modified more flexibly when the system goes online or an existing service is adjusted. The authority module does not need to be built from scratch each time, which improves the maintainability and extensibility of the system and the timeliness of authority configuration.
It should be noted that the execution body of the embodiment may be any computing service device with data processing, network communication and program execution functions, such as a tablet computer, a personal computer, a mobile phone, another electronic device, or a dedicated rights control device. The present embodiment and the following embodiments take a rights control apparatus as the example.
Based on this, an embodiment of the present application provides a rights control method, and referring to fig. 1, a flowchart of a first embodiment of the rights control method of the present application is shown.
In this embodiment, the authority control method includes steps S10 to S50.
Step S10, user login information of the target user is obtained, and user authentication is performed based on the user login information.
It should be noted that, the target user is any user logged in the service platform, and the user login information is identity information, such as a user name and a password, provided when the target user logs in the service platform.
When a user tries to log in to the system, the authority control device first receives and verifies the login information provided by the user, and then authenticates that login information to confirm the authenticity of the user's identity, so that only legitimate users can enter the service platform. This strengthens the security of the service platform and prevents unauthorized access.
The manner in which user authentication is performed based on user login information is not described herein, and reference may be made to a conventional user authentication process. In a possible implementation, the process of performing user authentication based on the user login information may be:
a1, the user login information is sent to the security manager.
When a user tries to log in, the authority control device collects the login information entered by the user and forwards it to a security manager inside the authority control device. The security manager acts as the central coordinating component responsible for security-related tasks; by handling security transactions centrally through it, unified security policy management can be realized, the system architecture is simplified, and security is improved.
a2, a verification request is sent to the authenticator through the security manager.
After receiving the user login information, the security manager sends a verification request to the authenticator. The verification request generally contains user identification information and is used for the subsequent permission query.
Separating the responsibilities of the security manager and the authenticator lets each component focus on its own functional area, which improves the maintainability and extensibility of the system.
a3, the authenticator queries the relational database based on the user identification carried by the verification request.
After the authenticator receives the verification request, it uses the user identification it carries (such as a user name) to look up the corresponding user record in the relational database. This query verifies whether the user exists and obtains the user's preset authority information.
a4, if the authenticator finds user authority information corresponding to the user identifier, the identity authentication of the target user is determined to have passed.
If the database query shows that the user exists and has corresponding permission records, the authenticator judges that the user's identity authentication succeeded, and the target user can continue to access the system.
a5, if the authenticator does not find user authority information, the identity authentication of the target user is determined not to have passed.
If no record matching the submitted user identification is found in the database, or if the record found lacks the necessary authorization information, the authenticator determines that authentication failed.
By setting up this login authentication mechanism, only users with a legitimate account and corresponding authority can enter the system; unregistered users and users whose authority has been revoked are effectively prevented from accessing the system, which further strengthens the system's security and prevents illegal intrusion.
Step S20, in the case that the target user authentication is passed, a role buffer is created.
In the event that the target user is successfully authenticated, the rights control device creates a role buffer for the target user to temporarily store the role information associated with that user. This reduces the overhead of database queries during subsequent access and permission checks.
It should be noted that, by creating the role buffer, after the user succeeds in authentication for the first time, the role information is stored in the buffer, and the subsequent access request only needs to query the buffer instead of the database, so that the pressure of the database is reduced, the response speed of the system is improved, the dependence on the database is reduced, and the user experience and the system efficiency are improved.
Step S30, obtaining user authority information of the target user, and storing the user authority information in the role buffer.
The system inquires the corresponding roles according to the user identification of the authenticated user, and writes the role information into the previously created role buffer.
It should be noted that roles define the scope of a user's authority in the system. A target user can be assigned to roles and positions, and may hold multiple roles and multiple positions. A position is an abstract set of roles: multiple roles can be assigned to each position, and each role corresponds to different authority resources (such as pages, buttons and other permissions). This decouples user authority from roles, makes authority allocation easier to manage and adjust, and simplifies authority management.
Step S40, when the access request initiated by the target user is detected, the access request is intercepted and the request authority of the access request is obtained.
When an authenticated user attempts to access a particular resource or perform an operation, the rights control device may intercept the request via middleware or rights control module to analyze the rights requirements contained in the request, i.e., determine what rights are required for the resource or the operation the user is attempting to access.
Step S50, user authority information is obtained from the role buffer, and resource access is performed according to the access request under the condition that the request authority is consistent with the user authority information.
The authority control device compares the authority required by the access request with the authority possessed by the user authority information in the role buffer, if the matching is successful, the user has the authority to execute the operation, the system allows the access, otherwise, the access request is refused.
It should be noted that, the embodiment can realize fine-granularity authority control, ensure that each user can only access and operate the authorized resources, effectively prevent authority abuse and data leakage, and maintain safe and stable operation of the system.
In this embodiment, by introducing the role caching mechanism and the dynamic permission checking flow, even if a role's permissions change because of a service adjustment, only the permission information corresponding to that role is updated and the authentication logic stays unchanged. This simplifies the permission management flow, reduces the likelihood that the permission module has to be rebuilt after a service adjustment, effectively reduces repeated development of the permission module, and reduces the dependence on, and waste of, computing resources.
Moreover, because user authentication, role management and authority verification are logically separated, roles and authority configuration can be added and modified more flexibly when the system goes online or an existing service is adjusted, and the authority module does not need to be built from scratch each time, which strengthens the maintainability and extensibility of the system.
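The flow of steps S10 to S50 (the same method as listed in the Disclosure of Invention), as an added Python example that is not part of the patent: a security manager verifies the login information and sends the authenticator a verification request carrying only the user identifier, the authenticator queries a constructed relational-database stand-in, a per-user role cache is created only on success, and the interceptor decides each access request from that cache alone. The class names, permission strings and user records are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed relational-database stand-in: user records with their roles,
# and the permission resources (pages, buttons, interfaces) of each role.
USER_ROLES: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"admin"}),
    "bob": frozenset({"staff"}),
    "carol": frozenset(),  # account still exists, but every role was revoked
}
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "admin": frozenset({"page:users", "button:delete_user", "api:report"}),
    "staff": frozenset({"page:dashboard", "api:report"}),
}
# Constructed credential store (plain strings keep the example short;
# a real store holds password hashes).
CREDENTIALS: Dict[str, str] = {"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}


class Authenticator:
    """Steps a3 to a5: look the user identifier up in the relational database
    and return the user's permission information, or None when no usable
    record exists (unknown user, or a user whose roles were all revoked)."""

    def __init__(self, user_roles: Dict[str, FrozenSet[str]],
                 role_permissions: Dict[str, FrozenSet[str]]) -> None:
        self.user_roles = user_roles
        self.role_permissions = role_permissions
        self.queries = 0  # relational lookups performed; later checks hit the cache

    def query(self, user_id: str) -> Optional[FrozenSet[str]]:
        self.queries += 1
        roles = self.user_roles.get(user_id)
        if not roles:
            return None
        perms = set()
        for role in roles:
            perms |= self.role_permissions.get(role, frozenset())
        return frozenset(perms)


class SecurityManager:
    """Steps a1 and a2: receives and verifies the login information, then sends
    the authenticator a verification request carrying only the user
    identifier, so the password never leaves the security manager."""

    def __init__(self, authenticator: Authenticator, credentials: Dict[str, str]) -> None:
        self.authenticator = authenticator
        self.credentials = credentials

    def authenticate(self, user_id: str, password: str) -> Optional[FrozenSet[str]]:
        stored = self.credentials.get(user_id, "")
        if not hmac.compare_digest(stored, password):  # constant-time comparison
            return None
        return self.authenticator.query(user_id)


@dataclass(frozen=True)
class RoleCache:
    """Steps S20 and S30: created for a user only after authentication passes;
    every later permission check reads it instead of the database."""
    user_id: str
    permissions: FrozenSet[str]


class RightsControlDevice:
    def __init__(self, manager: SecurityManager) -> None:
        self.manager = manager
        self.caches: Dict[str, RoleCache] = {}

    def login(self, user_id: str, password: str) -> bool:
        """Step S10 (authentication) followed by S20/S30 (role cache creation)."""
        perms = self.manager.authenticate(user_id, password)
        if perms is None:
            return False
        self.caches[user_id] = RoleCache(user_id, perms)
        return True

    def intercept(self, user_id: str, required_permission: str) -> bool:
        """Steps S40 and S50: the required permission of the intercepted request
        is compared with the cached permission information. A user without a
        role cache (never authenticated) is denied without a database query."""
        cache = self.caches.get(user_id)
        if cache is None:
            return False
        return required_permission in cache.permissions


def build_device() -> RightsControlDevice:
    authenticator = Authenticator(USER_ROLES, ROLE_PERMISSIONS)
    return RightsControlDevice(SecurityManager(authenticator, CREDENTIALS))


if __name__ == "__main__":
    device = build_device()
    print("alice login:", device.login("alice", "pw-a"))
    print("alice may delete users:", device.intercept("alice", "button:delete_user"))
    print("bob (not logged in) may view dashboard:", device.intercept("bob", "page:dashboard"))
    print("relational queries so far:", device.manager.authenticator.queries)
```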
In a possible implementation manner, after the step of querying, by the authenticator, the relational database based on the user identifier carried by the verification request, the rights control method further includes:
step S60, the user right information is sent to the cache database through the authenticator.
The authenticator inquires the user authority information corresponding to the user identifier in the relational database, and sends the inquired user authority information to the cache database for storage. The cache database is usually an in-memory database or a cache system, is designed for quickly reading data, reduces direct access to the main database, and can remarkably improve the speed of subsequent authority verification, reduce system delay and improve user experience by storing frequently queried user authority information in the cache database.
It should be noted that, the user permission information refers to information characterizing a user permission range, and includes at least a user role, and may also include permission resources of the user role, and the like, which is not limited herein.
In this embodiment, the rights control method further includes step S70 before the user rights information is acquired from the role buffer in step S40.
Step S70, user authority information is obtained from a cache database according to a first preset period, and the user authority information obtained last time is stored in a role cache.
A fixed period (i.e. a first preset period) is preset, user permission information is automatically retrieved from the cache database in the period, and contents in the role cache are updated, so that the user permission information stored in the role cache is ensured to be up to date, and the user permission can be timely reflected even if the user's role permission changes in the background.
By updating the user authority information in the role buffer, the dynamic update of the user authority information is realized, the real-time performance and accuracy of authority control are ensured, the frequency of directly inquiring the main database is reduced, the system performance is further optimized, and the flexibility and the safety of authority management are ensured. By means of regular synchronization, the system can adapt to the instant adjustment of the user permission, permission misjudgment caused by information hysteresis is avoided, and the reliability and response capability of the system are improved.
In a possible implementation manner, after the user permission information is sent to the cache database through the authenticator in step S60, the permission control method further includes steps S80 to S90.
Step S80, when the user permission information is detected to have reached the preset life cycle, migrating the user permission information to the relational database.
In order to maintain the consistency and durability of the data, a preset life cycle is configured; the preset life cycle is the period for which user permission information remains valid in the cache database. When the time for which a piece of user permission information has been stored in the cache database reaches the preset life cycle, that information is moved from the cache database to the relational database for storage.
It should be noted that migrating the user permission information to the relational database ensures that, even if the cache database loses data for some reason, the long-term record of user permissions is unaffected, which enhances data reliability. At the same time, clearing expired cache data optimises the use of cache space and keeps the system running efficiently.
Step S90, backing up the data in the cache database to a distributed search engine or a data warehouse according to a second preset period.
A second preset period is configured, and the data in the cache database is backed up at that interval to a distributed search engine or a data warehouse (in the implementation described below, Elasticsearch, hereinafter ES).
In this embodiment, backing up the data to the ES provides an additional layer of data protection: even if the main database and the cache database fail at the same time in an extreme case, the permission information can be recovered quickly from the backup, reducing the risk of data loss. In addition, the efficient retrieval capability of the ES facilitates data analysis and audit, helping a system administrator understand how permissions are used and discover potential security threats or abnormal behaviour in time, which raises the overall security management level and decision-making efficiency of the system. In summary, these two steps together improve the performance of the permission control system in data management, security and operational efficiency by enhancing the persistence, recoverability and analysability of the data.
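As an added illustration of how steps S60 to S90 fit together (this is example code written for this page, not the patent's implementation), the following Python model keeps the three tiers as plain dictionaries and drives the three periodic jobs from an injected clock. The write-through `update_roles` path, the fallback to the relational store on a cache miss, and the snapshot format of the backup are assumptions; the period and life-cycle values are arbitrary.

```python
"""Three-tier permission store modelling steps S60-S90: relational DB (durable),
cache DB (in-memory) and a per-session role cache.  Hypothetical data model
written for this page, not the patent's own implementation."""
from copy import deepcopy
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class PermissionRecord:
    roles: Set[str]         # user roles (the minimum content of user permission information)
    resources: Set[str]     # permission resources of those roles


@dataclass
class CacheEntry:
    record: PermissionRecord
    stored_at: float        # time (seconds) the entry was written to the cache DB


class PermissionStore:
    def __init__(self, lifecycle: float, sync_period: float, backup_period: float):
        self.lifecycle = lifecycle            # preset life cycle in the cache DB (S80)
        self.sync_period = sync_period        # first preset period: role-cache refresh (S70)
        self.backup_period = backup_period    # second preset period: backup to ES/warehouse (S90)
        self.relational: Dict[str, PermissionRecord] = {}   # main database
        self.cache_db: Dict[str, CacheEntry] = {}           # cache database (e.g. Redis)
        self.role_cache: Dict[str, PermissionRecord] = {}   # session-side role cache
        self.backups: List[dict] = []                       # snapshots shipped to the search engine
        self._last_sync = 0.0
        self._last_backup = 0.0

    # --- S60: the authenticator looks up the relational DB and fills the cache DB ---
    def authenticate(self, user_id: str, now: float) -> bool:
        record = self.relational.get(user_id)
        if record is None:
            return False                      # no permission record: identity check fails
        self.cache_db[user_id] = CacheEntry(deepcopy(record), now)
        # a session is created on success and the session manager copies cache DB -> role cache
        self.role_cache[user_id] = deepcopy(record)
        return True

    # --- S40: access checks read only the role cache ---
    def check_access(self, user_id: str, required_role: str) -> bool:
        record = self.role_cache.get(user_id)
        return record is not None and required_role in record.roles

    # Back-office role change, written through to both tiers (assumption: the
    # administration path keeps the cache DB write-through).
    def update_roles(self, user_id: str, roles: Set[str], now: float) -> None:
        record = self.relational[user_id]
        record.roles = set(roles)
        self.cache_db[user_id] = CacheEntry(deepcopy(record), now)

    def _lookup(self, user_id: str) -> Optional[PermissionRecord]:
        """Cache DB first; a miss sinks to the main database (None if the user is gone)."""
        entry = self.cache_db.get(user_id)
        if entry is not None:
            return deepcopy(entry.record)
        record = self.relational.get(user_id)
        return deepcopy(record) if record is not None else None

    # --- S70: refresh every live session's role cache from the cache DB ---
    def _sync_role_cache(self, now: float) -> None:
        for user_id in list(self.role_cache):
            record = self._lookup(user_id)
            if record is None:
                del self.role_cache[user_id]  # user removed: the session loses its permissions
            else:
                self.role_cache[user_id] = record
        self._last_sync = now

    # --- S80: entries past their life cycle are migrated back to the relational DB ---
    def _migrate_expired(self, now: float) -> None:
        for user_id, entry in list(self.cache_db.items()):
            if now - entry.stored_at >= self.lifecycle:
                self.relational[user_id] = deepcopy(entry.record)
                del self.cache_db[user_id]

    # --- S90: periodic snapshot of the cache DB for recovery and audit ---
    def _backup(self, now: float) -> None:
        snapshot = {u: deepcopy(e.record) for u, e in self.cache_db.items()}
        self.backups.append({"at": now, "data": snapshot})
        self._last_backup = now

    def tick(self, now: float) -> None:
        """Run whichever periodic jobs are due at time `now` (called by a scheduler)."""
        if now - self._last_sync >= self.sync_period:
            self._sync_role_cache(now)
        self._migrate_expired(now)
        if now - self._last_backup >= self.backup_period:
            self._backup(now)
```

The scenario worth checking is the point of step S70: a role change made in the background is invisible to a live session until the next synchronisation, so the first preset period bounds how long an added or revoked role is wrong in the role cache. Migration in S80 is a write-back, so after an entry expires the relational store is the source of truth and the next sync falls through to it.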
In the second embodiment of the present application, for content that is the same as or similar to the first embodiment, reference may be made to the description above, which is not repeated. On that basis, and referring to fig. 2, the permission control method further includes steps A10 to A40.
Step A10, acquiring and storing a login operation log and a permission operation log of the target user according to a third preset period.
The permission control device acquires and stores the login operation log and the permission operation log of the target user according to a third preset period; specifically, they may be stored in the ES.
The login operation log is the record of the target user's login activity, such as login time and IP address (Internet Protocol address); the permission operation log is the record of the target user's permission operations, such as the resources the user attempted to access and the operation types. Such log data is important for monitoring user behaviour, auditing and security analysis.
By storing the operation log, the user activity can be conveniently examined afterwards, abnormal login or unauthorized operation can be found, and the safety and compliance of the system are enhanced.
Step A20, acquiring login operation information and permission operation information from the login operation log and the permission operation log when it is determined that a permission recheck is triggered.
When the permission control device detects that a permission recheck is required, for example because a preset rule is triggered, a scheduled time point is reached or suspicious behaviour is found, it extracts the operation information of the target user, namely the login operation information and the permission operation information, from the login operation log and the permission operation log. The login operation information includes, but is not limited to, the frequency, time and location of logins, and the permission operation information includes, but is not limited to, the specific permission operations performed by the user.
By actively identifying the scenarios that require a recheck, potential risks can be responded to in time, the occurrence of security vulnerabilities is reduced, and the speed of response to abnormal behaviour is improved.
Step A30, performing a permission recheck on the target user based on the login operation information and the permission operation information.
Using the collected login and permission operation information, the permission control device re-evaluates whether the user's behaviour is consistent with the granted permissions. This realises dynamic permission management, ensures the correctness and timeliness of the user's permissions, prevents permission abuse and increases system security.
It should be noted that the permission recheck process is not limited here and may be set according to actual requirements. For example, in one possible embodiment the login operation information and the permission operation information are compared with preset abnormal behaviours to perform the recheck. In another possible embodiment they are input into a pre-trained anomaly recognition model; that model is trained using login operation information (hereinafter historical login information) and permission operation information (hereinafter historical permission information) with known anomaly detection results as input data, and the anomaly detection results corresponding to the historical login information and historical permission information as training labels.
Specifically, in one possible implementation, the process of performing the permission review on the target user based on the login operation information and the permission operation information may be:
b1, determining a user login operation of the target user based on the login operation information, and determining a user authority operation of the target user based on the authority operation information.
Information in the login operation log, such as login time, login location (IP address), login device, and the like, is analyzed to identify a login pattern of the user. For example, if a user typically logs in from a corporate network during work hours, a sudden late night login attempt from a different place may be considered abnormal.
The rights operation log is reviewed to see if the operations actually performed by the user match the rights they are given. For example, if an average user attempts to access sensitive data that can only be viewed by an administrator, this may be marked as a rights operation exception.
b2, if the user login operation or the user permission operation is consistent with a preset abnormal behaviour, determining that the target user has not passed the permission recheck.
If any login behaviour or permission operation of the user matches a preset abnormal behaviour pattern (such as frequent failed login attempts, logins outside working hours, operations beyond the permission scope, etc.), the permission control device may determine that this permission recheck has failed, meaning that a security risk or illegal behaviour may exist.
b3, if neither the user login operation nor the user permission operation is consistent with a preset abnormal behaviour, determining that the target user has passed the permission recheck.
If the user's login and permission operation records both show normal behaviour and violate none of the preset abnormal behaviour rules, the permission control device considers that the permission recheck has passed, indicating that the user's login and operating permissions are being used in a compliant and secure manner.
Step A40, processing the role permission when the permission recheck is not passed.
If the permission recheck finds that the user's behaviour exceeds the permission scope that is due, or that the user's state is not satisfactory (for example, the account has been disabled), the permission control device takes corresponding processing measures to ensure system security, including but not limited to limiting or revoking part of the permissions, forcing the user to re-authenticate, and recording the illegal operations and raising an alarm.
It should be noted that through the permission recheck, misuse or improper use of permissions can be corrected in time and system resources are protected from the threat of unauthorised access, while internal security management and control is strengthened and the stable operation and data security of the system are ensured. By continuously monitoring and analysing user behaviour, potential unauthorised access and permission abuse can be discovered and dealt with in time, so that security threats are effectively prevented. User activity is kept in line with the organisation's security policy and compliance requirements, illegal operations are reduced and the organisation's compliance level is improved. In addition, by dynamically adjusting the permission audit strategy, the security threshold is adjusted according to actual operating behaviour, which improves the adaptability and defensive capability of the system.
In a possible embodiment, step A10, processing the role permission, includes:
Step A101, determining, from the user login operations and user permission operations, the abnormal operations that are consistent with preset abnormal behaviour.
The permission control device first analyses the login operation log and the permission operation log to identify the operations that match a preset abnormal behaviour pattern. Abnormal operations may include, but are not limited to, frequent failed login attempts, logins at unusual times (for example late at night), logins from unknown or high-risk locations, and attempts to access unauthorised resources. Through an algorithm or preset rules, the system automatically screens out the operations that deviate from the normal behaviour pattern and marks them as abnormal operations.
Step A102, determining the operation type of the abnormal operation, and processing the target user according to the operation type.
Once abnormal operations have been identified, the permission control device further categorises their nature or type, for example into login-related anomalies, permission-abuse anomalies, and so on. Depending on the type of abnormal operation, the permission control device takes different handling measures.
For example, for a login-related anomaly the account may be temporarily locked and the user required to re-activate it through secondary authentication; for a permission-abuse anomaly the permission control device may immediately revoke or restrict the user's specific permissions while notifying the administrator or security team to intervene and investigate.
According to this embodiment, when an anomaly is detected during the permission recheck, the abnormal operations are automatically identified and classified, so the system can quickly take targeted measures, effectively contain potential security threats and reduce losses. Tailoring the handling to the specific type of abnormal operation avoids collateral impact on normal users, allows malicious behaviour to be targeted precisely, and improves the effectiveness of the security measures.
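Steps A20 to A40, the sub-steps b1 to b3 and steps A101 and A102 can be read together as a small rule engine over the two logs. The following is an added Python example, not code from the patent: it evaluates constructed sample log records against the abnormal behaviours the text names (frequent failed logins, off-hours login, login from an unknown location, operations beyond the granted scope), classifies each finding as login-related or permission-related, and derives the handling measures from that type. The thresholds, the working-hours window, the corporate network range and the measure names are assumptions.

```python
"""Rule-based permission recheck over login and permission operation logs
(steps A20-A40, b1-b3 and A101-A102).  Added illustration with constructed
sample data; rule thresholds and response measures are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set


@dataclass
class LoginEvent:
    user: str
    time: datetime
    ip: str
    success: bool


@dataclass
class PermissionEvent:
    user: str
    time: datetime
    resource: str
    action: str


@dataclass
class Finding:
    category: str     # "login" or "permission": the operation type that selects the measure
    rule: str
    detail: str


WORK_HOURS = range(8, 20)                         # assumption: 08:00-19:59 is working time
FAILED_LOGIN_THRESHOLD = 5                        # assumption: 5+ failures in the window
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8")]   # constructed corporate address space


def review_logins(events: List[LoginEvent]) -> List[Finding]:
    """b1: derive the user's login operations and compare with preset abnormal behaviours."""
    findings: List[Finding] = []
    failed = sum(1 for e in events if not e.success)
    if failed >= FAILED_LOGIN_THRESHOLD:
        findings.append(Finding("login", "frequent_failed_login", f"{failed} failed attempts"))
    for e in events:
        if not e.success:
            continue
        if e.time.hour not in WORK_HOURS:
            findings.append(Finding("login", "off_hours_login", e.time.isoformat()))
        if not any(ip_address(e.ip) in net for net in CORPORATE_NETWORKS):
            findings.append(Finding("login", "unknown_location", e.ip))
    return findings


def review_permissions(events: List[PermissionEvent], granted: Set[str]) -> List[Finding]:
    """b1: compare the operations actually performed with the permissions granted."""
    return [Finding("permission", "beyond_granted_scope", f"{e.resource}:{e.action}")
            for e in events if f"{e.resource}:{e.action}" not in granted]


def recheck(user: str, logins: List[LoginEvent], perms: List[PermissionEvent],
            granted: Set[str]) -> Dict:
    """b2/b3 decide pass or fail; A101/A102 classify the anomalies and choose measures."""
    findings = review_logins(logins) + review_permissions(perms, granted)
    measures: List[str] = []
    categories = {f.category for f in findings}
    if "login" in categories:          # login-related anomaly: lock and re-authenticate
        measures += ["lock_account", "require_secondary_authentication"]
    if "permission" in categories:     # permission-abuse anomaly: revoke and escalate
        measures += [f"revoke:{f.detail}" for f in findings if f.category == "permission"]
        measures.append("notify_security_team")
    return {"user": user, "passed": not findings,
            "findings": [(f.rule, f.detail) for f in findings], "measures": measures}


# Constructed sample logs (not real data): alice is normal, bob trips every rule.
SAMPLE_LOGINS = {
    "alice": [LoginEvent("alice", datetime(2024, 7, 1, 9, 5), "10.1.2.3", True)],
    "bob": [LoginEvent("bob", datetime(2024, 7, 1, 9, m), "10.1.2.9", False) for m in range(5)]
           + [LoginEvent("bob", datetime(2024, 7, 2, 2, 30), "203.0.113.7", True)],
}
SAMPLE_PERMS = {
    "alice": [PermissionEvent("alice", datetime(2024, 7, 1, 10, 0), "reports/monthly", "read")],
    "bob": [PermissionEvent("bob", datetime(2024, 7, 2, 2, 35), "reports/monthly", "read"),
            PermissionEvent("bob", datetime(2024, 7, 2, 2, 36), "hr/salary", "read")],
}
GRANTED = {"alice": {"reports/monthly:read"}, "bob": {"reports/monthly:read"}}


def run_sample() -> Dict[str, Dict]:
    return {u: recheck(u, SAMPLE_LOGINS[u], SAMPLE_PERMS[u], GRANTED[u]) for u in GRANTED}


if __name__ == "__main__":
    for user, result in run_sample().items():
        print(user, "PASS" if result["passed"] else "FAIL", result["measures"])
```

Two details matter when turning this into a production recheck: the category of the finding, not the finding itself, drives the measure (a login anomaly locks and re-authenticates, a permission anomaly revokes the specific grant and escalates), and the review is per user over a fixed window, so the failed-login count is a windowed count rather than a lifetime counter.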
For example, to facilitate understanding of the technical concept or principle of permission control once this embodiment is combined with the first and second embodiments, the service platform in this embodiment may provide a distributed load-testing (pressure-test) engine service. Referring to fig. 3, the overall framework of the service platform may include a user center, a resource center, a permission management center, an approval center, an audit center, an open capability module and basic services.
The user center mainly comprises permission search, permission self-service application, intelligent permission recommendation, a unified permission view and the like. Permission search may be used to search and manage a user's permission information; permission self-service application allows a user to apply for the permissions needed; intelligent permission recommendation may use some algorithm to recommend suitable permissions to the user; and the unified permission view provides one comprehensive view for viewing and managing all permissions.
Resource center: this part covers menu resources, button resources, URL (Uniform Resource Locator) resources, data resources and custom resources. These are all objects that can be accessed and controlled within the system: menu resources may refer to the various functional options within an application, button resources to specific interactive elements, URL resources to accessible web page addresses, data resources to the system's data access rights, and custom resources to special resources that a user can define according to their own needs.
The permission management center consists of a user system, functional permissions and data permissions. The user system may involve the creation, management and maintenance of user accounts; functional permissions restrict the operations a user can perform; and data permissions concern the user's access and operation rights to specific data. In addition there is ETL (Extract-Transform-Load) full synchronisation, which is commonly used in building data warehouses to extract data from different sources, transform it and then load it into a target store.
The approval center provides approval template management, role and post approval, API (Application Programming Interface) approval and approval flow inspection. Approval template management may be used to set up and manage standard templates for approval processes; role and post approval may involve setting approval permissions for different roles and posts; API approval may be used to approve access to application programming interfaces; and approval flow inspection lets a user understand and track the approval processes.
The audit center comprises audit rules, audit log reporting, audit alarms and audit result queries. The audit rules define how system activities are monitored and evaluated; audit log reporting is responsible for collecting and reporting activity logs; an audit alarm gives a warning when an abnormal condition is found; and the user can query and analyse the audit results.
The open capability module presents the interfaces and services that the system provides externally, including authentication service, role permissions, post roles, micro front end, style isolation, permission configuration, data layer events, one-number pass, operation organisation and interface authentication. These functions may be used for integration with other systems or by third-party developers.
Basic services: finally, the basic services section includes tenant isolation, front-end component packaging, interface authentication and a STARTERKIT toolkit (a collection of basic components, documents, example code and tutorials provided to help a user quickly start a project or use a platform or technology). Tenant isolation is a security measure in a multi-tenant architecture that guarantees isolation of data and resources between different users; front-end component packaging can be used to build and deploy the front-end interface; interface authentication authorises and authenticates calls to system interfaces; and the STARTERKIT toolkit can be a set of tools that helps a developer get started quickly.
1.1 The service platform adopts a centralised authorisation mechanism and interface permission control with zero intrusion into service code. Specifically:
(1) Referring to fig. 4, the authentication procedure of the centralised authentication and authorisation mechanism may be:
The user initiates a login request (Login) and sends the message to the unified login.
After the unified login receives the request, it forwards the request to the security manager for authentication (i.e. the user login information is sent to the security manager).
After receiving the authentication request, the security manager sends a verification request to the authenticator (i.e. a verification request is sent to the authenticator through the security manager).
The authenticator obtains the user permission information from the relational database, authenticates based on it and returns the result to the security manager (i.e. the authenticator queries the relational database based on the user identifier carried by the verification request).
If authentication succeeds, the security manager returns a Token to the target user; if it fails, the security manager returns 401 (i.e. if the authenticator finds the user permission information corresponding to the user identifier, the identity authentication of the target user is determined to pass, and if it finds none, the identity authentication is determined not to pass).
At the same time, the authenticator caches the user permission information from the relational database into the cache database. If authentication succeeds, the security manager creates a Session (role cache), and the Session manager caches the user permission information from the cache database into the role cache (that is, the user permission information is sent to the cache database through the authenticator, the user permission information is acquired from the cache database according to the first preset period, and the most recently acquired user permission information is stored in the role cache).
(2) Referring to fig. 5, the process of authorisation and interface-level control may be:
1) A system interface is accessed. 2) The authoriser intercepts the access request. 3) It is judged whether the user carried by the access request is on the whitelist; if so, access is allowed. 4) If not, it is judged whether a Session exists; if no Session exists, access is denied. 5) If a Session exists, it is checked whether the Session user has the permission annotations for the corresponding resource, post and role. 6) If the Session user lacks the permission annotation for the corresponding resource, post or role, access is denied; if the Session user has the permission annotations for the corresponding resource, post and role, access is allowed. (That is, when an access request initiated by the target user is detected, the access request is intercepted, the request permission of the access request is obtained, the user permission information is obtained from the role cache, and the resource access is performed when the request permission is consistent with the user permission information.)
When the background service of the access system is called, the authoriser of the SDK (Software Development Kit) security manager intercepts the call to perform interface-level verification. All interfaces other than the whitelisted interfaces (configured by the access party) must check the Session, i.e. the authenticated user. The SDK provides the interface-level permission annotations @RequiresRoles (possessing roles), @RequiresPosts (possessing posts) and @RequiresPermissions (possessing resource permissions); interface permission control is achieved by adding different annotations to an interface. To improve authorisation efficiency, a distributed permission cache is introduced to cache the user's personal permissions, and finally, after permission verification, either successful access or an unauthorised-access result is returned.
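The interception flow of fig. 5 and the three annotations are shown below as an added Python example (not the platform's SDK, whose implementation is not given on the page): decorators record the roles, posts and permissions an interface requires, and an authoriser applies the whitelist, session and annotation checks in that order, returning HTTP-style status codes. Assumptions: every value listed in an annotation must be held, the whitelist is keyed by request path, and the `Session` object is the copy of the user permission information held in the role cache.

```python
"""Interface-level authorisation interceptor modelling fig. 5:
whitelist -> session check -> role/post/permission annotations -> allow or deny.
Added example; the decorator names mirror the annotations named on the page, but
the matching semantics (all listed values required) are an assumption."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

WHITELIST = {"/health", "/login"}      # configured by the access party: no session needed


@dataclass
class Session:
    """User permission information as held in the role cache for one logged-in user."""
    user: str
    roles: Set[str] = field(default_factory=set)
    posts: Set[str] = field(default_factory=set)
    permissions: Set[str] = field(default_factory=set)


def _require(kind: str, values: Tuple[str, ...]) -> Callable:
    """Attach a requirement of the given kind to the handler (stackable)."""
    def decorate(handler: Callable) -> Callable:
        needs = getattr(handler, "_required", None)
        if needs is None:
            needs = handler._required = {}
        needs.setdefault(kind, set()).update(values)
        return handler
    return decorate


def requires_roles(*roles: str) -> Callable: return _require("roles", roles)
def requires_posts(*posts: str) -> Callable: return _require("posts", posts)
def requires_permissions(*perms: str) -> Callable: return _require("permissions", perms)


def authorize(path: str, handler: Callable, session: Optional[Session]) -> Tuple[int, str]:
    """The authoriser intercepting one request; returns (status, body)."""
    if path in WHITELIST:                      # 3) whitelisted interface: allow
        return 200, handler(session)
    if session is None:                        # 4) no Session: deny
        return 401, "no session"
    required = getattr(handler, "_required", {})
    for kind in ("roles", "posts", "permissions"):   # 5) check each annotation kind
        missing = required.get(kind, set()) - getattr(session, kind)
        if missing:                            # 6) any missing value: deny
            return 403, f"missing {kind}: {sorted(missing)}"
    return 200, handler(session)


# Constructed route table standing in for annotated interface methods.
def health(_s): return "ok"
def login(_s): return "login page"

@requires_roles("admin")
def list_users(s): return f"users listed for {s.user}"

@requires_posts("analyst")
@requires_permissions("report:read")
def read_report(s): return f"report for {s.user}"

def profile(s): return f"profile of {s.user}"     # no annotation: Session alone suffices

ROUTES: Dict[str, Callable] = {"/health": health, "/login": login, "/api/users": list_users,
                               "/api/reports": read_report, "/api/profile": profile}


def dispatch(path: str, session: Optional[Session]) -> Tuple[int, str]:
    """Entry point: look up the interface, intercept, authorise, then call the handler."""
    handler = ROUTES.get(path)
    if handler is None:
        return 404, "no such interface"
    return authorize(path, handler, session)
```

Because the checks read only the `Session` object, the cost of an authorisation decision does not depend on the database; that is exactly why the page refreshes the role cache on a period rather than querying on every request, and why the refresh period is the window in which a revoked role is still honoured.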
1.2 In this embodiment, the permission module of the service platform further includes an intelligent permission audit policy. Specifically:
(1) Automatic expansion of the permission operation log. Referring to fig. 6, the architecture of the generic permission backend system mainly includes the following parts:
SDKs: there are three different SDKs (SDK1, SDK2, SDK3), integrated into different applications, for interacting with the generic permission backend system.
Kafka (an open-source distributed stream processing platform): when an application performs an operation through the SDK, the resulting log is reported to a Kafka message queue.
Log collection service: consists of Server1, Server2 and Server3, which consume the log messages from Kafka and process them.
Audit monitoring: analyses the collected logs, including alarm rule configuration, abnormal login detection, repeated login detection, operation audit and the like.
Type in ES index: the processed logs are stored in Elasticsearch; a new index is automatically generated per application per month, and a type is automatically generated per class of operation log.
ES: as the underlying data store and service provider, stores all log data and provides search and analysis functions for the upper-layer applications.
The main workflow of this architecture is that an application communicates with the generic permission backend through the SDK, the generated logs are transmitted through Kafka, the log collection servers receive and process the logs, the processing results are passed to the audit monitoring stage, and finally all log data are stored in Elasticsearch for subsequent query and analysis.
The platform provides a generic storage service for login and permission operation logs to serve subsequent audit needs. The SDK reports login operation logs asynchronously through Kafka, permission operations are reported uniformly by the backend of the generic permission system, and the logs land in Elasticsearch and are stored by type. To accommodate the continual growth in the number of connected systems, the log data model layer supports automatic expansion: each connected system corresponds to one appKey (Application Key), each appKey automatically creates an index from a date-based template and supports automatic expansion, each class of log corresponds to one type in the Elasticsearch index, and when a new permission operation log is added, the type is created automatically.
(2) Intelligent permission recheck. Referring to fig. 7, the permission information of the systems connected to the platform is rechecked at the end of each day. The recheck rules include clean-up of departed staff, abnormal login, mismatch between data permission and organisation, and duplicate permission. Specifically, the permission recheck process may be:
1) Configure the permission recheck rules; the defaults supported are clean-up of departed staff, abnormal login, mismatch between data permission and organisation, and duplicate permission. 2) The scheduled scheduler schedules the recheck task. 3) The rule analyser obtains the permission information and judges whether a recheck rule is hit. 4) The target user is notified. 5) The access party confirms. (That is, when it is determined that the permission recheck is triggered, login operation information and permission operation information are obtained from the login operation log and permission operation log, the permission recheck is performed on the target user based on that information, and when the permission recheck is not passed, the role permission is processed.)
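The rule analyser of step 3) can be modelled as a set of rule functions evaluated over each user's permission record. The block below is an added Python example, not the platform's code, and its definition of each of the four default rules is an assumption: "abnormal login" is modelled as an active account that holds permissions but has not logged in within 90 days, a data-permission/organisation mismatch as a data scope outside the user's own organisation subtree, and a duplicate permission as one granted both directly and through a role. The sample records are constructed.

```python
"""Rule analyser for the end-of-day permission recheck (fig. 7, step 3).
Added example with constructed records; the rule definitions are assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Optional, Set


@dataclass
class UserPermissions:
    user: str
    org: str                                   # organisation path, e.g. "bank/retail"
    status: str                                # "active" or "resigned"
    roles: Set[str] = field(default_factory=set)
    direct_permissions: Set[str] = field(default_factory=set)
    data_scopes: Set[str] = field(default_factory=set)   # organisations whose data is visible
    last_login: Optional[date] = None


# Constructed role-to-permission mapping and dormancy threshold (assumptions).
ROLE_PERMISSIONS = {"viewer": {"report:read"}, "editor": {"report:read", "report:write"}}
DORMANT_DAYS = 90


def _holds_anything(u: UserPermissions) -> bool:
    return bool(u.roles or u.direct_permissions)


def rule_offstaff(u: UserPermissions, today: date) -> Optional[str]:
    """Departed staff must not keep any role or permission."""
    if u.status == "resigned" and _holds_anything(u):
        return "resigned user still holds permissions"
    return None


def rule_abnormal_login(u: UserPermissions, today: date) -> Optional[str]:
    """Modelled as a live account with permissions that has not logged in recently."""
    if u.status != "active" or not _holds_anything(u):
        return None
    if u.last_login is None or (today - u.last_login).days > DORMANT_DAYS:
        return f"no login within {DORMANT_DAYS} days"
    return None


def rule_org_mismatch(u: UserPermissions, today: date) -> Optional[str]:
    """Data scopes must lie inside the user's own organisation subtree."""
    outside = {s for s in u.data_scopes if s != u.org and not s.startswith(u.org + "/")}
    return f"data scope outside own organisation: {sorted(outside)}" if outside else None


def rule_duplicate(u: UserPermissions, today: date) -> Optional[str]:
    """The same permission granted both via a role and directly."""
    via_roles: Set[str] = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in u.roles))
    dup = via_roles & u.direct_permissions
    return f"granted both directly and via role: {sorted(dup)}" if dup else None


RULES: Dict[str, Callable[[UserPermissions, date], Optional[str]]] = {
    "offstaff_cleanup": rule_offstaff,
    "abnormal_login": rule_abnormal_login,
    "org_mismatch": rule_org_mismatch,
    "duplicate_permission": rule_duplicate,
}


def analyse(records: List[UserPermissions], today: date,
            enabled: Optional[Set[str]] = None) -> Dict[str, List[dict]]:
    """Scheduled task: run each enabled rule over every record.  Hits are grouped per
    user so that step 4) can notify the user and step 5) can ask the access party to confirm."""
    enabled = set(RULES) if enabled is None else enabled
    hits: Dict[str, List[dict]] = {}
    for u in records:
        for name, rule in RULES.items():
            if name not in enabled:
                continue
            detail = rule(u, today)
            if detail:
                hits.setdefault(u.user, []).append({"rule": name, "detail": detail})
    return hits


# Constructed sample records (not real data).
SAMPLE = [
    UserPermissions("erin", "bank/retail", "active", roles={"viewer"},
                    data_scopes={"bank/retail"}, last_login=date(2024, 7, 28)),
    UserPermissions("frank", "bank/retail", "resigned", roles={"editor"},
                    data_scopes={"bank/retail"}, last_login=date(2024, 6, 30)),
    UserPermissions("grace", "bank/retail", "active", roles={"editor"},
                    direct_permissions={"report:read"},
                    data_scopes={"bank/retail", "bank/corporate"}, last_login=date(2024, 3, 1)),
]


def run_sample() -> Dict[str, List[dict]]:
    return analyse(SAMPLE, today=date(2024, 7, 31))
```

The `enabled` parameter corresponds to step 1), configuring which rules the access party has switched on; the per-user grouping of hits is what steps 4) and 5) consume. Of the four rules, departed-staff clean-up is the one with no legitimate exception, so in practice it is the one to auto-remediate rather than merely notify.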
1.3 The permission module of the service platform can also realise high availability and stability of the permission API interface. Specifically:
(1) Referring to fig. 8, in order to guarantee the stability and high availability of the permission API service module, the generic permission platform splits the module under a micro-service architecture and separates the core external API interface services from the internal non-core services. The micro-services are deployed as multiple instances across multiple AZs (Availability Zones), preventing service unavailability due to the failure of a single instance.
(2) Referring to the data storage structure diagram shown in fig. 9, the high-performance permission data scheme is as follows: the data of each micro-service is stored in a separate MySQL (relational) database, MyCat (an open-source database middleware used for sharding, read/write splitting, data routing and the like) is adopted for read/write splitting, and circuit breaking and degradation of services are supported to ensure high availability. Using Redis as a cache for hot-spot data such as roles and resources improves API interface performance, and queries automatically sink to MySQL when the Redis cache is unavailable. Inactive data such as permission operation records, login operation logs and daily historical backup data land in Elasticsearch for auditing and as a degradation fallback. Circuit breaking is also supported when a service is unavailable, to ensure the availability of the core services.
(3) A high-performance gateway gray release based on Nacos. Specifically, the gray release is realised on the basis of Nacos (Nacos Config Service, an open-source distributed configuration management platform): a Starter is introduced into the Spring Cloud Gateway, giving the gateway a gray release function.
Referring to the flow chart shown in fig. 10, the flow of the Nacos configuration center may be:
The management end edits the gray release task. The interface for editing the gray release task may be as shown in fig. 11; the specific gray release content includes gateway service, source address, gray address and gray rule.
The Nacos configuration center synchronises the Nacos configuration files. After the configuration is completed, the MD5 value (Message Digest Algorithm 5, a commonly used hash function that produces a digest or checksum of a message) of the data is checked. It is judged whether the MD5 value has changed; if not, checking of the MD5 value of the data continues, and if so, the local cache on the gateway side is updated.
The gateway side starts the gateway, registers a gateway Filter (component) to perform gray verification, registers Nacos Config Service (i.e. Nacos) with the gateway, obtains the Nacos configuration and registers a listener, updates the local cache when the MD5 value changes, then filters user requests through the Filter, and the gateway reads the gray rules and updates the router object.
Because the Nacos configuration center is used to store the gray rules, the gateway side listens for changes to the configuration files under a designated Namespace through the Nacos Client API, and fetches the changed data into its local cache in near real time by long polling; compared with a scheme based on Redis, the gray configuration performance of this embodiment is better. At the same time, since only the local cache is read, the service unavailability that a Redis outage would cause in a Redis-based gray scheme is avoided.
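The digest-compare-then-refresh loop of fig. 10 is shown below as an added Python example that is not the project's gateway code: an in-memory `ConfigSource` stands in for the Nacos configuration center (the real client would use the Nacos Client API with long polling), the gateway-side `GrayRuleCache` refreshes its local copy only when the MD5 of the configuration changes, and `route` picks the gray or source address from the cached rules without touching the configuration center. The JSON layout of the gray task and the header-based gray rule are assumptions that follow the fields named for fig. 11.

```python
"""Gray-release rule watcher in the style of fig. 10: poll the configuration source,
compare an MD5 digest, refresh the local cache only on change, and route requests
from the cache.  Added example; the config format and matching rule are assumptions,
and ConfigSource is a stand-in for the Nacos configuration center."""
import hashlib
import json
from typing import Dict, List, Optional


class ConfigSource:
    """Stand-in for the configuration center: holds the gray config of one namespace."""
    def __init__(self, text: str):
        self.text = text

    def publish(self, text: str) -> None:   # the management end edits the gray task
        self.text = text

    def fetch(self) -> str:                 # what one client poll returns
        return self.text


class GrayRuleCache:
    """Gateway-side listener: the local cache is rewritten only when the digest changes."""
    def __init__(self, source: ConfigSource):
        self.source = source
        self.md5: Optional[str] = None
        self.rules: List[dict] = []
        self.refreshes = 0

    def check(self) -> bool:
        """One polling round; returns True when the local cache was updated."""
        text = self.source.fetch()
        # MD5 is a change detector here, not an integrity check (see usage note).
        digest = hashlib.md5(text.encode("utf-8"), usedforsecurity=False).hexdigest()
        if digest == self.md5:
            return False                    # unchanged: keep serving from the local cache
        self.rules = json.loads(text)["tasks"]
        self.md5 = digest
        self.refreshes += 1
        return True

    def route(self, service: str, headers: Dict[str, str]) -> str:
        """Choose the gray or source address for a request using only the local cache."""
        for task in self.rules:
            if task["gateway_service"] != service:
                continue
            rule = task["gray_rule"]
            if headers.get(rule["header"]) in rule["values"]:
                return task["gray_address"]
            return task["source_address"]
        raise KeyError(f"no routing task for service {service}")


# Constructed gray-release task mirroring the fields listed for fig. 11.
INITIAL_CONFIG = json.dumps({"tasks": [{
    "gateway_service": "permission-api",
    "source_address": "http://perm-v1.internal:8080",
    "gray_address": "http://perm-v2.internal:8080",
    "gray_rule": {"header": "x-gray-user", "values": ["tester1"]},
}]})
```

MD5 serves here only as a cheap change detector for a configuration the gateway already trusts; it is not a defence against tampering, so access control and transport protection on the configuration center are what protect the rules. Because `route` reads only the local cache, an outage of the configuration center leaves the last-known rules in force instead of failing requests, which is the availability property the text contrasts with a Redis-based scheme.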
In this embodiment, the method and device realise: 1) decoupling of permissions from service implementation, providing modular services that support secondary development; 2) a one-stop permission center service, providing rapid onboarding of SaaS (Software as a Service) tenants; 3) integration of the classical permission model with the in-house permission system; and 4) intelligent permission management and audit services.
It should be noted that the foregoing examples are only for understanding the present application, and are not to be construed as limiting the rights control method of the present application, and that many forms of simple changes based on this technical idea are within the scope of the present application.
The application also provides a permission control device, which can solve the problem of resource waste when constructing the permission module of the service platform by adopting the permission control method in the embodiment. Compared with the prior art, the rights control device provided by the application has the same beneficial effects as the rights control method provided by the embodiment, and other technical features in the rights control device are the same as the features disclosed by the method of the embodiment, and are not repeated herein.
The application provides a right control device which comprises at least one processor and a memory in communication connection with the at least one processor, wherein the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor so that the at least one processor can execute the right control method in the first embodiment.
Referring now to FIG. 12, a schematic structural diagram of a permission control device suitable for implementing the embodiments of the application is shown. The permission control device in the embodiment of the present application may include, but is not limited to, mobile terminals such as mobile phones, notebook computers, digital broadcast receivers, PDAs (Personal Digital Assistants), PADs (Portable Application Description: tablet computers), PMPs (Portable Media Players), vehicle-mounted terminals (e.g. car navigation terminals) and the like, and fixed terminals such as digital TVs, desktop computers and the like. The permission control device shown in fig. 12 is only one example and should not impose any limitation on the functions and scope of use of the embodiment of the present application.
As shown in fig. 12, the permission control device may include a processing device 1001 (e.g. a central processing unit, a graphics processor, etc.), which may perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1002 or a program loaded from a storage device 1003 into a random access memory (RAM) 1004. The RAM 1004 also stores various programs and data necessary for the operation of the permission control device. The processing device 1001, the ROM 1002 and the RAM 1004 are connected to each other by a bus 1005. An input/output (I/O) interface 1006 is also connected to the bus. In general, the following may be connected to the I/O interface 1006: an input device 1007 such as a touch screen, touch pad, keyboard, mouse, image sensor, microphone, accelerometer or gyroscope; an output device 1008 including a liquid crystal display (LCD), a speaker, a vibrator, etc.; a storage device 1003 including a magnetic tape, a hard disk, etc.; and a communication device 1009. The communication device 1009 may allow the permission control device to communicate wirelessly or by wire with other devices to exchange data. While the figure illustrates a permission control device having various systems, it should be understood that not all illustrated systems are required to be implemented or provided; more or fewer systems may alternatively be implemented or provided.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flow charts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program carried on a computer-readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication device 1009, or installed from the storage device 1003, or installed from the ROM 1002. When the computer program is executed by the processing device 1001, the above-described functions defined in the method of the disclosed embodiment are performed.
The permission control device provided by the application adopts the permission control method of the above embodiment and addresses the resource waste incurred when the permission module of a service platform is built. Compared with the prior art, the rights control device provided by the application has the same beneficial effects as the rights control method provided by the above embodiment, and the other technical features of the rights control device are the same as those disclosed by the method of the previous embodiment and are not repeated here.
It is to be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof. In the description of the above embodiments, particular features, structures, materials, or characteristics may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
The present application provides a computer-readable storage medium having computer-readable program instructions (i.e., a computer program) stored thereon for performing the rights control method in the above-described embodiments.
The computer readable storage medium provided by the present application may be, for example, a USB flash drive, but is not limited to it: it may be an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the foregoing. More specific examples of a computer-readable storage medium include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this embodiment, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system, apparatus or device. Program code embodied on a computer readable storage medium may be transmitted using any appropriate medium, including but not limited to electrical wiring, fiber optic cable, RF (radio frequency) and the like, or any suitable combination of the foregoing.
The above-mentioned computer-readable storage medium may be contained in the rights control apparatus or may exist alone without being incorporated in the rights control apparatus.
The computer readable storage medium carries one or more programs which, when executed by the permission control device, cause the permission control device to: obtain user login information of a target user and perform user authentication based on the user login information; create a role cache when the target user passes authentication; obtain the user permission information of the target user and store it in the role cache; when an access request initiated by the target user is detected, intercept the access request and obtain the request permission of the access request; obtain the user permission information from the role cache; and perform resource access according to the access request when the request permission is consistent with the user permission information.
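The flow in the paragraph above (authenticate, create a per-user role cache, load the user's permissions into it, intercept each request and compare the permission the request needs against the cache) as an added example in Python. It is not the patent's code, and everything it fixes is an assumption the page leaves open: `USER_DB` stands in for the relational database, `ROUTE_PERMISSIONS` maps a request to the permission it needs, the login information is a user id plus a password checked against a PBKDF2 hash (the page only says "user login information"), a session token is the handle to the role cache, and a request to a route with no permission mapping is denied by default. The `refresh()` method stands in for the periodic re-read of permissions into the role cache, which is the point a practitioner cares about: a permission revoked in the database stays usable until the cache is refreshed.

```python
"""Added example (not the patent's code): cache-backed permission interception.

Assumptions, none of which the page specifies: USER_DB stands in for the
relational database, ROUTE_PERMISSIONS maps a request to the permission it
needs, login information is a user id plus password, and a session token is
the handle to the per-user role cache.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

SALT = b"constructed-static-salt"  # constructed; use a per-user random salt in practice


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed stand-in for the relational database: user id -> credential + permissions.
USER_DB = {
    "alice": {"pw": pw_hash("alice-pw"), "perms": {"account:read", "transfer:create"}},
    "bob": {"pw": pw_hash("bob-pw"), "perms": {"account:read"}},
}

# Constructed mapping from (method, path) to the permission the request needs.
ROUTE_PERMISSIONS = {
    ("GET", "/accounts"): "account:read",
    ("POST", "/transfers"): "transfer:create",
    ("DELETE", "/accounts"): "account:delete",
}


@dataclass
class RoleCache:
    """Per-user role cache created at login; holds the last-loaded permissions."""
    user_id: str
    permissions: frozenset


class PermissionController:
    def __init__(self):
        self._caches = {}  # session token -> RoleCache

    def login(self, user_id, password):
        """Authenticate; on success create the role cache and return a session token."""
        record = USER_DB.get(user_id)
        candidate = pw_hash(password)  # hash even for unknown users: no timing oracle
        stored = record["pw"] if record else b"\x00" * len(candidate)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self._caches[token] = RoleCache(user_id, frozenset(record["perms"]))
        return token

    def refresh(self):
        """Re-read permissions for every live session (the periodic refresh of the text)."""
        for token, cache in list(self._caches.items()):
            record = USER_DB.get(cache.user_id)
            if record is None:  # user removed from the database: drop the session
                del self._caches[token]
            else:
                self._caches[token] = RoleCache(cache.user_id, frozenset(record["perms"]))

    def intercept(self, token, method, path):
        """Interceptor: returns (status, message); the resource is accessed only on 200."""
        cache = self._caches.get(token)
        if cache is None:
            return 403, "no authenticated session"
        required = ROUTE_PERMISSIONS.get((method, path))
        if required is None:
            return 403, "route has no permission mapping"  # deny by default
        if required not in cache.permissions:
            return 403, f"missing permission {required}"
        return 200, f"{cache.user_id} allowed {method} {path}"

    def logout(self, token):
        self._caches.pop(token, None)


if __name__ == "__main__":
    ctl = PermissionController()
    tok = ctl.login("alice", "alice-pw")
    print(ctl.intercept(tok, "POST", "/transfers"))
    print(ctl.intercept(tok, "DELETE", "/accounts"))
```

The interceptor never consults the database on the request path, which is what makes the role cache cheap; the trade-off is that the refresh period bounds how long a revoked permission keeps working, so it should be short, or a revocation should evict the affected sessions directly.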
Computer program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present application may be implemented in software or in hardware. In some cases, the name of a module does not limit the unit itself.
The readable storage medium provided by the application is a computer readable storage medium storing computer readable program instructions (namely a computer program) for executing the permission control method, and thereby addresses the resource waste incurred when the permission module of a service platform is built. Compared with the prior art, the beneficial effects of the computer readable storage medium provided by the application are the same as those of the permission control method provided by the above embodiment and are not repeated here.
The application also provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the rights control method as described above.
The computer program product provided by the application addresses the resource waste incurred when the permission module of a service platform is built. Compared with the prior art, the beneficial effects of the computer program product provided by the application are the same as those of the permission control method provided by the above embodiment and are not repeated here.
The foregoing description is only a partial embodiment of the present application, and is not intended to limit the scope of the present application, and all the equivalent structural changes made by the description and the accompanying drawings under the technical concept of the present application, or the direct/indirect application in other related technical fields are included in the scope of the present application.

Claims (9)

1. A permission control method, characterized in that the method comprises:
obtaining user login information of a target user, and performing user authentication based on the user login information;
when the target user passes authentication, creating a role cache;
obtaining user permission information of the target user, and storing the user permission information in the role cache;
when an access request initiated by the target user is detected, intercepting the access request and obtaining the request permission of the access request;
obtaining the user permission information from the role cache, and, when the request permission is consistent with the user permission information, accessing the resource according to the access request;
wherein the method further comprises:
obtaining and saving the login operation log and the permission operation log of the target user according to a third preset period;
when it is determined that a permission back-check is triggered, obtaining login operation information and permission operation information from the login operation log and the permission operation log;
performing a permission back-check on the target user based on the login operation information and the permission operation information;
when the permission back-check fails, processing the role permission of the target user.

2. The method according to claim 1, characterized in that the step of performing user authentication based on the user login information comprises:
sending the user login information to a security manager;
sending a verification request to an authenticator through the security manager;
querying, by the authenticator, a relational database based on the user identifier carried in the verification request;
if the authenticator finds user permission information corresponding to the user identifier, determining that the identity authentication of the target user passes;
if the authenticator does not find the user permission information, determining that the identity authentication of the target user fails.

3. The method according to claim 2, characterized in that, after the step of querying the relational database by the authenticator based on the user identifier carried in the verification request, the method further comprises:
sending the user permission information to a cache database through the authenticator;
and, before the step of obtaining the user permission information from the role cache, the method further comprises:
obtaining the user permission information from the cache database according to a first preset period, and storing the most recently obtained user permission information in the role cache.

4. The method according to claim 3, characterized in that, after the step of sending the user permission information to the cache database through the authenticator, the method further comprises:
when it is detected that the user permission information has reached a preset life cycle, migrating the user permission information to the relational database;
backing up the data in the cache database to a distributed search engine or a data warehouse according to a second preset period.

5. The method according to claim 1, characterized in that the step of performing a permission back-check on the target user based on the login operation information and the permission operation information comprises:
determining the user login operation of the target user based on the login operation information, and determining the user permission operation of the target user based on the permission operation information;
if the user login operation or the user permission operation is consistent with a preset abnormal behavior, determining that the permission back-check of the target user fails;
if neither the user login operation nor the user permission operation is consistent with the preset abnormal behavior, determining that the permission back-check of the target user passes.

6. The method according to claim 5, characterized in that the step of processing the role permission of the target user comprises:
determining, from the user login operation and the user permission operation, the abnormal operation that is consistent with the preset abnormal behavior;
determining the operation type of the abnormal operation, and processing the target user according to the operation type.

7. A permission control device, characterized in that the device comprises a memory, a processor, and a computer program stored in the memory and executable on the processor, the computer program being configured to implement the steps of the permission control method according to any one of claims 1 to 6.

8. A storage medium, characterized in that the storage medium is a computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the steps of the permission control method according to any one of claims 1 to 6 are implemented.

9. A computer program product, characterized in that the computer program product comprises a computer program, and when the computer program is executed by a processor, the steps of the permission control method according to any one of claims 1 to 6 are implemented.
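The permission back-check of claims 1, 5 and 6, run over constructed log lines, as an added example in Python that is not the patent's code. The claims say only that login and permission operations are compared against "preset abnormal behavior" and that the user is then processed by operation type; the log format (`ts|user|operation|key=value;...`), the three abnormal behaviours chosen here (a burst of failed logins followed by a success, a user granting a role to themself, a burst of denied access requests), the thresholds, and the handling actions per type (lock the account, revoke the self-granted role, flag for review) are all assumptions.

```python
"""Added example (not the patent's code): log-driven permission back-check.

Assumed log format: ts|user|operation|key=value;key=value. The abnormal
behaviours, thresholds and handling actions below are assumptions; the
claims do not name them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login operation log and permission operation log.
LOGIN_LOG = """\
2024-07-30T08:55:10|alice|login_fail|ip=10.0.0.5
2024-07-30T08:55:14|alice|login_fail|ip=10.0.0.5
2024-07-30T08:55:19|alice|login_fail|ip=10.0.0.5
2024-07-30T08:55:25|alice|login_ok|ip=10.0.0.5
2024-07-30T09:10:00|bob|login_ok|ip=10.0.0.9
"""
PERM_LOG = """\
2024-07-30T09:12:00|bob|grant|target=bob;role=admin
2024-07-30T09:13:00|carol|access_denied|perm=account:delete
2024-07-30T09:13:05|carol|access_denied|perm=transfer:approve
2024-07-30T09:13:09|carol|access_denied|perm=user:create
2024-07-30T09:20:00|dave|grant|target=erin;role=auditor
"""

FAIL_THRESHOLD = 3      # failed logins inside WINDOW
DENY_THRESHOLD = 3      # denied requests inside WINDOW
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse log lines into dicts with a datetime, user, operation and detail map."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, op, detail = line.split("|", 3)
        kv = dict(item.split("=", 1) for item in detail.split(";") if item)
        entries.append({"ts": datetime.fromisoformat(ts), "user": user, "op": op, "detail": kv})
    return entries


def _burst(entries, op, threshold):
    """Users with at least `threshold` entries of `op` inside a sliding WINDOW.

    Returns user -> timestamp of the entry that completed the burst."""
    by_user = defaultdict(list)
    for e in entries:
        if e["op"] == op:
            by_user[e["user"]].append(e["ts"])
    hits = {}
    for user, stamps in by_user.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= WINDOW:
                hits[user] = stamps[i + threshold - 1]
                break
    return hits


def back_check(login_entries, perm_entries):
    """Compare login and permission operations against the preset abnormal behaviours."""
    findings = []
    # login behaviour: a burst of failures followed by a success from the same user
    for user, last_fail in _burst(login_entries, "login_fail", FAIL_THRESHOLD).items():
        if any(x["user"] == user and x["op"] == "login_ok" and x["ts"] >= last_fail
               for x in login_entries):
            findings.append({"user": user, "type": "login", "rule": "failure_burst_then_success"})
    # permission behaviour: an operator granting a role to their own account
    for e in perm_entries:
        if e["op"] == "grant" and e["detail"].get("target") == e["user"]:
            findings.append({"user": e["user"], "type": "permission", "rule": "self_grant",
                             "role": e["detail"].get("role")})
    # permission behaviour: a burst of denied requests (probing beyond the assigned role)
    for user in _burst(perm_entries, "access_denied", DENY_THRESHOLD):
        findings.append({"user": user, "type": "permission", "rule": "denied_burst"})
    return findings


def process(findings, roles):
    """Handle each finding by operation type; mutates `roles` (user -> set of roles)."""
    actions = []
    for f in findings:
        if f["type"] == "login":
            roles[f["user"]] = set()                      # lock: strip every role
            actions.append((f["user"], "lock_account"))
        elif f["rule"] == "self_grant":
            roles.setdefault(f["user"], set()).discard(f["role"])
            actions.append((f["user"], "revoke:" + f["role"]))
        else:
            actions.append((f["user"], "flag_for_review"))
    return actions


if __name__ == "__main__":
    found = back_check(parse_log(LOGIN_LOG), parse_log(PERM_LOG))
    print(process(found, {"alice": {"teller"}, "bob": {"teller", "admin"}, "carol": {"teller"}}))
```

The self-grant rule is the one worth keeping whatever else changes: a permission operation whose actor and target are the same account is the signature of an operator escalating their own role, and the back-check is the only control in this design that sees it after the fact, since the interceptor on the request path only checks that the actor held the `grant` permission.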
CN202411031336.4A 2024-07-30 2024-07-30 Permission control method, device, storage medium and computer program product Active CN119066673B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411031336.4A CN119066673B (en) 2024-07-30 2024-07-30 Permission control method, device, storage medium and computer program product

Publications (2)

Publication Number Publication Date
CN119066673A (en) 2024-12-03
CN119066673B (en) 2025-09-12

Family

ID=93643712

Country Status (1)

Country Link
CN (1) CN119066673B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN120354459B (en) * 2025-06-25 2025-09-02 江苏卓顿信息科技有限公司 Multi-role collaborative management system based on RBAC+HIS synchronization

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112615849A (en) * 2020-12-15 2021-04-06 平安科技(深圳)有限公司 Micro-service access method, device, equipment and storage medium
CN115840847A (en) * 2022-09-27 2023-03-24 珠海市新德汇信息技术有限公司 Universal dynamic data retrieval configuration method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200342449A1 (en) * 2019-04-29 2020-10-29 Salesforce.Com, Inc. Systems, methods, and apparatuses for implementing an api gateway to authorize and charge a fee for a transaction between cloud computing customers using distributed ledger technologies (dlt)

Also Published As

Publication number Publication date
CN119066673A (en) 2024-12-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant