
CN119203088A - Rights management method, device, computer equipment and storage medium - Google Patents

Rights management method, device, computer equipment and storage medium

Info

Publication number
CN119203088A
Authority
CN
China
Prior art keywords
service
information
sub
authority
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411244146.0A
Other languages
Chinese (zh)
Inventor
黄章力
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ping An Bank Co Ltd
Original Assignee
Ping An Bank Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Ping An Bank Co Ltd
Priority to CN202411244146.0A
Publication of CN119203088A
Legal status: Pending (current)

Classifications

    • G06F21/31 User authentication (under G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals; G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F Electric digital data processing; G06 Computing or calculating; counting; G Physics)
    • G06F21/604 Tools and structures for managing or administering access control systems (under G06F21/60 Protecting data; G06F21/00)
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/62; G06F21/60 Protecting data; G06F21/00)
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes (under G06F21/62; G06F21/60 Protecting data; G06F21/00)
    • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode (under G06F21/71; G06F21/70; G06F21/00)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Mathematical Physics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The present application discloses a permission management method, device, computer equipment and storage medium. When a permission request uploaded by a preset system is received, the method parses the request and obtains the corresponding user identifier and service content; parses the service content and obtains a plurality of sub-service information items and the service sequence corresponding to each; inputs each sub-service item into a pre-trained permission confirmation model, which analyzes it and outputs the service permission scope and service permission duration corresponding to it; obtains the user's current permission scope in the preset system according to the user identifier and generates a plurality of authorized permission scopes from each service permission scope and the current permission scope; generates permission grant information from the authorized permission scopes, the service permission duration corresponding to each of them and the service sequence; and completes the management of the user's permissions according to the user identifier and the permission grant information.

Description

Rights management method, device, computer equipment and storage medium
Technical Field
The application relates to the technical field of artificial intelligence, and is applied to the financial field, in particular to a rights management method, a device, computer equipment and a storage medium.
Background
In a financial service system, service interactions are frequent and service personnel often need temporary elevation of access rights: their permissions are raised to a specific level for a particular task, the temporary resource access is authorized, and the rights are restored to the original level once the task is completed.
The traditional rights management method assigns users in the system to roles according to the needs of their positions; each role carries a fixed set of rights and a fixed operation range, and the rights of each user are managed through the role.
However, when a role contains rights that the user does not actually need, there is a risk that the user exploits those rights to obtain private data; yet if users are not given the rights of the corresponding role, a large workload falls on their superiors, who must approve each access. The current rights management method therefore has several problems: security hazards in rights data, risk of data leakage, and non-uniform standards in the rights system.
Disclosure of Invention
The application provides a rights management method, a device, computer equipment and a storage medium, which aim to solve the problems described above: when a role contains rights that a user does not need, the user risks obtaining private data through those rights, but withholding the role's rights brings a large workload to the corresponding superiors, so that security hazards in rights data, risk of data leakage and non-uniform rights standards remain. The method forms a complete, standardized and safe automatic rights management scheme that lets the preset system respond to service requests quickly while operating safely.
In a first aspect, the present application provides a rights management method, including:
When receiving a permission request uploaded by a preset system, analyzing the permission request, and acquiring a user identifier corresponding to the permission request and service content corresponding to the permission request;
analyzing the service content, and acquiring a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information;
inputting each piece of sub-service information into a pre-trained authority confirmation model, analyzing each piece of sub-service information by the authority confirmation model, and outputting a service authority range and service authority duration corresponding to each piece of sub-service information;
acquiring a current authority range of a user from a preset system according to a user identifier, and generating a plurality of authorized authority ranges according to each service authority range and the current authority range;
generating authority grant information according to the plurality of authorized authority ranges, the service authority duration corresponding to each authorized authority range and the service sequence;
and finishing the management of the user rights according to the user identification and the rights granting information.
In some embodiments, generating a plurality of authorized authority ranges according to each service authority range and the current authority range comprises: acquiring the difference authority range between each service authority range and the current authority range; acquiring, in each piece of sub-service information, the target service information corresponding to each difference authority range; acquiring a necessity factor of each piece of target service information with respect to its sub-service information; and, if the target service information is confirmed by the necessity factor to be a necessary service within the sub-service information, generating the authorized authority range from the difference authority range.
In some embodiments, after the management of the user rights according to the user identifier and the rights granting information is completed, the method further comprises: obtaining the audit log of the user in the preset system during the period of the rights grant, the audit log comprising at least the actual operation information of the user; generating preset operation information from the sub-service information, the service sequence corresponding to each piece of sub-service information and the service rights duration; judging whether the preset operation information is consistent with the actual operation information; and, if they are inconsistent, generating a rights revocation instruction and sending it to the preset system to cancel the rights granted to the user.
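One way to implement that audit-log comparison, as an added example that is not part of the patent or of any Ping An Bank system: the preset steps are laid out as consecutive time windows, each audit line is checked against the window containing its timestamp, and the first operation that is neither in the user's base rights nor preset for the active sub-service produces a revocation instruction. The log format, the field names, the sample lines and the rule that operations within the user's base rights are always consistent are assumptions made for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Preset operation information: the sub-services in service order, each with the
# operations it is expected to perform and its service rights duration.
# Constructed for this example.
PRESET_STEPS = [
    {"sub_service": "review_loan_file",   "ops": {"loan:read"},                 "duration": timedelta(hours=2)},
    {"sub_service": "query_customer_kyc", "ops": {"customer:read", "kyc:read"}, "duration": timedelta(minutes=30)},
]
BASE_SCOPE = frozenset({"loan:read"})                  # rights held before the grant (constructed)
T0 = datetime(2024, 9, 1, 9, 0, tzinfo=timezone.utc)  # moment the grant took effect (constructed)

# Constructed audit-log lines; the format is an assumption, not the preset system's own.
SAMPLE_LOG = """\
2024-09-01T09:05:00Z user=e10234 op=loan:read obj=LN-2024-0817
2024-09-01T09:40:00Z user=e10234 op=loan:read obj=LN-2024-0817
2024-09-01T11:10:00Z user=e10234 op=customer:read obj=C-55812
2024-09-01T11:12:00Z user=e10234 op=kyc:read obj=C-55812
2024-09-01T11:20:00Z user=e10234 op=ledger:export obj=GL-ALL
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) op=(?P<op>\S+) obj=(?P<obj>\S+)$")


def parse_log(text):
    """Actual operation information: one dict per well-formed audit line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than trusted
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "op": m["op"], "obj": m["obj"]})
    return events


def preset_windows(steps, start):
    """Lay the preset steps out as consecutive time windows beginning at `start`."""
    windows, cursor = [], start
    for step in steps:
        windows.append({**step, "valid_from": cursor, "valid_until": cursor + step["duration"]})
        cursor += step["duration"]
    return windows


def reconcile(user_id, events, steps, start, base_scope):
    """Compare the actual operations of `user_id` with the preset ones.

    Returns None when every operation is either inside the user's base scope or
    preset for the sub-service whose window contains its timestamp; otherwise
    returns a rights revocation instruction describing the first deviation.
    """
    windows = preset_windows(steps, start)
    for i, ev in enumerate(events):
        if ev["user"] != user_id or ev["op"] in base_scope:
            continue
        active = next((w for w in windows if w["valid_from"] <= ev["ts"] < w["valid_until"]), None)
        if active is None:
            reason = "operation outside every granted window"
        elif ev["op"] not in active["ops"]:
            reason = f"operation not preset for sub-service {active['sub_service']}"
        else:
            continue
        return {"instruction": "revoke", "user": user_id, "event_index": i,
                "op": ev["op"], "obj": ev["obj"], "at": ev["ts"].isoformat(), "reason": reason}
    return None


def check_sample(log_text=SAMPLE_LOG):
    """Run the reconciliation over the constructed log for user e10234."""
    return reconcile("e10234", parse_log(log_text), PRESET_STEPS, T0, BASE_SCOPE)


if __name__ == "__main__":
    print(check_sample())
```

On the constructed log the first four lines are consistent with the preset steps, and the fifth (a ledger export during the KYC window) yields the revocation instruction; an operation after the last window expires is also reported, while operations by a different user are ignored by this check.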
In some embodiments, before analyzing the service content, acquiring a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information, the method further comprises the steps of acquiring post information of a user in a preset system according to a user identifier, extracting service characteristic information corresponding to the service content, acquiring matching degree corresponding to the post information and the service characteristic information, and returning an authority request if the matching degree is lower than the preset matching degree.
In some embodiments, before generating the permission grant information according to the multiple authorized permission ranges, the service permission duration corresponding to each authorized permission range and the service sequence, the method further comprises: querying, according to the user identifier, the finished service information of the user in the preset system, the finished service information comprising the finished service content, the service type corresponding to the finished service content and the finishing duration; generating a duration prediction model corresponding to the user from the finished service content, its service type and its finishing duration; acquiring the service type corresponding to each piece of sub-service information; inputting the service type and service content corresponding to each piece of sub-service information into the duration prediction model, which outputs a predicted finishing duration for each piece of sub-service information; and updating the service permission duration according to the predicted finishing duration of each piece of sub-service information.
In some embodiments, analyzing the service content, acquiring a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information includes acquiring service coding information corresponding to the service content, inputting the service coding information into a pre-trained sub-service extraction model, and outputting the sub-service information and the service sequence corresponding to the service coding information by the sub-service extraction model.
In some embodiments, before the service coding information is input into the pre-trained sub-service extraction model, the method further comprises: obtaining a plurality of pieces of historical service information corresponding to the preset system, together with the historical sub-service information and historical service sequence corresponding to each piece; inputting the historical service information into the sub-service extraction model to be trained, which analyzes it and outputs predicted sub-service information and a predicted service sequence; and completing the training of the sub-service extraction model according to the historical sub-service information and the predicted sub-service information, and the historical service sequence and the predicted service sequence.
In a second aspect, the present application provides a rights management unit comprising:
the request receiving module is used for analyzing the permission request when receiving the permission request uploaded by the preset system, and acquiring a user identifier corresponding to the permission request and service content corresponding to the permission request;
The service analysis module is used for analyzing the service content and acquiring a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information;
The range output module is used for inputting each piece of sub-service information into the pre-trained authority confirmation model, analyzing each piece of sub-service information by the authority confirmation model and outputting a service authority range and service authority duration corresponding to each piece of sub-service information;
The range confirmation module is used for acquiring the current authority range of the user in a preset system according to the user identification and generating a plurality of authorized authority ranges according to each service authority range and the current authority range;
The information generation module is used for generating authority grant information according to the plurality of authorized authority ranges, the service authority duration corresponding to each authorized authority range and the service sequence;
and the permission granting module is used for completing the management of the user permission according to the user identification and the permission granting information.
In a third aspect, the present application also provides a computer device comprising:
A memory and a processor;
the memory is used for storing a computer program;
the processor is configured to execute the computer program and implement the steps of the rights management method as described in the first aspect above when the computer program is executed.
In a fourth aspect, the present application also provides a computer readable storage medium storing a computer program which, when executed by a processor, causes the processor to implement the steps of the rights management method as described in the first aspect above.
The application discloses a right management method, a right management device, computer equipment and a storage medium. The method comprises the steps of when a permission request uploaded by a preset system is received, analyzing the permission request, obtaining a user identification corresponding to the permission request and service content corresponding to the permission request, analyzing the service content, obtaining a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information, inputting each sub-service information into a pre-trained permission confirmation model, analyzing each sub-service information by the permission confirmation model, outputting a service permission range and service permission duration corresponding to each sub-service information, obtaining a current permission range of a user in the preset system according to the user identification, generating a plurality of authorized permission ranges according to each service permission range and the current permission range, generating permission grant information according to the plurality of authorized permission ranges, the service permission duration corresponding to each authorized permission range and the service sequence, and completing management of the user permission according to the user identification and the permission grant information.
The provided method analyzes the service content corresponding to the user and splits it into a plurality of sub-service information items, confirms the service authority range and service authority duration of each through the authority confirmation model, and determines the authorized authority range of the user by comparing these with the user's current authority range. Authority grant information is then generated from the service authority duration, authorized authority range and service sequence of each sub-service item, and the user's rights are managed accordingly. This achieves a dynamic and precise grant of rights to the user that keeps the system safe while the service runs normally.
At the same time, the provided method has the following advantages:
1. A complete, standardized and safe temporary authorization management scheme is formed, supporting temporary system permissions for a user. It ensures that each authorization is reasonable and necessary and that all authorized operations are tracked, preventing misuse. Self-service authorization is also supported: a user can apply for temporary permissions and obtains them after verification, which simplifies the authorization process and improves operational efficiency.
2. The security risk of authorization is controllable. Multi-level authority control is supported: several levels of authority control are set in the preset system and authorities of different levels are assigned according to the user's position, role and so on. When a user needs to perform a task outside the responsibilities of daily work, the required access rights can be obtained by requesting authorization from the superior manager.
3. Automatic revocation on expiry is supported. A time limit can be set for a user who needs temporary rights so that the rights are held for a preset period; once that period is exceeded, the user's rights are automatically withdrawn, preventing information leakage caused by excessive or unauthorized access and operations.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application as claimed.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic flow chart of steps of a rights management method according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of steps of a method for generating an authorization right range according to an embodiment of the present application;
FIG. 3 is a schematic flow chart of steps of a rights grant cancellation method provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a rights management unit according to an embodiment of the present application;
fig. 5 is a schematic block diagram of a computer device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The flow diagrams depicted in the figures are merely illustrative and not necessarily all of the elements and operations/steps are included or performed in the order described. For example, some operations/steps may be further divided, combined, or partially combined, so that the order of actual execution may be changed according to actual situations.
It should be understood that, in order to clearly describe the technical solutions of the embodiments of the present invention, in the embodiments of the present invention, the words "first", "second", etc. are used to distinguish identical items or similar items having substantially the same function and effect. It will be appreciated by those of skill in the art that the words "first," "second," and the like do not limit the amount and order of execution, and that the words "first," "second," and the like do not necessarily differ.
It is to be understood that the terminology used in the description of the application herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this specification and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
Some embodiments of the present application are described in detail below with reference to the accompanying drawings. The following embodiments and features of the embodiments may be combined with each other without conflict.
In order to solve the above-mentioned problems, please refer to fig. 1, which is a schematic flowchart of a rights management method according to an embodiment of the present application. The rights management method may be implemented by a computer device that may be deployed on a single server or a cluster of servers; it can also be deployed in a handheld terminal, a notebook computer, a wearable device, a robot, etc. Specifically, as shown in fig. 1, the provided method includes steps S101 to S106. The details are as follows:
S101, when receiving a permission request uploaded by a preset system, analyzing the permission request, and acquiring a user identifier corresponding to the permission request and service content corresponding to the permission request.
Specifically, when the server receives a permission request uploaded by the preset system, for instance when an employee of a preset financial system uploads a permission request applying for larger permissions because of a service need, the server first analyzes the permission request and obtains the user identifier and the service content corresponding to the requested permission. That is, the server automatically analyzes and checks each authority request through the provided method and grants the corresponding authorities to the user after the verification passes, so that the user rights of the preset system are managed efficiently.
It should be noted that, in some embodiments, the preset system may be a financial system, a medical system, or a management system with various kinds of traffic. The authority management efficiency of various systems can be greatly improved by the method, and the stability and the safety of the operation of the system business are further improved.
S102, analyzing service contents, and acquiring a plurality of sub-service information corresponding to the service contents and a service sequence corresponding to each sub-service information.
Specifically, the server can obtain a plurality of sub-service information corresponding to each service content and a service sequence corresponding to each sub-service information by analyzing the service content, where the sub-service information may correspond to a step, such as checking a certain item, referring to a certain data, modifying a certain file code, etc., and the embodiment of the present application does not limit the scope of the sub-service information. By splitting the business content, the application can accurately and precisely analyze the authority actually required by the business content.
In some embodiments, before analyzing the service content, acquiring a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information, the method further comprises the steps of acquiring post information of a user in a preset system according to a user identifier, extracting service characteristic information corresponding to the service content, acquiring matching degree corresponding to the post information and the service characteristic information, and returning an authority request if the matching degree is lower than the preset matching degree.
To prevent a user from fabricating the service content, the server acquires the post information of the user in the preset system and the service characteristics corresponding to the service content, and calculates their matching degree. If, for example, the post is a sales post and the service content is the checking of experimental data, the post differs too much from the service, and the server returns the permission request to avoid data leakage. Alternatively, service content whose matching degree is lower than the preset matching degree is sent for verification to the management end of the post that the service content corresponds to: if post A requests a service that belongs to post B, authorization proceeds only after the management of post B has verified it, which further improves the security of the system.
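The post-to-service matching check and the routing that follows it, as an added example that is not the patent's own implementation: the post profiles, the manager mapping, the keyword-based feature extraction, the matching-degree formula (share of the service's features that lie inside the post's remit) and the threshold are all assumptions made for this example. The routing covers the three outcomes the paragraph describes: proceed, send to the management end of the best-matching post for verification, or return the request.

```python
import re

# Constructed post profiles: the service feature tags each post normally handles.
POST_PROFILES = {
    "sales":    {"customer", "quote", "contract", "crm"},
    "credit":   {"loan", "kyc", "credit-score", "collateral", "customer"},
    "research": {"experiment", "dataset", "model", "backtest"},
}
# Constructed: the management end that verifies requests for each post's services.
MANAGER_OF = {"sales": "mgr-sales", "credit": "mgr-credit", "research": "mgr-research"}
PRESET_MATCH_DEGREE = 0.5  # assumed threshold


def extract_features(service_content):
    """Stand-in for service feature extraction: lowercase tokens that are known feature tags."""
    vocab = set().union(*POST_PROFILES.values())
    tokens = set(re.findall(r"[a-z][a-z-]*", service_content.lower()))
    return tokens & vocab


def match_degree(post_tags, features):
    """Share of the service's features that lie inside the post's normal remit (0.0 when none)."""
    if not features:
        return 0.0
    return len(features & post_tags) / len(features)


def route_request(user_post, service_content):
    """Decide what happens to the request before its service content is analyzed further.

    proceed: the user's own post matches well enough.
    verify:  another post matches; its management end must verify first.
    return:  no post matches; the request is returned to the requester.
    """
    features = extract_features(service_content)
    own = match_degree(POST_PROFILES[user_post], features)
    if own >= PRESET_MATCH_DEGREE:
        return {"decision": "proceed", "match": own, "features": sorted(features)}
    best_post, best = max(((p, match_degree(t, features)) for p, t in POST_PROFILES.items()),
                          key=lambda pair: pair[1])
    if best >= PRESET_MATCH_DEGREE:
        return {"decision": "verify", "match": own, "verifier": MANAGER_OF[best_post],
                "features": sorted(features)}
    return {"decision": "return", "match": own, "features": sorted(features)}


if __name__ == "__main__":
    print(route_request("sales", "Check the experiment dataset and the backtest results"))
    print(route_request("credit", "Review loan file, then query customer KYC record"))
    print(route_request("sales", "Reset the branch printer queue"))
```

The sales-post request for experimental data is the paragraph's own case: its features match the research post, so it is routed to that post's management end instead of being authorized directly.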
In some embodiments, analyzing the service content, acquiring a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information includes acquiring service coding information corresponding to the service content, inputting the service coding information into a pre-trained sub-service extraction model, and outputting the sub-service information and the service sequence corresponding to the service coding information by the sub-service extraction model.
By performing feature coding on the service content, the corresponding service coding information is obtained and input into a sub-service extraction model, such as a neural network model, so that the sub-service information and the service sequence corresponding to the service content can be rapidly extracted. And then the service authority can be quickly determined for subsequent operation.
The method comprises the steps of obtaining a plurality of pieces of history service information corresponding to a preset system and history sub-service information and history service sequences corresponding to each piece of history service information before the service coding information is input into a pre-trained sub-service extraction model, inputting the history service information into the sub-service extraction model to be trained, analyzing the history service information by the sub-service extraction model, outputting predicted sub-service information and predicted service sequences, and completing training of the sub-service extraction model according to the history sub-service information and the predicted service information, the history service sequences and the predicted service sequences.
By combining the historical service information and the historical sub-service information and the historical service sequence corresponding to each historical service information, a large number of traceable historical records of a preset system such as a financial system can be successfully used, and further a sub-service extraction model capable of accurately splitting service contents can be accurately trained.
S103, inputting each piece of sub-service information into a pre-trained authority confirmation model, analyzing each piece of sub-service information by the authority confirmation model, and outputting a service authority range and service authority duration corresponding to each piece of sub-service information.
Specifically, after the server splits the service content to obtain a plurality of sub-service information, the service authority range related to each sub-service information and the service authority duration corresponding to the sub-service information can be analyzed by inputting the sub-service information into the corresponding authority confirmation model. The method provided by the method can accurately authorize the user and control the authorization time length, and ensures the safe operation of the system and the normal operation of the service.
S104, acquiring the current authority range of the user in a preset system according to the user identification, and generating a plurality of authorized authority ranges according to each service authority range and the current authority range.
Specifically, the server queries the current authority range of the user in the preset system according to the user identifier (for example an ID or an employee number; a display name is also listed as an option, but unlike an ID it does not necessarily identify exactly one user), and then determines the authority range to be granted by comparing the service authority range of each sub-service with the current authority range. Only the part the user lacks is granted, which realizes precise authorization.
In some embodiments, as shown in fig. 2, generating a plurality of authorized authority ranges according to each service authority range and the current authority range comprises steps S104a to S104d.
S104a, acquiring the difference authority range between each service authority range and the current authority range;
S104b, acquiring, from each piece of sub-service information, the target service information corresponding to each difference authority range;
S104c, obtaining the necessity factor of each piece of target service information with respect to its sub-service information;
S104d, if the target service information is confirmed, according to the necessity factor, to be a necessary service within the sub-service information, generating an authorized authority range according to the difference authority range.
Because part of a sub-service may be unnecessary to the sub-service as a whole, whether the target service is necessary is judged from the proportion of the sub-service information it accounts for, its position in the sub-service, or its service type. Unnecessary services are not authorized; for necessary services, the corresponding difference authority range is determined and authorized. Granting only the missing part of what is actually needed keeps the service running while limiting the rights the user accumulates, which improves the security of the system.
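The following is an added example, not code from the patent, showing one way to carry out steps S104a to S104d in working code: the difference between what a sub-service needs and what the user already holds is computed, the operations of the sub-service that fall into that difference are located, a necessity factor is scored from their share of the sub-service, their service type and their position, and only the difference of sub-services that pass the threshold is granted. Everything the patent leaves unspecified is an assumption here: permissions are `resource:action` strings, each sub-service lists its operations in execution order with a service type, the `CRITICAL_TYPES` set, the weights and the 0.5 threshold are hypothetical, and the sample data is constructed.

```python
# Added example, not code from the patent: deriving authorized permission
# ranges (steps S104a to S104d) from per-sub-service requirements and the
# user's current rights. Permission strings, service types, weights and the
# threshold below are assumptions, not values taken from the patent.
from dataclasses import dataclass


@dataclass
class SubService:
    name: str
    order: int                 # position in the service sequence
    operations: list           # [(permission, service_type), ...] in execution order


# Service types whose absence blocks the sub-service outright (assumed).
CRITICAL_TYPES = {"write", "approve"}


def difference_range(service_range: set, current_range: set) -> set:
    """S104a: permissions the sub-service needs that the user lacks."""
    return set(service_range) - set(current_range)


def target_service_info(sub: SubService, diff: set) -> list:
    """S104b: the operations of the sub-service that fall in the difference
    range, with their position index in the sub-service."""
    return [(perm, typ, idx) for idx, (perm, typ) in enumerate(sub.operations) if perm in diff]


def necessity_factor(sub: SubService, targets: list) -> float:
    """S104c: score in [0, 1] from duty ratio, service type and position."""
    if not sub.operations or not targets:
        return 0.0
    share = len(targets) / len(sub.operations)               # duty ratio of target ops
    type_bonus = 0.3 if any(t in CRITICAL_TYPES for _, t, _ in targets) else 0.0
    first_pos = min(i for _, _, i in targets)                # earlier steps block the rest
    position_bonus = 0.2 * (1 - first_pos / len(sub.operations))
    return min(1.0, share + type_bonus + position_bonus)


def authorized_ranges(subs: list, current_range: set, threshold: float = 0.5) -> list:
    """S104d: [(sub_service_name, frozenset(diff), factor)] for every sub-service
    whose missing operations are judged necessary. Only the difference is
    granted, never the sub-service's whole range."""
    result = []
    for sub in sorted(subs, key=lambda s: s.order):
        service_range = {perm for perm, _ in sub.operations}
        diff = difference_range(service_range, current_range)
        if not diff:
            continue                                          # already covered
        targets = target_service_info(sub, diff)
        factor = necessity_factor(sub, targets)
        if factor >= threshold:
            result.append((sub.name, frozenset(diff), factor))
    return result


# Constructed sample input (not from the patent).
SAMPLE_SUBS = [
    SubService("open_account", 1, [("customer:read", "read"),
                                   ("account:create", "write"),
                                   ("kyc:read", "read")]),
    SubService("export_report", 2, [("report:read", "read"),
                                    ("report:export", "export")]),
    SubService("archive_notes", 3, [("customer:read", "read"),
                                    ("notes:read", "read"),
                                    ("kyc:read", "read"),
                                    ("stats:read", "read")]),
]
SAMPLE_CURRENT = {"customer:read", "kyc:read", "report:read", "notes:read"}

if __name__ == "__main__":
    for name, diff, factor in authorized_ranges(SAMPLE_SUBS, SAMPLE_CURRENT):
        print(f"{name}: grant {sorted(diff)} (necessity {factor:.2f})")
```

With the sample data, `open_account` and `export_report` each receive exactly the one permission they lack, while `archive_notes` is refused because its only missing operation is a low-share, late, read-only step. The point worth keeping from the patent is that the grant is computed from the difference, so a user who already holds most of a sub-service's range never has that range re-issued in full.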
S105, generating authority grant information according to the plurality of authorized authority ranges, the service authority duration corresponding to each authorized authority range and the service order.
Specifically, once the server has determined the plurality of authorized authority ranges, the service authority duration corresponding to each of them and the service order, it can generate the authority grant information that precisely authorizes the user, so that the user's authority is determined rapidly.
In some embodiments, before generating the authority grant information according to the plurality of authorized authority ranges, the service authority duration corresponding to each authorized authority range and the service order, the method further comprises: querying, according to the user identifier, the completed service information of the user in the preset system, the completed service information comprising completed service content, the service type corresponding to the completed service content and the completion duration; generating a duration prediction model corresponding to the user according to the completed service content, its service type and the completion duration; acquiring the service type corresponding to each piece of sub-service information; inputting the service type and service content of each piece of sub-service information into the duration prediction model, which outputs the predicted completion duration corresponding to each piece; and updating the service authority duration according to the predicted completion duration of each piece of sub-service information.
Because different users work at different speeds, a fixed duration may expire before a slow user has finished or leave a fast user holding rights long after finishing. The server therefore builds a duration prediction model for each user, from which the time the user needs to complete each piece of sub-service information is determined from its service content and service type. If the predicted completion duration is shorter than the service authority duration, the service authority duration is shortened; if it is longer, the service authority duration is increased appropriately. The authorization time is thus adjusted flexibly per user.
S106, management of the user rights is completed according to the user identification and the rights granting information.
Specifically, after generating the authority grant information corresponding to the user's request, the method grants the authority to the user rapidly and then tracks the user's operations during the authorization period, so that system security is not compromised. Conditional authorization and minimum authorization are also considered: a user or role may be given specific operation authority according to the work requirement, for example access to a particular folder or modification of particular data, and the authority is cancelled once the specified condition is met, so that authority exists only while it is necessary and abuse is reduced. Two safeguard mechanisms are supported, revocation and notification: when the authority reaches the preset time or condition, the temporary authorization is cancelled automatically, and a notice is sent to the administrator by mail or short message so that authority changes are followed up in time and unexpected security risks are prevented.
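The following added example (not the patent's code) covers two passages together: the per-user duration prediction that updates the service authority duration, and the automatic revocation and administrator notification of S106. The patent does not describe the prediction model's form or the grant store, so both are assumptions here: the model is stood in for by the mean of the user's historical completion times for the same service type, the 20% slack and 5-minute floor are hypothetical, grants live in a list, and `notify` is any callable. The check the patent's tracking requirement implies is also shown: the enforcement point consults the expiry itself, so a delayed sweep never extends access.

```python
# Added example, not code from the patent: a time-bounded grant whose service
# authority duration is adjusted by a predicted completion time, enforced at
# check time, and swept with automatic revocation plus a notification.
# The prediction stand-in, slack, floor and in-memory store are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean


@dataclass
class Grant:
    user_id: str
    permissions: frozenset
    order: int                 # service order of the sub-service it covers
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False


def predict_completion(history: list, service_type: str, fallback: float) -> float:
    """Stand-in for the per-user duration prediction model: mean historical
    completion time (minutes) for this service type, else the model's value."""
    samples = [minutes for stype, minutes in history if stype == service_type]
    return mean(samples) if samples else fallback


def adjust_duration(model_minutes: float, predicted_minutes: float,
                    slack: float = 1.2, floor: int = 5) -> int:
    """Shorten the authority duration when the user is predicted to finish
    sooner, lengthen it when predicted to take longer; never below the floor,
    and a 'shortened' duration never exceeds the model's own value."""
    if predicted_minutes < model_minutes:
        return max(floor, min(round(model_minutes), round(predicted_minutes * slack)))
    if predicted_minutes > model_minutes:
        return round(predicted_minutes * slack)
    return round(model_minutes)


def issue_grant(user_id: str, permissions: set, order: int, service_type: str,
                model_minutes: float, history: list, now: datetime) -> Grant:
    """Build the grant record for one authorized authority range."""
    predicted = predict_completion(history, service_type, model_minutes)
    minutes = adjust_duration(model_minutes, predicted)
    return Grant(user_id, frozenset(permissions), order, now, now + timedelta(minutes=minutes))


def is_allowed(grants: list, user_id: str, permission: str, now: datetime) -> bool:
    """Enforcement point: a grant authorizes only while unrevoked and unexpired,
    so a late sweep cannot extend access."""
    return any(g.user_id == user_id and permission in g.permissions
               and not g.revoked and g.granted_at <= now < g.expires_at
               for g in grants)


def sweep_expired(grants: list, now: datetime, notify) -> list:
    """Automatic revocation: mark every grant past its expiry as revoked and
    send one notice per revocation to the administrator."""
    revoked = []
    for g in grants:
        if not g.revoked and now >= g.expires_at:
            g.revoked = True
            notify(f"temporary grant for {g.user_id} on {sorted(g.permissions)} "
                   f"expired at {g.expires_at.isoformat()} and was revoked")
            revoked.append(g)
    return revoked


# Constructed sample (not from the patent): one user's completed-service history.
SAMPLE_HISTORY = [("report", 20), ("report", 40), ("ledger", 90)]


def demo_timeline():
    """Run the scenario end to end and return the facts worth checking:
    (duration in minutes, allowed before expiry, allowed at expiry,
    number revoked by the sweep, notices sent)."""
    t0 = datetime(2024, 9, 4, 9, 0, tzinfo=timezone.utc)
    notices = []
    g = issue_grant("u1001", {"report:export"}, 1, "report", 60, SAMPLE_HISTORY, t0)
    minutes = int((g.expires_at - g.granted_at).total_seconds() // 60)
    before = is_allowed([g], "u1001", "report:export", t0 + timedelta(minutes=35))
    at_expiry = is_allowed([g], "u1001", "report:export", t0 + timedelta(minutes=36))
    revoked = sweep_expired([g], t0 + timedelta(minutes=40), notices.append)
    return minutes, before, at_expiry, len(revoked), notices


if __name__ == "__main__":
    print(demo_timeline())
```

With the sample history the model's 60-minute duration for a report task is cut to 36 minutes because the user has historically finished such tasks in about 30; a ledger task, for which the same user is slow, would be lengthened instead. Whether a sweep runs at minute 37 or an hour later, `is_allowed` already answers false at minute 36.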
In some embodiments, as shown in fig. 3, after the management of the user's rights is completed according to the user identifier and the authority grant information, steps S107a to S107d are further included.
S107a, acquiring an audit log of the user in the preset system during the authority grant, the audit log at least comprising the actual operation information of the user;
S107b, generating preset operation information according to the sub-service information, the service order corresponding to each piece of sub-service information and the service authority duration, and judging whether the preset operation information is consistent with the actual operation information;
S107c, if the preset operation information is inconsistent with the actual operation information, generating an authority withdrawal instruction;
S107d, sending the authority withdrawal instruction to the preset system to cancel the authority grant to the user.
Through these steps the server can trace every actual operation of the user, which strengthens the information protection of the preset system. The audit log records the user's actual operation information, including login time, location, functions used and data modifications, so that the preset system remains safe and controllable and the risk introduced by temporary authorization is contained.
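The following is an added example, not code from the patent, of steps S107a to S107d run over a constructed audit log: the expected operations are derived from the sub-service information, the service order and the service authority duration, the user's actual operations are compared against them, and a revocation instruction is produced when they diverge. The patent does not define the log format or what counts as inconsistent, so these are assumptions here: the log is line oriented (`<ISO time> <user> <action> <resource>`), the expected operations are the `(action, resource)` pairs of each sub-service in service order with each sub-service's authority window running back to back from the grant time, login and logout events are ignored, and an unplanned operation, an operation out of service order, or an operation after its window closes each count as a deviation.

```python
# Added example, not code from the patent: checking a user's audit log
# (S107a) against the operations the grant was issued for (S107b) and emitting
# a revocation instruction on deviation (S107c/S107d). Log format, window
# rule and deviation categories are assumptions.
from datetime import datetime, timedelta

# Constructed sample audit log (not a real log); the last line is another user.
SAMPLE_AUDIT_LOG = """\
2024-09-04T09:00:12 u1001 LOGIN portal
2024-09-04T09:01:40 u1001 READ customer/8831
2024-09-04T09:05:10 u1001 CREATE account/8831
2024-09-04T09:07:02 u1001 EXPORT report/all
2024-09-04T09:07:30 u2002 READ customer/1
"""

IGNORED_ACTIONS = {"LOGIN", "LOGOUT"}


def parse_audit(text: str) -> list:
    """S107a: (timestamp, user, action, resource) per line. Malformed lines are
    rejected rather than skipped so a damaged log cannot hide an operation."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"malformed audit line: {line!r}")
        ts, user, action, resource = fields
        events.append((datetime.fromisoformat(ts), user, action, resource))
    return events


def expected_operations(sub_services: list, granted_at: datetime) -> list:
    """S107b: sub_services is [(order, [(action, resource), ...], duration_minutes)].
    Returns [(action, resource, deadline)] in service order, windows back to back."""
    expected, window_end = [], granted_at
    for order, ops, minutes in sorted(sub_services, key=lambda s: s[0]):
        window_end = window_end + timedelta(minutes=minutes)
        expected.extend((action, resource, window_end) for action, resource in ops)
    return expected


def compare(events: list, expected: list, user: str) -> list:
    """Walk the user's events against the expected sequence; return deviations
    as (reason, event). Membership, order and the authority window are checked."""
    deviations, remaining = [], list(expected)
    for ts, u, action, resource in events:
        if u != user or action in IGNORED_ACTIONS:
            continue
        if not remaining:
            deviations.append(("operation after plan completed", (ts, action, resource)))
            continue
        exp_action, exp_resource, deadline = remaining[0]
        if (action, resource) == (exp_action, exp_resource):
            remaining.pop(0)
            if ts > deadline:
                deviations.append(("outside service authority duration", (ts, action, resource)))
        elif any((action, resource) == (a, r) for a, r, _ in remaining):
            deviations.append(("out of service order", (ts, action, resource)))
        else:
            deviations.append(("unplanned operation", (ts, action, resource)))
    return deviations


def revocation_instruction(user: str, deviations: list):
    """S107c: None when log and plan agree, otherwise the instruction for S107d."""
    if not deviations:
        return None
    return {"user_id": user, "action": "REVOKE",
            "reasons": sorted({reason for reason, _ in deviations})}


def run_check(log_text: str, sub_services: list, granted_at: str, user: str):
    """Convenience entry point: parse, plan, compare and decide in one call."""
    plan = expected_operations(sub_services, datetime.fromisoformat(granted_at))
    return revocation_instruction(user, compare(parse_audit(log_text), plan, user))


# Constructed sub-service plan (not from the patent): order, operations, minutes.
SAMPLE_SUB_SERVICES = [
    (1, [("READ", "customer/8831"), ("CREATE", "account/8831")], 10),
    (2, [("READ", "report/8831")], 5),
]

if __name__ == "__main__":
    print(run_check(SAMPLE_AUDIT_LOG, SAMPLE_SUB_SERVICES, "2024-09-04T09:00:00", "u1001"))
```

On the sample log the first two operations match the plan inside their window, but the export of `report/all` was never part of any sub-service, so the instruction carries the single reason `unplanned operation`. Tightening the windows to one minute would additionally flag the two matching operations as outside the service authority duration, and swapping the first two lines would flag an out-of-order operation.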
In summary, the provided method analyzes the service content corresponding to the user and splits it into a plurality of pieces of sub-service information, confirms the service authority range and service authority duration of each piece through the authority confirmation model, determines the authorized authority ranges according to the user's current authority range, and generates authority grant information from the service authority duration, authorized authority range and service order of each piece of sub-service information. User authority management is then performed on this basis, realizing dynamic and precise granting of authority to the user, so that the system stays secure while the service runs normally.
At the same time, the provided method has the following advantages:
1. A complete, standardized and secure temporary authorization management scheme is formed, under which a user can be given temporary system authority. The scheme ensures that each authorization is reasonable and necessary and that all authorized operations are tracked, preventing abuse. Self-service authorization is also supported: a user can apply for authority and, after verification, obtains the corresponding temporary authority, which simplifies the authorization process and improves operational efficiency.
2. The security risk of authorization is controllable. Multi-level authority control is supported: several levels of authority control are set in the preset system, and authority of different levels is distributed according to the user's post, role and so on. When a user needs to perform a task outside the responsibilities of daily work, the required access authority can be obtained by requesting authorization from a superior administrator.
3. Automatic revocation on a time limit is supported. A time limit can be set for a user who temporarily needs authority, so that the user holds the required authority only for a preset period; once the period is exceeded the authority is withdrawn automatically, which prevents information leakage caused by access and operations beyond what was authorized.
Referring to fig. 4, fig. 4 is a schematic diagram of a rights management device 200 according to an embodiment of the application. The rights management device 200 is used to perform the steps of the rights management method of the above embodiments. It may be a single server or a server cluster, or a terminal such as a handheld terminal, a notebook, a wearable device or a robot.
As shown in fig. 4, the rights management device 200 includes:
the request receiving module 201 is configured to parse the permission request when receiving the permission request uploaded by the preset system, and obtain a user identifier corresponding to the permission request and service content corresponding to the permission request;
The service analysis module 202 is configured to analyze the service content, and obtain a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information;
The scope output module 203 is configured to input each piece of sub-service information into a pre-trained authority confirmation model, where the authority confirmation model analyzes each piece of sub-service information, and output a service authority scope and a service authority duration corresponding to each piece of sub-service information;
the scope confirming module 204 is configured to obtain a current authority scope of a user in a preset system according to a user identifier, and generate a plurality of authorized authority scopes according to each service authority scope and the current authority scope;
an information generating module 205, configured to generate authority grant information according to the plurality of authorized authority ranges, the service authority duration corresponding to each authorized authority range, and the service order;
the rights granting module 206 is configured to complete management of the rights of the user according to the user identifier and the rights granting information.
It should be noted that, for convenience and brevity of description, specific working processes of the rights management device and each module described above may refer to corresponding processes in the embodiments of the rights management method described in the above embodiments, which are not described herein again.
The rights management method described above may be implemented in the form of a computer program that can be run on a device as shown in fig. 4.
Referring to fig. 5, fig. 5 is a schematic block diagram of a computer device according to an embodiment of the present application. The computer device includes a processor, a memory, and a network interface connected by a device bus, where the memory may include storage media and internal memory.
The storage medium may store an operating system and a computer program. The computer program comprises program instructions that, when executed, cause the processor to perform any of the rights management methods described above.
The processor is used to provide computing and control capabilities to support the operation of the entire computer device.
The internal memory provides an environment for executing the computer program stored in the non-volatile storage medium; when the program is executed by the processor, it causes the processor to perform any of the rights management methods described above.
The network interface is used for network communication such as transmitting assigned tasks and the like. It will be appreciated by those skilled in the art that the architecture shown in fig. 5 is merely a block diagram of a portion of the architecture in connection with the present inventive arrangements and is not limiting of the terminal to which the present inventive arrangements are applicable, and that a particular computer device may include more or less components than those shown, or may combine some of the components, or have a different arrangement of components.
It should be appreciated that the processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
Wherein in one embodiment the processor is configured to run a computer program stored in the memory to implement the steps of:
When receiving a permission request uploaded by a preset system, analyzing the permission request, and acquiring a user identifier corresponding to the permission request and service content corresponding to the permission request;
analyzing the service content, and acquiring a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information;
inputting each piece of sub-service information into a pre-trained authority confirmation model, analyzing each piece of sub-service information by the authority confirmation model, and outputting a service authority range and service authority duration corresponding to each piece of sub-service information;
acquiring a current authority range of a user from a preset system according to a user identifier, and generating a plurality of authorized authority ranges according to each service authority range and the current authority range;
generating authority grant information according to a plurality of authority ranges, service authority duration corresponding to each authority range and service sequence;
and finishing the management of the user rights according to the user identification and the rights granting information.
In some embodiments, generating a plurality of authorized authority ranges according to each service authority range and the current authority range comprises: acquiring the difference authority range between each service authority range and the current authority range; acquiring, from each piece of sub-service information, the target service information corresponding to each difference authority range; acquiring the necessity factor of each piece of target service information with respect to its sub-service information; and, if the target service information is confirmed according to the necessity factor to be a necessary service within the sub-service information, generating the authorized authority range according to the difference authority range.
In some embodiments, after the management of the user's rights is completed according to the user identifier and the authority grant information, the method further comprises: obtaining the audit log of the user in the preset system during the authority grant, the audit log at least comprising the actual operation information of the user; generating preset operation information according to the sub-service information, the service order corresponding to each piece of sub-service information and the service authority duration, and judging whether it is consistent with the actual operation information; if the preset operation information is inconsistent with the actual operation information, generating an authority revocation instruction; and sending the authority revocation instruction to the preset system to cancel the authority grant to the user.
In some embodiments, before analyzing the service content to acquire the plurality of pieces of sub-service information and the service order corresponding to each piece, the method further comprises: acquiring the post information of the user in the preset system according to the user identifier; extracting the service characteristic information corresponding to the service content; acquiring the matching degree between the post information and the service characteristic information; and, if the matching degree is lower than a preset matching degree, returning (rejecting) the authority request.
In some embodiments, before generating the authority grant information according to the plurality of authorized authority ranges, the service authority duration corresponding to each authorized authority range and the service order, the method further comprises: querying, according to the user identifier, the completed service information of the user in the preset system, the completed service information comprising completed service content, the service type corresponding to the completed service content and the completion duration; generating a duration prediction model corresponding to the user according to the completed service content, its service type and the completion duration; acquiring the service type corresponding to each piece of sub-service information; inputting the service type and service content of each piece of sub-service information into the duration prediction model, which outputs the predicted completion duration corresponding to each piece; and updating the service authority duration according to the predicted completion duration of each piece of sub-service information.
In some embodiments, analyzing the service content to acquire the plurality of pieces of sub-service information and the service order corresponding to each piece comprises: acquiring the service coding information corresponding to the service content; and inputting the service coding information into a pre-trained sub-service extraction model, which outputs the sub-service information and the service order corresponding to the service coding information.
In some embodiments, before the service coding information is input into the pre-trained sub-service extraction model, the method further comprises: obtaining a plurality of pieces of historical service information of the preset system, together with the historical sub-service information and the historical service order corresponding to each piece; inputting the historical service information into the sub-service extraction model to be trained, which analyzes it and outputs predicted sub-service information and a predicted service order; and completing the training of the sub-service extraction model according to the historical sub-service information and the predicted sub-service information, and the historical service order and the predicted service order.
An embodiment of the present application further provides a computer readable storage medium, where a computer program is stored, where the computer program includes program instructions, and the processor executes the program instructions to implement the steps of the rights management method provided in the foregoing embodiments of the present application.
The computer readable storage medium may be an internal storage unit of the computer device of the foregoing embodiment, for example a hard disk or memory of the computer device. It may also be an external storage device of the computer device, such as a plug-in hard disk, a smart media card (SMC), a Secure Digital (SD) card or a flash card provided on the computer device.
While the application has been described with reference to certain preferred embodiments, it will be understood by those skilled in the art that various changes and substitutions of equivalents may be made and equivalents will be apparent to those skilled in the art without departing from the scope of the application. Therefore, the protection scope of the application is subject to the protection scope of the claims.

Claims (10)

1. A rights management method, comprising:
When receiving a permission request uploaded by a preset system, analyzing the permission request, and acquiring a user identifier corresponding to the permission request and service content corresponding to the permission request;
analyzing the service content to obtain a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information;
inputting each piece of sub-service information into a pre-trained authority confirmation model, analyzing each piece of sub-service information by the authority confirmation model, and outputting a service authority range and service authority duration corresponding to each piece of sub-service information;
acquiring a current authority range of the user from the preset system according to the user identifier, and generating a plurality of authorized authority ranges according to each service authority range and the current authority range;
generating authority grant information according to a plurality of authority ranges, service authority duration corresponding to each authority range and service sequence;
and completing the management of the user rights according to the user identification and the rights granting information.
2. The method of claim 1, wherein said generating a plurality of authorized rights ranges from each of said service rights range and said current rights range comprises:
acquiring a difference authority range corresponding to each service authority range and the current authority range;
Acquiring target service information corresponding to each difference authority range from each piece of sub-service information;
acquiring the necessity factor of each target service information and the corresponding sub-service information;
And if the target service information is confirmed to be the necessary service in the sub-service information according to the necessity factors, generating the authorization authority range according to the difference authority range.
3. The method according to claim 1, further comprising, after said managing of said user rights according to said user identification and rights granting information is completed:
Obtaining an audit log of a user in the preset system during authority grant, wherein the audit log at least comprises actual operation information of the user;
Generating preset operation information according to the sub-service information, the service sequence corresponding to each sub-service information and the service authority duration, so as to judge whether the preset operation information is consistent with the actual operation information;
if the preset operation information is inconsistent with the actual operation information, generating an authority withdrawal instruction;
And sending the permission withdrawing instruction to a preset system to cancel permission grant to the user.
4. The method of claim 1, further comprising, prior to said parsing said service content to obtain a plurality of sub-service information corresponding to said service content and a service order corresponding to each of said sub-service information:
Acquiring post information of a user from the preset system according to the user identification;
Extracting service characteristic information corresponding to the service content;
acquiring the matching degree corresponding to the post information and the service characteristic information;
and if the matching degree is lower than the preset matching degree, returning the permission request.
5. The method of claim 1, further comprising, before said generating authority grant information according to the plurality of authorized authority ranges, the service authority duration corresponding to each authorized authority range and the service order:
Inquiring the completed service information of the user in the preset system according to the user identifier, wherein the completed service information comprises completed service content, service type corresponding to the completed service content and completion time length;
Generating a duration prediction model corresponding to a user according to the completed service content, the service type corresponding to the completed service content and the completion duration;
Acquiring a service type corresponding to each piece of sub-service information;
Inputting the service type and the service content corresponding to each piece of sub-service information into the duration prediction model, and outputting the predicted completion duration corresponding to each piece of sub-service information by the duration prediction model;
and updating the service authority duration according to the predicted completion duration corresponding to each piece of sub-service information.
6. The method of claim 1, wherein the parsing the service content to obtain a plurality of sub-service information corresponding to the service content and a service order corresponding to each sub-service information comprises:
acquiring service coding information corresponding to the service content;
and inputting the service coding information into a pre-trained sub-service extraction model, and outputting sub-service information and service sequence corresponding to the service coding information by the sub-service extraction model.
7. The method of claim 6, further comprising, before said inputting the service coding information into a pre-trained sub-service extraction model:
Acquiring a plurality of pieces of history service information corresponding to the preset system and history sub-service information and history service sequences corresponding to each piece of history service information;
Inputting the history service information into a sub-service extraction model to be trained, analyzing the history service information by the sub-service extraction model, and outputting predicted sub-service information and predicted service sequence;
And training the sub-service extraction model according to the historical sub-service information, the predicted service information, the historical service sequence and the predicted service sequence.
8. A rights management device, comprising:
The request receiving module is used for analyzing the authority request when receiving the authority request uploaded by the preset system, and acquiring a user identifier corresponding to the authority request and service content corresponding to the authority request;
The service analysis module is used for analyzing the service content and acquiring a plurality of sub-service information corresponding to the service content and a service sequence corresponding to each sub-service information;
The range output module is used for inputting each piece of sub-service information into a pre-trained authority confirmation model, analyzing each piece of sub-service information by the authority confirmation model and outputting a service authority range and service authority duration corresponding to each piece of sub-service information;
The range confirmation module is used for acquiring the current authority range of the user from the preset system according to the user identifier and generating a plurality of authorized authority ranges according to each service authority range and the current authority range;
The information generation module is used for generating authority grant information according to a plurality of authority ranges, service authority duration corresponding to each authority range and service sequence;
And the permission granting module is used for completing the management of the user permission according to the user identification and the permission granting information.
9. A computer device, the computer device comprising a memory and a processor;
the memory is used for storing a computer program;
The processor for executing the computer program and for implementing the method according to any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program which, when executed by a processor, causes the processor to implement the method of any one of claims 1 to 7.
CN202411244146.0A 2024-09-04 2024-09-04 Rights management method, device, computer equipment and storage medium Pending CN119203088A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411244146.0A CN119203088A (en) 2024-09-04 2024-09-04 Rights management method, device, computer equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411244146.0A CN119203088A (en) 2024-09-04 2024-09-04 Rights management method, device, computer equipment and storage medium

Publications (1)

Publication Number Publication Date
CN119203088A true CN119203088A (en) 2024-12-27

Family

ID=94073302

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411244146.0A Pending CN119203088A (en) 2024-09-04 2024-09-04 Rights management method, device, computer equipment and storage medium

Country Status (1)

Country Link
CN (1) CN119203088A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN119475300A (en) * 2025-01-15 2025-02-18 北京芯盾时代科技有限公司 A user data management system and method based on data analysis



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination