
CN119961912A - Cross-service permission management method, device, equipment and medium based on single sign-on - Google Patents


Info

Publication number: CN119961912A
Application number: CN202411834442.6A
Authority: CN (China)
Prior art keywords: tenant, permission, information, authority, operation request
Legal status: Pending (status as listed by Google Patents; an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 孔浩东, 何亚伟
Current assignee: China Telecom Artificial Intelligence Technology Beijing Co ltd (as listed; not verified by legal analysis)
Original assignee: China Telecom Artificial Intelligence Technology Beijing Co ltd
Application filed by: China Telecom Artificial Intelligence Technology Beijing Co ltd
Priority date:
Filing date:
Publication date:
Priority to: CN202411834442.6A
Publication of: CN119961912A


Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/41 User authentication where a single sign-on provides access to a plurality of computers
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a cross-service permission management method, device, equipment and medium based on single sign-on, relating to the technical field of computer software. A permission management component comprises at least an authentication server, a permission interceptor, a permission service module and a database. When a tenant sends a first operation request, the permission interceptor obtains the identity information of the tenant from the global session token, intercepts the first operation request, determines the first permission point to which the first operation request maps, and reads the annotation on that permission point. The permission service module then checks, according to the tenant's identity information, whether target permission information corresponding to the annotation exists among the tenant's permission information stored in the database, and the first operation request is allowed when that target permission information is valid.

Description

Cross-service authority management method, device, equipment and medium based on single sign-on
Technical Field
The present application relates to the field of computer software technologies, and in particular, to a cross-service authority management method, apparatus, device, and medium based on single sign-on.
Background
With the rapid development of information technology, enterprise business systems are becoming more and more complex, and generally comprise a plurality of services that are independent of each other but need to cooperate. The traditional authority management mode is often realized in each service independently, so that authority data is scattered and managed complex, and unified authority control and audit are difficult to realize. Meanwhile, in a multi-tenant environment, service logic and authority requirements of different tenants are different, and an authority management mechanism capable of being flexibly configured and expanded is needed.
Although the single sign-on technology solves the problem that users repeatedly log in between different services, how to realize cross-service rights management on the basis of single sign-on, especially for rights control in a multi-tenant scenario, is still a problem to be solved.
In the related art, although there are some rights management schemes based on single sign-on, these schemes often have the following problems:
1. rights data are distributed, wherein the rights data are usually stored in databases of various services, and unified rights management and audit are difficult to realize.
2. The authority strategy is inflexible, namely, the authority strategy is usually hard-coded and realized in the service, and is difficult to flexibly configure and expand according to the requirements of different tenants.
3. Rights control is not fine, and rights control is usually only to a service level, but not deep to a specific functional point or resource level.
4. The manager needs to log in to the management interface of each service to carry out authority configuration, and the manager is complex in operation and easy to make mistakes.
Disclosure of Invention
Accordingly, embodiments of the present application provide a single sign-on-based cross-service rights management method, apparatus, device and medium, so as to overcome or at least partially solve the above-mentioned problems.
The first aspect of the embodiment of the application provides a cross-service authority management method based on single sign-on, which is applied to an authority management assembly, wherein the authority management assembly at least comprises an authentication server, an authority interceptor, an authority service module and a database, and the method comprises the following steps:
When a tenant logs in any one of a plurality of systems, verifying identity information of the tenant through the authentication server, and generating a global session token;
When the tenant sends a first operation request aiming at a first target interface in target systems in the systems, acquiring identity information of the tenant according to the global session token through the authority interceptor;
Intercepting the first operation request through the permission interceptor, determining a first permission point mapped by the first operation request in a plurality of permission points corresponding to a first target interface, and acquiring an annotation on the first permission point, wherein the annotation is used for determining permission information required by executing the first operation request;
judging whether target authority information corresponding to the annotation exists in a plurality of authority information corresponding to the tenant stored in a database according to the identity information of the tenant through the authority service module;
And when the target authority information corresponding to the annotation is valid, allowing the first operation request of the tenant.
Optionally, the rights management component further comprises a tenant management module, and the method further comprises:
creating and/or deleting tenants for users of the systems through the tenant management module, and registering a plurality of roles corresponding to the tenants under the systems;
creating tenants for administrators of the systems through the tenant management module, and configuring project information, wherein the project information at least comprises project names, domain names and API interfaces;
generating a corresponding tenant ID for each tenant through the tenant management module;
and performing isolation management on a plurality of authority information of the tenant according to the tenant ID in the database, wherein the authority information of each tenant under the system is associated with a corresponding role under the system.
Optionally, the rights management component further comprises an annotation library, the method further comprising:
The annotation library is used for storing a plurality of annotations, and the annotations comprise predefined annotations in the authority management component and custom annotations set by the tenant according to own requirements.
Optionally, the method further comprises:
when a target system among the systems is used to access a system deployed on other servers, managing that system deployed on other servers through the permission management component, and adding annotations to a second target interface of the system deployed on the other servers;
After logging in the target system, when the tenant sends out a second operation request aiming at a second target interface of the system deployed on other servers, acquiring identity information of the tenant according to the global session token through the permission interceptor;
Intercepting the second operation request through the permission interceptor, determining a second permission point mapped by the second operation request in a plurality of permission points corresponding to a second target interface, and acquiring annotation on the second permission point, wherein the annotation on the second permission point is used for determining permission information required by executing the second operation request;
Judging whether target authority information corresponding to the annotation on the second authority point exists in a plurality of authority information corresponding to the tenant stored in a database according to the identity information of the tenant through the authority service module;
And allowing a second operation request of the tenant when the target authority information corresponding to the annotation on the second authority point is valid.
Optionally, the method further comprises:
configuring a plurality of pieces of authority information of the tenant through the tenant management module, wherein the plurality of pieces of authority information of the tenant comprise authority information configured by the tenant by using the authority points in the authority point library table of the authority management component and/or authority information of the authority points customized by the tenant;
configuring validity periods of authority points corresponding to a plurality of authority information of the tenant, configuring login time on a plurality of systems corresponding to the tenant and configuring role-related information of a plurality of roles corresponding to the tenant through the tenant management module;
The validity period limits the lifetime of the tenant's permission points; the login time limits the time ranges during which the tenant, or the roles corresponding to the tenant, may log in to the systems; and the role association information configures, for each of the tenant's roles, the permission information corresponding to its permission points, so that roles are associated with permission points.
Optionally, the method further comprises:
rejecting, by the permission interceptor, access requests of the tenant or of the roles corresponding to the tenant when the validity period of the tenant has expired and/or when the tenant or its roles log in to the corresponding system outside the configured login time.
Optionally, the permission management component further includes a log audit module, and the method includes:
And recording the authority use conditions of each authority point of the tenant on the systems through the log audit module, wherein the authority use conditions at least comprise login time, login IP, access time, access resource and operation results, so that the manager can check the authority use conditions through a background management interface.
The second aspect of the embodiment of the application provides a cross-service authority management device based on single sign-on, which is applied to an authority management assembly, wherein the authority management assembly at least comprises an authentication server, an authority interceptor, an authority service module and a database, and the device comprises:
The identity authentication module is used for verifying the identity information of the tenant through the authentication server when the tenant logs in any one of a plurality of systems, and generating a global session token;
The first identity information acquisition module is used for acquiring the identity information of the tenant according to the global session token through the right interceptor when the tenant sends out a first operation request aiming at a first target interface in a target system in the systems;
The first interception request module is used for intercepting the first operation request through the permission interceptor, determining a first permission point mapped by the first operation request in a plurality of permission points corresponding to a first target interface, and acquiring an annotation on the first permission point, wherein the annotation is used for determining permission information required by executing the first operation request;
The first permission judging module is used for judging whether target permission information corresponding to the annotation exists in a plurality of permission information corresponding to the tenant stored in a database according to the identity information of the tenant through the permission service module;
and the first execution module is used for allowing the first operation request of the tenant when the target authority information corresponding to the annotation is valid.
In a third aspect of the embodiment of the present application, there is provided an electronic device including a memory, a processor, and a computer program stored on the memory, wherein the processor executes the computer program to implement the method according to the first aspect.
In a fourth aspect of embodiments of the application, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method according to the first aspect.
In a fifth aspect of embodiments of the present application, a computer-readable storage medium is provided, on which a computer program is stored, wherein the computer program, when being executed by a processor, implements the method according to the first aspect.
The application has the beneficial effects that:
The embodiment of the application provides a cross-service authority management method, device, equipment and medium based on single sign-on, wherein an authority management assembly at least comprises an authentication server, an authority interceptor, an authority service module and a database; when the tenant sends a first operation request aiming at a first target interface in a target system in the systems, acquiring identity information of the tenant according to the global session token through the authority interceptor, intercepting the first operation request through the authority interceptor, determining a first authority point mapped by the first operation request in a plurality of authority points corresponding to the first target interface, acquiring an annotation on the first authority point, wherein the annotation is used for determining authority information required for executing the first operation request, judging whether target authority information corresponding to the annotation exists in a plurality of authority information stored in a database and corresponding to the tenant according to the identity information of the tenant, and allowing the first operation request of the tenant when the target authority information corresponding to the annotation is valid.
By implementing the technical scheme, a single sign-on mechanism is adopted, a tenant can access in a plurality of systems in a seamless manner through a global session token only by performing identity verification once, the experience of the tenant is greatly improved, the inconvenience of repeated sign-on is reduced, secondly, by accurately mapping between the annotation of a method level and the authority information of an authority point, the fact that only the tenant with corresponding authority can execute a specific operation request is ensured, the safety of the system is enhanced, and finally, the authority information of all the tenants in the plurality of systems is stored and managed by a unified database, so that the authority management flow is simplified, unified audit and monitoring are facilitated, and the manageability of the system is improved. In summary, the technical scheme not only optimizes the user experience, but also strengthens the security and manageability of the multi-system architecture, and provides an effective solution for rights management in a multi-tenant environment.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this specification, illustrate embodiments of the application and together with the description serve to explain the application.
In order to more clearly illustrate the technical solutions of the present application, the drawings that are needed in the description of the present application will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort to a person skilled in the art.
FIG. 1 is a schematic diagram of a cross-service rights management method based on single sign-on according to an embodiment of the present application;
FIG. 2 is an architecture diagram of a rights management component, shown in accordance with one embodiment of the present application;
FIG. 3 is a timing diagram of a cross-service rights management method based on single sign-on according to an embodiment of the present application;
FIG. 4 is a flow chart illustrating an authentication process of the tenant login system according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a cross-service rights management unit based on single sign-on according to an embodiment of the present application;
fig. 6 is a schematic diagram of an electronic device according to an embodiment of the present application.
Detailed Description
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other.
Single sign-on (SSO): an authentication mechanism that allows a user, after logging in once at a centralized authentication system, to access multiple related but independent applications or services without logging in separately to each.
Tenant: in a multi-tenant architecture, an independent entity that rents and uses system resources; it may be a company, an organization or an individual. The data and configuration of each tenant are normally isolated from those of other tenants.
Permission point: a specific permission in the system, such as accessing a certain page, performing a certain operation or viewing certain data. Permission points define the specific actions that a user or role may perform.
Custom annotation: in programming, an annotation is a syntactic construct for attaching metadata (data about data) to code. Custom annotations let a developer define an annotation type of their own and apply it to classes, methods, fields and so on in order to attach a particular function or behaviour.
Component: in software development, a component is a basic unit of a software architecture that encapsulates a specific function or service and is designed to work together with other components to build more complex applications or services.
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
An embodiment of the present application provides a cross-service rights management method based on single sign-on, which is applied to a rights management component, wherein the rights management component at least comprises an authentication server, a rights interceptor, a rights service module and a database, fig. 1 is a schematic diagram of the cross-service rights management method based on single sign-on shown in an embodiment of the present application, fig. 2 is an architecture diagram of the rights management component shown in an embodiment of the present application, and fig. 3 is a timing diagram of the cross-service rights management method based on single sign-on shown in an embodiment of the present application, as shown in fig. 1, the method comprises:
Step S101, when a tenant logs in any one of a plurality of systems, verifying identity information of the tenant through the authentication server, and generating a global session token;
step S102, when the tenant sends out a first operation request aiming at a first target interface in target systems in the systems, acquiring identity information of the tenant according to the global session token through the authority interceptor;
Step S103, intercepting the first operation request through the permission interceptor, determining a first permission point mapped by the first operation request among a plurality of permission points corresponding to a first target interface, and acquiring an annotation on the first permission point, wherein the annotation is used for determining permission information required for executing the first operation request;
Step S104, judging whether target authority information corresponding to the annotation exists in a plurality of authority information corresponding to the tenant stored in a database according to the identity information of the tenant through the authority service module;
Step S105, when the target authority information corresponding to the annotation is valid, allowing the first operation request of the tenant.
The present application provides a permission management component which, as shown in fig. 3, can be integrated between a plurality of systems (application systems or services) and provides permission management for the projects in each system in the form of tenants. By centralizing the permission management of every system in this component, the permissions of tenants across the plurality of systems are managed uniformly and configured flexibly. Because the component is based on single sign-on, a tenant only needs to log in and be verified in one system to obtain cross-service permission verification and access control across all of the systems. The component also supports custom annotations for formulating permission policies on the permission points of a tenant under the several systems, so that the individual requirements of different tenants in different business scenarios are met, and strict permission management and access control improve the security of each system under unified management.
Firstly, in this embodiment, the rights management component at least includes an authentication server, a rights interceptor, a rights service module and a database, as shown in fig. 3, in step S101, the tenant corresponds to a specific user, and the rights management component can manage rights of multiple tenants on multiple systems, where the authentication server is a central server and is responsible for verifying identity information of each tenant. The authentication server comprises a user database and stores login credentials of all tenants, so that global identity authentication of the tenants under a plurality of systems associated with the right management component is realized, and when the tenants try to log in any one of the plurality of systems associated with the right management component, the authentication server intervenes and verifies identity information provided by the tenants, such as a user name and a password, so as to determine whether the identity information of the tenants is valid or not, and ensure that only users with registered tenant identities can enter the system. After the identity information is verified successfully, the authentication server generates a global session token, namely token, for the tenant. The global session token is a unique identifier of the user in the plurality of systems for tracking and verifying the identity of the tenant in the plurality of systems. The global session token is generated after the tenant logs in and is used in the subsequent request of the tenant to verify the identity of the tenant, which can be understood as the identity credential of the tenant in a plurality of systems, so that the tenant can seamlessly access a plurality of systems associated with the rights management component after single sign-on one system and/or seamlessly access each service under the system in which the tenant has logged in.
Optionally, fig. 4 is a flowchart of an authentication process of a tenant login system according to an embodiment of the present application, as shown in fig. 4, an interceptor intercepts a login request of a tenant in a process of logging in a target system by a user, determines whether the tenant is a registered tenant according to identity information of the tenant, if not, performs a process of tenant registration, if yes, determines whether the tenant has configured authority information, if not, prompts the tenant to configure or configures the authority information of the tenant by an administrator, and if so, generates a global session token of the tenant, indicating that the tenant login is successful.
By way of example, assuming that the plurality of systems associated in the rights management component includes an e-commerce system, an inventory management system, and a financial system, when a tenant attempts to log in to the e-commerce system, the e-commerce system transmits the identity information of the user to an authentication server, and after verifying that the identity information is correct, a global session token, such as "token123456," is generated and returned to the tenant, so that the tenant can then use this token to access the e-commerce system, inventory management system, and financial system.
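The token issuance and verification of steps S101 and S102, as an added example that is not part of the patent or the applicant's code, written in Python rather than the Java that the page's annotations suggest. It assumes a single HMAC key shared by the authentication server and the permission interceptor, a constructed user table, and a token layout that carries the tenant ID and role as claims; none of these details are specified by the patent. The point it makes that the text does not: the interceptor must recover the tenant's identity from a token it has verified (signature and expiry), never from a tenant ID supplied in the request, and because the token carries identity only, the permission lookup of step S104 always goes to the database, so a permission revoked there takes effect on the tenant's next request.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Key shared by the authentication server and the permission interceptor.
# A real deployment loads it from a secret store; the constant is an assumption
# that keeps the example self-contained.
SERVER_KEY = b"constructed-example-key-not-for-production"

# Constructed user database of the authentication server (step S101).
# Passwords are stored salted and hashed; the plaintexts exist only in this example.
_SALT = b"constructed-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USER_DB = {
    "user_001": {"pw": _pw_hash("s3cret"), "tenant_id": "tenant_A", "role": "admin"},
    "user_002": {"pw": _pw_hash("hunter2"), "tenant_id": "tenant_B", "role": "clerk"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def login(username: str, password: str, ttl_seconds: int = 3600, now: float | None = None) -> str | None:
    """Authentication server: verify credentials and issue a global session token.

    Token layout (assumed): <base64url(claims)>.<base64url(HMAC-SHA256 over that text)>.
    It names the tenant and role but carries no permission list.
    """
    record = USER_DB.get(username)
    if record is None or not hmac.compare_digest(record["pw"], _pw_hash(password)):
        return None
    now = int(time.time() if now is None else now)
    claims = {
        "sub": username,
        "tenant_id": record["tenant_id"],
        "role": record["role"],
        "iat": now,
        "exp": now + ttl_seconds,
        "jti": secrets.token_hex(8),  # unique per login, lets audit records be tied to a session
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token: str, now: float | None = None) -> dict | None:
    """Permission interceptor: recover the tenant's identity from the token, or reject.

    Returns the claims only if the signature matches and the token is unexpired;
    the caller takes tenant_id and role from this result, not from the request body.
    """
    try:
        body, sig = token.split(".")
        sig_bytes = _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):   # constant-time comparison
        return None
    claims = json.loads(_unb64(body))                    # safe to parse: signature verified
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        return None
    return claims


if __name__ == "__main__":
    tok = login("user_001", "s3cret")
    print("token:", tok)
    print("identity:", verify_token(tok))
    print("tampered:", verify_token(tok[:-2] + "xx"))
```

Splicing the claims of one tenant's token onto another token's signature fails verification, which is the property that stops a tenant from minting an identity for a different tenant ID; the expiry check uses the server's clock, never a timestamp from the request.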
Further, in step S102, when the tenant issues a first operation request for the first target interface of the target system, the rights interceptor may obtain identity information of the tenant, such as a tenant ID, according to the global session token, where the tenant ID may represent current role information of the tenant when the tenant has multiple roles under the target system.
The target system refers to a system in which a first target interface required to be requested by a tenant in a plurality of systems is located, the target system is not necessarily a system in which the tenant performs single sign-on initially, the first target interface refers to a destination for executing a first operation request, and the first operation request carries a global session token of the tenant and a target permission point for executing the first operation request, namely a first permission point mapped in a plurality of permission points corresponding to the first target interface. The permission interceptor is used for intercepting the operation request before the operation request reaches the target interface and checking the permission of the tenant of the request. Ensuring that only operation requests with rights can continue execution.
Illustratively, the user accesses some interface of the e-commerce system using "token 123456". The rights interceptor examines the token in the request and uses it to obtain identity information of the tenant, e.g. the tenant ID is "user_001".
Further, in step S103, the rights interceptor intercepts the first operation request and determines a rights point corresponding to the first operation request. The permission points are specific permissions required to perform a particular operation, such as "view order", "delete order", and the like. The permission interceptor may also obtain annotations associated with the permission point, the annotations being used in the code to mark special tags required by the particular permission. Annotations provide a way to declare the metadata of code, which can be read and processed at runtime. In this embodiment, the annotation contains rights information required to perform the operation corresponding to the rights point.
Illustratively, the tenant requests that an order be deleted on the order interface (i.e., the first target interface); the permission interceptor determines that the permission point to which this first operation request maps is "delete order" and obtains the annotation on that permission point as @RequirePermission("delete_list"). This annotation indicates that only tenants/roles holding the "delete_list" permission can perform the delete order operation.
For example, in the code of the e-commerce system, the permission policy is formulated with custom annotations. An @PermissionClassRequired("view_product_list") or @PermissionMethodRequired("view_product_list") annotation is added to the interface of the merchandise list, indicating that only users holding the view_product_list permission point can access that interface. Likewise, custom annotations may be used in the code of the financial management system to formulate its permission policies.
The code for formulating the permission policy by annotation is as follows (class-level and method-level forms; the second class name is assumed for illustration):
// Class-level annotation: every interface method of the class requires the permission point.
@PermissionClassRequired("view_product_list")
public class ViewFinancialReport {
    // class body
}

// Method-level annotation: only this interface method requires the permission point.
public class FinancialReportController {
    @PermissionMethodRequired("view_product_list")
    public void viewFinancialMethodReport() {
        // method body
    }
}
Further, in step S104, the rights service module queries, according to the identity information of the tenant, a plurality of rights information corresponding to the tenant stored in the database, each rights information corresponding to one rights point, so as to determine whether there is target rights information corresponding to the annotation of the rights point among the plurality of rights information. This step is the core of the rights verification, which ensures that only users with the proper rights can perform certain operations.
For example, the permission service module queries the database to check whether the permission information stored for tenant "user_001" includes the "delete_list" permission.
Finally, in step S105, the permission service module compares the target permission information found in the database with the annotation on the permission point corresponding to the first operation request, to determine whether that target permission information is valid. If valid target permission information exists, the tenant is determined to hold the permission required to execute the first operation request on that permission point, and the permission interceptor allows the request; otherwise, the permission interceptor intercepts the first operation request and rejects it.
For example, when tenant "user_001" does have "delete_list" rights, the rights service module will allow the tenant to perform the operation of deleting the order. If the tenant does not have the authority, an error message corresponding to a first operation request is returned to the tenant through the target system, for example, "you do not have the authority to execute the operation".
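As an added example that is not code from the patent, the following Python sketch models steps S102 to S105: a decorator stands in for the patent's Java @PermissionMethodRequired annotation, the session-token table and the per-tenant permission table are constructed sample data, and the function and table names are assumptions.

```python
from functools import wraps


class PermissionDenied(Exception):
    """Raised by the permission interceptor when a request is rejected."""


# Authentication server state: global session token -> tenant ID (constructed sample data).
SESSION_TOKENS = {
    "token_123456": "user_001",
    "token_654321": "user_002",
}

# Database: tenant ID -> permission points granted to that tenant, one entry per point.
# Rows are keyed by tenant ID, so a lookup never reads another tenant's permissions.
PERMISSION_DB = {
    "user_001": {"view_order", "delete_list"},
    "user_002": {"view_order"},
}


def resolve_tenant(token):
    """Step S102: map the global session token to the tenant's identity, or None."""
    return SESSION_TOKENS.get(token)


def has_permission(tenant_id, point):
    """Step S104: check whether the tenant's stored permission information covers the point."""
    return point in PERMISSION_DB.get(tenant_id, set())


def permission_method_required(point):
    """Stands in for the patent's @PermissionMethodRequired(point) annotation.

    The required permission point is attached to the function as metadata that can be
    read at runtime (like a RUNTIME-retained Java annotation), and the call is wrapped
    in the interceptor logic of steps S103 to S105.
    """
    def decorate(fn):
        fn.required_permission = point  # copied onto the wrapper by functools.wraps

        @wraps(fn)
        def intercepted(request, *args, **kwargs):
            tenant_id = resolve_tenant(request.get("token"))
            if tenant_id is None:
                raise PermissionDenied("invalid or expired global session token")
            if not has_permission(tenant_id, point):
                # Error message returned to the tenant via the target system (S105).
                raise PermissionDenied("you do not have the authority to execute the operation")
            return fn(request, *args, **kwargs)
        return intercepted
    return decorate


@permission_method_required("delete_list")
def delete_order(request, order_id):
    """Handler on the order interface: only reached when the interceptor allows the request."""
    return f"order {order_id} deleted by {resolve_tenant(request['token'])}"


def handle_delete(request, order_id):
    """Dispatch helper returning (allowed, message) so the decision is visible to callers."""
    try:
        return True, delete_order(request, order_id)
    except PermissionDenied as exc:
        return False, str(exc)
```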
Through the steps, the technical scheme of the embodiment realizes the following technical effects:
1. Single sign-on: the tenant only needs to log in once and can then access a plurality of systems through the global session token, which improves the user experience and removes the need for repeated logins.
2. Fine-grained permission control: fine-grained control over operations is achieved through the combination of annotations and permission points, so that only users with the corresponding permissions can execute a specific operation, which strengthens the security of the system.
3. Enhanced security: a strict permission verification process prevents unauthorized access and protects sensitive data and operations.
4. Unified permission management: the permission information of all tenants across the plurality of systems is stored in the same database, which facilitates unified management and auditing and reduces the complexity of permission management.
By the cross-service authority management method based on single sign-on, user experience is improved, and safety and manageability of an authority management framework of multi-tenants under a multi-system are enhanced.
Optionally, the rights management component further comprises a tenant management module, and the method further comprises:
creating and/or deleting tenants for users of the systems through the tenant management module, and registering a plurality of roles corresponding to the tenants under the systems;
creating tenants for administrators of the systems through the tenant management module, and configuring project information, wherein the project information at least comprises project names, domain names and API interfaces;
generating a corresponding tenant ID for each tenant through the tenant management module;
and performing isolation management on a plurality of authority information of the tenant according to the tenant ID in the database, wherein the authority information of each tenant under the system is associated with a corresponding role under the system.
In an alternative embodiment, the permission management component may further include a tenant management module. The tenant management module is configured to add or remove tenants in the multiple systems and to define and register roles for tenants in each system. A role determines the identity of a tenant under a given system together with its corresponding permissions, access level, and so on. These operations may be performed by an administrator according to service requirements, or by a user.
First, the tenant management module provides functionality to create and delete tenants, allowing configuration of tenants for users in multiple systems. Meanwhile, a corresponding role is registered for each tenant under each system, so that each tenant is ensured to at least correspond to one role under each system.
Further, in the creation process of the tenants, project information needs to be configured for each tenant through the tenant management module, and the information at least includes a project name, a domain name and an API interface. The project names are names used for identifying and distinguishing different projects, the domain name is a website used by tenants when accessing the system, and the API interface defines rules and formats of data exchange between the systems. Such project information is critical to the tenant to properly interact with the system.
Further, after the tenants are created, the tenant management module generates a unique tenant ID for each tenant. The tenant ID is used as a key identifier for uniquely identifying each tenant in each system, so that the related data and authority setting of the tenant can be tracked and managed later.
Wherein, in the database, a plurality of authority information of each tenant under a plurality of systems is isolated and managed according to the ID of each tenant. That is, the authority information of each tenant is independently stored in the database and separated from the authority information of other tenants, so that the isolation and the security of the authority information are ensured, and meanwhile, the authority of the tenant is convenient to manage and audit.
The method for storing the authority information of each tenant in the database is to store the authority information of each tenant in a plurality of systems and the roles corresponding to the tenant in a correlated manner. This way of associative storage ensures that the distribution of rights information is role-based, making rights management more flexible and efficient. When the authority of a role is changed, the authorities of all tenants allocated to the role are correspondingly updated, so that the requirements of centralized management of the authorities and quick response to service change are realized.
By way of example, the e-commerce system includes the roles of a sales department and a research and development department:
1. Tenant information:
Tenant ID: TC001
2. Project information:
Project name: internal management system for a certain product
Domain name: XXX.com
API interfaces: the interfaces defining how the tenant interacts with the system, such as obtaining customer data, submitting work reports, etc.
3. Role and permission information:
① Sales department
Role 1: sales representative (SALES REPRESENTATIVE)
Permission information of role 1: view client information, create sales orders, delete sales orders;
② Research and development department
Role 1: developer
Permission information of role 1: access the source code repository, submit code changes, create and modify test cases;
Role 2: project manager
Permission information of role 2: access all project source code, approve code releases, manage project timelines.
Through the technical scheme of the embodiment, the centralized management of the tenants under the multi-system is realized by introducing the tenant management module, including creation, deletion and role registration of the tenants. By configuring project information and generating unique tenant IDs for each tenant, personalized services are provided and isolation management of data is ensured. In addition, by associating the authority information with the roles and isolating management in the database, not only is the security of data such as tenants, roles and authority information improved, but also the flexibility and response speed of the authority management are enhanced. The requirements for personalized rights management and data isolation in a multi-tenant environment are met, and therefore user experience and safety of the whole system are improved.
Optionally, the rights management component further comprises an annotation library, the method further comprising:
The annotation library is used for storing a plurality of annotations, and the annotations comprise predefined annotations in the authority management component and custom annotations set by the tenant according to own requirements.
In particular, in an alternative embodiment, the rights management component further comprises an annotation library, which is a collection in which various annotations for defining the rights policy are stored. The annotation library is part of the rights management component, allowing developers and administrators to declare rights requirements in the code through annotations, while also allowing tenants to add annotations in a custom manner. Thus, the annotations stored in the annotation library are used to define the permission policies required by the tenant or role to execute the operation request on the permission point, and one annotation may indicate what permission information the tenant or role needs to have to execute the operation request on a certain permission point.
The annotations in the annotation library include predefined annotations and custom annotations.
Predefined annotations: standardized annotations provided by the permission management component for common permission settings, such as @ReadOnly and @AdministratorOnly.
Custom annotations: tenants can create new annotations according to their specific needs. For example, an e-commerce tenant may need an @CanProcessPayments annotation to restrict who can process payment transactions.
By the technical scheme shown in the embodiment, complex authority policies can be flexibly configured and managed for different tenants and roles through annotation, so that only proper personnel can access sensitive data and execute key operations. The use of annotation libraries provides a declarative way to handle rights, making rights management more intuitive and centralized.
Optionally, the method further comprises:
when a target system among the systems downloads a system deployed on another server, managing the system deployed on the other server through the permission management component, and adding annotations on a second target interface of the system deployed on the other server;
After logging in the target system, when the tenant sends out a second operation request aiming at a second target interface of the system deployed on other servers, acquiring identity information of the tenant according to the global session token through the permission interceptor;
Intercepting the second operation request through the permission interceptor, determining a second permission point mapped by the second operation request in a plurality of permission points corresponding to a second target interface, and acquiring annotation on the second permission point, wherein the annotation on the second permission point is used for determining permission information required by executing the second operation request;
Judging whether target authority information corresponding to the annotation on the second authority point exists in a plurality of authority information corresponding to the tenant stored in a database according to the identity information of the tenant through the authority service module;
And allowing a second operation request of the tenant when the target authority information corresponding to the annotation on the second authority point is valid.
In an alternative embodiment, when a target system among the multiple systems downloads a system deployed on another server (that is, the target system and the other system are not on the same server), the system deployed on the other server may also be managed by the permission management component, and an annotation is added on a second target interface. Here the target system refers to one of the multiple systems associated with the permission management component, such as an e-commerce system; the system deployed on the other server refers to a different system, such as an inventory management system; and the second target interface refers to one of the interfaces of the system deployed on the other server, such as an inventory interface.
Further, after the tenant successfully logs in on the target system, the tenant may issue a second operation request for a second target interface of the system deployed on the other server (for example, a request to query inventory information). The permission interceptor obtains the tenant's identity information from the second operation request according to the tenant's global session token, determines the second permission point mapped by the second operation request among the permission points corresponding to the second target interface, and obtains the annotation on that second permission point, for example a "query inventory" permission.
Further, judging whether target authority information corresponding to the annotation on the second authority point exists in a plurality of authority information corresponding to the tenant stored in the database according to the identity information of the tenant through the authority service module, and allowing a second operation request of the tenant when the target authority information corresponding to the annotation on the second authority point is valid.
In this way, the tenant accesses systems deployed on different servers under unified permission management, which enhances the security and flexibility of the system.
Optionally, the method further comprises:
configuring a plurality of pieces of authority information of the tenant through the tenant management module, wherein the plurality of pieces of authority information of the tenant comprise authority information configured by the tenant by using the authority points in the authority point library table of the authority management component and/or authority information of the authority points customized by the tenant;
configuring validity periods of authority points corresponding to a plurality of authority information of the tenant, configuring login time on a plurality of systems corresponding to the tenant and configuring role-related information of a plurality of roles corresponding to the tenant through the tenant management module;
wherein the validity period is used to limit the service life of the tenant's permission points, the login time is used to limit the time ranges during which the tenant or its corresponding roles may log in to the plurality of systems, and the role association information is used to configure the permission information corresponding to the permission points of the tenant's roles, so that the roles are associated with the permission points.
In an alternative embodiment, in order to implement personalized setting of authority information of the tenant, multiple authority information of the tenant may also be configured through the tenant management module.
In this process, the tenant management module is used to configure the authority information for each tenant. The authority information comprises the authority information configured by using the authority points in the authority point library table of the authority management component, and the authority information of the authority points customized by the tenant. The permission point library table is a predefined set of permission points provided in the permission management component for direct use by the tenant. The customized authority point is a specific authority point created by the tenant according to the service requirement of the tenant.
In this process, a tenant with validity period setting authority, such as an administrator, may set validity periods of permission points for a plurality of tenants, to limit the service life of the permission points of those tenants or of their corresponding roles. The validity period designates that a permission point is valid for a specific time period, beyond which the permission point automatically lapses. A tenant with login time setting authority can set the login time ranges of multiple tenants, or of their corresponding roles, on the multiple systems; the login time designates that the tenant or role can log in to the system only within a specific time period, such as 9:00 to 17:00 on working days. Meanwhile, the association between roles and permission points can be configured, so that permission information is configured between roles and permission points and the permission scope of each role is determined.
By way of example, consider an e-commerce system and an inventory management system:
Assume that an e-commerce company A uses the multi-tenant permission management component to manage access rights for different departments. The company has two main systems, an e-commerce system and an inventory management system. An administrator configures permission information for the two systems through the tenant management module.
1. E-commerce system permission points:
① Permission points from the permission point library table of the permission management component, such as "view order" and "process payment".
② Custom permission points, such as "create promotional campaign", which are operations specific to the e-commerce system.
2. Inventory management system permission points:
① Permission points from the permission point library table of the permission management component, such as "view inventory" and "update inventory level".
② Custom permission points, such as "schedule logistics", which are operations specific to the inventory management system.
A tenant (e.g., an administrator) with validity period setting authority needs to ensure that certain permission points are valid only for a particular time. For example:
The "create promotional campaign" permission point is valid only during the promotional season.
The "schedule logistics" permission point is valid only within a specific shipping window.
The administrator sets these validity periods through the tenant management module to limit the service life of these permission points for the tenant.
Administrators may also configure the login time of different tenants or roles to limit their login time range on the e-commerce system and the inventory management system. For example:
The "customer service" role can only log in to the e-commerce system on weekdays from 9:00 to 17:00 to handle customer consultations.
The "warehouse manager" role can only log in to the inventory management system on weekdays from 8:00 to 16:00 for daily inventory management.
In addition, the administrator configures the association between the roles and the permission points to realize the permission information configuration between the roles and the permission points.
For example, in an e-commerce system, a "marketing manager" role is associated with a "create promotional program" permission point, allowing them to create and manage promotional programs. In an inventory management system, a "warehouse manager" role is associated with a "view inventory" permission point and an "update inventory level" permission point, allowing them to monitor and adjust inventory levels.
Optionally, the method further comprises:
And rejecting access requests of the tenant or the multiple roles corresponding to the tenant by the permission interceptor when the validity period of the tenant expires and/or when the tenant or the multiple roles corresponding to the tenant log in the corresponding system in the non-login time.
Specifically, in an alternative embodiment, in the rights management system, for each tenant and its corresponding role, the validity period of the rights point and the allowed login time may be set. When the validity period of the authority point setting of one tenant is over, or the tenant or the role thereof tries to log in the system outside the set login time range, the authority interceptor recognizes the conditions and prevents the access request of the tenant, thereby ensuring that the authorities of the tenant and the role are subjected to strict time and access restriction and maintaining the security and regularity of the system.
Optionally, the rights management system further includes a log audit module, and the method includes:
And recording the authority use conditions of each authority point of the tenant on the systems through the log audit module, wherein the authority use conditions at least comprise login time, login IP, access time, access resource and operation results, so that the manager can check the authority use conditions through a background management interface.
Specifically, in an alternative embodiment, the rights management component further includes a log audit module. The log audit module is used for tracking and recording details of the tenant using each authority point on a plurality of systems. Specifically, the log audit module records the permissions of the tenant on each system, such as login time (i.e., when the user logged into the system), login IP (network address when the user logged into), access time (when the user accesses a particular resource or performs an operation), access resources (which system resources the user accessed), and operation results (whether the user's operation was successful). After the rights use cases are recorded in detail, an administrator can check at any time through a background management interface, so that auditing and monitoring can be performed. Such logging functionality is critical to detecting and preventing unauthorized access, understanding user behavior patterns, and troubleshooting upon occurrence of a security event. In short, the log audit module provides a comprehensive record of activity to assist the administrator in maintaining the security of the system.
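The time restrictions enforced by the permission interceptor and the records kept by the log audit module, as an added Python example that is not code from the patent: it evaluates the configured login windows and permission point validity periods for one operation and writes the audit record (login time, login IP, access time, resource, result). The role, tenant, time and IP values are constructed from the patent's examples; the table layout and the function names are assumptions.

```python
from datetime import datetime, time

# Constructed sample data modelled on the patent's example; the layout is an assumption.
# Login window per role: (first weekday, last weekday, start, end), with Monday == 0.
LOGIN_WINDOWS = {
    "customer_service": (0, 4, time(9, 0), time(17, 0)),   # weekdays 9:00-17:00
    "warehouse_manager": (0, 4, time(8, 0), time(16, 0)),  # weekdays 8:00-16:00
}

# Tenant ID -> roles registered for that tenant under the inventory management system.
TENANT_ROLES = {"TC001": {"warehouse_manager"}}

# Role -> permission points, each with a validity period (the shipping window is time-boxed).
GRANTS = [
    {"role": "warehouse_manager", "point": "view_inventory",
     "valid_from": datetime(2024, 1, 1), "valid_to": datetime(2025, 1, 1)},
    {"role": "warehouse_manager", "point": "schedule_logistics",
     "valid_from": datetime(2024, 11, 1), "valid_to": datetime(2024, 12, 1)},
]

AUDIT_LOG = []  # store written by the log audit module


def login_allowed(role, login_at):
    """True if the role may log in at login_at according to its configured window."""
    window = LOGIN_WINDOWS.get(role)
    if window is None:
        return False
    first_day, last_day, start, end = window
    return first_day <= login_at.weekday() <= last_day and start <= login_at.time() <= end


def grant_valid(grant, at):
    """A permission point is usable only inside its validity period; afterwards it lapses."""
    return grant["valid_from"] <= at < grant["valid_to"]


def check_access(tenant_id, point, resource, login_ip, login_at, access_at):
    """Interceptor decision for one operation, recorded as an audit entry.

    login_at and access_at are ISO-8601 strings. Returns "allowed" or a
    "denied: ..." reason string.
    """
    login_dt = datetime.fromisoformat(login_at)
    access_dt = datetime.fromisoformat(access_at)
    roles = TENANT_ROLES.get(tenant_id, set())
    if not any(login_allowed(role, login_dt) for role in roles):
        result = "denied: login outside permitted time range"
    elif not any(g["role"] in roles and g["point"] == point and grant_valid(g, access_dt)
                 for g in GRANTS):
        result = "denied: no valid permission point"
    else:
        result = "allowed"
    AUDIT_LOG.append({
        "tenant_id": tenant_id,
        "login_time": login_at,
        "login_ip": login_ip,
        "access_time": access_at,
        "resource": resource,
        "permission_point": point,
        "result": result,
    })
    return result


def denied_events(tenant_id):
    """What an administrator would pull from the audit log: every rejected operation of a tenant."""
    return [e for e in AUDIT_LOG if e["tenant_id"] == tenant_id and e["result"] != "allowed"]
```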
Through the above embodiments, the technical solution of the present application includes the following technical effects:
Innovative single sign-on mechanism: seamless connection of different services based on modern identity verification standards, which greatly simplifies operation.
Powerful custom annotation support: the annotation mechanism makes permission management more flexible and easier to use, and reduces development and maintenance cost.
Flexible permission management: multiple permission designs are supported, and permission controls can be conveniently added and modified through annotations.
Enhanced security: one-time authentication, expiration management and an abnormal kick-out mechanism improve the security protection capability of the system.
Improved user experience: the user can access multiple system modules after logging in only once, which reduces login operations and improves working efficiency.
Cross-tenant resource sharing: intelligent sharing of permissions under the same tenant simplifies permission planning and reduces operation and maintenance cost.
Comprehensive permission monitoring and management: the integrated permission monitoring function promptly detects non-compliant operations and ensures the security of the system.
Modular design: the modular structure is convenient to integrate, and different modules can be flexibly extended or replaced according to requirements.
Based on the same inventive concept, another embodiment of the present application further provides a cross-service rights management device based on single sign-on, which is applied to a rights management component, where the rights management component at least includes an authentication server, a rights interceptor, a rights service module and a database, and fig. 5 is a schematic frame diagram of a cross-service rights management device based on single sign-on according to an embodiment of the present application, as shown in fig. 5, where the device includes:
The identity authentication module 11 is configured to verify identity information of a tenant through the authentication server when the tenant logs in any one of a plurality of systems, and generate a global session token;
A first identity information obtaining module 12, configured to obtain, when the tenant issues a first operation request for a first target interface in a target system in the multiple systems, identity information of the tenant according to the global session token through the rights interceptor;
A first interception request module 13, configured to intercept, by using the rights interceptor, the first operation request, determine a first rights point mapped by the first operation request among a plurality of rights points corresponding to a first target interface, and obtain an annotation on the first rights point, where the annotation is used to determine rights information required for executing the first operation request;
a first authority judging module 14, configured to judge, by using the authority service module, whether target authority information corresponding to the annotation exists in a plurality of authority information corresponding to the tenant stored in a database according to identity information of the tenant;
And the first execution module 15 is used for allowing the first operation request of the tenant when the target authority information corresponding to the annotation is valid.
Optionally, the rights management component further includes a tenant management module, and the apparatus further includes:
The configuration module is used for creating and/or deleting tenants for users of the systems through the tenant management module and registering a plurality of roles corresponding to the tenants under the systems;
the project information configuration module is used for creating tenants for administrators of the systems through the tenant management module and configuring project information, wherein the project information at least comprises a project name, a domain name and an API interface;
The tenant ID generation module is used for generating a corresponding tenant ID for each tenant through the tenant management module;
and the authority information association module is used for carrying out isolation management on a plurality of authority information of the tenant according to the tenant ID in the database, wherein the authority information of each tenant under the system is associated with the corresponding role under the system.
Optionally, the rights management component further comprises an annotation library, the apparatus further comprising:
And the annotation storage module is used for storing a plurality of annotations through the annotation library, wherein the annotations comprise predefined annotations in the authority management component and custom annotations set by the tenant according to own requirements.
Optionally, the apparatus further comprises:
The management module is configured to manage, through the permission management component, a system deployed on another server when a target system among the systems downloads that system, and to add annotations on a second target interface of the system deployed on the other server;
The second identity information acquisition module is used for acquiring the identity information of the tenant according to the global session token through the authority interceptor when the tenant sends a second operation request aiming at a second target interface of the system deployed on other servers after logging in the target system;
The second interception request module is used for intercepting the second operation request through the permission interceptor, determining a second permission point mapped by the second operation request in a plurality of permission points corresponding to a second target interface, and acquiring annotation on the second permission point, wherein the annotation on the second permission point is used for determining permission information required by executing the second operation request;
The second permission judging module is used for judging whether target permission information corresponding to the annotation on the second permission point exists in a plurality of permission information corresponding to the tenant stored in the database according to the identity information of the tenant through the permission service module;
and the second execution module is used for allowing the second operation request of the tenant when the target authority information corresponding to the annotation on the second authority point is valid.
Optionally, the apparatus further comprises:
a permission information management module, configured to configure, through the tenant management module, a plurality of pieces of permission information of the tenant, where the plurality of pieces of permission information of the tenant include permission information configured by the tenant using the permission points in the permission point library table of the permission management component and/or permission information of permission points customized by the tenant;
a time limit setting module, configured to configure, through the tenant management module, the validity periods of the permission points corresponding to the plurality of pieces of permission information of the tenant, the login time on the plurality of systems corresponding to the tenant, and the role association information of the plurality of roles corresponding to the tenant;
wherein the validity period is used to limit the service life of the tenant's permission points, the login time is used to limit the time ranges during which the tenant or its corresponding roles may log in to the plurality of systems, and the role association information is used to configure the permission information corresponding to the permission points of the tenant's roles, so that the roles are associated with the permission points.
Optionally, the apparatus further comprises:
And the third execution module is used for rejecting access requests of the tenant or the multiple roles corresponding to the tenant through the permission interceptor when the validity period of the tenant expires and/or when the tenant or the multiple roles corresponding to the tenant log in the corresponding system in the non-login time.
Optionally, the rights management system further includes a log audit module, and the apparatus includes:
and the audit module is used for recording the authority use condition of each authority point of the tenant on the systems through the log audit module, wherein the authority use condition at least comprises login time, login IP, access time, access resource and operation result, so that the manager can check the authority use condition through a background management interface.
Based on the same inventive concept, another embodiment of the present application further provides an electronic device, including a memory, a processor, and a computer program stored on the memory, where the processor executes the computer program to implement the cross-service rights management method based on single sign-on according to any one of the above embodiments.
Referring to fig. 6, fig. 6 is a schematic diagram of an electronic device according to an embodiment of the present application. As shown in fig. 6, the electronic device 600 includes a memory 610 and a processor 620, where the memory 610 and the processor 620 are communicatively connected by a bus, and a computer program is stored in the memory 610 that can run on the processor 620, so as to implement the steps of the cross-service rights management method based on single sign-on disclosed in the foregoing embodiments of the present application.
Based on the same inventive concept, another embodiment of the present application also provides a computer program product, including a computer program, where the computer program is executed by a processor to perform the cross-service rights management method based on single sign-on according to any of the above embodiments.
Based on the same inventive concept, another embodiment of the present application further provides a computer readable storage medium, on which a computer program is stored, wherein the program, when executed by a processor, implements the cross-service rights management method based on single sign-on according to any one of the embodiments above.
Since the apparatus embodiment is substantially similar to the method embodiment, its description is relatively brief; for relevant points, refer to the description of the method embodiment.
In this specification, each embodiment is described in a progressive manner, each embodiment focusing on its differences from the other embodiments, and the identical and similar parts of the embodiments may be referred to one another.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the application.
Finally, it is further noted that relational terms such as first and second, and the like, are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal device that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or terminal device comprising the element.
The foregoing has described in detail the method, apparatus, device and medium for cross-service rights management based on single sign-on provided by the present application. Specific examples have been used herein to illustrate the principles and embodiments of the present application, and the description of the foregoing examples serves only to aid understanding of the method and core concept of the present application. Those skilled in the art may, according to the concept of the present application, vary the specific embodiments and the scope of application; in summary, the content of this specification should not be construed as limiting the present application.

Claims (10)

1. A cross-service permission management method based on single sign-on, characterized in that it is applied to a permission management component, the permission management component at least including an authentication server, a permission interceptor, a permission service module and a database, and the method includes: when a tenant logs in to any one of a plurality of systems, verifying the identity information of the tenant through the authentication server and generating a global session token; when the tenant issues a first operation request for a first target interface in a target system among the plurality of systems, obtaining, through the permission interceptor and according to the global session token, the identity information of the tenant; intercepting the first operation request through the permission interceptor, determining a first permission point to which the first operation request is mapped among a plurality of permission points corresponding to the first target interface, and obtaining an annotation on the first permission point, the annotation being used to determine the permission information required to execute the first operation request; determining, through the permission service module and according to the identity information of the tenant, whether target permission information corresponding to the annotation exists among the plurality of pieces of permission information corresponding to the tenant stored in the database; and when the target permission information corresponding to the annotation is valid, allowing the first operation request of the tenant.
2. The cross-service permission management method based on single sign-on according to claim 1, characterized in that the permission management component further includes a tenant management module, and the method further includes: creating and/or deleting tenants for users of the plurality of systems through the tenant management module, and registering a plurality of roles corresponding to the tenant under the plurality of systems, the tenant corresponding to at least one role under each system; creating tenants for administrators of the plurality of systems through the tenant management module and configuring project information, the project information including at least a project name, a domain name and an API interface; generating a corresponding tenant ID for each tenant through the tenant management module; and isolating and managing, in the database and according to the tenant ID, the plurality of pieces of permission information of the tenant, where the permission information of each tenant under a system is associated with the corresponding role under that system.
3. The cross-service permission management method based on single sign-on according to claim 2, characterized in that the permission management component further includes an annotation library, and the method further includes: the annotation library is used to store a plurality of annotations, the annotations including predefined annotations in the permission management component and custom annotations set by the tenant according to its own needs.
4. The cross-service permission management method based on single sign-on according to claim 1, characterized in that the method further includes: when a system deployed on another server is mounted under the target system among the plurality of systems, managing the system deployed on the other server through the permission management component, and adding an annotation on a second target interface of the system deployed on the other server; after the tenant logs in to the target system, when the tenant issues a second operation request for the second target interface of the system deployed on the other server, obtaining, through the permission interceptor and according to the global session token, the identity information of the tenant; intercepting the second operation request through the permission interceptor, determining a second permission point to which the second operation request is mapped among a plurality of permission points corresponding to the second target interface, and obtaining the annotation on the second permission point, the annotation on the second permission point being used to determine the permission information required to execute the second operation request; determining, through the permission service module and according to the identity information of the tenant, whether target permission information corresponding to the annotation on the second permission point exists among the plurality of pieces of permission information corresponding to the tenant stored in the database; and when the target permission information corresponding to the annotation on the second permission point is valid, allowing the second operation request of the tenant.
5. The cross-service permission management method based on single sign-on according to claim 2, characterized in that the method further includes: configuring the plurality of pieces of permission information of the tenant through the tenant management module, the plurality of pieces of permission information of the tenant including permission information configured by the tenant using permission points in the permission point library table provided with the permission management component, and/or permission information of permission points customized by the tenant; configuring, through the tenant management module, the validity period of the permission points corresponding to the plurality of pieces of permission information of the tenant, the login time on the plurality of systems corresponding to the tenant, and the role association information of the plurality of roles corresponding to the tenant; where the validity period is used to limit the usage period of the permission points of the tenant, the login time is used to limit the login time range of the tenant or of the plurality of roles corresponding to the tenant on the plurality of systems, and the role association information is used to configure, for the plurality of roles corresponding to the tenant, the permission information corresponding to permission points, so as to realize the association between the roles and the permission points.
6. The cross-service permission management method based on single sign-on according to claim 5, characterized in that the method further includes: when the validity period of the tenant expires, and/or when the tenant or the plurality of roles corresponding to the tenant log in to the corresponding system outside the login time, rejecting the access request of the tenant or of the plurality of roles corresponding to the tenant through the permission interceptor.
7. The cross-service permission management method based on single sign-on according to any one of claims 1 to 6, characterized in that the permission management system further includes a log audit module, and the method includes: recording, through the log audit module, the permission usage of the tenant at each permission point on the plurality of systems, the permission usage including at least login time, login IP, access time, accessed resource and operation result, so that the administrator can view the permission usage through a background management interface.
8. A cross-service permission management apparatus based on single sign-on, characterized in that it is applied to a permission management component, the permission management component at least including an authentication server, a permission interceptor, a permission service module and a database, and the apparatus includes: an identity authentication module, used to verify the identity information of a tenant through the authentication server and generate a global session token when the tenant logs in to any one of a plurality of systems; a first identity information acquisition module, used to obtain, through the permission interceptor and according to the global session token, the identity information of the tenant when the tenant issues a first operation request for a first target interface in a target system among the plurality of systems; a first request interception module, used to intercept the first operation request through the permission interceptor, determine a first permission point to which the first operation request is mapped among a plurality of permission points corresponding to the first target interface, and obtain an annotation on the first permission point, the annotation being used to determine the permission information required to execute the first operation request; a first permission judgment module, used to determine, through the permission service module and according to the identity information of the tenant, whether target permission information corresponding to the annotation exists among the plurality of pieces of permission information corresponding to the tenant stored in the database; and a first execution module, used to allow the first operation request of the tenant when the target permission information corresponding to the annotation is valid.
9. An electronic device, characterized in that it comprises a memory, a processor, and a computer program stored in the memory, wherein the processor executes the computer program to implement the cross-service permission management method based on single sign-on according to any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that a computer program is stored thereon, wherein the computer program, when executed by a processor, implements the cross-service permission management method based on single sign-on according to any one of claims 1 to 7.
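The interceptor flow of claim 1, with the validity period and login window of claims 5 and 6, the rejection of claim 6 and the audit fields of claim 7 (also described for the apparatus above), as an added Python example that is not the patent's own code. The decorator stands in for the annotation on the interface; the names TenantConfig, PermissionInterceptor, permission_point, the token-to-tenant session map, the default-deny for unannotated interfaces and the sample tenant data are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, Tuple

@dataclass
class TenantConfig:
    permissions: Dict[str, datetime]  # permission point -> end of its validity period
    login_window: Tuple[time, time]   # allowed login time range on the systems

def permission_point(name):
    """Decorator standing in for the annotation placed on a target interface."""
    def wrap(fn):
        fn.permission_point = name
        return fn
    return wrap

class PermissionInterceptor:
    """Resolve identity from the global session token, read the annotation on the
    mapped permission point, check the stored permission information, and audit."""
    def __init__(self, store, sessions):
        self.store = store        # tenant_id -> TenantConfig, stands in for the database
        self.sessions = sessions  # global session token -> (tenant_id, login_time)
        self.audit = []

    def intercept(self, token, handler, now, client_ip):
        tenant_id, login_time = self.sessions.get(token, (None, None))
        allowed, reason = self._decide(tenant_id, handler, now)
        self.audit.append({       # fields named by the log audit module
            "tenant": tenant_id, "login_time": login_time, "login_ip": client_ip,
            "access_time": now, "resource": handler.__name__,
            "result": "allow" if allowed else "deny:" + reason})
        return allowed, reason

    def _decide(self, tenant_id, handler, now):
        if tenant_id is None:
            return False, "invalid session token"
        cfg = self.store.get(tenant_id)
        if cfg is None:
            return False, "unknown tenant"
        start, end = cfg.login_window
        if not start <= now.time() <= end:
            return False, "outside login time"
        required = getattr(handler, "permission_point", None)
        if required is None:      # assumption: an unannotated interface is denied
            return False, "interface has no permission point"
        expires = cfg.permissions.get(required)
        if expires is None:
            return False, "no permission information for " + required
        if expires <= now:
            return False, "permission point expired"
        return True, "allowed"

# Constructed sample data (not from the patent): one tenant, one already-expired point
STORE = {"tenant-A": TenantConfig(
    {"order:read": datetime(2030, 1, 1), "order:delete": datetime(2020, 1, 1)},
    (time(8, 0), time(18, 0)))}
SESSIONS = {"tok-123": ("tenant-A", datetime(2025, 6, 2, 9, 0))}

@permission_point("order:read")
def list_orders():
    return "orders"

@permission_point("order:delete")
def delete_order():
    return "deleted"

def run_demo():
    pi = PermissionInterceptor(STORE, SESSIONS)
    day, night = datetime(2025, 6, 2, 10, 0), datetime(2025, 6, 2, 22, 0)
    decisions = [pi.intercept("tok-123", list_orders, day, "10.0.0.5"),    # allowed
                 pi.intercept("tok-123", list_orders, night, "10.0.0.5"),  # outside login time
                 pi.intercept("tok-123", delete_order, day, "10.0.0.5"),   # validity expired
                 pi.intercept("tok-bad", list_orders, day, "10.0.0.5")]    # no valid session
    return decisions, pi.audit
```

Every decision, including each rejection, lands in the audit list with the login time, login IP, access time, resource and result the log audit module is required to record.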
CN202411834442.6A 2024-12-12 2024-12-12 Cross-service permission management method, device, equipment and medium based on single sign-on Pending CN119961912A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202411834442.6A CN119961912A (en) 2024-12-12 2024-12-12 Cross-service permission management method, device, equipment and medium based on single sign-on

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202411834442.6A CN119961912A (en) 2024-12-12 2024-12-12 Cross-service permission management method, device, equipment and medium based on single sign-on

Publications (1)

Publication Number Publication Date
CN119961912A true CN119961912A (en) 2025-05-09

Family

ID=95585043

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202411834442.6A Pending CN119961912A (en) 2024-12-12 2024-12-12 Cross-service permission management method, device, equipment and medium based on single sign-on

Country Status (1)

Country Link
CN (1) CN119961912A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination