CN110348183B - RBAC-based rapidly configurable permission configuration system, method and storage medium - Google Patents
- Publication number: CN110348183B (application CN201910451862.9A)
- Authority: CN (China)
- Prior art keywords: configuration, attribute, data, menu page, permission
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/30: Authentication, i.e. establishing the identity or authorisation of security principals (under G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F8/71: Version control; Configuration management (under G06F8/70, Software maintenance or management)
- G06F2221/2141: Access rights, e.g. capability lists, access control lists, access tables, access matrices (indexing scheme relating to G06F21/00)
Abstract
The invention relates to a rapidly configurable permission configuration system, method and storage medium. The permission configuration system comprises: an application configuration module for adding a new application or selecting a stored application; a menu page configuration module for configuring the menus and pages of the new or selected application together, building a tree structure by adding same-level or sub-level menu pages, and automatically synchronizing the configured menu pages to attribute values under the menu page attribute; a data attribute configuration module for creating data attributes under the new or selected application, building a flat or tree structure by adding same-level or sub-level attribute values, and configuring the data attribute values; a permission configuration module for combining operations with attribute values under the menu page attribute and under the data attributes to form permissions; and an authorization configuration module for adding roles, authorizing permissions to roles and authorizing roles to users.
Description
Technical Field
The invention relates to the technical field of permission management for industrial applications, and in particular to an RBAC-based rapidly configurable permission configuration system, method and storage medium.
Background
Role-Based Access Control (RBAC) is a newer approach to permission management than traditional access control (discretionary access control and mandatory access control), and therefore receives much attention.
In RBAC, permissions are associated with roles, and users obtain the permissions of the appropriate roles by becoming members of those roles, which greatly simplifies the configuration and management of permissions. In an organization, roles are created to accomplish various tasks, users are assigned roles according to their responsibilities and qualifications, and a user can easily be moved from one role to another. A role can be given new permissions as new requirements arise or systems are combined, and permissions can be withdrawn from a role as needed. The access rights granted to a user are thus determined by the role the user plays in the organization. In RBAC a permission is granted to a role and the role is granted to a user; the user is never directly associated with the permission. Authorization of access rights in RBAC is managed centrally by an administrator: RBAC uses the user's role in the organization to grant and control access, the authorization rules are imposed on the user, and the user cannot transfer access rights to others on their own. It is therefore a non-discretionary, centralized access control model.
The permission configuration system aims to control access to all object resources and data resources of an application system, such as the application's function menus, the buttons on each interface, files, the columns of displayed data and the various row-level data. The permission configuration system first has to control access to the resources, and if the resources are to be controlled at a finer granularity, it also has to control how the resource permissions are classified and distributed. Second, the permission service has to establish the user-role-permission associations: permissions are associated with roles and roles are associated with users, so that users and permissions are logically separated. A permission is a collection of a certain number of rights and is the subject matter of the permission configuration system; it consists of objects and operations. Objects are generally resources, which are broadly summarized as static resources (menus, pages, page controls and page elements) and dynamic resources (data), also referred to as object resources and data resources respectively. Operations generally include add, delete, modify, query, import and export, and the like. Permissions are assigned to roles, not to users; when a role is assigned to a user, the user holds the permissions the role contains.
Currently, an existing permission configuration system generally requires the following ten specific operations: 1) add an application; 2) add pages and page resources (controls on the page); 3) add menu nodes and associate them with the corresponding pages; 4) synchronize the menu nodes and pages to attribute values under the attributes, and add data attribute values; 5) perform distribution operations on the attributes; 6) classify the attributes for finer-grained control of resource permissions; 7) combine attribute values and operations to form permissions; 8) add roles; 9) assign permissions to roles; 10) authorize roles to users under an institutional unit. In practice, however, because there are so many configuration steps, personnel using the permission configuration system for the first time are unfamiliar with the configuration flow and the system's implementation, and find it hard to complete the configuration quickly.
Disclosure of Invention
To solve these technical problems, the invention provides an RBAC-based rapidly configurable permission configuration system and method which simplify the configuration process of the existing permission configuration system, so that authorization and the maintenance of permission resources can be carried out quickly and effectively.
According to one aspect of the present invention, there is provided a permission configuration system including:
an application configuration module for adding a new application or selecting a stored application;
a menu page configuration module for configuring the menus and pages of the new or selected application together, building a tree structure by adding same-level or sub-level menu pages, and automatically synchronizing the configured menu pages to attribute values under the menu page attribute;
a data attribute configuration module for creating data attributes under the new or selected application, building a flat or tree structure by adding same-level or sub-level attribute values, and configuring the data attribute values;
a permission configuration module for combining operations with attribute values under the menu page attribute and under the data attributes to form permissions; and
an authorization configuration module for adding a new role, authorizing permissions to the role and authorizing the role to users.
Preferably, an attribute value consists of an ID and a code:
the menu page configuration module extracts the ID and code of each menu page as the attribute value under the menu page attribute,
and the data attribute configuration module extracts the ID and code of the business data as the attribute value under the data attribute.
Preferably, the operations are predefined and support dynamic extension, including but not limited to: add, delete, modify, query, import and export;
attribute values under the menu page attribute are configured with the query operation by default,
and attribute values under the data attributes are configured with the add, delete, modify and query operations by default.
Preferably, each operation can be combined with one or more attribute values, and each attribute value can be combined with one or more operations.
Preferably, a role can consist of one or more users, each user can be authorized to hold one or more roles, each role can hold one or more permissions, and each permission can be granted to one or more different roles.
Preferably, the system stores menu page templates and data attribute templates;
the menu page configuration module is further used to import menu page templates in batches when configuring menu pages,
and the data attribute configuration module is further used to import data attribute templates in batches when configuring data attributes.
According to another aspect of the present invention, there is provided an RBAC-based rapidly configurable permission configuration method, including:
an application configuration step for adding a new application or selecting a stored application;
a menu page configuration step for configuring the menus and pages of the new or selected application together, building a tree structure by adding same-level or sub-level menu pages, and automatically synchronizing the configured menu pages to attribute values under the menu page attribute;
a data attribute configuration step for creating data attributes under the new or selected application, building a flat or tree structure by adding same-level or sub-level attribute values, and configuring the data attribute values;
a permission configuration step for combining operations with attribute values under the menu page attribute and under the data attributes to form permissions; and
an authorization configuration step for adding new roles, authorizing permissions to the roles and authorizing the roles to users.
Preferably, an attribute value consists of an ID and a code;
the operations are predefined and support dynamic extension, including but not limited to: add, delete, modify, query, import and export;
attribute values under the menu page attribute are configured with the query operation by default,
and attribute values under the data attributes are configured with the add, delete, modify and query operations by default.
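The permission model these preferences describe, for both the system and the method aspect: an attribute value is an ID plus a code, the operations are predefined but extensible, menu page attribute values default to query while data attribute values default to add, delete, modify and query, a permission is one operation combined with one attribute value, permissions are granted to roles, and roles are authorized to users (all many-to-many). The following Python is an added example written for this page, not the patent's own code; the attribute values, role names and the users Zhang San and Li Si are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Operations the page lists as predefined; register_operation() is the
# "dynamic extension" the page allows.
PREDEFINED_OPERATIONS = {"add", "delete", "modify", "query", "import", "export"}

# Default operations per attribute kind, as stated in the preferred embodiment.
DEFAULT_OPERATIONS = {
    "menu_page": {"query"},
    "data": {"add", "delete", "modify", "query"},
}


@dataclass(frozen=True)
class AttributeValue:
    """An attribute value is identified by its ID and its code."""
    kind: str   # "menu_page" or "data"
    id: str
    code: str


# A permission is one operation combined with one attribute value.
Permission = Tuple[str, AttributeValue]


class PermissionSystem:
    """Permission configuration and authorization configuration (constructed example)."""

    def __init__(self) -> None:
        self.operations: Set[str] = set(PREDEFINED_OPERATIONS)
        self.permissions: Set[Permission] = set()
        self.role_permissions: Dict[str, Set[Permission]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def register_operation(self, op: str) -> None:
        self.operations.add(op)

    def combine(self, op: str, value: AttributeValue) -> Permission:
        """Permission configuration: combine an operation with an attribute value."""
        if op not in self.operations:
            raise ValueError(f"operation not registered: {op}")
        perm = (op, value)
        self.permissions.add(perm)
        return perm

    def add_attribute_value(self, value: AttributeValue) -> Set[Permission]:
        """Create the default permissions for a newly configured attribute value."""
        if value.kind not in DEFAULT_OPERATIONS:
            raise ValueError(f"unknown attribute kind: {value.kind}")
        return {self.combine(op, value) for op in DEFAULT_OPERATIONS[value.kind]}

    def add_role(self, role: str) -> None:
        self.role_permissions.setdefault(role, set())

    def grant(self, role: str, perm: Permission) -> None:
        """Authorize a permission to a role; only a formed permission can be granted."""
        if perm not in self.permissions:
            raise ValueError(f"permission was never formed: {perm}")
        self.role_permissions[role].add(perm)        # KeyError for an unknown role

    def revoke(self, role: str, perm: Permission) -> None:
        """Withdraw a permission from a role (the page: permissions can be recovered)."""
        self.role_permissions[role].discard(perm)

    def assign(self, user: str, role: str) -> None:
        """Authorize a role to a user; a user may hold several roles."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def user_permissions(self, user: str) -> Set[Permission]:
        """Effective permissions: the union over every role the user holds."""
        perms: Set[Permission] = set()
        for role in self.user_roles.get(user, set()):
            perms |= self.role_permissions[role]
        return perms

    def is_allowed(self, user: str, op: str, value: AttributeValue) -> bool:
        """Access check: a user is never associated with a permission directly."""
        return (op, value) in self.user_permissions(user)


ORDERS_PAGE = AttributeValue("menu_page", "1001", "ORDER_LIST")     # constructed
REGION_EAST = AttributeValue("data", "2001", "REGION_EAST")         # constructed


def build_example() -> PermissionSystem:
    """Constructed sample: two attribute values, two roles, two users."""
    ps = PermissionSystem()
    ps.add_attribute_value(ORDERS_PAGE)           # default: query
    ps.add_attribute_value(REGION_EAST)           # default: add, delete, modify, query
    ps.combine("export", REGION_EAST)             # extra permission beyond the defaults
    ps.add_role("rd_manager")
    ps.add_role("deputy_general_manager")
    ps.grant("rd_manager", ("query", ORDERS_PAGE))
    ps.grant("rd_manager", ("modify", REGION_EAST))
    ps.grant("deputy_general_manager", ("query", ORDERS_PAGE))
    ps.grant("deputy_general_manager", ("export", REGION_EAST))
    ps.assign("zhang_san", "rd_manager")          # Zhang San holds both roles
    ps.assign("zhang_san", "deputy_general_manager")
    ps.assign("li_si", "deputy_general_manager")
    return ps
```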
Preferably, during configuration each configuration step is saved automatically, so that if the configuration process is interrupted, the interrupted configuration can be selected and continued.
According to another aspect of the present invention, there is provided a storage medium storing executable code which, when executed by a processor, causes the processor to perform the RBAC-based rapidly configurable permission configuration method provided by the present invention.
Compared with the prior art, one or more embodiments of the above scheme have the following advantages or beneficial effects:
By applying the RBAC-based rapidly configurable permission configuration system, method and storage medium, the configuration process of the permission configuration system is optimized and improved: the five parts of application configuration, menu page configuration, data attribute configuration, permission configuration and authorization configuration are extracted as the content of the rapid configuration, so that users find the permission configuration system convenient to use, efficiency is improved, the range of application is wide and operation is more flexible.
In the application configuration, the configurator can directly select an application stored in the database, or create a new application and work on it. In the menu page configuration, same-level or sub-level menu pages can be added, for example by a drag operation, to build a tree structure, with menu pages added one at a time or in batches through an import operation; the ID and code of each configured menu page are extracted automatically and synchronized to the attribute values under the menu page attribute. In the data attribute configuration, a flat or tree structure is built by adding same-level or sub-level attribute values under a data attribute through an add operation, so that the data attribute values are built up step by step; they can also be added in batches through an import operation, or added remotely by the business application system through an API interface. In the permission configuration, an operation is combined with an attribute value of a menu page attribute or a data attribute to form a permission. In the authorization configuration, the role information is filled in, the role is added, permissions are granted to the role and the role is authorized to users. In summary, the rapid configuration process of the permission configuration system and method provided by the embodiments of the invention is simple and clear compared with the configuration process of the existing permission configuration system, and is convenient for configuration personnel to operate and use.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The objectives and other advantages of the invention will be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention.
Fig. 1 schematically shows the RBAC model.
Fig. 2 schematically shows a conventional permission configuration system.
Fig. 3 schematically shows a block diagram of an RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention.
Fig. 4 is a design diagram schematically illustrating the operation interface of the application configuration module of the RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention.
Fig. 5 is a design diagram schematically illustrating the operation interface of the menu page configuration module of the RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention.
Fig. 6 is a design diagram schematically illustrating the operation interface of the permission configuration module of the RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention.
Fig. 7 is a design diagram schematically illustrating the operation interface of the authorization configuration module of the RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention.
Detailed Description
The following detailed description of the embodiments of the present invention will be provided with reference to the drawings and examples, so that how to apply the technical means to solve the technical problems and achieve the technical effects can be fully understood and implemented. It should be noted that, as long as there is no conflict, the embodiments and the features of the embodiments of the present invention may be combined with each other, and the technical solutions formed are within the scope of the present invention.
In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced without these specific details or with a specific implementation described herein.
To better understand the RBAC-based rapidly configurable permission configuration system and method, the principle of the RBAC model is first briefly described.
RBAC (Role-Based Access Control) supports the accepted security principles of least privilege, separation of duties and data abstraction. These three principles are explained in detail in the prior art and are not described here. RBAC comprises Users, Roles, Permissions, Objects, Operations, Assignments and Sessions, and the RBAC model expresses the relationships between users, roles, access rights and sessions.
Fig. 1 schematically shows the RBAC model. As shown in Fig. 1, the RBAC model contains five basic data elements: users, roles, objects, operations and permissions. A session represents a mapping between a user and a set of active roles.
In the RBAC model, a user is a specific person in an organization, such as Zhang San or Li Si. Any user must first belong to a department, which is an administrative unit, and a department may contain several users. For example, if a company has 10 employees in the marketing department, the marketing department is one department and the 10 employees are 10 users, so the relationship between a department and its users is one-to-many. A role is the carrier of permissions, and its purpose is to decouple the logical relationship between users and permissions. One role may include several users and one user may belong to several roles, so the relationship between roles and users is many-to-many.
For example, Zhang San is both the manager of the R&D department and a deputy general manager of the company, so the user Zhang San has two roles, R&D department manager and deputy general manager; this shows that a user can belong to multiple roles. As another example, besides Zhang San the company's deputy general managers include Li Si and Wang Wu, so the role of deputy general manager has three users, Zhang San, Li Si and Wang Wu; this shows that a role can contain multiple users.
A permission is a collection of a certain number of rights and is the subject matter of the permission configuration system; it consists of objects and operations. Objects are generally resources, broadly summarized as static resources (menus, pages, page controls and page elements) and dynamic resources (data), also referred to as object resources and data resources respectively. Operations are customizable and support dynamic extension, including but not limited to add, delete, modify, query, import and export.
In the RBAC model, permissions are assigned directly to roles rather than to users. When a role is assigned to a user, the user holds the permissions the role contains. In most cases the relationship between users, roles and permissions can be seen as a container holding many users and many permissions: users and permissions are in a many-to-many relationship, and a user is associated with permissions through roles.
Fig. 2 schematically shows a conventional permission configuration system. As shown in Fig. 2, the existing permission configuration system is divided into a resource server, a role server and an authorization server. The resource server configures resources such as menus, pages and data; the authorization server mainly generates permissions; and the role server allocates the permissions generated by the authorization server to a role (or institution) and then allocates the role (or institution) to a user or tenant. The system is designed around the role-based access control model, embodies the security principles of least privilege, separation of duties and data abstraction, is suited to providing a unified permission management service in a multi-tenant, multi-application setting, and implements the management of institutions, users, menus, roles, operations, objects and relationships and the definition of the related service interfaces.
However, this permission configuration system has too many configuration steps, and the steps are spread across different servers, which causes great trouble and increases the workload of configuration personnel. Configurators using the permission system for the first time in particular are unfamiliar with the configuration flow and the operation of the system, rarely succeed at the first attempt, and often complete the configuration only under the guidance of experienced configurators, which wastes human resources.
In order to solve the technical problems that the configuration steps of the permission configuration system in the prior art are too many and are not easy to configure, an embodiment of the invention provides a permission configuration system capable of being configured quickly based on RBAC.
The permission configuration system simplifies the configuration process of the existing permission configuration system, and can complete the configuration process of permission data through the configuration of the following five modules, thereby facilitating the quick and effective authorization of users and the maintenance of permission resources.
Fig. 3 schematically shows a block diagram of an RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention. As shown in Fig. 3, the permission configuration system includes an application configuration module, a menu page configuration module, a data attribute configuration module, a permission configuration module and an authorization configuration module. Specifically, the permission configuration system provided in an embodiment of the present invention is divided into these five modules in configuration order.
The permission configuration system provided in an embodiment of the present invention thus shows the order of the configuration modules clearly on the system interface, which helps a configurator understand the whole configuration process. Configuration personnel can complete the permission configuration by following the order of the modules, which shortens the time needed to configure permissions and improves working efficiency.
Specifically, the permission configuration system includes:
an application configuration module for adding a new application or selecting a stored application;
a menu page configuration module for configuring the menus and pages of the new or selected application together, building a tree structure by adding same-level or sub-level menu pages, and automatically synchronizing the configured menus and pages to attribute values under the menu page attribute;
a data attribute configuration module for creating data attributes under the new or selected application, building a flat or tree structure by adding same-level or sub-level attribute values, and configuring the data attribute values;
a permission configuration module for combining operations with attribute values under the menu page attribute and under the data attributes to form permissions; and
an authorization configuration module for adding roles, authorizing permissions to the roles and authorizing the roles to users.
The existing permission configuration system generally configures the whole configuration process step by step, and the configuration is not completed until all the configuration processes are finished. If the configuration process is terminated during this period because of some non-violative factor, the previously configured information must be reconfigured when reconfigured. Therefore, in an embodiment of the present invention, the application configuration module is configured to add an application or select a stored application. Specifically, in an embodiment of the present invention, the application configuration module may perform an operation of selecting an application. For example, fig. 4 is a design diagram illustrating an operation interface of an application configuration module of the RBAC-based rapidly configurable privilege configuration system according to an embodiment of the present invention. As shown in fig. 4, an existing application record is selected in the system interface of the application configuration, and after clicking the existing application record, the existing application record is automatically displayed in the current application frame, so that the reconfiguration is avoided when the application configuration is performed again.
In order to ensure the continuous update of the application data in the database, the application configuration module can perform the next operation. And setting a new button in an operation interface of the application configuration, and popping up a configuration interface of the new application by clicking the button. And when filling the necessary filling parameters, clicking a storage button, storing the application data into the database, automatically selecting the currently newly added application, and jumping to the next configuration interface. Specifically, the next operation in the application configuration module has an automatic saving function. When the configurator finishes configuring a newly added application and clicks the next operation, the system stores the application data of the current configuration interface into the database while jumping to the next configuration interface. Therefore, each configured application can be stored in the database, and further continuous updating of the application data in the database is realized, so that the configured application data can be directly selected in the next configuration.
After configuring an application, an existing permission configuration system firstly configures a page, and then configures a menu after configuring the page. However, there is a repeatability in the configuration information of the menu and the page, and the separate configuration of the page from the menu may result in a case where part of the configuration information is configured a plurality of times at the time of the configuration of the page and the menu. Therefore, in an embodiment of the present invention, the menu page configuration module is configured to configure a menu and a page of a newly added application or a selected application together, establish a tree structure by adding a menu page of the same level or a menu page of a sub level, and synchronize the configured menu page to an attribute value under an attribute of the menu page. Specifically, the permission configuration system provided in an embodiment of the present invention fuses the page configuration and the menu configuration into the menu page configuration. The menu page configuration module can be used for adding menu pages one by one through adding operation, adding the same-level menu pages or sub-level menu pages, establishing tree structures of the menus and the pages, and performing batch adding through leading-in operation.
For example, fig. 5 is a design drawing illustrating an operation interface of a menu and page configuration module of a RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention. As shown in fig. 5, the specific operation is as follows: first, the configurator adds a new menu by, for example, dragging a default menu page item to the integration test, filling in the necessary parameters (e.g., name, code) of the menu, and clicking to save, thereby completing the addition of the first menu. And dragging a default menu page item to the same level or lower level of the newly added menu item again to finish the newly added menu at the same level or lower level, wherein the menu item of the leaf node added at last is the page. It should be noted that a page is a function page, and must contain a URL address of an access page, and may also contain page resources on the page, such as controls on the page, including a control ID and a control name, so that if the page controls are to be controlled on the page, the page resources may also be configured here. In addition, the child nodes or subsets of one tree node can be conveniently migrated to the same level or child level of another node, the layout of the whole menu is changed, the menu subtree with the established error relationship is unnecessary to be deleted and then rebuilt, the effect of the dragging operation is consistent with that of the actually displayed menu tree, and the operation is not repeated herein.
Through the operation, the tree structure of the menu and the page is established. And the configuration process is simple, convenient and direct, and the configuration personnel can understand and modify the configuration quickly, thereby saving the configuration time and facilitating the operation of the configuration personnel. In an embodiment of the present invention, a hierarchical structure may be established between the menu and the sibling menu.
It should be noted that, in an embodiment of the present invention, all pages are leaf nodes. A leaf node is a concept from discrete mathematics: a node in a tree that has no child nodes (i.e., has degree 0) is called a leaf node, or simply a "leaf". That is, in an embodiment of the present invention, a new child-level page cannot be added under a page; only a new peer-level page can be added, so that each page is in a peer relationship with the other pages in the same menu.
In an embodiment of the present invention, the established tree structure of menus and pages is displayed on the system interface, so that a configurator can visually see the relationship between the configured menus and pages. Compared with a conventional rights management system in which pages and menus are configured separately, the rights management system provided in an embodiment of the present invention makes it more convenient for the configurator to check and maintain the configured menus and pages.
In an embodiment of the present invention, to make it easier for configuration personnel to configure menus and pages, the menu page configuration module may perform an import operation. Specifically, this avoids the situation in which, when the number of menus and pages is large, configuration personnel must add them one by one. The database of the system stores menu page templates; the menu page configuration module can perform an import operation, and the association between the import operation and the menu page templates is established through the back end. By clicking the import operation, configuration personnel can enter the types and number of menu page templates to be imported, and the system imports menu page templates of the corresponding types and number onto the system interface in batches. This spares configuration personnel from adding menus and pages one by one, reduces their workload, saves configuration time and facilitates operation and maintenance.
During menu page configuration, each configured menu page item is automatically synchronized into an attribute value of the menu page attribute. The permission configuration system provided by an embodiment of the invention combines the submit operation with the synchronization operation: by clicking only the submit operation provided in the menu page configuration module, a configurator stores the menu data or page data of the current configuration interface in the database and at the same time automatically synchronizes the menu pages of the current configuration interface into attribute values under the menu page attribute.
More specifically, the permission configuration system provided in an embodiment of the present invention extracts the IDs and codes of two different types of resources, namely the configured menus and pages, and uses them as attribute values under the menu page attribute. When a configurator clicks the submit operation in the menu page configuration module, the system stores the menu data or page data of the current configuration interface in the database and simultaneously extracts the IDs and codes of the configured menus or pages as attribute values under the menu page attribute. Thus the invention uniformly extracts the ID and code of the controlled object as the attribute value of the attribute, which helps to unify resources.
The data attribute configuration module is used to establish data attributes under the newly added application or the selected application, to establish a flat structure or a tree structure by adding same-level or sub-level attribute values under the data attributes, and to configure the data attribute values. For data attributes other than the menu page under a given application, the data attribute configuration module extracts the ID and code of service data as attribute values under the data attribute. Service data refers to data in the permission system and/or in a third-party service system that uses the permission system. When configuring a data attribute, data attribute values can be added one by one under the data attribute, same-level or sub-level data attribute values are added to establish a flat structure or a tree structure, and the data attribute values are configured. Data attribute templates can be imported through the import operation for batch addition; addition or deletion can also be invoked remotely by a service application system through an API (application programming interface), with a flat structure or a tree structure established by adding same-level or sub-level attribute values. The data attribute value data of the current configuration interface is stored in the database.
In an embodiment of the invention, the permission configuration module is configured to combine operations with attribute values under the menu page attribute or a data attribute to form permissions. In particular, a permission consists of a controlled object, which is generally a resource (including menus, pages, data attributes, etc.), and operations, which are customizable and support dynamic extension, including but not limited to: add, delete, modify, query, import and export operations. For example, fig. 6 is a design diagram illustrating the operation interface of the permission configuration module of the RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention. As shown in fig. 6, in an embodiment of the present invention, the permission configuration module may perform an add operation, a configure operation and a save operation. When configuring permissions, configuration personnel add a new permission through the add operation, select a permission, click the configure operation, select the attribute value to be configured, and then assign the corresponding operations to that attribute value; after the save operation is clicked, the permission is generated and the system stores it in the database.
Preferably, for all permissions configured by the permission configuration system provided by an embodiment of the present invention, the query operation is a mandatory default option; that is, the query operation is included in every permission. Specifically, when configuring permissions, the back-end code configures the query operation for all attribute values by default, and the configuration personnel only need to select the other operations, which can be customized and support dynamic extension, including but not limited to: add, delete, modify, import and export operations. In an embodiment of the present invention, all attribute values under the menu page attribute have the query operation by default, that is, in the permission configuration every attribute value under the menu page attribute is combined with the query operation, and all attribute values under the data attributes have the add, delete, modify and query operations by default.
In an embodiment of the present invention, the authorization configuration module is configured to add a new role, authorize permissions to the role, and authorize the role to users. For example, fig. 7 is a design diagram of the operation interface of the authorization configuration module of the RBAC-based rapidly configurable permission configuration system according to an embodiment of the present invention. Specifically, as shown in fig. 7, in the authorization configuration the role information is filled in, the role is added, permissions are authorized to the role, the role is authorized to users, and the system stores the authorization configuration data in the database. The authorization configuration supports single authorization, multiple authorization and full authorization. When a role is granted to a user, the user has the permissions that the role contains, and because every permission includes the query operation, every user has the right to query.
As described above, an existing permission configuration system generally carries out the whole configuration process step by step, and the configuration is not complete until every configuration step is finished. If the configuration process is terminated part-way by some external factor, the configuration must be restarted from the beginning the next time it is performed. Therefore, in an embodiment of the present invention, each time a configuration step is completed during the configuration process, the system automatically saves that step, so that when the configuration process is interrupted, the interrupted configuration process can be selected and continued. For example, as described above, during application configuration the system saves the application data of the current configuration interface in the database; during menu page configuration the system stores the menu data or page data of the current configuration interface in the database; during data attribute configuration the system stores the attribute value data under the data attribute of the current configuration interface in the database; during permission configuration the system stores the generated permission in the database; and during authorization configuration the system stores the authorization configuration data in the database.
In addition, so that an interrupted configuration process can be selected and continued, in an embodiment of the present invention the menu page configuration module, the data attribute configuration module, the permission configuration module and the authorization configuration module may further perform an application selection operation for selecting an application. After an application is selected, these modules can perform menu page configuration and/or data attribute configuration and/or permission configuration and/or authorization configuration on the configuration data of the selected application.
Specifically, application drop-down boxes are arranged on the interfaces corresponding to the menu page configuration module, the data attribute configuration module, the permission configuration module and the authorization configuration module, and all applications stored in the database are displayed in these drop-down boxes. During menu page configuration, data attribute configuration, permission configuration and authorization configuration, a configurator can select the application to be configured in the application drop-down box of the interface; after the application is selected, the system retrieves all configuration data of that application from the database, namely the application configuration data from application configuration, the menu page configuration data from menu page configuration, the data attribute value data from data attribute configuration, the permission configuration data from permission configuration and the authorization configuration data from authorization configuration.
It should be noted that all the retrieved configuration data of the application is data that the configuration personnel configured earlier and stored in the database. If some steps have never been configured before, e.g., permissions and authorization have not yet been configured for the application, then all configuration data of the application consists only of the application configuration data and the menu page configuration data.
At this point, all configuration data of the application has been retrieved. Through the menu page configuration module, the data attribute configuration module, the permission configuration module and the authorization configuration module, the configuration personnel can complete the menu page configuration and/or data attribute configuration and/or permission configuration and/or authorization configuration that has not yet been done for the selected application. The permission configuration system provided by an embodiment of the invention therefore offers selectable configuration, which solves the cumbersome problem of having to redo an unfinished configuration from the first step. If the permission configuration process is terminated by some external factor such as a network outage, the last unfinished configuration step can be selected and completed when rapid configuration is opened again.
Correspondingly, an embodiment of the invention also provides an RBAC-based rapidly configurable permission configuration method, which comprises the following steps:
an application configuration step, which is used for newly adding applications or selecting stored applications;
a menu page configuration step, which configures the menus and pages of the newly added application or the selected application together, establishes a tree structure by adding same-level or sub-level menu pages, and automatically synchronizes the configured menu pages to attribute values under the menu page attribute;
a data attribute configuration step, which is used for establishing data attributes under the newly added application or the selected application, establishing a flat structure or a tree structure by adding a same level or a sublevel attribute value, and configuring a data attribute value;
a permission configuration step for combining an operation with attribute values under the menu page attribute and under the data attribute to form a permission; and
an authorization configuration step, which adds new roles, authorizes permissions to the roles and authorizes the roles to users.
In one embodiment of the present invention, the attribute values include an ID and a code, and the operations are customizable and support dynamic extension, including but not limited to: add, delete, modify, query, import and export. In the menu page configuration step, automatically synchronizing the configured menu pages to attribute values under the menu page attribute comprises extracting the ID and code of each menu page as an attribute value under the menu page attribute. In the data attribute configuration step, adding a same-level or sub-level attribute value comprises extracting the ID and code of service data as an attribute value under the data attribute. Service data refers to data in the permission system and/or in a third-party service system that uses the permission system.
In the configuration process, each time a configuration step is completed, the configuration step is automatically saved, so that when the configuration process is interrupted, the interrupted configuration process can be selected to continue configuration.
Specifically, when the application is configured and the next-step operation is clicked, the application data of the current configuration interface is stored in the database and the interface jumps to the next configuration interface.
When configuring menu pages, same-level or sub-level menu pages can be added, for example by a drag operation, to establish the tree structure of menus and pages; alternatively, the import operation can be clicked to import the menu page templates stored in the database in batches. The menu data or page data of the current configuration interface is stored in the database, and the ID and code of each menu page are extracted as attribute values under the menu page attribute.
When configuring data attributes, data attribute values can be added one by one under the data attribute, same-level or sub-level data attribute values are added to establish a flat structure or a tree structure, and the data attribute values are configured. Batch addition can be carried out through the import operation, addition or deletion can be invoked remotely by the service application system through the API, and a flat structure or a tree structure is established by adding same-level or sub-level attribute values. The data attribute value data of the current configuration interface is stored in the database.
When configuring permissions, a new permission is added through the add operation. A permission is selected, the configure operation is clicked, the attribute value to be configured is selected, the corresponding operations are assigned to that attribute value, and the permission is generated once the save operation is clicked. The permission data of the current configuration interface is stored in the database. The query operation is a mandatory default option and is configured for all attribute values by default. In an embodiment of the present invention, attribute values under the menu page attribute are configured with the query operation by default, and attribute values under the data attributes are configured with the add, delete, modify and query operations by default.
When configuring authorization, a role is added through the add operation, permissions are authorized to the role, the role is authorized to users, and the authorization data of the current configuration interface is stored in the database.
After an application is selected, menu page configuration and/or data attribute configuration and/or permission configuration and/or authorization configuration are carried out on the configuration data of the selected application through the respective configuration steps. Preferably, the application selection operation is an application drop-down box that displays all applications stored in the database.
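The module description above and the method steps that restate it, as an added Python model that is not code from the patent: a menu/page tree whose pages are leaves that must carry a URL, the submit-and-sync of each item's (ID, code) into the menu page attribute, permissions that always carry the default query operation (and add/delete/modify/query for data attributes), role and user authorization, and the per-step checkpoint used to resume after an interruption. The class and function names, the in-memory store standing in for the database, and the sample "erp" data are assumptions.

```python
from dataclasses import dataclass, field

# Operations are customizable in the description; this registry starts with the six it names.
OPERATIONS = {"add", "delete", "modify", "query", "import", "export"}
MENU_PAGE_DEFAULTS = {"query"}                        # every menu page attribute value
DATA_DEFAULTS = {"add", "delete", "modify", "query"}  # every data attribute value
STEPS = ["application", "menu_page", "data_attribute", "permission", "authorization"]

@dataclass
class MenuNode:
    """A menu or a page; a page carries the URL it opens and is always a leaf."""
    id: str
    code: str
    url: str = None          # set only for pages
    children: list = field(default_factory=list)

    def add_child(self, child):
        if self.url is not None:
            raise ValueError(f"page '{self.code}' is a leaf and cannot have children")
        self.children.append(child)

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()

class PermissionConfig:
    """Configuration of one application; hypothetical in-memory store checkpointing each step."""

    def __init__(self, app_code):
        self.app = app_code
        self.menu_roots = []
        # attribute -> {code: id}: the (ID, code) pair is the attribute value
        self.attr_values = {"menu_page": {}, "data": {}}
        self.permissions = {}   # name -> {attribute value code: set of operations}
        self.roles = {}         # role -> set of permission names
        self.users = {}         # user -> set of role names
        self.saved = {"application"}

    def submit_menu_pages(self):
        """Submit: store the tree and sync each item's ID and code into the attribute."""
        for root in self.menu_roots:
            for node in root.walk():
                self.attr_values["menu_page"][node.code] = node.id
        self.saved.add("menu_page")

    def add_data_attr_value(self, id_, code):
        self.attr_values["data"][code] = id_
        self.saved.add("data_attribute")

    def configure_permission(self, name, attr_code, ops=()):
        """Combine an attribute value with operations; the defaults are always added."""
        if not set(ops) <= OPERATIONS:
            raise ValueError(f"unregistered operations: {sorted(set(ops) - OPERATIONS)}")
        if attr_code in self.attr_values["menu_page"]:
            defaults = MENU_PAGE_DEFAULTS
        elif attr_code in self.attr_values["data"]:
            defaults = DATA_DEFAULTS
        else:
            raise KeyError(f"'{attr_code}' is not a configured attribute value")
        granted = self.permissions.setdefault(name, {}).setdefault(attr_code, set())
        granted |= defaults | set(ops)
        self.saved.add("permission")
        return granted

    def grant_permission(self, role, permission):
        if permission not in self.permissions:
            raise KeyError(f"unknown permission '{permission}'")
        self.roles.setdefault(role, set()).add(permission)

    def assign_role(self, user, role):
        if role not in self.roles:
            raise KeyError(f"unknown role '{role}'")
        self.users.setdefault(user, set()).add(role)
        self.saved.add("authorization")

    def is_allowed(self, user, attr_code, op):
        """Authorization check: user -> roles -> permissions -> (attribute value, operations)."""
        return any(op in self.permissions[p].get(attr_code, ())
                   for r in self.users.get(user, ()) for p in self.roles.get(r, ()))

    def next_step(self):
        # Resume point after an interruption: the first step not yet saved
        return next((s for s in STEPS if s not in self.saved), None)

def build_demo():
    """Constructed sample configuration (not taken from the patent)."""
    cfg = PermissionConfig("erp")
    orders = MenuNode("m1", "orders")
    orders.add_child(MenuNode("p1", "order_list", url="/orders"))
    cfg.menu_roots.append(orders)
    cfg.submit_menu_pages()
    cfg.add_data_attr_value("d1", "customer_record")
    cfg.configure_permission("order_viewer", "order_list")
    cfg.configure_permission("order_editor", "order_list", {"export"})
    cfg.configure_permission("order_editor", "customer_record")
    cfg.grant_permission("clerk", "order_viewer")
    cfg.grant_permission("manager", "order_editor")
    cfg.assign_role("alice", "clerk")
    cfg.assign_role("bob", "manager")
    return cfg
```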
Accordingly, an embodiment of the present invention further provides a storage medium having an executable code stored thereon, where the executable code, when executed by a processor, causes the processor to execute the RBAC-based fast configurable permission configuration method according to an embodiment of the present invention.
In summary, the present invention optimizes and improves the configuration flow of the existing permission configuration system and permission configuration method, extracts five parts of application configuration, menu page configuration, data attribute configuration, permission configuration and authorization configuration as fast configuration contents, facilitates the use of the permission configuration system by the user, improves efficiency, and has a wide application range and more flexible operation.
It is to be understood that the disclosed embodiments of the invention are not limited to the particular process steps or materials disclosed herein, but rather, are extended to equivalents thereof as would be understood by those of ordinary skill in the relevant art. It is also to be understood that the terminology used herein is for the purpose of describing particular embodiments only, and is not intended to be limiting.
Reference in the specification to "an embodiment" means that a particular feature, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Thus, the appearances of the phrase "an embodiment" appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
It will be appreciated by those of skill in the art that the elements and algorithm steps of the examples described in connection with the embodiments disclosed herein may be embodied in electronic hardware, computer software, or a combination of both, and that the components and steps of the examples have been described in general functional terms in the foregoing description in order to illustrate clearly the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and the design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Although the embodiments of the present invention have been described above, the above description is only for the convenience of understanding the present invention, and is not intended to limit the present invention. It will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Claims (10)
1. An RBAC-based rapidly configurable permission configuration system, comprising:
the application configuration module is used for newly adding applications or selecting stored applications;
the menu page configuration module is used for configuring the menus and pages of the newly added application or the selected application together, establishing a tree structure by adding same-level or sub-level menu pages, and automatically synchronizing the configured menu pages to attribute values under the menu page attribute;
the data attribute configuration module is used for establishing data attributes under the newly added application or the selected application, establishing a flat structure or a tree structure by adding a same-level attribute value or a sub-level attribute value, configuring the data attribute values, and storing the data attribute value data of the current configuration interface into a database;
the permission configuration module is used for combining the operation with the attribute values under the menu page attribute and the data attribute to form permission and storing the permission into a database; and
and the authorization configuration module is used for adding a new role, authorizing the permission to the role, authorizing the role to the user and storing authorization configuration data into a database.
2. The permission configuration system as defined in claim 1, wherein
the attribute values include an ID and a code,
the menu page configuration module extracts the ID and code of the menu page as the attribute value under the menu page attribute,
and the data attribute configuration module extracts the ID and the code of the service data as the attribute value under the data attribute.
3. The permission configuration system as defined in claim 1, wherein
the operations are predefined and support dynamic extension,
the attribute values under the menu page attribute are configured with the query operation by default,
and the attribute values under the data attributes are configured with the add, delete, modify and query operations by default.
4. The permission configuration system of claim 1, wherein each operation is combinable with one or more attribute values, and each attribute value is combinable with one or more operations.
5. The permission configuration system as defined in claim 1, wherein a role can be held by one or more users, each user is authorized to have one or more roles, each role is authorized to have one or more permissions, and each permission is authorized to one or more different roles.
6. The permission configuration system as defined in claim 1, wherein
the system stores a menu page template and a data attribute template,
the menu page configuration module is also used for importing the menu page templates in batches when configuring the menu pages,
the data attribute configuration module is also used for importing the data attribute templates in batches when configuring the data attributes.
7. An RBAC-based rapidly configurable permission configuration method, comprising the following steps:
an application configuration step, which is used for newly adding applications or selecting stored applications;
a menu page configuration step, which configures the menus and pages of the newly added application or the selected application together, establishes a tree structure by adding same-level or sub-level menu pages, and automatically synchronizes the configured menu pages to attribute values under the menu page attribute;
a data attribute configuration step, which is used for establishing data attributes under the newly added application or the selected application, establishing a flat structure or a tree structure by adding a same level or a sublevel attribute value, configuring the data attribute value, and storing the data attribute value data of the current configuration interface into a database;
a permission configuration step, which is used for combining the operation with the attribute values under the menu page attribute and the data attribute to form permission and storing the permission into a database; and
an authorization configuration step, which adds new roles, authorizes permissions to the roles, authorizes the roles to users and stores the authorization configuration data in a database.
8. The permission configuration method according to claim 7, wherein
the attribute values include an ID and a code,
the operations are predefined and support dynamic extension,
the attribute values under the menu page attribute are configured with the query operation by default,
and the attribute values under the data attributes are configured with the add, delete, modify and query operations by default.
9. The permission configuration method according to claim 7, wherein each configuration step is automatically saved during the configuration process, so that when the configuration process is interrupted, the interrupted configuration process can be selected to continue configuration.
10. A storage medium having stored thereon executable code which, when executed by a processor, causes the processor to perform the permission configuration method as claimed in any one of claims 7 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910451862.9A CN110348183B (en) | 2019-05-28 | 2019-05-28 | RBAC-based rapidly configurable permission configuration system, method and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110348183A CN110348183A (en) | 2019-10-18 |
CN110348183B true CN110348183B (en) | 2021-07-20 |
Family ID: 68174083
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910451862.9A Active CN110348183B (en) | 2019-05-28 | 2019-05-28 | RBAC-based rapidly configurable permission configuration system, method and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110348183B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111427491A (en) * | 2020-03-02 | 2020-07-17 | 青岛聚好联科技有限公司 | Method and device for configuring system background menu button |
CN111400561B (en) * | 2020-03-17 | 2023-09-12 | 杭州迪普科技股份有限公司 | Electronic device and configuration method thereof |
CN111950866B (en) * | 2020-07-24 | 2023-11-07 | 合肥森亿智能科技有限公司 | Role-based multi-tenant organization structure management system, method, equipment and medium |
CN112487378A (en) * | 2020-12-11 | 2021-03-12 | 宝付网络科技(上海)有限公司 | Tenant authority management system suitable for big data platform |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101478536A (en) * | 2008-12-08 | 2009-07-08 | 山东浪潮齐鲁软件产业股份有限公司 | Method for solving access control in authority management |
CN101997876A (en) * | 2010-11-05 | 2011-03-30 | 重庆大学 | Attribute-based access control model and cross domain access method thereof |
CN103049684A (en) * | 2012-12-21 | 2013-04-17 | 大唐软件技术股份有限公司 | Data authority control method and data authority control system based on RBAC (role-based access control) model extension |
CN104243453A (en) * | 2014-08-26 | 2014-12-24 | 中国科学院信息工程研究所 | Access control method and system based on attribute and role |
Also Published As
Publication number | Publication date |
---|---|
CN110348183A (en) | 2019-10-18 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||