Method, apparatus, and medium for determining permissions

By using a first or second storage structure to quickly determine organizational relationships and permissions, the problems of slow access speed and poor scalability in permission determination systems are solved, achieving efficient permission management and organizational architecture expansion.

CN115130135BActive Publication Date: 2026-06-05CCB FINTECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CCB FINTECH CO LTD
Filing Date
2022-07-08
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing permission control systems suffer from slow data access speeds and a lack of consideration for organizational hierarchies, resulting in slow data reading and poor scalability.

Method used

By employing either a first or second storage structure, organizational relationships can be quickly determined based on the request identifier, and user permissions can be determined according to the organizational relationships. This supports the scalability of organizational structure levels and improves access speed.

Benefits of technology

It enables rapid identification of organizational relationships and access control, avoiding the limitations of organizational structure levels and improving access speed and system scalability.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115130135B_ABST
    Figure CN115130135B_ABST
Patent Text Reader

Abstract

The present disclosure provides a permission determination method and device, equipment, storage medium and program product, relates to the technical field of computers, and can be applied to the technical field of finance. The method comprises the following steps: in response to receiving a permission determination request from a user, determining an identifier corresponding to the request; determining an organizational relationship corresponding to the identifier according to a first storage structure or a second storage structure; and determining whether the user has a permission corresponding to the organizational relationship according to the organizational relationship; wherein the first storage structure comprises a predetermined first user identifier field and an organizational relationship tree field, and the second storage structure comprises a predetermined first user identifier field, a predetermined second user identifier field and an organizational relationship field.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of computer technology, and can be applied to the field of financial technology, and more specifically to a method, apparatus, device, medium and program product for determining permissions. Background Technology

[0002] Currently, existing permission-based systems suffer from slow data access speeds. They also fail to consider organizational hierarchies, resulting in slow data retrieval and poor scalability due to a single, disorganized, and disorganized data storage method. Summary of the Invention

[0003] In view of the above problems, this disclosure provides a method, apparatus, device, medium, and program product for determining permissions. Based on a first or second storage structure, it can quickly determine the corresponding organizational relationship according to the identifier corresponding to the request, and then further determine whether the user has the permissions corresponding to the organizational relationship, thereby managing permissions through the determined permissions. At the same time, it can quickly determine organizational relationships or permissions, avoiding the limitations of organizational structure levels, and improving access speed and scalability.

[0004] According to a first aspect of this disclosure, a method for determining permissions is provided, comprising: in response to receiving a permission determination request from a user, determining an identifier corresponding to the request;

[0005] The organizational relationship corresponding to the identifier is determined according to a first storage structure or a second storage structure; and the user is determined to have permissions corresponding to the organizational relationship according to the organizational relationship; wherein the first storage structure includes a predetermined first user identifier field and an organizational relationship tree field, and the second storage structure includes a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field.

[0006] According to an embodiment of this disclosure, the permission determination method further includes: in response to receiving an organizational relationship tree, determining a predetermined first user identifier corresponding to the organizational relationship tree; determining a predetermined second user identifier and an organizational relationship based on the organizational relationship tree; determining a predetermined first user identifier field and an organizational relationship tree field in the first storage structure based on the organizational relationship tree and the predetermined first user identifier corresponding to the organizational relationship tree; and determining a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field in the second storage structure based on the predetermined second user identifier, the organizational relationship, and the predetermined first user identifier corresponding to the organizational relationship tree.

[0007] According to an embodiment of this disclosure, the identifier corresponding to the request includes a predetermined first user identifier; determining the organizational relationship corresponding to the identifier according to a first storage structure or a second storage structure includes: in the first storage structure, determining an organizational relationship tree corresponding to the predetermined first user identifier.

[0008] According to an embodiment of this disclosure, the identifier corresponding to the request includes a predetermined second user identifier; determining the organizational relationship corresponding to the identifier according to a first storage structure or a second storage structure includes: determining the organizational relationship corresponding to the predetermined second user identifier in the second storage structure.

[0009] According to an embodiment of this disclosure, the permission determination method further includes: in response to receiving a request to update organizational relationships, determining an identifier corresponding to the request and an updated organizational relationship; updating the organizational relationship field in the second storage structure according to the updated organizational relationship to obtain an updated second storage structure; and updating the organizational relationship tree field in the first storage structure according to the updated second storage structure to obtain an updated first storage structure.

[0010] According to an embodiment of this disclosure, the permission determination method further includes: in response to receiving a request to add a second user, determining a predetermined second user identifier and organizational relationship of the second user to be added; updating the organizational relationship tree to which the second user to be added belongs based on the predetermined second user identifier and organizational relationship of the second user to be added; and adding the organizational relationship tree to the first storage structure.

[0011] A second aspect of this disclosure provides an access control device, comprising: an identifier determination module, configured to determine an identifier corresponding to a user's access control request in response to receiving such a request; an organizational relationship determination module, configured to determine an organizational relationship corresponding to the identifier based on a first storage structure or a second storage structure; and an access control determination module, configured to determine whether the user has access rights corresponding to the organizational relationship based on the organizational relationship; wherein the first storage structure includes a predetermined first user identifier field and an organizational relationship tree field, and the second storage structure includes a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field.

[0012] A third aspect of this disclosure provides an electronic device comprising: one or more processors; and a memory for storing one or more programs, wherein, when the one or more programs are executed by the one or more processors, the one or more processors perform the aforementioned permission determination method.

[0013] A fourth aspect of this disclosure also provides a computer-readable storage medium having executable instructions stored thereon, which, when executed by a processor, cause the processor to perform the aforementioned permission determination method.

[0014] The fifth aspect of this disclosure also provides a computer program product, including a computer program that, when executed by a processor, implements the above-described permission determination method.

[0015] The permission determination method provided in this embodiment can quickly determine the corresponding organizational relationship based on the identifier corresponding to the request, using either a first or second storage structure. It then further determines whether the user has the permissions corresponding to that organizational relationship, and manages permissions accordingly. Simultaneously, it can quickly determine organizational relationships or permissions, avoiding the limitations of organizational hierarchy and improving access speed and scalability. Attached Figure Description

[0016] The foregoing contents, as well as other objects, features, and advantages of this disclosure, will become clearer from the following description of embodiments with reference to the accompanying drawings, in which:

[0017] Figure 1 The illustrations depict application scenarios of the permission determination method, apparatus, device, medium, and program products according to embodiments of the present disclosure.

[0018] Figure 2 A flowchart illustrating a permission determination method according to an embodiment of the present disclosure is shown schematically.

[0019] Figure 3 A schematic diagram of an organizational tree according to an embodiment of the present disclosure is shown;

[0020] Figure 4 This illustration schematically shows an execution diagram of determining the storage structure according to an embodiment of the present disclosure;

[0021] Figure 5 A schematic block diagram of a permission determination device according to an embodiment of the present disclosure is shown; and

[0022] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing a permission determination method according to an embodiment of the present disclosure. Detailed Implementation

[0023] The embodiments of the present disclosure will now be described with reference to the accompanying drawings. However, it should be understood that these descriptions are exemplary only and are not intended to limit the scope of the disclosure. In the following detailed description, numerous specific details are set forth to provide a thorough understanding of the embodiments of the present disclosure for ease of explanation. However, it will be apparent that one or more embodiments may be practiced without these specific details. Furthermore, descriptions of well-known structures and techniques are omitted in the following description to avoid unnecessarily obscuring the concepts of the present disclosure.

[0024] The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit this disclosure. The terms “comprising,” “including,” etc., as used herein indicate the presence of the stated features, steps, operations, and / or components, but do not exclude the presence or addition of one or more other features, steps, operations, or components.

[0025] All terms used herein (including technical and scientific terms) have the meanings commonly understood by those skilled in the art, unless otherwise defined. It should be noted that the terms used herein are to be interpreted in a manner consistent with the context of this specification, and not in an idealized or overly rigid way.

[0026] When using expressions such as "at least one of A, B, and C", they should generally be interpreted in accordance with the meaning that is commonly understood by a person skilled in the art (e.g., "a system having at least one of A, B, and C" should include, but is not limited to, a system having A alone, a system having B alone, a system having C alone, a system having A and B, a system having A and C, a system having B and C, and / or a system having A, B, and C, etc.).

[0027] Embodiments of this disclosure provide a permission determination method and apparatus, which, in response to receiving a permission determination request from a user, determine an identifier corresponding to the request; determine an organizational relationship corresponding to the identifier according to a first storage structure or a second storage structure; and determine whether the user has permissions corresponding to the organizational relationship according to the organizational relationship; wherein the first storage structure includes a predetermined first user identifier field and an organizational relationship tree field, and the second storage structure includes a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field.

[0028] Figure 1 The illustration shows an application scenario diagram of the permission determination method, apparatus, device, medium, and program product according to embodiments of the present disclosure.

[0029] like Figure 1As shown, application scenario 100 according to this embodiment may include terminal devices 101, 102, and 103, a network 104, and a server 105. Network 104 serves as a medium for providing a communication link between terminal devices 101, 102, and 103 and server 105. Network 104 may include various connection types, such as wired or wireless communication links, or fiber optic cables, etc.

[0030] Users can use terminal devices 101, 102, and 103 to interact with server 105 via network 104 to receive or send messages, etc. Various communication client applications can be installed on terminal devices 101, 102, and 103, such as shopping applications, web browser applications, search applications, instant messaging tools, email clients, social media platform software, etc. (for example only).

[0031] Terminal devices 101, 102, and 103 can be various electronic devices with displays and web browsing capabilities, including but not limited to smartphones, tablets, laptops, and desktop computers.

[0032] Server 105 can be a server that provides various services, such as a backend management server that supports websites browsed by users using terminal devices 101, 102, and 103 (for example only). The backend management server can analyze and process data such as received user requests, and feed back the processing results (such as web pages, information, or data obtained or generated according to user requests) to the terminal devices.

[0033] It should be noted that the permission determination method provided in this embodiment can generally be executed by server 105. Correspondingly, the permission determination device provided in this embodiment can generally be located in server 105. The permission determination method provided in this embodiment can also be executed by a server or server cluster that is different from server 105 and capable of communicating with terminal devices 101, 102, 103 and / or server 105. Correspondingly, the permission determination device provided in this embodiment can also be located in a server or server cluster that is different from server 105 and capable of communicating with terminal devices 101, 102, 103 and / or server 105.

[0034] It should be understood that Figure 1 The number of terminal devices, networks, and servers shown is merely illustrative. Depending on implementation needs, any number of terminal devices, networks, and servers can be included.

[0035] The following will be based on Figure 1 The described scene, through Figure 2 The permission determination method of the disclosed embodiments is described in detail.

[0036] Figure 2 A flowchart illustrating a permission determination method according to an embodiment of this disclosure is shown schematically.

[0037] like Figure 2 As shown, this embodiment includes operations S210 to S230, and the permission determination method can be executed by the server.

[0038] In the technical solution disclosed herein, the acquisition, collection, storage, use, processing, transmission, provision, disclosure, and application of data all comply with the provisions of relevant laws and regulations, necessary confidentiality measures have been taken, and they do not violate public order and good morals.

[0039] In operation S210, in response to receiving a permission confirmation request from the user, the identifier corresponding to the request is determined.

[0040] In operation S220, the organizational relationship corresponding to the identifier is determined based on either the first storage structure or the second storage structure. The first storage structure includes a predetermined first user identifier field and an organizational relationship tree field, while the second storage structure includes a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field.

[0041] In operation S230, determine whether the user has the permissions corresponding to the organizational relationship based on the organizational relationship.

[0042] The first or second storage structure can be a sequential storage structure, a linked storage structure, or an indexed storage structure. For example, the second storage structure is an indexed storage table in the database, which may include a predefined first user identifier field, a predefined second user identifier field, and an organizational relationship field.

[0043] The first or second storage structure can be constructed based on the acquired data information. For example, data information used to construct the storage structure (first or second storage structure) can be extracted from the data information, such as a predetermined first user identifier corresponding to the first-level organizational hierarchy, a predetermined second user identifier corresponding to an employee, and the organizational relationship corresponding to an employee. Then, an organizational relationship tree can be built based on the data information, and an indexed storage table can be constructed based on the organizational relationship tree and the data information used to construct the storage structure, thus constructing the storage structure.

[0044] The first or second storage structure can also be built based on an organizational tree, for example, a head office corresponds to a main system, and multiple subsidiaries correspond to multiple subsystems. Each company has a corresponding organizational tree, for example, Figure 3A schematic diagram of an organizational relationship tree according to an embodiment of the present disclosure is shown. The organizational relationship tree 300 of Company A has an organizational hierarchy of Company-Department-Group. A predetermined first user identifier corresponding to the first organizational level can be First User Identifier 310; a predetermined second user identifier corresponding to an employee can be Second User Identifier 301, or Second User Identifier 302, or Second User Identifier 303, or Second User Identifier 304; the organizational relationship corresponding to an employee is, for example, employee D1, Second User Identifier 301, organizational relationship Company A-Department B1-Group C1.

[0045] Organizational relationships can be the organizational relationship tree stored in the first storage structure table corresponding to a company (e.g., tenant, Company A) or a first user identifier, or the organizational relationship stored in the second storage table corresponding to an employee (e.g., user, employee D1) or a second user identifier.

[0046] For example, a predetermined second user identifier field in the second storage structure can be used as an index to quickly determine the corresponding organizational relationship based on the determined predetermined second user identifier. This organizational relationship then determines whether a user (e.g., employee D1) has the permissions corresponding to that organizational relationship. For instance, a permission table storing the permissions matched to each organizational level can be used to determine whether a user has the permissions corresponding to the organizational relationship. For example, at the first-level organizational level, Company A has permissions a, b, c, d, e, f, and g; at the third-level organizational level (group C1), employees can have permissions a and b; and at the third-level organizational level (group C2), employees can have permissions c and d. If employee D1 was a member of group C1 one day and is a member of group C2 today, employee D1's organizational relationship has changed. The second storage structure can quickly correct the organizational relationship corresponding to the second user identifier matching employee D1 in the organizational relationship field. Therefore, when user (employee D1) does not have the permissions corresponding to the organizational relationship (group C2), permissions can be corrected, such as granting employee D1 permissions c and d, or removing permissions a and b.

[0047] For example, a predetermined first user identifier field in the first storage structure can be used as an index. Based on this predetermined first user identifier, the organizational tree can be quickly determined, i.e., the corresponding organizational relationship can be identified. Then, based on this organizational relationship, it can be determined whether a user (e.g., Company A) has the permissions corresponding to that organizational relationship. For instance, by storing a permission table containing the permissions matched to each company, it can be determined whether the user has the permissions corresponding to the organizational relationship. For example, at the first-level organizational level, Company A has permissions a, b, c, d, e, f, and g; Company B has permissions h, i, j, and k; and Company C has permissions o, p, and q. Furthermore, at the second-level organizational level of Company A (Department B1), permissions a, d, and e can be obtained; and at the second-level organizational level of Company A (Department B2), permissions f and g can be obtained. Thus, permissions can be determined based on the organizational relationship, such as modifying the permissions of Company A or adjusting the permissions of various departments or groups.

[0048] The permission determination method provided in this embodiment has no restrictions on the level of organizational relationships. It can be three levels, four levels, or even an unlimited number of levels, thereby supporting the expansion of organizational relationship levels to cope with changes in organizational hierarchy. For example, when Company A adjusts its organizational structure, it changes the original department-department member structure to department-group-squad-member structure, which improves scalability.

[0049] The permission determination method provided in this embodiment can quickly determine the corresponding organizational relationship based on the identifier corresponding to the request, using either a first or second storage structure. This allows for further determination of whether the user possesses the permissions corresponding to the organizational relationship, and ultimately, permission management is performed based on the determined permissions. Simultaneously, fields in the storage structure (either the first or second storage structure) can be used as indexes to quickly determine organizational relationships or permissions, improving response efficiency and access speed.

[0050] The permission determination method further includes, in response to receiving an organizational relationship tree, determining a predetermined first user identifier corresponding to the organizational relationship tree; determining a predetermined second user identifier and an organizational relationship based on the organizational relationship tree; determining a predetermined first user identifier field and an organizational relationship tree field in a first storage structure based on the organizational relationship tree and the predetermined first user identifier corresponding to the organizational relationship tree; and determining a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field in a second storage structure based on the predetermined second user identifier, the organizational relationship, and the predetermined first user identifier corresponding to the organizational relationship tree.

[0051] For example, upon receiving an organizational tree from a client, the system parses the tree and extracts information, such as the organizational tree of Company A. This allows the identification of a first user representing Company A, such as identifier 111 (a predetermined first user identifier); the identification of a second user representing employee D1, such as identifier 001 (a predetermined second user identifier), with the organizational relationship being Company A - Department B1 - Group C1; and the identification of a second user representing employee D2, such as identifier 002 (a predetermined second user identifier), with the organizational relationship being Company A - Department B1 - Group C2, and so on. Therefore, identifier 111 can be added to the predetermined first identifier field in the first storage structure, and the organizational tree can be added to the organizational tree field in the first storage structure. Alternatively, identifier 111, identifier 002, and Company A - Department B1 - Group C2 can be added to their respective fields in the second storage structure.

[0052] Figure 4 This illustration schematically shows an execution diagram of determining the storage structure according to an embodiment of the present disclosure, see also Figure 4 First, the user sends data information through client 410, including employee-related information, organizational hierarchy, and organizational structure information for each hierarchy. Upon receiving this data information, server 420 can parse the data information to generate an organizational relationship tree and send this organizational relationship tree to permission determination device 430. Permission determination device 430, upon receiving the organizational relationship tree, can determine a predetermined first user identifier corresponding to the organizational relationship tree; determine a predetermined second user identifier and organizational relationship based on the organizational relationship tree; determine a predetermined first user identifier field and an organizational relationship tree field in a first storage structure based on the organizational relationship tree and the predetermined first user identifier corresponding to the organizational relationship tree; and determine a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field in a second storage structure based on the predetermined second user identifier, organizational relationship, and the predetermined first user identifier corresponding to the organizational relationship tree, thereby determining the storage structure, such as a first storage structure or a second storage structure. Permission determination device 430 can then send this storage structure to server 420 for storage.

[0053] To protect data security, Base64 can also be used to encrypt and decrypt all data information.

[0054] The permission determination method provided in this embodiment can obtain data information for constructing a first storage structure or a second storage structure by parsing and extracting the received organizational relationship tree, thereby determining the corresponding first storage structure and second storage structure. Using this storage structure is beneficial for quickly determining organizational relationships.

[0055] The identifier corresponding to the request includes a predetermined first user identifier; the organizational relationship corresponding to the identifier is determined according to the first storage structure or the second storage structure, including: in the first storage structure, determining the organizational relationship tree corresponding to the predetermined first user identifier.

[0056] For example, if the first user identifier is 111, the first storage structure can be quickly queried to obtain the organizational relationship tree corresponding to company A.

[0057] The permission determination method provided in this embodiment determines the organizational relationship by quickly reading data in the first storage structure to determine the organizational relationship corresponding to the predetermined first user identifier.

[0058] The identifier corresponding to the request includes a predetermined second user identifier; the organizational relationship corresponding to the identifier is determined according to the first storage structure or the second storage structure, including: in the second storage structure, determining the organizational relationship corresponding to the predetermined second user identifier.

[0059] For example, if the second user identifier is 001, the second storage structure can be quickly queried to obtain the organizational relationship corresponding to employee D1, namely Company A - Department B1 - Group C1.

[0060] The permission determination method provided in this embodiment determines the organizational relationship corresponding to the predetermined second user identifier in the second storage structure, and quickly reads data to determine the organizational relationship without traversing the organizational relationship tree.

[0061] The permission determination method further includes, in response to receiving a request to update organizational relationships, determining the identifier corresponding to the request and the updated organizational relationship; updating the organizational relationship field in the second storage structure according to the updated organizational relationship to obtain the updated second storage structure; and updating the organizational relationship tree field in the first storage structure according to the updated second storage structure to obtain the updated first storage structure.

[0062] For example, if employee D2's job changes, such as from a member of group C2 to a member of group C4, the organizational relationship changes and needs to be updated.

[0063] The corresponding organizational relationship can be directly modified in the second storage structure based on the identifier (pre-defined second user identifier) ​​corresponding to employee D2 and the updated organizational relationship (Company A - Department B2 - Group C4), making the operation simple and efficient.

[0064] Both the first and second storage structures include an identifier corresponding to Company A (a predetermined first user identifier). Based on this predetermined first user identifier, the corresponding organizational relationship tree can be determined, and then the organizational relationship tree can be partially updated. That is, only the part corresponding to employee D2 is updated, without updating the entire tree, thereby achieving rapid updating of the organizational relationship tree.

[0065] The permission determination method further includes, in response to receiving a request to add a second user, determining the predetermined second user identifier and organizational relationship of the second user to be added; updating the organizational relationship tree to which the second user to be added belongs based on the predetermined second user identifier and organizational relationship of the second user to be added; and adding the organizational relationship tree to the first storage structure.

[0066] For example, if a new employee D5 joins Company A and belongs to Group C4 with the ID (identification code 009), the organizational relationship would be Company A - Department B2 - Group C4.

[0067] Understandably, the identifier of the second user to be added is 009, and the organizational relationship of the second user to be added is Company A - Department B2 - Group C4.

[0068] Understandably, the organizational tree to which the second user (employee D5) belongs is the organizational tree corresponding to Company A. Quickly obtain Company A's organizational tree and update it, such as adding a leaflet at the position corresponding to Company A-B2 department-C4 group, including relevant information of employee D5, such as 009.

[0069] The permission determination method provided in this embodiment can quickly adjust the organizational relationship tree and data structure when new employees need to be added, which helps to ensure the real-time nature of organizational relationships.

[0070] Based on the above-described permission determination method, this disclosure also provides a permission determination device. The following will be combined with... Figure 5 The device is described in detail.

[0071] Figure 5 A schematic block diagram of a permission determination device according to an embodiment of the present disclosure is shown.

[0072] like Figure 5 As shown, the permission determination device 500 of this embodiment includes an identifier determination module 510, an organizational relationship determination module 520, and a permission determination module 530.

[0073] The identifier determination module 510 is used to determine the identifier corresponding to the request in response to receiving a permission determination request from a user; the organizational relationship determination module 520 is used to determine the organizational relationship corresponding to the identifier according to a first storage structure or a second storage structure; and the permission determination module 530 is used to determine whether the user has the permissions corresponding to the organizational relationship according to the organizational relationship; wherein, the first storage structure includes a predetermined first user identifier field and an organizational relationship tree field, and the second storage structure includes a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field.

[0074] In some embodiments, the apparatus further includes: a first determining module, configured to determine a predetermined first user identifier corresponding to the organizational relationship tree in response to receiving the organizational relationship tree; a second determining module, configured to determine a predetermined second user identifier and an organizational relationship based on the organizational relationship tree; a third determining module, configured to determine a predetermined first user identifier field and an organizational relationship tree field in a first storage structure based on the organizational relationship tree and the predetermined first user identifier corresponding to the organizational relationship tree; and a fourth determining module, configured to determine a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field in a second storage structure based on the predetermined second user identifier, the organizational relationship, and the predetermined first user identifier corresponding to the organizational relationship tree.

[0075] In some embodiments, the identifier corresponding to the request includes a predetermined first user identifier; the organizational relationship determination module is used to: determine the organizational relationship tree corresponding to the predetermined first user identifier in a first storage structure.

[0076] In some embodiments, the identifier corresponding to the request includes a predetermined second user identifier; the organizational relationship determination module is used to: determine the organizational relationship corresponding to the predetermined second user identifier in the second storage structure.

[0077] In some embodiments, the apparatus further includes: a fifth determining module, configured to determine an identifier corresponding to the request and an updated organizational relationship in response to receiving a request to update the organizational relationship; a first updating module, configured to update the organizational relationship field in the second storage structure according to the updated organizational relationship to obtain an updated second storage structure; and a second updating module, configured to update the organizational relationship tree field in the first storage structure according to the updated second storage structure to obtain an updated first storage structure.

[0078] In some embodiments, the apparatus further includes: a sixth determining module, configured to determine a predetermined second user identifier and organizational relationship of the second user to be added in response to receiving a request to add a second user; a third updating module, configured to update the organizational relationship tree to which the second user to be added belongs based on the predetermined second user identifier and organizational relationship of the second user to be added; and an adding module, configured to add the organizational relationship tree to a first storage structure.

[0079] According to embodiments of this disclosure, any plurality of modules among the identifier determination module 510, organizational relationship determination module 520, and permission determination module 530 may be merged into one module, or any one of these modules may be split into multiple modules. Alternatively, at least a portion of the functionality of one or more of these modules may be combined with at least a portion of the functionality of other modules and implemented in one module. According to embodiments of this disclosure, at least one of the identifier determination module 510, organizational relationship determination module 520, and permission determination module 530 may be at least partially implemented as hardware circuitry, such as a field-programmable gate array (FPGA), a programmable logic array (PLA), a system-on-a-chip, a system-on-a-substrate, a system-on-package, an application-specific integrated circuit (ASIC), or implemented in hardware or firmware by any other reasonable means of integrating or packaging circuitry, or implemented in any one of software, hardware, and firmware methods, or in a suitable combination of any of these. Alternatively, at least one of the identifier determination module 510, organizational relationship determination module 520, and permission determination module 530 may be at least partially implemented as a computer program module, which, when run, can perform corresponding functions.

[0080] Figure 6 A block diagram schematically illustrates an electronic device suitable for implementing a permission determination method according to an embodiment of the present disclosure.

[0081] like Figure 6 As shown, an electronic device 600 according to an embodiment of this disclosure includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 602 or a program loaded from a storage portion 608 into a random access memory (RAM) 603. The processor 601 may include, for example, a general-purpose microprocessor (e.g., a CPU), an instruction set processor and / or an associated chipset and / or a special-purpose microprocessor (e.g., an application-specific integrated circuit (ASIC)), etc. The processor 601 may also include onboard memory for caching purposes. The processor 601 may include a single processing unit or multiple processing units for performing different actions of the method flow according to an embodiment of this disclosure.

[0082] RAM 603 stores various programs and data required for the operation of electronic device 600. Processor 601, ROM 602, and RAM 603 are interconnected via bus 604. Processor 601 performs various operations of the method flow according to embodiments of the present disclosure by executing programs in ROM 602 and / or RAM 603. It should be noted that the programs may also be stored in one or more memories other than ROM 602 and RAM 603. Processor 601 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in said one or more memories.

[0083] According to embodiments of this disclosure, the electronic device 600 may further include an input / output (I / O) interface 605, which is also connected to a bus 604. The electronic device 600 may also include one or more of the following components connected to the I / O interface 605: an input section 606 including a keyboard, mouse, etc.; an output section 607 including a cathode ray tube (CRT), liquid crystal display (LCD), etc., and a speaker, etc.; a storage section 608 including a hard disk, etc.; and a communication section 609 including a network interface card such as a LAN card, modem, etc. The communication section 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I / O interface 605 as needed. A removable medium 611, such as a disk, optical disk, magneto-optical disk, semiconductor memory, etc., is installed on the drive 610 as needed so that computer programs read from it can be installed into the storage section 608 as needed.

[0084] This disclosure also provides a computer-readable storage medium, which may be included in the device / apparatus / system described in the above embodiments; or it may exist independently and not assembled into the device / apparatus / system. The computer-readable storage medium carries one or more programs that, when executed, implement the method according to the embodiments of this disclosure.

[0085] According to embodiments of this disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, such as including, but not limited to: portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof. In this disclosure, the computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device. For example, according to embodiments of this disclosure, the computer-readable storage medium may include ROM 602 and / or RAM 603 and / or one or more memories other than ROM 602 and RAM 603 described above.

[0086] Embodiments of this disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowchart. When the computer program product is run on a computer system, the program code is used to enable the computer system to implement the permission determination method provided in the embodiments of this disclosure.

[0087] When the computer program is executed by the processor 601, it performs the functions defined in the system / apparatus of this disclosure embodiments. According to embodiments of this disclosure, the systems, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0088] In one embodiment, the computer program may rely on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted and distributed in the form of signals over a network medium, and downloaded and installed via the communication section 609, and / or installed from the removable medium 611. The program code contained in the computer program can be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination thereof.

[0089] In such an embodiment, the computer program can be downloaded and installed from a network via the communication section 609, and / or installed from the removable medium 611. When the computer program is executed by the processor 601, it performs the functions defined in the system of this disclosure embodiment. According to embodiments of this disclosure, the systems, devices, apparatuses, modules, units, etc., described above can be implemented by computer program modules.

[0090] According to embodiments of this disclosure, program code for executing the computer programs provided in embodiments of this disclosure can be written in any combination of one or more programming languages. Specifically, these computational programs can be implemented using high-level procedural and / or object-oriented programming languages, and / or assembly / machine languages. Programming languages ​​include, but are not limited to, languages ​​such as Java, C++, Python, "C", or similar programming languages. The program code can execute entirely on the user's computing device, partially on the user's device, partially on a remote computing device, or entirely on a remote computing device or server. In cases involving remote computing devices, the remote computing device can be connected to the user's computing device via any type of network, including a local area network (LAN) or a wide area network (WAN), or it can be connected to an external computing device (e.g., via the Internet using an Internet service provider).

[0091] The flowcharts and block diagrams in the accompanying drawings illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of this disclosure. In this regard, each block in a flowchart or block diagram may represent a module, segment, or portion of code containing one or more executable instructions for implementing a specified logical function. It should also be noted that in some alternative implementations, the functions indicated in the blocks may occur in a different order than those indicated in the drawings. For example, two consecutively indicated blocks may actually be executed substantially in parallel, and they may sometimes be executed in reverse order, depending on the functions involved. It should also be noted that each block in a block diagram or flowchart, and combinations of blocks in a block diagram or flowchart, may be implemented using a dedicated hardware-based system that performs the specified function or operation, or using a combination of dedicated hardware and computer instructions.

[0092] Those skilled in the art will understand that the features described in the various embodiments and / or claims of this disclosure can be combined and / or combined in various ways, even if such combinations or combinations are not explicitly described in this disclosure. In particular, the features described in the various embodiments and / or claims of this disclosure can be combined and / or combined in various ways without departing from the spirit and teachings of this disclosure. All such combinations and / or combinations fall within the scope of this disclosure.

[0093] The embodiments of this disclosure have been described above. However, these embodiments are for illustrative purposes only and are not intended to limit the scope of this disclosure. Although various embodiments have been described above, this does not mean that the measures in the various embodiments cannot be used advantageously in combination. The scope of this disclosure is defined by the appended claims and their equivalents. Various substitutions and modifications can be made by those skilled in the art without departing from the scope of this disclosure, and all such substitutions and modifications should fall within the scope of this disclosure.

Claims

1. A method for determining permissions, comprising: In response to receiving a permission confirmation request from a user, determine the identifier corresponding to the request; The organizational relationship corresponding to the identifier is determined based on the first storage structure or the second storage structure; as well as Determine whether the user has the permissions corresponding to the organizational relationship based on the organizational relationship; The first storage structure includes a predetermined first user identifier field and an organizational relationship tree field, and the second storage structure includes a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field. The method further includes: In response to receiving an organizational relationship tree, a predetermined first user identifier corresponding to the organizational relationship tree is determined; Based on the organizational relationship tree, determine the predetermined second user identifier and organizational relationship; Based on the organizational relationship tree and the predetermined first user identifier corresponding to the organizational relationship tree, the predetermined first user identifier field and the organizational relationship tree field in the first storage structure are determined; and Based on the predetermined second user identifier, organizational relationship, and predetermined first user identifier corresponding to the organizational relationship tree, the predetermined first user identifier field, predetermined second user identifier field, and organizational relationship field in the second storage structure are determined.

2. The method according to claim 1, wherein, The identifier corresponding to the request includes a pre-defined first user identifier; The organizational relationship corresponding to the identifier, determined according to the first or second storage structure, includes: In the first storage structure, an organizational relationship tree corresponding to the predetermined first user identifier is determined.

3. The method according to claim 1, wherein, The identifier corresponding to the request includes a pre-defined second user identifier; The organizational relationship corresponding to the identifier, determined according to the first or second storage structure, includes: In the second storage structure, the organizational relationship corresponding to the predetermined second user identifier is determined.

4. The method according to claim 1, further comprising: In response to receiving a request to update organizational relationships, determine the identifier corresponding to the request and the updated organizational relationships; Based on the updated organizational relationship, update the organizational relationship field in the second storage structure to obtain the updated second storage structure; as well as Based on the updated second storage structure, the organization tree field in the first storage structure is updated to obtain the updated first storage structure.

5. The method according to claim 1, further comprising: In response to receiving a request to add a second user, determine the intended second user identifier and organizational relationship of the second user to be added; Update the organizational relationship tree to which the second user to be added belongs based on the predetermined second user identifier and organizational relationship of the second user to be added; as well as Add the organizational relationship tree to the first storage structure.

6. An access control device, comprising: The identifier determination module is used to determine the identifier corresponding to the request in response to receiving an authorization determination request from the user; An organizational relationship determination module is used to determine, based on a first storage structure or a second storage structure, the organizational relationship corresponding to the identifier; as well as The permission determination module is used to determine whether the user has permissions corresponding to the organizational relationship based on the organizational relationship. The first storage structure includes a predetermined first user identifier field and an organizational relationship tree field, and the second storage structure includes a predetermined first user identifier field, a predetermined second user identifier field, and an organizational relationship field. The device further includes: The first determining module is used to determine a predetermined first user identifier corresponding to the organizational relationship tree in response to receiving the organizational relationship tree; The second determination module is used to determine the predetermined second user identifier and organizational relationship based on the organizational relationship tree; The third determining module is used to determine the predetermined first user identifier field and the organizational relationship tree field in the first storage structure based on the organizational relationship tree and the predetermined first user identifier corresponding to the organizational relationship tree; and The fourth determining module is used to determine the predetermined first user identifier field, the predetermined second user identifier field, and the organizational relationship field in the second storage structure based on the predetermined second user identifier, the organizational relationship, and the predetermined first user identifier corresponding to the organizational relationship tree.

7. An electronic device, comprising: One or more processors; Storage device for storing one or more programs. Wherein, when the one or more programs are executed by the one or more processors, the one or more processors perform the method according to any one of claims 1 to 5.

8. A computer-readable storage medium having executable instructions stored thereon, which, when executed by a processor, cause the processor to perform the method according to any one of claims 1 to 5.

9. A computer program product comprising a computer program that, when executed by a processor, implements the method according to any one of claims 1 to 5.