Method, apparatus and computer storage medium for managing rights

By generating permission request forms for the target business system and combining them with the permission control model and administrator-defined configuration information, the reusability and flexibility of request forms in the permission management system are solved, thereby improving management efficiency and user experience.

CN115495717BActive Publication Date: 2026-07-03SHENZHEN BAMBOOCLOUD TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
SHENZHEN BAMBOOCLOUD TECH CO LTD
Filing Date
2022-09-15
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

In existing access control systems, the reusability and flexibility of application forms are poor, resulting in high learning costs, low efficiency, and a poor user experience when users move between different business systems.

Method used

By obtaining the application form generation request from the user to be authorized, the access control model and application form configuration information of the target business system are determined, the target application form is generated, and permission attributes are edited and visualized based on this. It supports table-by-table configuration and attribute value control, and realizes the combination of custom permission application forms and standard templates.

Benefits of technology

It improves the efficiency of access control and user experience, reduces the learning cost for users across different systems, and enables the integration and personalized configuration of access request forms across different access control model systems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN115495717B_ABST
    Figure CN115495717B_ABST
Patent Text Reader

Abstract

This invention relates to the field of computer data processing technology and discloses a permission management method. The method includes: obtaining an application form generation request sent by a user to be authorized; the application form generation request is used to request the generation of a permission application form corresponding to a target business system; determining the permission control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure permission attributes in the permission application form; the permission attributes are used to configure user permissions; generating a target application form based on the permission control model information and the application form configuration information; and returning the target application form to the user to be authorized. Through the above method, this invention improves the efficiency of permission management in a business system under a multi-permission control model.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The embodiments of the present invention relate to the field of computer data processing technology, specifically to a permission management method, apparatus, device, and computer storage medium. Background Technology

[0002] In existing access control systems, users typically need to fill out a corresponding access request form when requesting permissions. These forms are usually configured separately by each business system according to its corresponding access control model. This results in poor reusability and flexibility of the forms, and inconsistent and non-standardized page configurations and attribute definitions across different systems, increasing the learning cost for users switching between different business systems. Therefore, the current access control system suffers from low efficiency and a poor user experience. Summary of the Invention

[0003] In view of the above problems, embodiments of the present invention provide a permission management method, apparatus, device, and computer storage medium to solve the problems of low efficiency and poor user experience in permission management in the prior art.

[0004] According to one aspect of the present invention, a permission management method is provided, the method comprising:

[0005] Obtain the request to generate an application form sent by the user to be authorized; the request to generate an application form corresponding to the target business system is used to request the generation of the permission application form.

[0006] Determine the access control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions;

[0007] Generate a target application form based on the access control model information and the application form configuration information;

[0008] The target application form is returned to the user to be authorized.

[0009] In an alternative approach, the method further includes:

[0010] Determine the preset standard template for the permission request form corresponding to the permission control model information;

[0011] The permission attributes of the standard template for the permission application form are edited according to the configuration information of the application form to obtain the target application form.

[0012] In one optional approach, the permission attributes include default attributes and custom attributes; the standard template for the permission request form includes at least one of the default attributes; the request form configuration information includes attribute editing information and attribute style information; the method further includes:

[0013] The custom attribute is determined based on the attribute editing information and the default attribute;

[0014] The permission attributes are visualized based on the attribute style information to obtain the target application form.

[0015] In an optional embodiment, the application form configuration information further includes attribute restriction information; the attribute restriction information is used to control the attribute values ​​of the permission attributes; the method further includes:

[0016] Obtain the pending application form sent by the user to be authorized;

[0017] The application form to be approved is formally validated based on the attribute restriction information.

[0018] When the form of the application to be approved passes the form verification, the application to be approved is sent to the permission administrator corresponding to the target business system for permission approval processing of the user to be authorized.

[0019] In one optional approach, the application form configuration information includes sub-table configuration information; the sub-table configuration information is used to edit the permission attributes of at least two sub-tables included in the same permission application form; the sub-tables are used by the user to be authorized to complete multiple permission applications through one permission application form; the method further includes:

[0020] Based on the table partitioning configuration information, determine at least two sub-permission attributes corresponding to each sub-table and the attribute style information corresponding to the sub-permission attributes;

[0021] For each of the sub-tables, the sub-permission attributes and the standard template of the permission application table corresponding to the sub-table are visualized according to the attribute style information to obtain the target application table.

[0022] In an optional approach, the table partitioning configuration information further includes table partitioning restriction information; the table partitioning restriction information is used to control the attribute values ​​of the sub-permission attributes within each of the partitions; the method further includes:

[0023] Obtain the pending application form sent by the user to be authorized;

[0024] When it is determined that the application form to be approved includes multiple sub-tables, the sub-tables are respectively verified for sub-table format according to the sub-table restriction information;

[0025] Once it is determined that all the aforementioned tables have passed the formal validation, the application form to be approved is sent to the permission administrator corresponding to the target business system to authorize the user to be authorized.

[0026] In an alternative approach, the method further includes:

[0027] When it is determined that at least one of the sub-tables has failed verification, a prompt message is generated based on the application form to be approved and the sub-table restriction information.

[0028] The prompt message will be returned to the user who is to be authorized.

[0029] According to another aspect of the present invention, a permission management device is provided, comprising:

[0030] The acquisition module is used to acquire the application form generation request sent by the user to be authorized; the application form generation request is used to request the generation of the permission application form corresponding to the target business system;

[0031] The determination module is used to determine the access control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions;

[0032] The generation module is used to generate a target application form based on the permission control model information and the application form configuration information;

[0033] The return module is used to return the target application form to the user to be authorized.

[0034] According to another aspect of the present invention, a permission management device is provided, comprising:

[0035] The processor, memory, communication interface, and communication bus are provided, wherein the processor, memory, and communication interface communicate with each other via the communication bus.

[0036] The memory is used to store at least one executable instruction, which causes the processor to perform operations as described in any of the preceding embodiments of the permission management method.

[0037] According to another aspect of the present invention, a computer-readable storage medium is provided, the storage medium storing at least one executable instruction, the executable instruction causing a permission management device to perform the operation of any of the preceding permission management method embodiments.

[0038] This invention, in its embodiment, obtains an application form generation request sent by a user awaiting authorization. The request requests the generation of a permission application form corresponding to a target business system. It determines the permission control model information and application form configuration information corresponding to the target business system. The application form configuration information configures the permission attributes in the permission application form, and the permission attributes configure user permissions. A target application form is generated based on the permission control model information and the application form configuration information. The target application form is then returned to the user awaiting authorization. This differs from existing technologies where application forms for different business systems need to be generated independently and are not reusable, leading to low efficiency in administrator configuration and management of permission application forms, and high learning costs for users applying for permissions across different systems. This invention generates application forms based on the permission control model adopted by the target business system and the administrator-defined configuration information. Therefore, when managing permissions for different business systems, the administrator only needs to configure the custom application form configuration information as needed. This simplifies permission management for administrators and enables the integration of permission application forms across systems with different permission control models, reducing the learning cost for users and thus improving the efficiency of permission management and user experience.

[0039] The above description is merely an overview of the technical solutions of the embodiments of the present invention. In order to better understand the technical means of the embodiments of the present invention and to implement them in accordance with the contents of the specification, and to make the above and other objects, features and advantages of the embodiments of the present invention more apparent and understandable, specific embodiments of the present invention are described below. Attached Figure Description

[0040] The accompanying drawings are for illustrative purposes only and are not intended to limit the invention. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings:

[0041] Figure 1 A flowchart illustrating the permission management method provided in an embodiment of the present invention is shown;

[0042] Figure 2 A flowchart illustrating a permission management method provided in another embodiment of the present invention is shown;

[0043] Figure 3 This diagram illustrates a permission request form template based on a single permission control model in a permission management method provided in another embodiment of the present invention.

[0044] Figure 4 This diagram illustrates a permission request form template based on a hybrid permission control model in a permission management method provided in another embodiment of the present invention.

[0045] Figure 5 This illustrates the intent of a permission request to enable table partitioning in a permission management method provided in another embodiment of the present invention;

[0046] Figure 6 A schematic diagram of the structure of the permission management device provided in an embodiment of the present invention is shown;

[0047] Figure 7 A schematic diagram of the permission management device provided in an embodiment of the present invention is shown. Detailed Implementation

[0048] Exemplary embodiments of the invention will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be implemented in various forms and should not be limited to the embodiments set forth herein.

[0049] Before describing the embodiments of the present invention, a brief explanation of the relevant terms is provided:

[0050] RBAC (Role-Based Access Control) model: This model associates users with roles and permissions. Simply put, a user has several roles, and each role has several permissions. This creates a "user-role-permission" authorization model. In this model, the relationship between users and roles, and between roles and permissions, is generally many-to-many.

[0051] The core of the ACL (Access Control List) model lies in directly linking users with permissions (such as functional permissions and data permissions).

[0052] Hybrid model: User functional permissions can be indirectly obtained through the relationship between roles and functional permissions, but data permissions can be directly granted to users, similar to a combination of RBAC and ACL models.

[0053] The existing access control methods and their problems will be further explained below:

[0054] When managing permission requests in existing business systems, administrators configure corresponding permission control models for each business system. This supports the use of a single ACL, RBAC model, or a hybrid model to authorize permissions for internal business systems. Simultaneously, based on the respective permission control model for each system (including mainstream permission authorization models such as RBAC (DRBAC), ACL, ABAC, and RBAC+ACL hybrid authorization models), corresponding permission request forms are configured so that users can fill out these pre-configured forms to request permissions.

[0055] The problems are as follows: Due to differences in system access control models, access request pages need to be customized according to each system model, resulting in poor reusability. Furthermore, because the application forms are custom-developed for each system, page configurations and attribute definitions are not standardized, increasing the learning curve for users. The application form configuration lacks flexibility, failing to adapt to the specific requirements of each system's application process and cannot flexibly configure attributes other than the unified application template. In a single access request, only users with the same access requirements can apply, leading to low efficiency in access requesting.

[0056] Figure 1 A flowchart of a permission management method provided in an embodiment of the present invention is shown. This method is executed by a computer processing device. The computer processing device may include a mobile phone, a laptop computer, etc. Figure 1 As shown, the method includes the following steps:

[0057] Step 10: Obtain the application form generation request sent by the user to be authorized; the application form generation request is used to request the generation of the permission application form corresponding to the target business system.

[0058] In one embodiment of the present invention, the user to be authorized can be a user of the target business system that needs to be authorized, such as an employee management system, and the user to be authorized can be a newly hired human resources staff member 52. The permission application form includes multiple fields to be filled in, and one or more fields represent a permission attribute. The permission attribute may include at least one of data permissions, role permissions, and function permissions. The user to be authorized submits an authorization application by filling in the fields in the permission application form in order to request to be granted specific permissions in the target business system.

[0059] Step 20: Determine the access control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions.

[0060] Unlike existing technologies that require generating different permission request forms for different business systems according to their respective permission control models to complete the authorization of the business system, in one embodiment of the present invention, to improve the reusability of permission request forms, the generation of permission request forms is divided into two parts: a default template part and a part that permission request administrators of the business system can customize. The default template part is determined based on the permission control model information corresponding to the target business system, while the custom configuration part is determined based on the request form configuration information entered by the permission request administrator. The permission control model information includes the permission control model type, such as RBAC, ACL, or a hybrid model. The request form configuration information can include newly added permission attribute information and settings for the attribute display style of newly added attributes and / or default permission attributes in the template. For example, the data type of the attribute value can be text (e.g., "name", "role") or numeric (e.g., "employee ID", "phone number").

[0061] Optionally, to improve the efficiency and accuracy of permission review, the attribute values ​​entered by users in the permission attribute table can be controlled. For example, some permission attributes may be required fields with non-empty values, while the values ​​of other permission attributes may need to fall within a certain range. Therefore, the application form configuration information can also include attribute value control information for permission attributes to facilitate a preliminary formal review of the permission application forms submitted by users.

[0062] Optionally, considering that currently, when a user applies for permissions, only one application form can be submitted at a time to apply for permissions for one object under one business system, resulting in inefficiency in permission applications, in another embodiment of the present invention, the application form configuration information may further include sub-table configuration information. The sub-table configuration information is used to edit the permission attributes of at least two sub-tables included in the same permission application form. The sub-tables are used by the user to complete multiple permission applications through one permission application form. Thus, based on the sub-table configuration information, a corresponding application form including at least two sub-tables can be generated, allowing users to complete multiple independent permission applications by submitting one application form, such as applying for permissions for different users in different business systems with a single submission.

[0063] Step 30: Generate a target application form based on the access control model information and the application form configuration information.

[0064] In one embodiment of the present invention, a preset standard template for a permission request form is determined based on the permission control model information adopted by the business system. This standard template includes multiple default attributes, which are used to configure the permission attributes necessary for the permission control model. For example, when the permission control model is RBAC, the default attributes include role attributes and user identifier attributes. When the permission control model is ACL, the default attributes directly include the data permission attribute to be modified and the user identifier attribute. The request form configuration information is customized by the administrator of the target business system according to permission management requirements. It is used to add or modify permission attributes in the permission request form to control the permission request method for authorized users. The request form configuration information may include newly added custom attributes, which, unlike the aforementioned default attributes, are used to configure the permission attributes pre-configured by the administrator according to permission management requirements.

[0065] Furthermore, the application form configuration information can also include control information for attribute values ​​and styles of default and custom attributes. This means administrators can configure the conditions that default and custom attribute values ​​must meet, as well as data types, display methods, and other style information. This ensures that each permission attribute to be filled in the target application form is displayed in its customized manner, and that the attribute values ​​entered by the user meet the control conditions for attribute values. Finally, the target application form is generated based on the default and custom attributes according to the attribute style control information, and feedback is provided to the user after submitting the completed application form based on the attribute value control information.

[0066] Therefore, in another embodiment of the present invention, step 30 further includes:

[0067] Step 301: Determine the preset standard template of the permission application form corresponding to the permission control model information.

[0068] In one embodiment of the present invention, the standard template for the permission application form includes multiple default attributes. These default attributes are the permission attributes necessary for the permission control model corresponding to the target business system to complete the permission configuration. For example, the default attributes for the ACL model may include "Applicant Information," "Add Data Permission," "Add Data Permission Scope," "Cancel Data Permission Scope," "Remarks," and "Application Reason," etc. Here, "Add Data Permission Scope" indicates the specific scope of the newly added data permission, such as the authorized city scope, project scope, product scope, personnel scope, department / position scope, etc. Correspondingly, under the RBAC model, the default attributes may also include "Add Role Permission," such as "Audit Administrator," "Operations and Maintenance Personnel," etc., which are newly added roles associated with some data and functional permissions. The standard template for the permission application form can be pre-generated based on the permission attributes required by various existing common permission control models.

[0069] Step 302: Edit the permission attributes of the standard template of the permission application form according to the application form configuration information to obtain the target application form.

[0070] In one embodiment of the present invention, the default attributes are configured with attribute styles according to the application form configuration information, and at the same time, custom attributes are added to the target application form. Furthermore, the default attributes and custom attributes in the target application form can be controlled according to attribute value control information.

[0071] In one embodiment of the present invention, the permission attribute includes a default attribute and a custom attribute; the standard template of the permission application form includes at least one of the default attributes; the application form configuration information includes attribute editing information and attribute style information; wherein, the attribute editing information is used to edit the permission attributes in the application form, such as modification, deletion or addition, and the attribute style information includes attribute data type, display type, etc.

[0072] Step 302 further includes: Step 3021: Determine the custom attribute based on the attribute editing information and the default attribute.

[0073] In one embodiment of the present invention, the custom attribute can be obtained by modifying the default attribute as needed. Therefore, the custom attribute can be obtained by editing the default attribute based on the attribute editing information. Optionally, the newly added permission attribute can also be directly determined as the custom attribute based on the attribute editing information.

[0074] Step 3022: Visualize the permission attributes based on the attribute style information to obtain the target application form.

[0075] In one embodiment of the present invention, the display style and data type of the permission attributes in the target application form are set according to the attribute style information to obtain the target application form.

[0076] In another embodiment of the present invention, considering that in existing permission applications, a user can only apply for permissions for one applicant in a business system at a time by filling out one application form, such as submitting a completed target application form to apply for specific permissions for user C1 in system S1. However, in actual permission applications, there is often a need to apply for permissions in batches. For example, a newly hired employee may need to apply for permissions in multiple business systems related to multiple positions, or human resources personnel may need to change permissions in business systems for multiple different employees at the same time. For such scenarios, the existing permission application method is inefficient and cannot meet the needs of permission management. Therefore, in another embodiment of the present invention, it is proposed to set up multiple independent sub-tables in the target application form, and each sub-table can be used by different personnel to apply for permissions in different business systems.

[0077] Specifically, in another embodiment of the present invention, the application form configuration information includes sub-table configuration information; the sub-table configuration information is used to edit the permission attributes of at least two sub-tables included in the same permission application form; the sub-tables are used by the user to be authorized to complete multiple permission applications through one permission application form; step 302 further includes:

[0078] Step 3023: Determine the sub-permission attributes corresponding to at least two sub-tables and the attribute style information corresponding to the sub-permission attributes based on the sub-table configuration information.

[0079] In one embodiment of the present invention, the table partitioning configuration information may include application form configuration information configured by the administrator for each selectable business system and multiple selectable table partitioning combinations. The table partitioning combination represents the respective table partitions corresponding to the business systems that can simultaneously apply for permissions in the same permission application form. By using the application configuration information of each business system corresponding to each table in the table partitioning combination as the table partitioning configuration information, the corresponding sub-permission attributes and corresponding attribute style information in the respective table partitions are generated based on the table partitioning configuration information. It is readily understood that the generation process of the sub-permission attributes and the corresponding attribute style information is similar to that described above and will not be repeated here.

[0080] Step 3024: For each of the sub-tables, perform visualization processing on the sub-permission attributes and the standard template of the permission application table corresponding to the sub-table according to the attribute style information to obtain the target application table.

[0081] In one embodiment of the present invention, the standard template of the permission application form corresponding to the sub-table is determined according to the business system corresponding to the sub-table. The business system information corresponding to the sub-table can be obtained in real time based on the user's confirmation. Specifically, the method of visualizing the determined sub-permission attributes and the default attributes of the system corresponding to the sub-table based on the attribute style information is largely the same as the visualization method in the aforementioned embodiments, and will not be repeated here. Optionally, the sub-table configuration information may also include sub-table hierarchical information, which can be the displayed hierarchical information, such as flat side-by-side display or hierarchical expansion, etc.

[0082] Step 40: Return the target application form to the user to be authorized.

[0083] In one embodiment of the present invention, users can complete permission applications simply by filling in the automatically generated target application form. Users do not need to learn the permission configuration and management rules of different business systems to complete the permission application for the corresponding business system, which reduces the user's learning cost and improves the user's permission application experience.

[0084] In another embodiment of the present invention, considering that the attribute values ​​of permission attributes generally have certain value rules, such as some permission attributes being mandatory fields, their attribute values ​​cannot be empty; and to prevent malicious submission of permission requests to disrupt and attack normal permission management, the number of new permissions submitted by a user at one time should be within a certain range, neither too many nor too few. Therefore, the administrator can also control the attribute values ​​of all permission attributes in the application form configuration information, thereby ensuring that the application forms successfully submitted by the user are normal application forms that conform to the application form filling specifications.

[0085] Therefore, in another embodiment of the present invention, the application form configuration information further includes attribute restriction information; the attribute restriction information is used to control the attribute values ​​of the permission attributes; step 40 further includes:

[0086] Step 401: Obtain the application form to be approved sent by the user to be authorized.

[0087] In one embodiment of the present invention, the application form to be approved can be obtained by the user to be authorized filling in the target application form obtained in the foregoing embodiment, and the application form to be approved can be obtained by parsing the permission application request submitted by the user to be authorized.

[0088] Step 402: Perform a formal verification on the application form to be approved based on the attribute restriction information.

[0089] In one embodiment of the present invention, the attribute values ​​of the permission attributes in the application form to be approved are verified according to the attribute restriction information. When the attribute value meets the attribute value requirements specified in the attribute restriction information, it is determined that the formal verification of the permission attribute has passed; otherwise, it is determined that the formal verification has failed.

[0090] Step 403: When it is determined that the form of the application form to be approved has passed the form verification, the application form to be approved is sent to the permission administrator corresponding to the target business system to process the permission approval for the user to be authorized.

[0091] In one embodiment of the present invention, the application form that has passed the formal verification is then sent to the corresponding permission administrator for permission approval, thereby improving the efficiency of permission approval.

[0092] Correspondingly, when the target application table includes multiple sub-tables, it is necessary to control the attribute values ​​and other characteristics of the permission attributes in each sub-table for the business system corresponding to each sub-table. In another embodiment of the present invention, the sub-table configuration information further includes sub-table restriction information; the sub-table restriction information is used to control the attribute values ​​of the sub-permission attributes in each sub-table.

[0093] Step 40 also includes: Step 404: Obtain the application form to be approved sent by the user to be authorized.

[0094] Step 404 is the same as step 401 above, and will not be repeated here.

[0095] Step 405: When it is determined that the application form to be approved includes multiple sub-tables, the sub-tables are validated according to the sub-table restriction information.

[0096] In one embodiment of the present invention, for each sub-table in the application form to be approved, the sub-table restriction information corresponding to the sub-table is used to perform formal verification on all permission attributes in the sub-table, such as checking whether the attribute values ​​are within a preset range.

[0097] It should be noted that different sub-tables can correspond to permission requests in different business systems. Since different business systems employ different permission control models, the restrictions on the attribute values ​​of permission attributes in the sub-tables may also differ. Therefore, the application form to be approved can be parsed to obtain the permission control model information corresponding to each sub-table. Based on the sub-table permission control model information and the sub-table restriction information pre-configured by the administrator for this business system, the sub-table format verification can be performed. Specifically, the attribute restriction information corresponding to the default attributes included in the sub-table can be determined based on the sub-table permission control model information, and the attribute value restriction information corresponding to the custom sub-permission attributes in the sub-table can be determined based on the sub-table restriction information. The sub-table format verification can then be performed based on the attribute value restriction information.

[0098] Step 406: When it is determined that all the sub-tables have passed the form validation, the application form to be approved is sent to the permission administrator corresponding to the target business system to authorize the user to be authorized.

[0099] In one embodiment of the present invention, when a user fills in and submits multiple sub-tables in a single permission request, it is necessary to perform formal validation on all sub-tables according to the attribute restriction information pre-configured by the administrator. This avoids repeated modifications and submissions due to inappropriate information filled in by the user, thereby improving the efficiency of permission management.

[0100] In one embodiment of the present invention, step 405 is followed by:

[0101] Step 4051: When it is determined that at least one of the sub-tables has failed verification, a prompt message is generated based on the application form to be approved and the sub-table restriction information.

[0102] In one embodiment of the present invention, when any one or more table partitions fail the form validation, the attribute values ​​of each permission attribute in the application form to be approved are checked according to the table partition restriction information. Permission attribute items that do not conform to the table partition restriction information are selected as permission attributes to be modified. Permission attribute specification information corresponding to the permission attribute to be modified is generated according to the table partition restriction information. The permission attribute to be modified and the corresponding permission attribute specification information are displayed as prompt information to the user to be authorized.

[0103] For example, the permission attributes to be modified could be the number of table partitions, the number of users requesting a single table partition, the scope of permissions for adding new functions to a table partition, and the scope of permissions for adding new data to a table partition. If a user submits more table partitions than the maximum number of table partitions allowed in the partition restriction information (e.g., 10) in a single permission request, the user will be prompted regarding that permission attribute (e.g., the number of table partitions) and the corresponding permission attribute specification information (e.g., a maximum of 10 table partitions can be submitted at once), so that the user can reduce the number of table partitions submitted at one time.

[0104] Step 4052: Return the prompt message to the user to be authorized.

[0105] In one embodiment of the present invention, by providing the user to be authorized with the permission attributes to be modified and the corresponding permission attribute specification information, the user can modify the submitted application form according to the prompt information until it conforms to the table restriction information pre-configured by the administrator. On the one hand, this avoids the user failing to apply for multiple independent permissions through a single application form due to unfamiliarity with the operation method, thus improving the user experience of permission application. On the other hand, it also realizes the pre-formal review and correction of the application form to be approved, improving the accuracy of the permission application information and increasing the efficiency of subsequent authorization verification based on the application form to be approved.

[0106] In another embodiment of the present invention, the flowchart for permission management can also be referred to. Figure 2 .

[0107] refer to Figure 2 The first step involves the administrator pre-configuring the permission request form. The administrator selects the business system to be configured on the permission platform and configures the corresponding permission control model based on the actual needs of the business system. After configuring the permission control model, custom attributes are configured for the permission objects, in addition to the initial default attributes, thereby completing the relevant configuration of the permission request form. The permission platform is used by permission management personnel (such as administrators) to manage permissions for business systems.

[0108] The next step involves the user requesting permissions by filling out a permission request form. The user then enters a pre-defined permission request center (which can be a submodule of the aforementioned permission platform) and selects the corresponding business system to request permissions. After selecting the business system, the system will search for the corresponding permission request standard template based on the permission control model configured in the permission platform, such as the RBAC model or ACL model (e.g., ...). Figure 3 As shown), hybrid models (such as...) Figure 4 (As shown). If the permission control platform has not configured a permission control model for the selected system, the system will prompt that the user cannot apply for permission when clicking on the permission center permission application. In addition to the permission standard templates found above, the system will also query the current business system and check whether the administrator has configured custom permission attributes for the application form. Custom attributes can include whether the field is required, the display type, whether the table splitting function is enabled, and the addition of attribute information in the split table, etc. The permission application form with the table splitting function enabled can be found by referring to Figure 5 , Figure 5Application Sub-Form 1 is a newly added sub-table based on the existing permission application form. Furthermore, it can be determined whether the administrator has customized attribute value restrictions for permission attributes, such as whether the multi-table function is enabled, whether the number of applicants per form is controlled, whether the selectable function permissions for each form are controlled, and whether the selectable data permissions for each form are controlled. After confirming the above application form configuration, the permission center automatically assembles the target permission application form according to the corresponding system configuration. Users then apply for permissions based on the target permission application form configured by the system. Thus, the permission platform acts as a bridge between administrators and users, introducing administrators' custom configuration of permission application forms based on the permission control model. This improves personalization while maintaining high reusability, reduces user learning costs and application complexity, and enhances the user experience for both permission application administrators and users.

[0109] Figure 6 A schematic diagram of the permission management device provided in an embodiment of the present invention is shown. Figure 6 As shown, the device 50 includes: an acquisition module 501, a determination module 502, a generation module 503, and a return module 504.

[0110] The acquisition module 501 is used to acquire the application form generation request sent by the user to be authorized; the application form generation request is used to request the generation of the permission application form corresponding to the target business system.

[0111] The determining module 502 is used to determine the access control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions;

[0112] The generation module 503 is used to generate a target application form based on the permission control model information and the application form configuration information.

[0113] Return module 504 is used to return the target application form to the user to be authorized.

[0114] The operation process performed by the permission management device provided in this embodiment of the invention is largely the same as that of the aforementioned method embodiment, and will not be described again.

[0115] The permission management device provided in this embodiment of the invention uses executable instructions stored in the computer storage medium provided in this embodiment of the invention to obtain an application form generation request sent by a user to be authorized. The application form generation request is used to request the generation of a permission application form corresponding to a target business system; determine the permission control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions; generate a target application form according to the permission control model information and the application form configuration information; and return the target application form to the user to be authorized. This invention differs from existing technologies where application forms for different business systems need to be generated independently and cannot be reused, leading to low efficiency in administrator configuration and management of permission application forms, and high learning costs for users when applying for permissions for different systems. This invention generates application forms based on the permission control model adopted by the target business system, combined with administrator-defined application form configuration information. Therefore, when managing permissions for different business systems, administrators only need to configure the custom application form information as needed. This simplifies permission application management for administrators and enables the integration of permission application forms across systems with different permission control models, reducing user learning costs and thus improving the efficiency of permission management and user experience.

[0116] Figure 7 The diagram shows a schematic of the structure of a permission management device provided in an embodiment of the present invention. The specific implementation of the permission management device is not limited by the specific embodiments of the present invention.

[0117] like Figure 7 As shown, the access control device may include: a processor 602, a communications interface 604, a memory 606, and a communications bus 608.

[0118] The processor 602, communication interface 604, and memory 606 communicate with each other via communication bus 608. Communication interface 604 is used to communicate with other network elements such as clients or other servers. The processor 602 executes program 610, specifically performing the relevant steps described above in the embodiments of the permission management method.

[0119] Specifically, program 610 may include program code, which includes computer-executable instructions.

[0120] Processor 602 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The access control device includes one or more processors, which may be processors of the same type, such as one or more CPUs; or processors of different types, such as one or more CPUs and one or more ASICs.

[0121] Memory 606 is used to store program 610. Memory 606 may include high-speed RAM memory, and may also include non-volatile memory, such as at least one disk storage device.

[0122] Specifically, program 610 can be invoked by processor 602 to cause the permission management device to perform the following operations:

[0123] Obtain the request to generate an application form sent by the user to be authorized; the request to generate an application form corresponding to the target business system is used to request the generation of the permission application form.

[0124] Determine the access control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions;

[0125] Generate a target application form based on the access control model information and the application form configuration information;

[0126] The target application form is returned to the user to be authorized.

[0127] The operation process performed by the permission management device provided in this embodiment of the invention is largely the same as that of the aforementioned method embodiment, and will not be described again.

[0128] The permission management device provided in this embodiment of the invention obtains an application form generation request sent by a user to be authorized; the application form generation request is used to request the generation of a permission application form corresponding to a target business system; the permission control model information and application form configuration information corresponding to the target business system are determined; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions; a target application form is generated according to the permission control model information and the application form configuration information; and the target application form is returned to the user to be authorized. This invention differs from existing technologies where application forms for different business systems need to be generated independently and cannot be reused, leading to low efficiency in administrator configuration and management of permission application forms, and high learning costs for users when applying for permissions for different systems. This invention generates application forms based on the permission control model adopted by the target business system, combined with administrator-defined application form configuration information. Therefore, when managing permissions for different business systems, administrators only need to configure the custom application form information as needed. This simplifies permission application management for administrators and enables the integration of permission application forms across systems with different permission control models, reducing user learning costs and thus improving the efficiency of permission management and user experience.

[0129] This invention provides a computer-readable storage medium storing at least one executable instruction. When the executable instruction is executed on a permission management device, the permission management device performs the permission management method in any of the above method embodiments.

[0130] Specifically, the executable instructions can be used to cause the access control device to perform the following operations:

[0131] Obtain the request to generate an application form sent by the user to be authorized; the request to generate an application form corresponding to the target business system is used to request the generation of the permission application form.

[0132] Determine the access control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions;

[0133] Generate a target application form based on the access control model information and the application form configuration information;

[0134] The target application form is returned to the user to be authorized.

[0135] The operation process performed by the executable instructions stored in the computer storage medium provided in this embodiment of the invention is largely the same as that in the aforementioned method embodiments, and will not be described again.

[0136] The executable instructions stored in the computer storage medium provided in this embodiment of the invention generate a request by obtaining an application form sent by a user to be authorized; the application form generation request is used to request the generation of a permission application form corresponding to a target business system; determine the permission control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions; generate a target application form according to the permission control model information and the application form configuration information; and return the target application form to the user to be authorized. This invention differs from existing technologies where application forms for different business systems need to be generated independently and cannot be reused, leading to low efficiency in administrator configuration and management of permission application forms, and high learning costs for users when applying for permissions for different systems. This invention generates application forms based on the permission control model adopted by the target business system, combined with administrator-defined application form configuration information. Therefore, when managing permissions for different business systems, administrators only need to configure the custom application form information as needed. This simplifies permission application management for administrators and enables the integration of permission application forms across systems with different permission control models, reducing user learning costs and thus improving the efficiency of permission management and user experience.

[0137] This invention provides a permission management device for executing the above-described permission management method.

[0138] This invention provides a computer program that can be invoked by a processor to cause a permission management device to execute the permission management method in any of the above method embodiments.

[0139] This invention provides a computer program product, which includes a computer program stored on a computer-readable storage medium. The computer program includes program instructions, which, when executed on a computer, cause the computer to perform the permission management method in any of the above method embodiments.

[0140] The algorithms or displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems can also be used in conjunction with the teachings herein. The required structure for constructing such systems is apparent from the above description. Furthermore, the embodiments of the present invention are not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented using various programming languages, and the above description of specific languages ​​is for the purpose of disclosing the best mode of implementation of the invention.

[0141] Numerous specific details are set forth in the specification provided herein. However, it will be understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques have not been shown in detail so as not to obscure the understanding of this specification.

[0142] Similarly, it should be understood that, in order to streamline the invention and aid in understanding one or more of the various aspects of the invention, features of the embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. However, this disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim.

[0143] Those skilled in the art will understand that modules in the device of the embodiments can be adaptively changed and placed in one or more devices different from that embodiment. Modules, units, or components in the embodiments can be combined into a single module, unit, or component, and can be divided into multiple sub-modules, sub-tables, or sub-components. Except where at least some of such features and / or processes or units are mutually exclusive, any combination can be used to combine all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or device so disclosed. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature that serves the same, equivalent, or similar purpose.

[0144] It should be noted that the above embodiments are illustrative of the invention and not restrictive, and that those skilled in the art can devise alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses should not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in the claims. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several different elements and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by the same item of hardware. The use of the words first, second, and third, etc., does not indicate any order. These words can be interpreted as names. The steps in the above embodiments, unless otherwise specified, should not be construed as limiting the order of execution.

Claims

1. A method for managing access permissions, characterized in that, The method includes: Obtain the request to generate an application form sent by the user to be authorized; the request to generate an application form corresponding to the target business system is used to request the generation of the permission application form. The access control model information and application form configuration information corresponding to the target business system are determined; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions; the application form configuration information includes sub-table configuration information; the sub-table configuration information is used to edit the permission attributes of at least two sub-tables included in the same permission application form; the sub-tables are used by the user to be authorized to complete multiple permission applications through a single permission application form; Generating a target application form based on the access control model information and the application form configuration information further includes: determining a preset standard template for the access control model information; and editing the access attributes of the standard template for the access control model information to obtain the target application form. Editing the permission attributes of the standard template of the permission application form according to the application form configuration information includes: determining the sub-permission attributes corresponding to at least two sub-tables and the attribute style information corresponding to the sub-permission attributes according to the sub-table configuration information; for each sub-table, visualizing the sub-permission attributes and the standard template of the permission application form corresponding to the sub-table according to the attribute style information to obtain the target application form; The target application form is returned to the user to be authorized.

2. The method according to claim 1, characterized in that, The permission attributes include default attributes and custom attributes; the standard template for the permission application form includes at least one of the default attributes; the application form configuration information includes attribute editing information and attribute style information; The step of editing the permission attributes of the standard template of the permission application form according to the configuration information of the application form to obtain the target application form further includes: The custom attribute is determined based on the attribute editing information and the default attribute; The permission attributes are visualized based on the attribute style information to obtain the target application form.

3. The method according to claim 2, characterized in that, The application form configuration information also includes attribute restriction information; The attribute restriction information is used to control the attribute values ​​of the permission attributes; after returning the target application form to the user to be authorized, the process further includes: Obtain the pending application form sent by the user to be authorized; The application form to be approved is formally validated based on the attribute restriction information. When the form of the application to be approved passes the form verification, the application to be approved is sent to the permission administrator corresponding to the target business system for permission approval processing of the user to be authorized.

4. The method according to claim 1, characterized in that, The table partitioning configuration information also includes table partitioning restriction information; the table partitioning restriction information is used to control the attribute values ​​of the sub-permission attributes within each of the partitions; after returning the target application form to the user to be authorized, the process further includes: Obtain the pending application form sent by the user to be authorized; When it is determined that the application form to be approved includes multiple sub-tables, the sub-tables are respectively verified for sub-table format according to the sub-table restriction information; Once it is determined that all the aforementioned tables have passed the formal validation, the application form to be approved is sent to the permission administrator corresponding to the target business system to authorize the user to be authorized.

5. The method according to claim 4, characterized in that, When it is determined that the application form to be approved includes multiple sub-tables, after performing sub-table format verification on each of the multiple sub-tables according to the sub-table restriction information, the process further includes: When it is determined that at least one of the sub-tables has failed verification, a prompt message is generated based on the application form to be approved and the sub-table restriction information. The prompt message will be returned to the user who is to be authorized.

6. A permission management device, characterized in that, The device includes: The acquisition module is used to acquire the application form generation request sent by the user to be authorized; the application form generation request is used to request the generation of the permission application form corresponding to the target business system; The determination module is used to determine the access control model information and application form configuration information corresponding to the target business system; wherein, the application form configuration information is used to configure the permission attributes in the permission application form; the permission attributes are used to configure user permissions; the application form configuration information includes sub-table configuration information; the sub-table configuration information is used to edit the permission attributes of at least two sub-tables included in the same permission application form; the sub-tables are used by the user to be authorized to complete multiple permission applications through a single permission application form; The generation module is used to generate a target application form based on the access control model information and the application form configuration information, and further includes: determining a preset standard template for the access control model information; and editing the access attributes of the standard template for the access control model information according to the application form configuration information to obtain the target application form. Editing the permission attributes of the standard template of the permission application form according to the application form configuration information includes: determining the sub-permission attributes corresponding to at least two sub-tables and the attribute style information corresponding to the sub-permission attributes according to the sub-table configuration information; for each sub-table, visualizing the sub-permission attributes and the standard template of the permission application form corresponding to the sub-table according to the attribute style information to obtain the target application form; The return module is used to return the target application form to the user to be authorized.

7. A permission management device, characterized in that, include: The processor, memory, communication interface, and communication bus are provided, wherein the processor, memory, and communication interface communicate with each other via the communication bus. The memory is used to store at least one executable instruction, which causes the processor to perform the operation of the permission management method as described in any one of claims 1-5.

8. A computer-readable storage medium, characterized in that, The storage medium stores at least one executable instruction, which, when executed on the permission management device, causes the permission management device to perform the operation of the permission management method as described in any one of claims 1-5.