A permission query method and device, electronic equipment, and storage medium

By converting a relational database into a graph data structure to store the mapping relationships between subjects and roles, subjects and attributes, attributes and roles, and roles and objects, the problems of large data volume and low query efficiency in permission management are solved, and more efficient permission queries are achieved.

CN117235115B · Active · Publication Date: 2026-06-26 · CHANGCHUN JIDA ZHENGYUAN INFORMATION TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHANGCHUN JIDA ZHENGYUAN INFORMATION TECH CO LTD
Filing Date
2023-09-25
Publication Date
2026-06-26

AI Technical Summary

Technical Problem

In access control, existing technologies store the relationships between subjects, roles, and objects, as well as attributes, roles, and objects in relational databases. This results in large data volumes and low query efficiency, leading to long storage times and excessively long query times.

Method used

Convert relational databases into graph data structures to store the relationships between subjects and roles, subjects and attributes, attributes and roles, and roles and objects. Use graph data structures for permission queries to reduce the amount of data storing the same information and improve query efficiency.

Benefits of technology

By using graph data structures for querying, storage time is reduced and the efficiency of permission-based queries is improved, solving the problems of large data volume and long query time.



Abstract

The present disclosure provides a permission query method and device, electronic equipment and storage medium, comprising: confirming and storing a relational database, wherein the relational database at least includes a subject-role correspondence, a subject-attribute correspondence, an attribute-role correspondence, and a role-object correspondence; in response to the authorization service starting, converting the relational database into a graph data structure; and in response to receiving a permission query request of a first subject, confirming the object corresponding to the first subject based on the graph data structure; wherein the attribute-role correspondence includes the correspondence between any role and all attributes owning that role, and the object corresponding to the first subject is the permission corresponding to the first subject. In this way, only the different correspondences are stored in the relational database, the same information is represented by less data, and storage time is reduced; when querying permissions, the graph data structure is used for the query, which improves query efficiency.

Description

Technical Field

[0001] This disclosure relates to the field of access control technology, and in particular to a permission query method, apparatus, electronic device, and storage medium.

Background Technology

[0002] In the process of permission management, subjects and objects are associated through roles, that is, subjects are associated with roles, and roles are associated with objects; attributes and objects are also associated through roles, that is, attributes are associated with roles, and roles are associated with objects. When storing permissions, the complete subject-role-object and attribute-role-object associations are usually stored in a relational database, which results in a large amount of data and a long storage time. In addition, when querying permissions, it is necessary to traverse all subjects and all attributes of all subjects in the relational database, which results in low search efficiency.

Summary of the Invention

[0003] This disclosure provides a method, apparatus, electronic device, and storage medium for querying permissions, in order to at least solve the above-mentioned technical problems existing in the prior art.

[0004] According to a first aspect of this disclosure, a method for querying permissions is provided, comprising:

[0005] Identify and store a relational database; wherein the relational database includes at least subject-role correspondence, subject-attribute correspondence, attribute-role correspondence, and role-object correspondence;

[0006] In response to the activation of the authorization service, the relational database is converted into a graph data structure;

[0007] In response to receiving a permission query request from the first subject, the object corresponding to the first subject is confirmed based on the graph data structure;

[0008] The attribute-role correspondence includes the correspondence between any role and all attributes that possess that role; the object corresponding to the first subject is the permission corresponding to the first subject.

[0009] According to a second aspect of this disclosure, an authorization query device is provided, comprising:

[0010] A confirmation unit is used to confirm and store a relational database; wherein the relational database includes at least subject-role correspondence, subject-attribute correspondence, attribute-role correspondence, and role-object correspondence;

[0011] A transformation unit is used to convert the relational database into a graph data structure in response to the activation of the authorization service;

[0012] The query unit is used to respond to receiving a permission query request from the first subject, and then confirm the object corresponding to the first subject based on the graph data structure.

[0013] The attribute-role correspondence includes the correspondence between any role and all attributes that possess that role; the object corresponding to the first subject is the permission corresponding to the first subject.

[0014] According to a third aspect of this disclosure, an electronic device is provided, comprising:

[0015] At least one processor; and

[0016] A memory communicatively connected to the at least one processor; wherein,

[0017] The memory stores instructions that can be executed by the at least one processor to enable the at least one processor to perform the methods described in this disclosure.

[0018] According to a fourth aspect of this disclosure, a non-transitory computer-readable storage medium is provided storing computer instructions for causing the computer to perform the methods described in this disclosure.

[0019] The permission query method disclosed herein confirms and stores a relational database. This relational database includes at least subject-role mappings, subject-attribute mappings, attribute-role mappings, and role-object mappings. In response to the activation of the authorization service, the relational database is converted into a graph data structure. In response to receiving a permission query request from a first subject, the object corresponding to the first subject is confirmed based on the graph data structure. The attribute-role mappings include mappings between any attribute and all roles possessing that attribute. The object corresponding to the first subject is the permission corresponding to the first subject. Thus, storing subject-object mappings and attribute-role mappings in the relational database eliminates the need to associate roles with subjects, allowing for the representation of the same information with less data and reducing storage time. Querying permissions using the graph data structure improves query efficiency.

[0020] It should be understood that the description in this section is not intended to identify key or essential features of the embodiments of this disclosure, nor is it intended to limit the scope of this disclosure. Other features of this disclosure will become readily apparent from the following description.

Description of the Drawings

[0021] The above and other objects, features, and advantages of this disclosure will become readily apparent from the following detailed description of exemplary embodiments, taken in conjunction with the accompanying drawings. Several embodiments of this disclosure are illustrated in the drawings by way of example and not limitation, in which:

[0022] In the accompanying drawings, the same or corresponding reference numerals indicate the same or corresponding parts.

[0023] Figure 1 shows an optional flowchart of the permission query method provided in an embodiment of the present disclosure;

[0024] Figure 2 shows another optional flowchart of the permission query method provided in an embodiment of the present disclosure;

[0025] Figure 3 shows another optional flowchart of the permission query method provided in an embodiment of the present disclosure;

[0026] Figure 4 shows another optional flowchart of the permission query method provided in an embodiment of the present disclosure;

[0027] Figure 5 shows an optional schematic diagram of the graph data structure provided in an embodiment of the present disclosure;

[0028] Figure 6 shows an optional structure of the permission query device provided in an embodiment of the present disclosure;

[0029] Figure 7 shows a schematic diagram of the composition of an electronic device according to an embodiment of the present disclosure.

Detailed Implementation

[0030] To make the objectives, features, and advantages of this disclosure more apparent and understandable, the technical solutions in the embodiments of this disclosure will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this disclosure, and not all of them. All other embodiments obtained by those skilled in the art based on the embodiments of this disclosure without creative effort are within the scope of protection of this disclosure.

[0031] In the following description, references are made to “some embodiments,” which describe a subset of all possible embodiments. However, it is understood that “some embodiments” may be the same subset or different subsets of all possible embodiments and may be combined with each other without conflict.

[0032] In the following description, the terms "first" and "second" are used merely to distinguish similar objects and do not represent a specific ordering of objects. It is understood that "first" and "second" may be interchanged in a specific order or sequence where permitted, so that the embodiments of this disclosure described herein can be implemented in an order other than that illustrated or described herein.

[0033] Unless otherwise defined, all technical and scientific terms used in this disclosure have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. The terminology used in this disclosure is for the purpose of describing embodiments of this disclosure only and is not intended to be limiting of this disclosure.

[0034] It should be understood that in the various embodiments of this disclosure, the sequence number of each implementation process does not imply the order of execution. The execution order of each process should be determined by its function and internal logic, and should not constitute any limitation on the implementation process of the embodiments of this disclosure.

[0035] Before providing a further detailed description of the embodiments of this disclosure, the nouns and terms involved in the embodiments of this disclosure will be explained, and the nouns and terms involved in the embodiments of this disclosure shall be interpreted as follows.

[0036] 1) Subject.

[0037] In the embodiments disclosed herein, the subject generally refers to an entity that is a single, independent individual.

[0038] 2) Role.

[0039] Roles correspond to subjects. One subject can correspond to multiple roles, representing the subject's identity, responsibilities, or powers. For example, roles can include administrators, employees, and managers.

[0040] 3) Attributes.

[0041] Attributes correspond to the subject and can also be called subject attributes. They refer to certain characteristics of the subject, such as the organization to which the subject belongs.

[0042] 4) Object.

[0043] An object includes functions, resources, and roles, which can be collectively referred to as permissions. For example, granting function 1 to a subject can be understood as granting that subject the permission corresponding to function 1.

[0044] In related technologies, relational databases are generally used in the field of access control. During access control, the permissions of a subject to an object are associated through roles. The relationship between subject, role, and object is: subject associated with role, role associated with object. After introducing authorization through subject attributes in access control, the relationship between subject attributes, role, and object becomes: subject attributes associated with role, role associated with object, adding an extra layer of association between subject and subject attributes. Authorization generally takes two forms: one is directly granting permissions to the subject itself, and the other is authorizing permissions through subject attributes, with the subject inheriting the permissions possessed by those attributes. A subject's permission information is generally determined by its own permissions and the permissions inherited from its attributes, ultimately defining its final permissions.

[0045] There are two ways to handle the permissions granted to a subject and the permissions granted to its attributes:

[0046] Method 1) stores the permission results granted to the subject and the permission results granted to the subject attributes separately. When the administrator needs to display the final permissions of the subject during the subject permission query, the administrator polls all attribute permissions of the subject, calculates the final subject permission result, and displays it to the administrator.

[0047] Method 2) queries all subjects associated with a subject attribute during the authorization process, matches the permissions directly to those subjects, and then saves the results. When the administrator performs a subject permission query, all permissions of the subject can be queried directly and displayed to the administrator.

[0048] Both the permissions and attributes granted to the subject, and the two methods of handling the granted permissions, have certain shortcomings:

[0049] The results of granting permissions to the subject and the results of granting permissions to the subject's attributes are stored separately. When querying subject permissions, it is necessary to display the subject's final permissions. This requires polling all attribute permissions of the subject in the relational database to calculate the subject's final permissions. The time spent on this process increases with the complexity of the subject's attributes, gradually exceeding the time that users can tolerate for the system to display.

[0050] During the authorization process, the permissions of the subject attributes are directly matched to the subject before the result is saved. However, when the number of subjects associated with the subject attributes reaches a certain level, the permissions granted to the subject attributes need to be saved to the subjects separately when saving the authorization result. The time spent on data storage cannot be completed within the time that users can tolerate.

[0051] In view of the deficiencies existing in the related technologies, the present disclosure provides a permission query method that can solve some or all of the above-mentioned technical problems.

[0052] Figure 1 shows a schematic diagram of an optional permission query method provided in an embodiment of this disclosure; its steps are described in detail below.

[0053] Step S101: Confirm and store the relational database.

[0054] In some embodiments, the carrier implementing the permission query method identifies and stores a relational database, which includes at least subject-role correspondence, subject-attribute correspondence, attribute-role correspondence, and role-object correspondence.

[0055] In some embodiments, the process of the carrier confirming the relational database may include a process of authorizing the subject, that is, confirming the object corresponding to the subject, or the object corresponding to the attribute; the carrier storing the relational database includes storing the authorization result of the subject.

[0056] The subject-role correspondence includes the correspondence between any role and the subject that owns that role, for example, all subjects with the role of "employee"; the subject-attribute correspondence includes the correspondence between any attribute and the subject that owns that attribute, for example, all subjects belonging to organization A; the attribute-role correspondence includes the correspondence between any role and the attribute that owns that role, for example, all organizations that own the role of "administrator", i.e., the correspondence between the administrator role and all organizations; the role-object correspondence includes the correspondence between any object and the role that owns that object, for example, all roles with the object "login", or all roles with the object "editor attribute".

[0057] Specifically, the correspondence between subjects and attributes can include how many subjects are included in any attribute, such as how many subjects belong to an organization; the correspondence between roles and objects can include which objects a role owns, such as which objects the "administrator" role owns and which objects the "employee" role owns.

[0058] In this way, relational databases no longer store detailed subject-object relationships, but rather attribute-role mappings. It is not necessary to directly associate roles with subjects during authorization, thus using less data to represent the same information and reducing data storage time.

[0059] In step S102, in response to the start of the authorization service, the relational database is converted into a graph data structure.

[0060] In some embodiments, in response to the activation of the authorization service, the carrier loads the relational database into memory and converts the two-dimensional relational database into a graph structure, storing it in a cache so that it can be directly retrieved from the cache for subsequent use.

[0061] In some embodiments, the authorization service includes a permission granting service, a permission query service, and a permission update service.

[0062] In some embodiments, the graph data structure includes vertices and edges connecting two vertices. The vertices may include subjects, roles, attributes, and objects, and an edge connecting two vertices represents an association or correspondence between them. For example, if subject 1 is connected to role 1, it means that subject 1 holds role 1 in certain circumstances.

[0063] Step S103: In response to receiving the permission query request from the first subject, the object corresponding to the first subject is confirmed based on the graph data structure.

[0064] In some embodiments, the permission query request of the first subject may include a permission query request issued by the system after the first subject logs in, in order to facilitate the first subject to perform relevant operations; or, it may also include permission query requests from other users for the first subject.

[0065] In some embodiments, the carrier queries the graph data structure for role vertices that have an association relationship with the vertices of the first subject, and further confirms object vertices that have an association relationship with the role vertices; and queries the graph data structure for attribute vertices that have an association relationship with the vertices of the first subject, and for role vertices that have an association relationship with the attribute vertices, and further confirms object vertices that have an association relationship with the role vertices. The identifiers corresponding to all object vertices are confirmed to be objects corresponding to the first subject. The identifiers corresponding to object vertices include the object represented by the object vertex; for example, if the identifier corresponding to an object vertex is query data, then the object represented by the object vertex is the query data.

[0066] Thus, the permission query method provided in this embodiment stores the subject-role correspondence, subject-attribute correspondence, attribute-role correspondence, and role-object correspondence in the relational database, instead of storing all objects corresponding to each subject. This eliminates the need to associate roles with subjects, allowing the same information to be represented with less data and reducing storage time. Furthermore, querying permissions through a graph data structure can improve query efficiency.

[0067] Figure 2 shows another optional flowchart of the permission query method provided in an embodiment of this disclosure, which is explained step by step below.

[0068] Step S201: Confirm and store the relational database.

[0069] In some embodiments, the process of confirming the relational database includes the process of granting subject permissions, and the process of storing the relational database includes the process of storing subject permissions.

[0070] In some embodiments, the carrier implementing the permission query method confirms the correspondence between each subject and role in all subjects; based on the role of each subject in its corresponding attribute, confirms the correspondence between attribute and role; confirms that the correspondence between subject and object, and the correspondence between attribute and role constitute the relational database, and stores the relational database in memory.

[0071] In specific implementation, the carrier implementing the permission query method confirms the role corresponding to the second subject, and confirms the object corresponding to the role based on the role; the carrier confirms the attribute corresponding to the second subject, confirms the role corresponding to the attribute based on the attribute, and confirms the object corresponding to the role based on the role.

[0072] In some embodiments, the carrier confirms that the relational database includes one of subject-object mapping relationships and subject-role mapping relationships, as well as attribute-role mapping relationships. Specifically, the subject-object mapping relationship includes the mapping relationship between a subject and an object confirmed through a role, i.e., the subject authorization result; the subject-role mapping relationship includes the mapping relationship between any role and the subject that owns that role; the attribute-role mapping relationship includes the mapping relationship between any role and the attribute that owns that role. For example, all organizations that own the "administrator" role represent the mapping relationship between the administrator role and all organizations.

[0073] In some alternative embodiments, the carrier can also confirm the role-object correspondence.

[0074] Thus, in storage, only the correspondence needs to be stored, rather than storing all objects corresponding to each subject or all objects corresponding to each attribute. Representing the same information with less data can reduce the amount of data stored.

[0075] In some optional embodiments, the subject authorization result and the attribute authorization result can be stored separately, that is, the subject-object correspondence and the attribute-role correspondence can be stored separately.

[0076] Specifically, in related technologies, relational databases store all roles corresponding to each subject, all objects corresponding to each role, all attributes corresponding to each subject, and all roles corresponding to each attribute, resulting in a huge amount of data in relational databases. In this embodiment of the present disclosure, the relational database only stores the correspondence between subjects and roles, subjects and attributes, attributes and roles, and roles and objects, which greatly reduces the amount of data.

[0077] For example, in existing technologies, all subjects within an organization need to have their roles and permissions stored separately; or, for each subject, the permissions corresponding to its roles are stored separately. For example, subject 1 corresponds to the employee, administrator, and manager roles, corresponding to objects 1-10; subject 2 corresponds to the employee role, corresponding to objects 1-3; subject 3 corresponds to the employee and administrator roles, corresponding to objects 1-10. In related technologies, the relational database stores subject 1-role 1-object 1, subject 1-role 1-object 2, subject 1-role 1-object 3, and so on. Using the method provided in this disclosure, the data stored in the relational database is reduced to the following: subject 1, subject 2, and subject 3 correspond to the employee role; subject 1 and subject 3 correspond to the administrator role; the employee role corresponds to objects 1, 2, and 3; and the administrator role corresponds to objects 4-10. There is no need to store the permissions corresponding to each subject separately.

[0078] Step S202: Using subjects, attributes, roles, and objects as vertices, and the relationships between vertices as edges, the relational database is converted into a graph data structure.

[0079] In some embodiments, in response to the activation of the authorization service, the carrier obtains the relational database and loads the relational database into memory; based on the subjects, attributes, objects, and roles in the relational database, the vertices of the graph data structure are confirmed; based on the subject-object correspondence and the attribute-role correspondence, the edges of the graph data structure are confirmed; after constructing the graph data structure, the graph data structure is stored in the cache.

[0080] In specific implementation, in response to the subject-object correspondence and attribute-role correspondence stored in the relational database, the carrier, based on the subject-object correspondence, confirms whether any subject vertex and any object vertex in the graph data structure have an association relationship; based on the attribute-role correspondence, it confirms whether any subject vertex and any attribute vertex, any attribute vertex and any role vertex, and any role vertex and any object vertex in the graph data structure have an association relationship; two vertices with an association relationship are connected, and the connecting line is an edge of the graph data structure; two vertices without an association relationship are not connected.

[0081] For example, if the relational database stores subject-object correspondences and attribute-role correspondences, then after setting each vertex of the graph data structure as subject, role, attribute, and object, subject vertices with correspondences (or associations) are connected to object vertices based on subject-object correspondences; attribute vertices with correspondences are connected to role vertices based on attribute-role correspondences; and role vertices with correspondences are connected to object vertices based on role-object correspondences.

[0082] Alternatively, in specific implementation, in response to the relational database storing subject-role correspondences, attribute-role correspondences, and role-object correspondences, the carrier confirms whether any subject vertex and any role vertex in the graph data structure have an association relationship, and whether any role vertex and any object vertex have an association relationship; based on the attribute-role correspondences, it confirms whether any subject vertex and any attribute vertex in the graph data structure have an association relationship, whether any attribute vertex and any role vertex have an association relationship, and whether any role vertex and any object vertex have an association relationship; two vertices with an association relationship are connected, and the connecting line is an edge of the graph data structure; two vertices without an association relationship are not connected.

[0083] For example, if the relational database stores subject-role correspondences, attribute-role correspondences, and role-object correspondences, then after setting each vertex of the graph data structure as subject, role, attribute, and object, subject vertices with correspondences (or associations) are connected to role vertices based on subject-role correspondences; attribute vertices with correspondences are connected to role vertices based on attribute-role correspondences; and role vertices with correspondences are connected to object vertices based on role-object correspondences.

[0084] In some alternative embodiments, after the carrier constructs the graph data structure, it can also store the graph data structure in a cache, and retrieve the graph data structure from the cache when permission query is required.

[0085] In some embodiments, the carrier serializes the graph data structure and converts the serialized graph data structure into a character stream, which is then stored in a cache.

[0086] In specific implementation, the carrier, based on the association relationships between vertices in the graph data structure, splits the graph data structure into at least two sequences; wherein, each sequence includes vertices with association relationships, the starting vertex of each sequence is the subject vertex, the ending vertex is the object vertex, and the intermediate vertices include role vertices, or attribute vertices and role vertices; based on the characters corresponding to the vertices and the characters corresponding to the edges between the vertices, each sequence is converted into a character stream, and the character streams corresponding to the at least two sequences are stored in the cache according to the splitting order.

[0087] Specifically, the carrier can start from any subject vertex in the graph data structure, identify any role vertex connected to that subject vertex, and any object vertex connected to that role vertex. The subject vertex-role vertex-object vertex path is one sequence. Based on the characters corresponding to the vertices and the characters corresponding to the edges between the vertices, each sequence is converted into a character stream. In this way, the graph data structure is split into at least two sequences, and the character streams corresponding to the at least two sequences are stored in the cache according to the splitting order.

[0088] Step S203: Based on the graph data structure, confirm the object corresponding to the first subject.

[0089] In some embodiments, in response to receiving a permission query request from a first subject, the graph data structure is retrieved from the cache, and the object corresponding to the first subject is confirmed based on the graph data structure.

[0090] In specific implementation, the carrier obtains all first role vertices that are associated with the first subject and first object vertices that are associated with the first role vertices from the graph data structure; obtains all first attribute vertices that are associated with the first subject, second role vertices that are associated with the first attribute vertices, and second object vertices that are associated with the second role vertices from the graph data structure; and confirms that the object corresponding to the first object vertex and the object corresponding to the second object vertex are the objects corresponding to the first subject.

[0091] In some embodiments, the carrier can also receive query requests for any one of the roles, attributes, and objects. The edge between any two related vertices in the graph data structure is bidirectional. For example, if there is a relationship between subject 1 and role 1, the carrier can query role 1 based on subject 1, or query subject 1 based on role 1.

[0092] In some optional embodiments, if the cache stores a serialized graph data structure, the carrier obtains the character streams corresponding to the at least two sequences from the cache in reverse order of splitting; based on the characters corresponding to the vertices and the characters corresponding to the edges between the vertices, the character streams are converted into at least two sequences; based on the vertices in the sequences and the relationships between the vertices, the at least two sequences are restored to a graph data structure.
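The splitting, caching and restoring described in [0086], [0087] and [0092] (and again for the conversion and query units in [0139] to [0141]), as an added illustration that is not code from the patent. The vertex naming "type:name", the ">" edge character and the Python list standing in for the cache service are assumptions made here; the sample graph is constructed from the Zhang San example given later in the description.

```python
"""Split a permission graph into subject-to-object sequences, encode each
sequence as a character stream, cache the streams in split order and restore
the graph by reading them back in reverse order."""
from collections import defaultdict
from typing import Dict, List, Set

Graph = Dict[str, Set[str]]
EDGE_CHAR = ">"  # assumed character standing for an edge in the stream


def vtype(v: str) -> str:
    """Type identifier retained on every vertex: subject, attribute, role, object."""
    return v.split(":", 1)[0]


def add_edge(graph: Graph, a: str, b: str) -> None:
    """Undirected (bidirectional) association between two vertices."""
    graph[a].add(b)
    graph[b].add(a)


def split_into_sequences(graph: Graph) -> List[List[str]]:
    """Enumerate every subject->...->object path of the two allowed shapes:
    subject-role-object and subject-attribute-role-object."""
    sequences: List[List[str]] = []
    for s in sorted(v for v in graph if vtype(v) == "subject"):
        for r in sorted(n for n in graph[s] if vtype(n) == "role"):
            for o in sorted(n for n in graph[r] if vtype(n) == "object"):
                sequences.append([s, r, o])
        for a in sorted(n for n in graph[s] if vtype(n) == "attribute"):
            for r in sorted(n for n in graph[a] if vtype(n) == "role"):
                for o in sorted(n for n in graph[r] if vtype(n) == "object"):
                    sequences.append([s, a, r, o])
    return sequences


def is_encodable(seq: List[str]) -> bool:
    """A vertex name containing the edge character would be mis-parsed on
    restore, so such a sequence is refused rather than encoded ambiguously."""
    return all(EDGE_CHAR not in v for v in seq)


def to_stream(seq: List[str]) -> str:
    if not is_encodable(seq):
        raise ValueError(f"vertex name contains edge character {EDGE_CHAR!r}: {seq}")
    return EDGE_CHAR.join(seq)


def from_stream(stream: str) -> List[str]:
    return stream.split(EDGE_CHAR)


def serialize_to_cache(graph: Graph) -> List[str]:
    """Store the character streams in the cache in the order of splitting."""
    return [to_stream(seq) for seq in split_into_sequences(graph)]


def restore_from_cache(cache: List[str]) -> Graph:
    """Read the streams back in reverse order of splitting and rebuild the
    graph from the vertices of each sequence and the edges between neighbours."""
    graph: Graph = defaultdict(set)
    for stream in reversed(cache):
        seq = from_stream(stream)
        for a, b in zip(seq, seq[1:]):
            add_edge(graph, a, b)
    return graph


def build_sample_graph() -> Graph:
    """Constructed sample data: Zhang San holds role admin directly and
    role PM through the organization attribute."""
    g: Graph = defaultdict(set)
    add_edge(g, "subject:Zhang San", "role:admin")
    add_edge(g, "subject:Zhang San", "attribute:organization")
    add_edge(g, "attribute:organization", "role:PM")
    for o in ("administrator management", "configuration management", "data dictionary"):
        add_edge(g, "role:admin", "object:" + o)
    for o in ("add personnel", "view personnel", "modify personnel", "delete personnel"):
        add_edge(g, "role:PM", "object:" + o)
    return g


def round_trip_ok() -> bool:
    """True when serialising and restoring reproduces the original graph."""
    g = build_sample_graph()
    restored = restore_from_cache(serialize_to_cache(g))
    return dict(restored) == dict(g)


if __name__ == "__main__":
    for stream in serialize_to_cache(build_sample_graph()):
        print(stream)
    print("round trip ok:", round_trip_ok())
```

Two properties of the scheme are worth checking in practice. Only vertices and edges that lie on some subject-to-object path survive the split, so a role with no object, or an attribute with no role, is silently dropped by the round trip; the sample graph has none, which is why the check passes. And because the stream format is only delimiters and names, a restore reads exactly what was written, which is a reason to prefer it over the generic byte-stream serialization of [0113] when the cache service is shared with other components.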

[0093] Thus, the permission query method provided in this embodiment stores the subject-role correspondence, subject-attribute correspondence, attribute-role correspondence, and role-object correspondence in the relational database. A role granted through an attribute does not have to be associated with each subject that has the attribute, so the same information is represented with less data and storage time is reduced. When querying permissions, the query is performed through the graph data structure, which improves query efficiency.

[0094] Figure 3 shows another optional flowchart of the permission query method provided in the embodiments of this disclosure, which will be explained step by step.

[0095] Step S301: Receive permission update broadcast.

[0096] In some embodiments, after the relational database has been converted into a graph data structure (i.e., after steps S101-S102 or S201-S202 have been executed), permissions may still be updated, for example by adding permissions for a subject, adding permissions for a role, or deleting permissions for an attribute. The carrier then receives the permission update broadcast and obtains the update operation corresponding to it.

[0097] The update operation corresponding to the permission update broadcast includes at least one of the following: update operation of subject, role, attribute and object, update operation of subject-role correspondence, update operation of subject-attribute correspondence, update operation of attribute-role correspondence, and update operation of role-object correspondence.

[0098] Step S302: Update the graph data structure based on the update operation corresponding to the permission update broadcast.

[0099] In some embodiments, in response to an update of the relational database, the carrier confirms the vertices and / or edges in the graph data structure corresponding to the update operation. If the update operation is an addition, it checks whether the corresponding vertex and / or edge is already in the current graph structure and, if not, adds it; if the update operation is a deletion, it deletes the corresponding vertex and / or edge from the current graph structure.

[0100] In some alternative embodiments, multiple update operations may occur at the same time, i.e., multiple update broadcasts are sent concurrently. In that case, a locking mechanism is used when updating the graph data structure, so that concurrent operations cannot leave a query reading a partially updated graph (dirty reads).

[0101] Thus, after the relational database is updated, the embodiments of this disclosure can adaptively update the graph data structure to ensure the accuracy of permission queries.

[0102] Figure 4 is a schematic diagram of another optional flow of the permission query method provided in an embodiment of this disclosure, which will be described step by step.

[0103] Step S401: Confirm and store the relational database.

[0104] In some embodiments, the process of confirming the relational database includes the process of granting permissions. The following example grants the object (permission) corresponding to role 1 (admin) to subject 1 (Zhang San), and grants the permission corresponding to role 2 (PM) to subject 1 through one of its attributes (organization).

[0105] Among them, the objects corresponding to Role 1 include administrator management, configuration management and data dictionary (the subject's own permissions), and the objects corresponding to Role 2 include adding, viewing, modifying and deleting personnel.

[0106] In some embodiments, the carrier implementing the permission query method confirms the permission granted to subject 1 through role 1 and stores the correspondence between subject 1 and role 1, denoted r1; the carrier confirms the permission granted to subject 1 through role 2 and stores the correspondence between attribute 1 (organization) and role 2, denoted r2.

[0107] For example, the [PM] role permission is granted to Zhang San's organization, and the record stored is the organization together with the [PM] role permission; all personnel under this organization inherit this permission record.

[0108] In some optional embodiments, when the carrier checks Zhang San's permissions through the permission query function, it queries record r1 and then loops through all of Zhang San's attributes. When the loop reaches the organization attribute, record r2 is retrieved. Record r2 contains the permissions that Zhang San inherits through the organization, and these are merged into the permission query results that are displayed.

[0109] In some embodiments, the carrier stores the authorization results of the subject and the authorization results of the subject's attributes separately. The purpose is that authorizing an attribute does not require retrieving all subjects associated with that attribute; only the attribute-role mapping is saved. This avoids associating the role directly with every subject during authorization, which solves the problem of long permission storage time, and it simplifies authorization management: permissions reach subjects through their attributes instead of being stored on each subject directly.

[0110] Step S402: Convert the relational database into a graph data structure.

[0111] In some embodiments, the permission query service loads the relational database into memory when it starts; the two-dimensional relational database data is processed into graph data structure data; to avoid the graph data structure being repeatedly constructed during use, the graph data structure is serialized and stored in the cache.

[0112] In specific implementation, after the carrier loads the two-dimensional relational data into memory, it abstracts the subject, attribute, object, and role into graph data structure vertices, puts them into the graph data structure, and retains the original type identifiers (such as subject, attribute, role, and object); it abstracts the subject-attribute relationship, the role-object relationship, the subject-role relationship, and the attribute-role relationship into undirected associations (or bidirectional associations) between vertices, creating associations between each vertex.

[0113] Optionally, the graph data structure is serialized by converting the object into a byte stream and storing it in a cache service; when the data is used, the graph data structure data in the cache is deserialized to convert the byte stream data into graph data.

[0114] Figure 5 is an optional schematic diagram of the graph data structure provided in an embodiment of this disclosure.

[0115] The graph data structure constructed according to the embodiments of this disclosure can accommodate different types of data and the relationships between them. It solves the technical problem that a graph data structure can otherwise store only a single kind of data relationship, and achieves the technical effect that the permission query service obtains a panoramic view of the permission relationships in a single query.

[0116] Step S403: Perform an access control query based on the query information.

[0117] In some embodiments, the query information may include at least one of subject, attribute, role, and object. Since any two associated vertices in the graph data structure are connected by an undirected (bidirectional) edge, the other vertices associated with any vertex can be queried starting from that vertex. The following example uses Zhang San as the query information.

[0118] In some embodiments, the carrier retrieves a graph data structure from a cache; constructs a vertex structure for Zhang San, and queries the graph data structure to find the vertex corresponding to Zhang San; retrieves all other vertices in the graph data structure that are associated with Zhang San's vertex; and restores the original data type of the associated vertices through their type identifiers.

[0119] Step S404, Permission Update.

[0120] In some embodiments, after the graph data structure is generated, there may be updates to the relational database.

[0121] In some embodiments, after updating permissions based on an update operation, the updated data is stored in a relational database and broadcast; the carrier receives the permission update broadcast and obtains the update operation corresponding to the permission update broadcast.

[0122] In some embodiments, the carrier determines whether the subject, attribute, role, and object corresponding to the update operation are already in the graph data structure. If not, it adds a new vertex to the graph data structure. Based on the update operation, it modifies the relationship between vertices. If it is a permission grant, it adds a vertex relationship; if it is a permission revocation, it deletes the relationship between vertices. Optionally, due to the possibility of concurrent scenarios, a locking mechanism will be used to avoid problems such as dirty reads of the graph data structure caused by concurrency.

[0123] Thus, the permission query method provided in this embodiment loads the relationships between the subject, subject attributes, roles, and objects into memory to construct a graph structure during permission query. The subjects, subject attributes, roles, and objects constitute the vertices in the graph structure, and each vertex identifies its category. The relationships between vertices are bidirectional. During permission query, the subject, subject attributes, roles, and objects can be used as query conditions. All vertices associated with the vertices matching the query conditions in the graph structure are retrieved and categorized for display on the front-end page. This improves permission query speed without changing the format of the authorization management storage data or increasing the complexity when permissions change.
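The complete flow of steps S401 to S404 (grant, convert, query, update), which is also the query of [0090] and [0091] and the locked update of [0099], [0100] and [0122], as an added illustration that is not code from the patent. The relational tables are constructed from the Zhang San example in the description; Li Si as a second member of the same organization, the vertex naming "type:name", the operation names "grant", "revoke" and "delete_vertex", and the threading lock standing in for the locking mechanism are assumptions made here.

```python
"""Permission query over an in-memory graph built from the four relational
tables, and permission updates applied to that graph under a lock."""
import threading
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed relational tables; r1 and r2 are the records named in the text.
SUBJECT_ROLE: List[Tuple[str, str]] = [("Zhang San", "admin")]               # r1
SUBJECT_ATTRIBUTE = [("Zhang San", "organization"), ("Li Si", "organization")]
ATTRIBUTE_ROLE = [("organization", "PM")]                                    # r2
ROLE_OBJECT = [
    ("admin", "administrator management"), ("admin", "configuration management"),
    ("admin", "data dictionary"),
    ("PM", "add personnel"), ("PM", "view personnel"),
    ("PM", "modify personnel"), ("PM", "delete personnel"),
]


class PermissionGraph:
    """Undirected graph whose vertices are "type:name" strings; the type prefix
    is the retained type identifier (subject, attribute, role, object)."""

    def __init__(self) -> None:
        self.adj: Dict[str, Set[str]] = defaultdict(set)
        self.lock = threading.Lock()  # serialises concurrent update broadcasts

    @staticmethod
    def vtype(v: str) -> str:
        return v.split(":", 1)[0]

    @staticmethod
    def name(v: str) -> str:
        return v.split(":", 1)[1]

    def _link(self, a: str, b: str) -> None:
        self.adj[a].add(b)
        self.adj[b].add(a)

    @classmethod
    def from_tables(cls, subject_role, subject_attribute, attribute_role,
                    role_object) -> "PermissionGraph":
        """Step S402: every table row becomes one bidirectional edge."""
        g = cls()
        for s, r in subject_role:
            g._link(f"subject:{s}", f"role:{r}")
        for s, a in subject_attribute:
            g._link(f"subject:{s}", f"attribute:{a}")
        for a, r in attribute_role:
            g._link(f"attribute:{a}", f"role:{r}")
        for r, o in role_object:
            g._link(f"role:{r}", f"object:{o}")
        return g

    def neighbours(self, v: str, kind: str) -> List[str]:
        return sorted(n for n in self.adj.get(v, ()) if self.vtype(n) == kind)

    def objects_of_subject(self, subject: str) -> Set[str]:
        """Step S403 for a subject: objects reached through its roles (r1)
        merged with objects reached through attribute -> role (r2)."""
        s = f"subject:{subject}"
        found: Set[str] = set()
        for r in self.neighbours(s, "role"):                 # first role vertices
            found.update(self.neighbours(r, "object"))       # first object vertices
        for a in self.neighbours(s, "attribute"):            # first attribute vertices
            for r in self.neighbours(a, "role"):             # second role vertices
                found.update(self.neighbours(r, "object"))   # second object vertices
        return {self.name(o) for o in found}

    def related(self, vertex: str) -> Dict[str, List[str]]:
        """Any vertex can be the query condition; associated vertices are
        grouped by their type identifier for display."""
        grouped: Dict[str, List[str]] = defaultdict(list)
        for n in sorted(self.adj.get(vertex, ())):
            grouped[self.vtype(n)].append(self.name(n))
        return dict(grouped)

    def apply_update(self, op: str, a: str, b: Optional[str] = None) -> None:
        """Step S404: a grant adds the missing vertices and the edge, a
        revocation removes the edge, deleting a vertex also drops its edges."""
        with self.lock:
            if op in ("grant", "revoke") and b is None:
                raise ValueError(f"{op} needs two vertices")
            if op == "grant":
                self._link(a, b)
            elif op == "revoke":
                self.adj[a].discard(b)
                self.adj[b].discard(a)
            elif op == "delete_vertex":
                for n in self.adj.pop(a, set()):
                    self.adj[n].discard(a)
            else:
                raise ValueError(f"unknown update operation {op!r}")


if __name__ == "__main__":
    g = PermissionGraph.from_tables(SUBJECT_ROLE, SUBJECT_ATTRIBUTE, ATTRIBUTE_ROLE, ROLE_OBJECT)
    print("Zhang San:", sorted(g.objects_of_subject("Zhang San")))
    print("role PM:", g.related("role:PM"))
    g.apply_update("revoke", "attribute:organization", "role:PM")
    print("Li Si after revoke:", g.objects_of_subject("Li Si"))
```

Revoking the single attribute-role edge removes the inherited PM permissions from every member of the organization at once, which is the effect the separate storage of attribute authorization results in [0109] is meant to give. The revocation is taken from the update broadcast; the graph is only as current as the last broadcast it applied, so a query served from the cache answers with whatever that graph says, and a broadcast that is lost leaves the graph granting permissions the relational database no longer records.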

[0124] Figure 6 is a schematic diagram of an optional structure of the permission query device provided in an embodiment of this disclosure, which will be described part by part.

[0125] In some embodiments, the permission query device 600 includes a confirmation unit 601, a conversion unit 602, and a query unit 603.

[0126] The confirmation unit 601 is used to confirm and store the relational database; wherein the relational database includes at least subject-role correspondence, subject-attribute correspondence, attribute-role correspondence, and role-object correspondence;

[0127] The conversion unit 602 is configured to convert the relational database into a graph data structure in response to the activation of the authorization service.

[0128] The query unit 603 is configured to, in response to receiving a permission query request from the first subject, confirm the object corresponding to the first subject based on the graph data structure.

[0129] The attribute-role correspondence includes the correspondence between any role and all attributes that possess that role; the object corresponding to the first subject is the permission corresponding to the first subject.

[0130] The confirmation unit 601 is specifically used to confirm the subject-role correspondence based on the role corresponding to each subject among all subjects;

[0131] Based on the attributes corresponding to each subject among all subjects, confirm the subject-attribute correspondence;

[0132] Based on the roles corresponding to the attributes of each subject, confirm the attribute-role correspondence;

[0133] Based on the object corresponding to each of all roles, confirm the role-object correspondence;

[0134] Confirm that the subject-role correspondence, subject-attribute correspondence, attribute-role correspondence, and role-object correspondence constitute the relational database, and store the relational database in memory.

[0135] The conversion unit 602 is specifically used to confirm the vertices of the graph data structure based on the subjects, attributes, objects, and roles in the relational database, and to confirm the edges of the graph data structure based on the subject-object correspondence and the attribute-role correspondence.

[0136] The conversion unit 602 is specifically used to confirm, based on the subject-object correspondence, whether there is an association between any subject vertex and any role vertex in the graph data structure, and whether there is an association between any role vertex and any object vertex;

[0137] Based on the attribute-role correspondence, confirm whether there is an association between any subject vertex and any attribute vertex, whether there is an association between any attribute vertex and any role vertex, and whether there is an association between any role vertex and any object vertex in the graph data structure.

[0138] Two vertices that are confirmed to have an association relationship are connected, and the connecting line is an edge of the graph data structure; two vertices that do not have an association relationship are not connected.

[0139] After converting the relational database into a graph data structure, the conversion unit 602 is further configured to split the graph data structure into at least two sequences based on the association relationships between vertices in the graph data structure; wherein each sequence includes vertices with association relationships, the starting vertex of each sequence is the subject vertex, the ending vertex is the object vertex, and the intermediate vertices include role vertices, or attribute vertices and role vertices.

[0140] Based on the characters corresponding to the vertices and the characters corresponding to the edges between the vertices, each sequence is converted into a character stream, and the character streams corresponding to at least two sequences are stored in the cache according to the order of splitting.

[0141] After receiving the permission query request from the first subject, the query unit 603 is further configured to: obtain the character streams corresponding to the at least two sequences from the cache in reverse order of the split; convert the character streams into at least two sequences based on the characters corresponding to the vertices and the characters corresponding to the edges between the vertices; and restore the at least two sequences into a graph data structure based on the vertices in the sequences and the relationships between the vertices.

[0142] The query unit 603 is specifically used to obtain all first role vertices that have a relationship with the first subject and first object vertices that have a relationship with the first role vertices from the graph data structure.

[0143] Obtain from the graph data structure all first attribute vertices that are associated with the first subject, second role vertices that are associated with the first attribute vertices, and second object vertices that are associated with the second role vertices;

[0144] The object corresponding to the first object vertex and the object corresponding to the second object vertex are confirmed to be the objects corresponding to the first subject.

[0145] According to embodiments of this disclosure, this disclosure also provides an electronic device and a readable storage medium.

[0146] Figure 7 is a schematic block diagram of an example electronic device 800 that can be used to implement embodiments of the present disclosure. The electronic device is intended to represent various forms of digital computers, such as laptop computers, desktop computers, workstations, personal digital assistants, servers, blade servers, mainframe computers, and other suitable computers. The electronic device may also represent various forms of mobile devices, such as personal digital processors, cellular phones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions are merely illustrative and are not intended to limit the implementation of the present disclosure described and / or claimed herein.

[0147] As shown in Figure 7, the electronic device 800 includes a computing unit 801, which can perform various appropriate actions and processes according to a computer program stored in a read-only memory (ROM) 802 or a computer program loaded from a storage unit 808 into a random access memory (RAM) 803. The RAM 803 may also store various programs and data required for the operation of the electronic device 800. The computing unit 801, ROM 802, and RAM 803 are interconnected via a bus 804. An input / output (I / O) interface 805 is also connected to the bus 804.

[0148] Multiple components in electronic device 800 are connected to I / O interface 805, including: input unit 806, such as keyboard, mouse, etc.; output unit 807, such as various types of displays, speakers, etc.; storage unit 808, such as disk, optical disk, etc.; and communication unit 809, such as network card, modem, wireless transceiver, etc. Communication unit 809 allows electronic device 800 to exchange information / data with other devices through computer networks such as the Internet and / or various telecommunications networks.

[0149] The computing unit 801 can be a variety of general-purpose and / or special-purpose processing components with processing and computing capabilities. Some examples of the computing unit 801 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various special-purpose artificial intelligence (AI) computing chips, various computing units running machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 801 performs the various methods and processes described above, such as the permission query method. For example, in some embodiments, the permission query method may be implemented as a computer software program tangibly contained in a machine-readable medium, such as storage unit 808. In some embodiments, part or all of the computer program may be loaded and / or installed on the electronic device 800 via ROM 802 and / or communication unit 809. When the computer program is loaded into RAM 803 and executed by the computing unit 801, one or more steps of the permission query method described above may be performed. Alternatively, in other embodiments, the computing unit 801 may be configured to perform the permission query method by any other suitable means (e.g., by means of firmware).

[0150] Various embodiments of the systems and techniques described above herein can be implemented in digital electronic circuit systems, integrated circuit systems, field-programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems-on-a-chip (SoCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and / or combinations thereof. These various embodiments may include implementations in one or more computer programs that can be executed and / or interpreted on a programmable system including at least one programmable processor, which may be a dedicated or general-purpose programmable processor, capable of receiving data and instructions from a storage system, at least one input device, and at least one output device, and transmitting data and instructions to the storage system, the at least one input device, and the at least one output device.

[0151] The program code used to implement the methods of this disclosure may be written in any combination of one or more programming languages. This program code may be provided to a processor or controller of a general-purpose computer, special-purpose computer, or other programmable data processing apparatus, such that when executed by the processor or controller, the program code causes the functions / operations specified in the flowcharts and / or block diagrams to be implemented. The program code may be executed entirely on a machine, partially on a machine, as a standalone software package partially on a machine and partially on a remote machine, or entirely on a remote machine or server.

[0152] In the context of this disclosure, a machine-readable medium can be a tangible medium that may contain or store a program for use by or in conjunction with an instruction execution system, apparatus, or device. A machine-readable medium can be a machine-readable signal medium or a machine-readable storage medium. A machine-readable medium can be, but is not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing. More specific examples of machine-readable storage media include electrical connections based on one or more wires, portable computer disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination of the foregoing.

[0153] To provide interaction with a user, the systems and techniques described herein can be implemented on a computer having: a display device for displaying information to the user (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor); and a keyboard and pointing device (e.g., a mouse or trackball) through which the user provides input to the computer. Other types of devices can also be used to provide interaction with the user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form (including sound input, voice input, or tactile input).

[0154] The systems and technologies described herein can be implemented in computing systems that include backend components (e.g., as a data server), or computing systems that include middleware components (e.g., an application server), or computing systems that include frontend components (e.g., a user computer with a graphical user interface or web browser through which a user can interact with embodiments of the systems and technologies described herein), or any combination of such backend, middleware, or frontend components. The components of the system can be interconnected via digital data communication of any form or medium (e.g., a communication network). Examples of communication networks include local area networks (LANs), wide area networks (WANs), and the Internet.

[0155] Computer systems can include clients and servers. Clients and servers are generally located far apart and typically interact via communication networks. Client-server relationships are created by computer programs running on the respective computers and having a client-server relationship with each other. Servers can be cloud servers, servers in distributed systems, or servers incorporating blockchain technology.

[0156] It should be understood that the various forms of processes shown above can be used to rearrange, add, or delete steps. For example, the steps described in this disclosure can be executed in parallel, sequentially, or in different orders, as long as the desired result of the technical solution disclosed in this disclosure can be achieved, and this is not limited herein.

[0157] Furthermore, the terms "first" and "second" are used for descriptive purposes only and should not be construed as indicating or implying relative importance or implicitly specifying the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one of that feature. In the description of this disclosure, "a plurality of" means two or more, unless otherwise explicitly specified.

[0158] The above description is merely a specific embodiment of this disclosure, but the scope of protection of this disclosure is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the scope of the technology disclosed in this disclosure should be included within the scope of protection of this disclosure. Therefore, the scope of protection of this disclosure should be determined by the scope of the claims.

Claims

1. A permission query method, characterized in that the method includes: confirming and storing a relational database, wherein the relational database includes at least a subject-role correspondence, a subject-attribute correspondence, an attribute-role correspondence, and a role-object correspondence, and storing the relational database includes storing subject authorization results and attribute authorization results separately, wherein the subject authorization results include the correspondence between the subject and the object identified through the role, and the attribute authorization results include the attribute-role correspondence; in response to the activation of the authorization service, converting the relational database into a graph data structure; in response to receiving a permission query request from a first subject, confirming the object corresponding to the first subject based on the graph data structure; wherein the attribute-role correspondence includes the correspondence between any role and all attributes that possess that role, and the object corresponding to the first subject is the permission corresponding to the first subject.

2. The method according to claim 1, characterized in that confirming and storing the relational database includes: based on the role corresponding to each subject among all subjects, confirming the subject-role correspondence; based on the attributes corresponding to each subject among all subjects, confirming the subject-attribute correspondence; based on the roles corresponding to the attributes of each subject, confirming the attribute-role correspondence; based on the object corresponding to each of all roles, confirming the role-object correspondence; and confirming that the subject-role correspondence, subject-attribute correspondence, attribute-role correspondence, and role-object correspondence constitute the relational database, and storing the relational database in memory.

3. The method according to claim 1, characterized in that converting the relational database into a graph data structure includes: determining the vertices of the graph data structure based on the subjects, attributes, objects, and roles in the relational database, and determining the edges of the graph data structure based on the subject-object correspondence and the attribute-role correspondence.

4. The method according to claim 3, characterized in that determining the edges of the graph data structure based on the subject-object correspondence and the attribute-role correspondence includes: based on the subject-object correspondence, confirming whether there is an association between any subject vertex and any role vertex in the graph data structure, and whether there is an association between any role vertex and any object vertex; based on the attribute-role correspondence, confirming whether there is an association between any subject vertex and any attribute vertex, whether there is an association between any attribute vertex and any role vertex, and whether there is an association between any role vertex and any object vertex in the graph data structure; wherein two vertices confirmed to have an association are connected, the connecting line being an edge of the graph data structure, and two vertices that have no association are not connected.

5. The method according to claim 1, characterized in that, after converting the relational database into a graph data structure, the method further includes: based on the relationships between vertices in the graph data structure, splitting the graph data structure into at least two sequences, wherein each sequence includes vertices with relationships, the starting vertex of each sequence is a subject vertex, the ending vertex is an object vertex, and the intermediate vertices include role vertices, or attribute vertices and role vertices; and based on the characters corresponding to the vertices and the characters corresponding to the edges between the vertices, converting each sequence into a character stream, and storing the character streams corresponding to the at least two sequences in the cache in the order of splitting.

6. The method according to claim 5, characterized in that, after receiving the permission query request from the first subject, the method further includes: retrieving the character streams corresponding to the at least two sequences from the cache in the reverse order of the splitting; based on the characters corresponding to the vertices and the characters corresponding to the edges between the vertices, converting the character streams into at least two sequences; and based on the vertices in the sequences and the relationships between the vertices, restoring the at least two sequences into a graph data structure.

7. The method according to claim 1 or 6, characterized in that confirming the object corresponding to the first subject based on the graph data structure includes: obtaining from the graph data structure all first role vertices that have an association with the first subject, and first object vertices that have an association with the first role vertices; obtaining from the graph data structure all first attribute vertices that are associated with the first subject, second role vertices that are associated with the first attribute vertices, and second object vertices that are associated with the second role vertices; and confirming that the object corresponding to the first object vertex and the object corresponding to the second object vertex are the objects corresponding to the first subject.

8. A permission query device, characterized in that the device includes: a confirmation unit used to confirm and store a relational database, wherein the relational database includes at least a subject-role correspondence, a subject-attribute correspondence, an attribute-role correspondence, and a role-object correspondence, and the confirmation unit is specifically used to store subject authorization results and attribute authorization results separately, wherein the subject authorization results include the correspondence between the subject and the object confirmed through the role, and the attribute authorization results include the attribute-role correspondence; a conversion unit used to convert the relational database into a graph data structure in response to the activation of the authorization service; and a query unit used to, in response to receiving a permission query request from a first subject, confirm the object corresponding to the first subject based on the graph data structure; wherein the attribute-role correspondence includes the correspondence between any role and all attributes that possess that role, and the object corresponding to the first subject is the permission corresponding to the first subject.

9. An electronic device, characterized in that it includes: at least one processor; and a memory communicatively connected to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of any one of claims 1-7.

10. A non-transitory computer-readable storage medium storing computer instructions, characterized in that the computer instructions are used to cause a computer to perform the method according to any one of claims 1-7.