Method, device, storage medium and program product for generating a rights policy

By generating visual permission policies, the complexity of sub-user permission configuration is solved, achieving a low-cost, secure, and convenient cloud resource access experience.

CN121967090BActive Publication Date: 2026-06-16CHINA MOBILE (SUZHOU) SOFTWARE TECH CO LTD +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA MOBILE (SUZHOU) SOFTWARE TECH CO LTD
Filing Date
2026-04-01
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

In existing technologies, sub-user permission policy configuration relies on manual writing, resulting in high user learning costs and poor usability.

Method used

By acquiring permission tracking information from both the first and second accounts, a visualized permission policy is generated. This multi-account collaboration model reduces user learning costs and improves configuration efficiency.

Benefits of technology

It enables low-cost, visual permission configuration, improves user experience and security, and simplifies the process for sub-users to access cloud resources.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121967090B_ABST
    Figure CN121967090B_ABST
Patent Text Reader

Abstract

The present disclosure relates to the technical field of cloud computing, and particularly provides a permission policy generation method, device, storage medium and program product. The method acquires permission tracking information of a first account, the permission tracking information including resources operated by a second account inviting the first account to jointly start a permission tracking function and resources operated by the first account; the first account and the second account are sub-accounts under a same master account; a visual permission policy is generated based on the resources operated by the second account and the resources operated by the first account; and a sub-account under the master account that has not configured a permission policy is configured with a permission based on the permission policy. The method has a lower requirement for user knowledge, and can be implemented through simple click operations on a man-machine interaction interface, thereby reducing user learning and using costs, improving user efficiency, enhancing user experience, and enabling users to more safely and conveniently access resources on the cloud.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to the field of cloud computing technology, and in particular to a method, device, storage medium, and program product for generating permission policies. Background Technology

[0002] In cloud computing systems, users can create and manage sub-users and control their access permissions to resources. When a user's enterprise involves multiple users collaborating on resources, sub-users can help prevent the sharing of cloud account keys with other users, allowing for the allocation of minimal permissions to users as needed, thereby reducing the enterprise's information security risks.

[0003] Sub-users have the following characteristics: Multiple sub-users can be created under a single main account, corresponding to employees, systems, or applications within the enterprise. Sub-users do not own resources and cannot be independently metered and billed; they are centrally controlled and billed by their respective main accounts. Sub-users belong to the main account and are only visible within the main account's space, not as independent main accounts. Sub-users must obtain authorization from the main account before logging into the console or using the API to manipulate resources under the main account.

[0004] In related technologies, the permissions of sub-users are configured by users manually writing permission policy text, which results in high user learning costs and poor usability. Summary of the Invention

[0005] This disclosure is made in view of the above-mentioned problems. This disclosure provides a method, apparatus, storage medium, and program product for generating permission policies.

[0006] According to the first aspect of this disclosure, a method for generating permission policies is provided, comprising:

[0007] Obtain permission tracking information for the first account, including the resources operated by the second account that invited the first account to jointly enable the permission tracking function, and the resources operated by the first account; the first account and the second account are sub-accounts under the same main account;

[0008] Based on the resources operated by the second account and the resources operated by the first account, a visual permission policy is generated.

[0009] Based on the aforementioned permission policy, permissions are configured for sub-accounts under the main account that do not have a permission policy configured.

[0010] Furthermore, according to the permission policy generation method of the first aspect of this disclosure, the resources operated by the first account and the resources operated by the second account are resources of different types.

[0011] Furthermore, according to the permission policy generation method of the first aspect of this disclosure, a visual permission policy is generated based on the resources operated by the second account and the resources operated by the first account, including:

[0012] Based on the resources operated by the first account, obtain the operations that the first account is authorized to perform; and based on the resources operated by the second account, obtain the operations that the second account is authorized to perform.

[0013] Generate a first visual operation that the first account has permission to perform, and generate a second visual operation that the second account has permission to perform;

[0014] Based on the first visualization operation and the second visualization operation, a visualized permission policy is generated.

[0015] Furthermore, according to the permission policy generation method of the first aspect of this disclosure, a visualized permission policy is generated based on the first visualization operation and the second visualization operation, including:

[0016] The first target visualization operation is uniquely determined from the first visualization operation, and the second target visualization operation is uniquely determined from the second visualization operation.

[0017] Based on the first target visualization operation and the first resource of the first target visualization operation, a first permission policy is generated to instruct the first resource of the first target visualization operation; based on the second target visualization operation and the second resource of the second target visualization operation, a second permission policy is generated to instruct the second resource of the second target visualization operation; a third permission policy is generated based on operations in the first visualization operation other than the first target visualization operation; and a fourth permission policy is generated based on operations in the second visualization operation other than the second target visualization operation.

[0018] The first permission policy, the second permission policy, the third permission policy, and the fourth permission policy are used as the permission policy.

[0019] Furthermore, according to the permission policy generation method of the first aspect of this disclosure, based on the resources operated by the first account, the operations that the first account has permission to perform are obtained, including:

[0020] The order of the association between the current permission item and all permission items is determined, wherein the current permission item is used to indicate the resource of the operation performed by the first account;

[0021] Obtain the N highest-ranking permission items from the sorting;

[0022] Based on the operations indicated by the N permission items and the operations issued by the first account to the resource, it is determined that the first account has the permission to perform the operations.

[0023] Furthermore, according to the permission policy generation method of the first aspect of this disclosure, based on the operations indicated by the N permission items and the operations issued by the first account to the resource, determining the operations that the first account has permission to perform includes:

[0024] The N permission items are displayed in a list on the human-computer interaction interface and associated with the current permission item.

[0025] Obtain the M permission items selected by the user from the list;

[0026] The operations indicated by the M permission items and the operations issued by the first account to the resource are taken as the operations that the first account has permission to perform.

[0027] According to a second aspect of this disclosure, an apparatus for generating permission policies is provided, comprising:

[0028] The acquisition module is used to acquire the permission tracking information of the first account. The permission tracking information includes the resources operated by the second account that invited the first account to jointly enable the permission tracking function, and the resources operated by the first account. The first account and the second account are sub-accounts under the same main account.

[0029] The generation module is used to generate a visual permission policy based on the resources operated by the second account and the resources operated by the first account.

[0030] The configuration module is used to configure permissions for sub-accounts under the main account that have not been configured with a permission policy, based on the permission policy.

[0031] According to a third aspect of this disclosure, an electronic device is provided, including a memory, a processor, and a computer program stored in the memory, the processor executing the computer program to implement the steps of the method described in the first aspect.

[0032] According to a fourth aspect of this disclosure, a computer-readable storage medium is provided having a computer program / instructions stored thereon that, when executed by a processor, implements the steps of the method described in the first aspect.

[0033] According to a fifth aspect of this disclosure, a computer program product is provided, including a computer program / instructions that, when executed by a processor, implement the steps of the method described in the first aspect.

[0034] As will be described in detail below, the permission policy generation method according to the embodiments of this disclosure tracks the resources operated by the first account and the second account through permission tracking information, and generates a visual permission policy accordingly. In this way, when configuring the same permission policy for other sub-accounts under the main account that have not been configured with permission policies, the already generated visual permission policy can be used. Since it is a visual configuration, the knowledge requirements for users are low. It can be achieved with simple click operations on the human-computer interaction interface, reducing the user's learning and usage costs, improving user efficiency, enhancing user experience, and allowing users to access cloud resources more safely and conveniently.

[0035] It should be understood that both the foregoing general description and the following detailed description are exemplary and intended to provide further illustration of the claimed technology. Attached Figure Description

[0036] The above and other objects, features, and advantages of this disclosure will become more apparent from the more detailed description of the embodiments thereof in conjunction with the accompanying drawings. The drawings are provided to further illustrate the embodiments of this disclosure and form part of the specification. They are used together with the embodiments of this disclosure to explain the disclosure and do not constitute a limitation thereof. In the drawings, the same reference numerals generally represent the same components or steps.

[0037] Figure 1 This is a flowchart illustrating a permission policy generation method for an application according to an embodiment of this disclosure.

[0038] Figure 2 This is a flowchart illustrating permission tracking analysis of an application according to an embodiment of this disclosure.

[0039] Figure 3 This is a flowchart illustrating resource filtering applied according to an embodiment of the present disclosure.

[0040] Figure 4 This is a flowchart illustrating an application for generating a permission policy according to an embodiment of this disclosure.

[0041] Figure 5 This is a hardware block diagram illustrating an electronic device according to an embodiment of the present disclosure.

[0042] Figure 6 This is a schematic diagram illustrating a computer program product according to an embodiment of the present disclosure. Detailed Implementation

[0043] The technical methods of the embodiments of the present invention will now be clearly and completely described with reference to the accompanying drawings.

[0044] To facilitate understanding of this embodiment, a permission policy generation method disclosed in this disclosure will first be described in detail. The execution subject of the permission policy generation method provided in this disclosure is generally an electronic device with a certain computing power, such as a terminal device, a server, or other processing device. In some possible implementations, the permission policy generation method can be implemented by a processor calling computer-readable instructions stored in memory.

[0045] See Figure 1 The diagram shown is a flowchart of a permission policy generation method provided in this embodiment of the disclosure. The method includes the following steps:

[0046] Step 101: Obtain the permission tracking information of the first account. The permission tracking information includes the resources operated by the second account that invited the first account to jointly enable the permission tracking function, and the resources operated by the first account. The first account and the second account are sub-accounts under the same main account.

[0047] In this embodiment, to simplify the user learning curve, a multi-account collaborative mode for permission tracking and analysis is provided to generate a permission policy. Specifically, after logging into the cloud service platform with a second account, the user enables the permission tracking and analysis function through the second account, and simultaneously selects the first account to generate a permission policy. After the first account logs into the cloud service platform, when permission tracking and analysis is enabled, an invitation notification from the second account will be received. If the first account accepts the invitation, the relevant information of the second account will be subsequently written into the permission tracking information of the first account.

[0048] The information related to the second account may include the account information and permission tracking information, which will be stored in distributed storage. The permission tracking information of the second account includes the operations made by the user through the second account to resources of the cloud service platform and / or the resources operated on.

[0049] It should be understood that the permission tracking information of the first account includes not only the relevant information of the second account, but also the relevant information of the first account, namely the account information of the first account. The permission tracking information of the first account includes the operations made by the user to the resources of the cloud service platform through the first account and / or the resources operated on.

[0050] This embodiment also provides permission tracking and analysis in a dedicated mode, in which only permission tracking information of the current account is recorded.

[0051] In this embodiment, the permission tracking information of the first account is stored in Redis in key-value format. The relevant information of the second account is obtained from the distributed storage, and the relevant information of the second account is used as the key, while the operations of the first and second accounts and the resources operated on are used as the value and stored in Redis, thereby realizing collaborative permission analysis of multiple accounts.

[0052] It should be understood that if the first account rejects the invitation from the second account, the permission request information of the first account will be analyzed separately. The relevant information of the first account will be used as the key, and the value will be the operation of the first account and the resources of the operation, which will be saved in Redis.

[0053] In one or more alternative embodiments, considering the high technical barriers between various products (such as cloud servers, cloud disks, and networks) in cloud computing scenarios and the high knowledge requirements for users, the resources operated by the first account and the resources operated by the second account can be set to different types of resources. For example, the resource operated by the first account is a cloud server, and the resource operated by the second account can be a cloud disk. Or, for example, the resource operated by the first account is a network, and the resource operated by the second account can be a cloud server, etc.

[0054] Step 102: Generate a visual permission policy based on the resources operated by the second account and the resources operated by the first account.

[0055] In this embodiment, the visual permission policy refers to displaying the operations and / or resources that the first account and the second account are authorized to operate in a visual manner.

[0056] In one or more alternative embodiments, generating a visual permission policy based on the resources operated by the second account and the resources operated by the first account may include the following steps:

[0057] Based on the resources operated by the first account, obtain the operations that the first account has permission to perform; and based on the resources operated by the second account, obtain the operations that the second account has permission to perform.

[0058] The first visual operation generates the first operation that the first account has permission to perform, and the second visual operation generates the second operation that the second account has permission to perform;

[0059] Based on the first and second visualization operations, a visual permission policy is generated.

[0060] In this embodiment, when the first account initiates an operation to the cloud service platform, the authentication center module of the cloud service platform needs to authenticate the first account's operation permissions. If the authentication is successful, the cloud service platform responds to the first account's operation. If the authentication fails, the cloud service platform returns a response indicating failure.

[0061] In one example, the first account initiates an operation to read data from the cloud drive through the cloud service platform. If the authentication center module in the cloud service platform determines that the first account has permission to read the cloud drive, it responds to the first account's read operation by returning the read data to the first account. Conversely, if the authentication center module determines that the first account does not have permission to read the cloud drive, it returns a read failure response to the first account.

[0062] In this embodiment, the first visualization operation and the second visualization operation include, but are not limited to, displaying a certain operation as a plugin of a specific shape. This specific shape can be preset, for example, all plugins can be set to display in the same shape, or different operations can have different plugin shapes. This embodiment does not impose any specific limitations on this.

[0063] In one example, when generating a visual operation that allows the user to power on, the operation can be displayed as a circular plugin on the human-computer interaction interface with "Power On" as the plugin's name.

[0064] In one or more alternative embodiments, generating a visualized permission policy based on a first visualization operation and a second visualization operation may include the following steps:

[0065] The first target visualization operation is uniquely determined from the first visualization operation, and the second target visualization operation is uniquely determined from the second visualization operation.

[0066] Based on a first target visualization operation and a first resource of the first target visualization operation, a first permission policy is generated to indicate the first resource of the first target visualization operation; based on a second target visualization operation and a second resource of the second target visualization operation, a second permission policy is generated to indicate the second resource of the second target visualization operation; a third permission policy is generated based on operations in the first visualization operation other than the first target visualization operation; and a fourth permission policy is generated based on operations in the second visualization operation other than the second target visualization operation.

[0067] The first, second, third, and fourth permission policies are used as permission policies.

[0068] In this embodiment, "uniquely identifiable resource" in an operation refers to a specific object of the operation, rather than a general one. For example, taking the operation of purchasing as an example, if a user wants to buy 3 cloud servers from a cloud service platform using their account, the cloud servers are the resource or object of this purchase operation. Since the user doesn't intend to buy a specific number of cloud servers, but only requires a certain quantity, and doesn't require parameters such as the factory serial number that uniquely identifies a particular cloud server, the resource for this purchase operation is not uniquely identifiable. However, still using the purchase operation as an example, if a user wants to buy a specific cloud server from a cloud service platform using their account, since the cloud server the user wants to buy is uniquely identifiable, the resource for this purchase operation is uniquely identifiable in this scenario.

[0069] In this embodiment, when generating the first permission policy based on the first visual operation and the first resource, the first visual operation and the first resource can be represented by different plugins, and the direction of the line connecting the two plugins indicates that the first target visual operation can operate on the first resource. Taking enabling cloud host A as an example, in this example, enabling is the first target visual operation, and cloud host A is the first resource. When generating the first permission policy, a circular plugin can represent enabling this operation, and another square plugin can represent cloud host A. The circular plugin and the square plugin are connected by a straight line, and the direction of the line is from the circular plugin to the square plugin, thus indicating that cloud host A is enabled.

[0070] In this embodiment, the resources operated on by operations other than the first target visualization operation in the first visualization operation are not uniquely determined. As in the aforementioned example of purchasing three cloud servers, the resources or objects involved in this operation are general and do not specifically limit the cloud servers to parameters such as their factory serial number that can uniquely identify a particular cloud server. Therefore, the resources for this operation are not uniquely identifiable. Because the resources of operations other than the first target visualization operation in the first visualization operation are not uniquely identifiable, when generating the third permission policy for such operations, only the plugin corresponding to the operation is generated, while the plugin for displaying the resources corresponding to the operation is not generated.

[0071] In one or more alternative embodiments, obtaining the operations that the first account is authorized to perform based on the resources operated by the first account may include the following steps:

[0072] The order of the relationships between the current permission item and all permission items is determined, and the current permission item is used to indicate the resources operated by the first account;

[0073] Retrieve the top N permission items from the sorted list;

[0074] Based on the operations indicated by N permission items and the operations issued by the first account to the resource, determine the operations that the first account has permission to perform.

[0075] In this embodiment, the current permission item includes the operations of the first account and the resources operated on. The association between the current permission item and other permission items is used to indicate the degree of association between the operations on resources included in the current permission item and the operations on resources included in other permission items. That is, when performing the operation included in the current permission item on a resource, is it necessary to perform the operations on the resources included in other permission items? If so, it indicates that the current permission item has a high degree of association with other permission items; if it is average, it indicates that the current permission item has a moderate degree of association with other permission items; if it is completely unnecessary, it indicates that the current permission item has no association with other permission items.

[0076] In one or more embodiments, a score can be used to represent the degree of association between the current permission item and all permission items. A higher score indicates a higher degree of association, and a lower score indicates a lower degree of association. For example, the score can be set to a range of -100 to 100, with a larger value indicating a stronger association.

[0077] In this embodiment, the operation habits of all users can be analyzed at the session level. The number of permission requests to the authentication center after authentication for each permission item is counted. When a session expires or a user logs out of the system, the current session statistics are merged into the overall permission item statistics table. The number of permission item requests to the authentication service for each permission item is recorded, and these statistics are divided into two hundred intervals, weighted from -100 to 100, from low to high. Thus, the authentication center maintains two sets of scoring systems: one set is a preset value provided by the system, and the other is a real-time statistical analysis of permission relationships based on user requests. Both sets of scores range from -100 to 100. The relationship value between permission items is the sum of the system preset value and the real-time statistical result score; the larger the value, the higher the priority.

[0078] In one or more alternative embodiments, determining the operations that the first account has permission to perform based on the operations indicated by N permission items and the operations issued by the first account to the resource may include the following steps:

[0079] The human-computer interaction interface displays N permission items associated with the current permission item in a list;

[0080] Retrieve the M permission items selected by the user from the list;

[0081] The operations indicated by the M permission items and the operations issued by the first account to the resource are considered as the operations that the first account has permission to perform.

[0082] In this embodiment, the cloud service platform's console establishes a WebSocket connection with the backend service. The backend service can synchronize user operations and M permission items to the browser display on the console in real time. The top M permissions with the highest priority, obtained from the previous step's ranking of the relationships between each permission item and all other permissions, are selected as the recommended permission items. After deduplicating the recommended permission item list information based on the synchronized permission items saved in a Redis set, the system's recommended permission list is synchronized to the user's browser via WebSocket. When a user deletes or adds a permission item in the browser's permission list, the backend server is synchronized via WebSocket to modify the permission item and record the event type. If it is a deletion operation, the permission item is synchronously deleted from the recommended list, and the deleted permission item is hidden in the recommended permission list.

[0083] Step 103: Configure permissions for sub-accounts under the main account that do not have a permission policy configured, based on the permission policy.

[0084] In the solution provided in this embodiment, the resources operated by the first and second accounts are tracked through permission tracking information, and a visual permission policy is generated accordingly. In this way, when configuring the same permission policy for other sub-accounts under the main account that have not been configured with permission policies, the already generated visual permission policy can be used. Since it is a visual configuration, the knowledge requirements for users are low. It can be achieved with simple click operations on the human-computer interaction interface, reducing the user's learning and usage costs, improving user efficiency, enhancing user experience, and allowing users to access cloud resources more securely and conveniently.

[0085] In addition, this application can also calculate the dependency relationship between different permission items based on user historical data and data from the pre-installed systems of each service, prompting users to add missing permission items, remove high-risk permission items and irrelevant permission items in a timely manner, thereby improving the user experience.

[0086] This application analyzes the request history of authorized accounts to obtain permission information, which is then synchronized to the console in real time via WebSocket. Users can delete or add permission items through the console's permission list. The analysis center calculates the dependency coefficients between different permission items based on historical permission authentication data for different users and the pre-configured permission item association coefficients for each service (positive numbers: dependency, simultaneous authorization is recommended; negative numbers: mutual exclusion, simultaneous authorization is not recommended). If the permission item with the highest coefficient is not yet in the console list, it is pushed to the browser and displayed in the recommended list, facilitating users to add permission items promptly. If the permission item with the lowest coefficient is included in the list, it is pushed to the browser and displayed in the high-risk operation list, prompting users to delete high-risk permission items promptly. The specific process mainly consists of the following two parts: 1. Permission item tracking and analysis; 2. Resource filtering.

[0087] Access tracking and analysis process as follows Figure 2 As shown, the following steps may be included:

[0088] When authorized account A enables the permission tracking and analysis function for the first time, it can select account B to generate a permission policy together. After account B logs into the system and enables tracking and analysis, it will receive an invitation notification from account A. If account B accepts A's invitation, account B's permission tracking will include relevant information about account A, including account A's personal information and permission tracking information, and will be saved to distributed storage.

[0089] Account A and Account B initiate operation requests through the human-computer interaction interface provided by the console. The gateway adds a common request header to all requests to identify and track user information, and forwards the requests to specific services.

[0090] The service obtains the permission code corresponding to the operation request based on the request context information and requests authentication from the authentication center.

[0091] The authentication center returns the authentication result based on the request context and the user's bound permission policy, and synchronizes the request context information to the analysis center via MQ.

[0092] The analysis center consumes MQ messages, retrieving permission items, request headers for tracing and analysis, session information, etc., from the request context information. First, it aggregates permission item information using the tracing and analysis request headers as the key and saves it to a Redisset, then synchronizes it to the user's browser via WebSocket for display. The top N permissions with the highest priority, based on the association between each permission item and all other permissions obtained in the previous step, are selected as the recommended permission items. After deduplicating the recommended permission item list from the synchronized permissions in the Redisset, it is synchronized to the user's browser via WebSocket for display as a system recommended permission list. When a user adds or deletes a permission item in the browser's permission list, the event type is synchronized to the backend server via WebSocket. If it's a deletion operation, the permission item is simultaneously removed from the recommended permission list, and the deleted permission item is hidden from the recommended permission list.

[0093] The console establishes a WebSocket connection with the backend service, and the backend synchronizes user operations, selected permissions, and resource information to the console in real time.

[0094] Only users who have enabled permission tracking and analysis can disable the permission tracking and analysis function. When disabling it, the user will be prompted with the final details of the permission items, the request header information will be deleted, and the request will be forwarded to the authentication service to create a permission policy.

[0095] The above logic can generate operation-level permission policies, while supporting multiple users to work together, reducing the difficulty of use for users.

[0096] Resource screening process as follows Figure 3 As shown, the following steps may be included:

[0097] When permission tracking and analysis is enabled, after a user selects a resource in the resource list, the user is prompted whether they need to add the resource ID to the permission policy. Once the user agrees, the information is synchronized to the permission policy analysis center service via WebSocket.

[0098] The permission policy analysis center requests the resource center service to obtain the product type to which the resource ID belongs, establishes a mapping relationship with the permission item, and synchronizes it to the browser via WebSocket, displaying the permission list and resource information simultaneously.

[0099] When a user stops the permission tracking and analysis function, if the selected permission item also restricts the scope of a specific resource list, a logical resource group is created. The logical resource group contains the IDs and type information of all selected resources and establishes an association with the newly created permission policy. When a newly created permission policy is bound to a user, the logical resource group information is also written to it, restricting the resource scope of the permission policy.

[0100] When a user who has bound a newly created permission policy logs into the system, the authentication center determines whether the user has permission to perform the current operation based on the permission list and the limited resource scope in the permission policy. If the user has permission, the request is forwarded; otherwise, the current processing flow is terminated and a permission-deficient message is displayed.

[0101] This disclosure also provides a permission policy generation apparatus for executing the permission policy generation method provided in any of the above embodiments. Figure 4 As shown, the device includes:

[0102] The acquisition module 41 is used to acquire the permission tracking information of the first account. The permission tracking information includes the resources operated by the second account that invited the first account to jointly enable the permission tracking function and the resources operated by the first account. The first account and the second account are sub-accounts under the same main account.

[0103] The generation module 42 is used to generate a visual permission policy based on the resources operated by the second account and the resources operated by the first account.

[0104] Configuration module 43 is used to configure permissions for sub-accounts under the main account that have not been configured with a permission policy, based on the permission policy.

[0105] In one or more alternative embodiments, the resources operated by the first account and the resources operated by the second account are resources of different types.

[0106] In one or more alternative embodiments, the generation module 42 is used to:

[0107] Based on the resources operated by the first account, obtain the operations that the first account is authorized to perform; and based on the resources operated by the second account, obtain the operations that the second account is authorized to perform.

[0108] Generate a first visual operation that the first account has permission to perform, and generate a second visual operation that the second account has permission to perform;

[0109] Based on the first visualization operation and the second visualization operation, a visualized permission policy is generated.

[0110] In one or more alternative embodiments, the generation module 42 is used to:

[0111] The first target visualization operation is uniquely determined from the first visualization operation, and the second target visualization operation is uniquely determined from the second visualization operation.

[0112] Based on the first target visualization operation and the first resource of the first target visualization operation, a first permission policy is generated to instruct the first resource of the first target visualization operation; based on the second target visualization operation and the second resource of the second target visualization operation, a second permission policy is generated to instruct the second resource of the second target visualization operation; a third permission policy is generated based on operations in the first visualization operation other than the first target visualization operation; and a fourth permission policy is generated based on operations in the second visualization operation other than the second target visualization operation.

[0113] The first permission policy, the second permission policy, the third permission policy, and the fourth permission policy are used as the permission policy.

[0114] In one or more alternative embodiments, the generation module 42 is used to:

[0115] The order of the association between the current permission item and all permission items is determined, wherein the current permission item is used to indicate the resource of the operation performed by the first account;

[0116] Obtain the N highest-ranking permission items from the sorting;

[0117] Based on the operations indicated by the N permission items and the operations issued by the first account to the resource, it is determined that the first account has the permission to perform the operations.

[0118] In one or more alternative embodiments, the generation module 42 is used to:

[0119] The N permission items are displayed in a list on the human-computer interaction interface and associated with the current permission item.

[0120] Obtain the M permission items selected by the user from the list;

[0121] The operations indicated by the M permission items and the operations issued by the first account to the resource are taken as the operations that the first account has permission to perform.

[0122] The permission policy generation apparatus and the permission policy generation method provided in this disclosure are based on the same inventive concept and have the same beneficial effects as the methods they adopt, operate or implement.

[0123] This disclosure also provides an electronic device for executing the above-described permission policy generation method. Please refer to... Figure 5 It illustrates a schematic diagram of an electronic device provided by some embodiments of this disclosure. For example... Figure 5 As shown, the electronic device 5 includes: a processor 500, a memory 501, a bus 502, and a communication interface 503. The processor 500, the communication interface 503, and the memory 501 are connected via the bus 502. The memory 501 stores a computer program that can run on the processor 500. When the processor 500 runs the computer program, it executes the permission policy generation method provided in any of the foregoing embodiments of this disclosure.

[0124] The memory 501 may include high-speed random access memory (RAM) or non-volatile memory, such as at least one disk storage device. Communication between this device network element and at least one other network element is achieved through at least one communication interface 503 (which can be wired or wireless), such as the Internet, wide area network, local area network, metropolitan area network, etc.

[0125] Bus 502 can be an ISA bus, PCI bus, or EISA bus, etc. The bus can be divided into an address bus, a data bus, a control bus, etc. The memory 501 is used to store programs. After receiving an execution instruction, the processor 500 executes the program. The permission policy generation method disclosed in any of the foregoing embodiments of this disclosure can be applied to the processor 500, or implemented by the processor 500.

[0126] The processor 500 may be an integrated circuit chip with signal processing capabilities. In implementation, each step of the above method can be completed by the integrated logic circuitry in the hardware of the processor 500 or by instructions in software form. The processor 500 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP), etc.; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), an off-the-shelf programmable gate array (FPGA), or other programmable logic devices, discrete gate or transistor logic devices, or discrete hardware components. It can implement or execute the methods, steps, and logic block diagrams disclosed in the embodiments of this disclosure. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in the embodiments of this disclosure can be directly embodied in the execution of a hardware decoding processor, or executed by a combination of hardware and software modules in the decoding processor. The software modules may reside in random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, or other mature storage media in the art. The storage medium is located in memory 501. The processor 500 reads the information in memory 501 and, in conjunction with its hardware, completes the steps of the above method.

[0127] The electronic device provided in this disclosure and the permission policy generation method provided in this disclosure are based on the same inventive concept and have the same beneficial effects as the methods they adopt, run or implement.

[0128] This disclosure also provides a computer-readable storage medium corresponding to the permission policy generation method provided in the foregoing embodiments. The computer-readable storage medium is an optical disc, on which a computer program (i.e., a computer program product) is stored. When the computer program is run by a processor, it executes the permission policy generation method provided in any of the foregoing embodiments.

[0129] It should be noted that examples of the computer-readable storage medium may also include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other optical and magnetic storage media, which will not be elaborated here.

[0130] The computer-readable storage medium provided in the above embodiments of this disclosure and the permission policy generation method provided in the embodiments of this disclosure are based on the same inventive concept and have the same beneficial effects as the methods adopted, run or implemented by the applications stored therein.

[0131] This disclosure also provides a computer program product; please refer to [reference needed]. Figure 6 The computer program product 600 carries program code, namely computer program 601. The instructions included in the computer program 601 can be used to execute the steps of the permission policy generation method described in the above method embodiments. For details, please refer to the above method embodiments, which will not be repeated here.

[0132] The aforementioned computer program product can be implemented through hardware, software, or a combination thereof. In one optional embodiment, the computer program product is specifically embodied in a computer storage medium; in another optional embodiment, the computer program product is specifically embodied in a software product, such as a software development kit (SDK), etc.

[0133] The basic principles of this disclosure have been described above with reference to specific embodiments. However, it should be noted that the advantages, benefits, and effects mentioned in this disclosure are merely examples and not limitations, and should not be considered as essential features of each embodiment of this disclosure. Furthermore, the specific details disclosed above are for illustrative and facilitative purposes only, and are not limitations. These details do not limit the scope of this disclosure to the necessity of employing the aforementioned specific details for implementation.

[0134] The block diagrams of devices, apparatuses, devices, and systems disclosed herein are merely illustrative examples and are not intended to require or imply that they must be connected, arranged, or configured in the manner shown in the block diagrams. As those skilled in the art will recognize, these devices, apparatuses, devices, and systems can be connected, arranged, and configured in any manner. Words such as “comprising,” “including,” “having,” etc., are open-ended terms meaning “including but not limited to,” and are used interchangeably with them. The terms “or” and “and” as used herein refer to the terms “and / or,” and are used interchangeably with them unless the context clearly indicates otherwise. The term “such as” as used herein refers to the phrase “such as but not limited to,” and is used interchangeably with it.

[0135] Additionally, as used herein, the "or" used in a list of items beginning with "at least one" indicates a separate list, such that a list of, for example, "at least one of A, B, or C" means A or B or C, or AB or AC or BC, or ABC (i.e., A and B and C). Furthermore, the word "exemplary" does not imply that the described example is preferred or better than other examples.

[0136] It should also be noted that in the systems and methods of this disclosure, the components or steps can be decomposed and / or recombined. These decompositions and / or recombinations should be considered as equivalent solutions to this disclosure.

[0137] Various changes, substitutions, and modifications can be made to the technology described herein without departing from the teachings defined by the appended claims. Furthermore, the scope of the claims of this disclosure is not limited to the specific aspects of the processes, machines, manufactures, events, means, methods, and actions described above. Currently existing or later-developed processes, machines, manufactures, events, means, methods, or actions that perform substantially the same function or achieve substantially the same result as the corresponding aspects described herein can be utilized. Therefore, the appended claims include such processes, machines, manufactures, events, means, methods, or actions within their scope.

[0138] The above description of the disclosed aspects is provided to enable any person skilled in the art to make or use this disclosure. Various modifications to these aspects will be readily apparent to those skilled in the art, and the general principles defined herein may be applied to other aspects without departing from the scope of this disclosure. Therefore, this disclosure is not intended to be limited to the aspects shown herein, but rather to be carried out within the widest scope consistent with the principles and novel features disclosed herein.

[0139] The above description has been given for purposes of illustration and description. Furthermore, this description is not intended to limit the embodiments of this disclosure to the forms disclosed herein. Although numerous exemplary aspects and embodiments have been discussed above, those skilled in the art will recognize certain variations, modifications, alterations, additions, and sub-combinations therein.

Claims

1. A method for generating permission policies, characterized in that, include: Obtain permission tracking information for the first account, including the resources operated by the second account that invited the first account to jointly enable the permission tracking function, and the resources operated by the first account; the first account and the second account are sub-accounts under the same main account; Based on the resources operated by the second account and the resources operated by the first account, a visual permission policy is generated. Based on the aforementioned permission policy, permissions are configured for sub-accounts under the main account that do not have a permission policy configured. Based on the resources operated by the second account and the resources operated by the first account, a visual permission policy is generated, including: Based on the resources operated by the first account, obtain the operations that the first account is authorized to perform; and based on the resources operated by the second account, obtain the operations that the second account is authorized to perform. Generate a first visual operation that the first account has permission to perform, and generate a second visual operation that the second account has permission to perform; Based on the first visualization operation and the second visualization operation, a visualized permission policy is generated; Based on the first visualization operation and the second visualization operation, a visualized permission policy is generated, including: The first target visualization operation is uniquely determined from the first visualization operation, and the second target visualization operation is uniquely determined from the second visualization operation. Based on the first target visualization operation and the first resource of the first target visualization operation, a first permission policy is generated to instruct the first resource of the first target visualization operation; based on the second target visualization operation and the second resource of the second target visualization operation, a second permission policy is generated to instruct the second resource of the second target visualization operation; a third permission policy is generated based on operations in the first visualization operation other than the first target visualization operation; and a fourth permission policy is generated based on operations in the second visualization operation other than the second target visualization operation. The first permission policy, the second permission policy, the third permission policy, and the fourth permission policy are used as the permission policy.

2. The method according to claim 1, characterized in that, The resources operated by the first account and the resources operated by the second account are of different types.

3. The method according to claim 1, characterized in that, Based on the resources operated by the first account, obtain the operations that the first account is authorized to perform, including: The order of the association between the current permission item and all permission items is determined, wherein the current permission item is used to indicate the resource of the operation performed by the first account; Obtain the N highest-ranking permission items from the sorting; Based on the operations indicated by the N permission items and the operations issued by the first account to the resource, it is determined that the first account has the permission to perform the operations.

4. The method according to claim 3, characterized in that, Based on the operations indicated by the N permission items and the operations issued by the first account to the resource, the operations that the first account has permission to perform are determined, including: The N permission items are displayed in a list on the human-computer interaction interface and associated with the current permission item. Obtain the M permission items selected by the user from the list; The operations indicated by the M permission items and the operations issued by the first account to the resource are taken as the operations that the first account has permission to perform.

5. A permission policy generation device, characterized in that, include: The acquisition module is used to acquire the permission tracking information of the first account. The permission tracking information includes the resources operated by the second account that invited the first account to jointly enable the permission tracking function, and the resources operated by the first account. The first account and the second account are sub-accounts under the same main account. The generation module is used to generate a visual permission policy based on the resources operated by the second account and the resources operated by the first account. The configuration module is used to configure permissions for sub-accounts under the main account that have not been configured with a permission policy, based on the permission policy. The generation module is used for: Based on the resources operated by the first account, obtain the operations that the first account is authorized to perform; and based on the resources operated by the second account, obtain the operations that the second account is authorized to perform. Generate a first visual operation that the first account has permission to perform, and generate a second visual operation that the second account has permission to perform; Based on the first visualization operation and the second visualization operation, a visualized permission policy is generated; The generation module is used for: The first target visualization operation is uniquely determined from the first visualization operation, and the second target visualization operation is uniquely determined from the second visualization operation. Based on the first target visualization operation and the first resource of the first target visualization operation, a first permission policy is generated to instruct the first target visualization operation on the first resource. Based on the second target visualization operation and the second resource of the second target visualization operation, a second permission policy is generated to instruct the second target visualization operation on the second resource; A third permission policy is generated based on the operations other than the first target visualization operation in the first visualization operation; And generate a fourth permission policy based on operations other than the second target visualization operation in the second visualization operation; The first permission policy, the second permission policy, the third permission policy, and the fourth permission policy are used as the permission policy.

6. An electronic device comprising a memory, a processor, and a computer program stored in the memory, characterized in that, The processor executes the computer program to implement the steps of the method according to any one of claims 1-4.

7. A computer-readable storage medium having a computer program / instructions stored thereon, characterized in that, When the computer program / instructions are executed by the processor, they implement the steps of the method according to any one of claims 1-4.

8. A computer program product comprising a computer program / instructions, characterized in that, When the computer program / instructions are executed by the processor, they implement the steps of the method according to any one of claims 1-4.