A system permission conversion method and device, a storage medium, and an electronic device
By constructing a permission graph and utilizing deep learning models and rule engines, system permission mapping rules are generated, resolving the contradiction between static and dynamic requirements in multi-system permission management, ensuring the accuracy and consistency of permission conversion, adapting to organizational structure changes, and reducing management costs.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications (China)
- Current Assignee / Owner
- CHINA CONSTRUCTION BANK
- Filing Date
- 2026-03-23
- Publication Date
- 2026-06-19
AI Technical Summary
Existing technologies for multi-system access control suffer from problems such as the static nature and insufficient flexibility of rule engines, broken permission inheritance logic, and insufficient adaptability to dynamic changes in organizational structure, resulting in inconsistent access control, reduced security, and increased management costs.
By constructing a permission graph and utilizing pre-trained deep learning models, especially heterogeneous graph attention networks, the paths and probabilities of users accessing system resources are generated. Combined with topological constraint loss functions and rule engines, system permission mapping rules are dynamically generated to ensure the accuracy and consistency of permission conversion.
It improves the accuracy and security of permission transfer in complex organizational structures and dynamically changing environments, reduces management costs, avoids over-authorization or permission loss, and improves the efficiency and flexibility of permission management.
Figure CN122241671A_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of computer security technology, and more specifically, to a system permission conversion method, apparatus, storage medium, and electronic device.
Background Technology
[0002] In the existing field of multi-system permission management and conversion, traditional solutions mainly rely on predefined rule engines and manually created mapping tables. This approach exposes significant limitations when faced with complex organizational structures and role-based permissions. Specifically, the closest current technical solutions exhibit shortcomings in the following aspects:
[0003] 1. Static Nature and Insufficient Flexibility of Rule Engines: Traditional methods, such as the Drools rule engine, while capable of handling basic permission allocation logic, fall short when dealing with role hierarchy inheritance and multi-dimensional cross-relationships. For example, during corporate mergers or business restructuring, frequent changes in roles and departments require permission management to adapt rapidly. However, predefined rules must be modified manually one by one, which is not only time-consuming but also prone to errors, leading to inconsistencies in permission logic and reduced security. Furthermore, rule engines struggle to handle cross-system semantic differences; that is, the same role may represent different permission scopes in different systems, requiring meticulous manual comparison and increasing the management burden.
[0004] 2. Disruptions in Permission Inheritance Logic: When the permission model of the source system (such as Role-Based Access Control, RBAC) differs structurally from that of the target system, simple linear mapping often fails to preserve the original permission inheritance logic. Traditional methods, when handling multi-level inheritance between roles, tend to overlook the role of intermediate levels, leading to either over-centralization (over-authorization) or uneven distribution (permission loss) of permissions in the target system. This not only affects the user experience in the new system but may also introduce security risks. For example, a role in the source system might require three departmental levels to gain access to specific resources, but in the target system, it might be directly granted higher-level permissions, disrupting the original hierarchical control strategy.
[0005] 3. Weak ability to handle dynamic changes in organizational structure: Current permission conversion tools are unable to automatically identify and adapt to changes in the internal organizational structure of an enterprise, such as department mergers, splits, or the addition of new roles.
[0006] In summary, existing technologies face numerous challenges in handling multi-system permission transfers, including the contradiction between the static nature of rules and the dynamic requirements of complex organizational structures, the break in permission inheritance logic, and insufficient adaptability to dynamic changes in organizational architecture.
Summary of the Invention
[0007] This application provides a system permission conversion method, apparatus, storage medium, and electronic device to at least address the numerous challenges faced by the prior art in handling multi-system permission conversion, including the contradiction between the static nature of rules and the dynamic requirements of complex organizational structures, the break in permission inheritance logic, and insufficient adaptability to dynamic changes in organizational structure.
[0008] According to one embodiment of this application, a system permission conversion method is provided, the method comprising:
[0009] The graph corresponding to the user identifier is determined based on the input user identifier and the permission graph constructed according to the entities and relationships between entities in the source system;
[0010] Based on the graph and the pre-trained deep learning model, output the path of the user accessing system resources and the corresponding probability. The deep learning model includes a topology constraint loss function, which is used to constrain the deep learning model to retain the shortest path for the user to access system resources.
[0011] System permission mapping rules are generated based on the user's access path to system resources and the corresponding probability.
[0012] In one exemplary embodiment, the entity includes at least one of the following: user or user identifier; role; department; system resource.
[0013] In an exemplary embodiment, before determining the graph corresponding to the user identifier based on the input user identifier and the permission graph constructed according to the entities and relationships between entities in the source system, the method further includes: obtaining original permission data from the source system, wherein the original permission data includes the entities, the relationships between entities, and permission access records; performing preprocessing operations on the original permission data to obtain preprocessed data, wherein the preprocessing operations include one of the following: data cleaning, entity identification, and attribute extraction; constructing an initial permission graph based on preset edge relationship types and the preprocessed data; and generating the permission graph by updating the probabilities of the edges in the initial permission graph according to the permission access records.
[0014] In an exemplary embodiment, the deep learning model includes an input layer, two graph convolutional layers, and an output layer. Correspondingly, the output of the probability of a user accessing system resources based on the graph and the pre-trained deep learning model includes: inputting the graph into the input layer and feeding it into the graph convolutional layers; aggregating the user's directly associated roles and departments, and aggregating accessible system resources based on the roles, in the graph convolutional layers and feeding them into the output layer; and generating the path of the user accessing system resources and the corresponding probability in the output layer.
[0015] In one exemplary embodiment, the deep learning model is a heterogeneous graph attention network, and the deep learning model further includes a topology constraint loss function, which is used to constrain the deep learning model to retain the shortest path for users to access system resources.
[0016] In an exemplary embodiment, generating system permission mapping rules based on the user's access path to system resources and the corresponding probability includes: retaining the user's access paths to system resources whose probability is greater than a preset threshold, and generating the system permission mapping rules from the retained paths.
[0017] In an exemplary embodiment, before generating system permission mapping rules based on the user's access path to system resources and the corresponding probability, the method further includes: outputting hard system permission mapping rules based on the user identifier and a predefined rule base.
[0018] According to another embodiment of this application, a system permission conversion device is also provided, the device comprising:
[0019] The user graph module is used to determine the graph corresponding to the user identifier based on the input user identifier and the permission graph constructed according to the entities and relationships between entities in the source system.
[0020] The probability determination module is used to output the path of the user accessing system resources and the corresponding probability based on the graph and the pre-trained deep learning model. The deep learning model includes a topology constraint loss function, which is used to constrain the deep learning model to retain the shortest path of the user accessing system resources.
[0021] The rule mapping module is used to generate system permission mapping rules based on the user's access path to system resources and the corresponding probability.
[0022] According to yet another embodiment of this application, a computer-readable storage medium is also provided, in which a computer program is stored, wherein the computer program is configured to perform the steps in any of the above method embodiments when it is run.
[0023] According to yet another embodiment of this application, an electronic device is also provided, including a memory and a processor, wherein a computer program is stored in the memory and the processor is configured to run the computer program to perform the steps in any of the above method embodiments.
[0024] In this embodiment of the invention, the association graph in the source system's permission graph is determined by inputting the user identifier. Then, a pre-trained deep learning model is used to analyze the graph structure, outputting the path for the user to access resources in the target system and its corresponding probability. This process leverages the model's ability to learn implicit relationships between entities, particularly when handling multi-dimensional cross-permission relationships. It can capture complex permission inheritance logic and map it to the target system through path probabilities, ensuring the accuracy of permission conversion. Finally, this method generates system permission mapping rules based on the path and probability, and uses a topological constraint loss function to ensure the consistency of permission inheritance paths between the source and target systems, effectively avoiding over-authorization or permission loss.
Description of the Drawings
[0025] The accompanying drawings, which are included to provide a further understanding of the invention and form part of this application, illustrate exemplary embodiments of the invention and, together with their description, serve to explain the invention and do not constitute an undue limitation thereof. In the drawings:
[0026] Figure 1 is a schematic diagram of the hardware environment for an optional system permission conversion method according to an embodiment of this application;
[0027] Figure 2 is a flowchart of an optional system permission conversion method according to an embodiment of this application;
[0028] Figure 3 is an example diagram of the permission graph in an optional system permission conversion method according to an embodiment of this application;
[0029] Figure 4 is a schematic diagram illustrating the adjustment of an optional deep learning model according to an embodiment of this application;
[0030] Figure 5 is a schematic diagram of an optional system permission conversion device according to an embodiment of this application.
Detailed Description of the Embodiments
[0031] The embodiments of this application will be described in detail below with reference to the accompanying drawings and examples.
[0032] It should be noted that the terms "first," "second," etc., in the specification, claims, and drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
[0033] The methods and embodiments provided in this application can be executed on a computer terminal or similar computing device. Taking execution on a computer terminal as an example, Figure 1 is a hardware structure block diagram of a computer terminal for an optional system permission conversion method according to an embodiment of this application. As shown in Figure 1, the computer terminal may include one or more processors 102 (only one is shown in Figure 1; the processor may include, but is not limited to, a microprocessor MCU or a programmable logic device FPGA, etc.) and a memory 104 for storing data. The computer terminal may further include a transmission device 106 for communication functions and an input/output device 108. Those skilled in the art will understand that the structure shown in Figure 1 is for illustrative purposes only and does not limit the structure of the computer terminal described above. For example, the computer terminal may also include more or fewer components than those shown in Figure 1, or have a configuration different from that shown in Figure 1.
[0034] The memory 104 can be used to store computer programs, such as application software programs and modules, like the computer program corresponding to the method for determining the adaptability of heat dissipation equipment in this embodiment. The processor 102 executes various functional applications and data processing by running the computer program stored in the memory 104, thereby implementing the above-described method. The memory 104 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 104 may further include memory remotely located relative to the processor 102, and these remote memories can be connected to a computer terminal via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
[0035] The transmission device 106 is used to receive or send data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider for the computer terminal. In one example, the transmission device 106 includes a Network Interface Controller (NIC), which can connect to other network devices via a base station to communicate with the Internet. In another example, the transmission device 106 may be a Radio Frequency (RF) module used for wireless communication with the Internet.
[0036] This embodiment provides an example of a system permission conversion method. Figure 2 is a flowchart of an optional system permission conversion method according to an embodiment of this application. As shown in Figure 2, the process includes the following steps:
[0037] Step S202: Determine the graph corresponding to the user identifier based on the input user identifier and the permission graph constructed according to the entities and relationships between entities in the source system.
[0038] An entity includes at least one of the following: user or user ID; role; department; system resource.
[0039] In this embodiment, the user identifier can be a unique symbol or code that identifies the user and is used in the access control system to record all of the user's access information. For example, in this application, the user identifier is used to extract information such as the user's associated roles and resources from the permission graph for permission reasoning. The permission graph can be a data representation that models the entities in access control (such as users, roles, departments, and resources) and their relationships as a graph structure. Storing it in a graph database management system facilitates the querying and updating of permission relationships. System resources can refer to various accessible objects in the system, including but not limited to API endpoints, data tables, and file directories.
[0040] Specifically, based on the input user identifier, the associated subgraph is extracted from the permission graph, such as the user node corresponding to the user identifier and the roles and resources within 2 hops.
[0041] Optionally, before determining the graph corresponding to the user identifier based on the input user identifier and the permission graph constructed according to the entities and relationships between entities in the source system, the method also includes the following steps:
[0042] a1) Obtain the original permission data from the source system. The original permission data includes each entity and the relationship between entities, as well as permission access records.
[0043] b1) Obtain preprocessed data by performing preprocessing operations on the original permission data. The preprocessing operations include one of the following: data cleaning, entity recognition, and attribute extraction.
[0044] c1) Construct an initial permission graph based on the preset edge relationship types and preprocessed data;
[0045] d1) Generate a new permission graph by updating the probabilities of edges in the initial permission graph based on the permission access records.
[0046] In this embodiment, raw permission data is collected from the source system. This includes, but is not limited to, information on various entities (such as users, roles, departments, and resources) and their interrelationships, as well as detailed permission access records. By performing necessary preprocessing on this raw data—such as data cleaning to remove invalid or redundant information, entity identification to accurately distinguish different types of entities, and attribute extraction to summarize the key features of each entity—the scheme can construct a more accurate initial permission graph. Subsequently, based on preset edge relationship types, such as the affiliation between users and roles, roles and departments, and access permissions between roles and resources, the constructed initial permission graph can intuitively reflect the permission structure within the system. More importantly, the scheme further dynamically updates the edge weights, i.e., the edge probability values, based on permission access records. This process helps to reflect the tightness of permission relationships between entities in real time. For example, if a user frequently accesses a specific resource, the corresponding edge weight will be strengthened, and vice versa. This mechanism ensures that the permission graph can adapt to changes in system permissions in real time, providing a solid foundation for subsequent permission conversions.
[0047] Through this series of preprocessing and graph construction processes, this technical solution can not only accurately capture the complex permission inheritance relationships in the source system, but also achieve efficient and accurate permission mapping in the target system, significantly improving the accuracy and reliability of cross-system permission conversion. Specifically, based on a dynamically updated permission graph, the solution can automatically generate user-resource mapping rules adapted to the target system's permission model through hybrid inference of a rule engine and a graph neural network. Simultaneously, by using a topological constraint loss function and a dynamic permission adjustment strategy, it ensures the consistency of permission inheritance logic and the matching of permission granularity, effectively preventing permission leakage or excessive permission convergence. Finally, through an incremental learning mechanism, the solution achieves self-optimization of permission conversion rules, further improving the accuracy and efficiency of permission conversion.
[0048] For example, the initial step involves collecting raw permission data from the source system. This includes entity information such as user identifiers, roles, departments, and system resources, as well as the relationships and access records between them. This data is then cleaned to remove irrelevant or erroneous information, followed by entity identification and attribute extraction. Key attributes such as identifying user U1 as belonging to department D1 and holding role R1, and role R1's access rights to Res1, are then identified. Using predefined edge relationship types, this data is transformed into a graph format to construct an initial permission graph. During this process, it is ensured that each edge (i.e., the relationship between entities) has a corresponding weight, reflecting its importance in the permission system. Subsequently, the graph is updated using permission access records to generate the final permission graph. This step ensures the timeliness and accuracy of the graph.
[0049] Figure 3 is an example diagram of the permission graph in an optional system permission conversion method according to an embodiment of this application. Figure 3 presents a graph model illustrating entities, relationships, and relationship weights. The graph includes entities such as users (U1), roles (R1, R2), resources (Res1, Res2), and departments (D1), as well as relationships between them such as "belongs_to", "inherits_from", "has_access", and "assigned_to", with the specific weight values of these relationships labeled.
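The graph construction steps a1) to d1) above, followed by the 2-hop subgraph extraction of step S202, as an added Python example that is not part of the patent. The raw records, the initial edge weight, the learning rate, and the moving-average update rule are assumptions standing in for details the description does not give; the edge types are the four named for Figure 3.

```python
from collections import defaultdict, deque

# Preset edge relationship types from the Figure 3 description. The initial
# weight and learning rate are assumed values; the patent gives none.
EDGE_TYPES = {"belongs_to", "assigned_to", "inherits_from", "has_access"}
INITIAL_WEIGHT = 0.5
LEARNING_RATE = 0.2

# Constructed stand-in for a source-system export (not real data).
RAW_ENTITIES = [
    ("U1", "user"), ("R1", "role"), ("R2", "role"), ("D1", "department"),
    ("Res1", "resource"), ("Res2", "resource"),
    ("U1", "user"),  # duplicate row, dropped by cleaning
    ("", "role"),    # blank identifier, dropped by cleaning
]
RAW_RELATIONS = [
    ("U1", "belongs_to", "D1"), ("U1", "assigned_to", "R1"),
    ("R2", "inherits_from", "R1"), ("R1", "has_access", "Res1"),
    ("R2", "has_access", "Res2"),
    ("U1", "likes", "Res2"),  # edge type not in the preset list, dropped
]
RAW_ACCESS = [  # constructed (user, resource, outcome) access records
    ("U1", "Res1", "allow"), ("U1", "Res1", "allow"), ("U1", "Res1", "allow"),
    ("U1", "Res2", "deny"),
]


def preprocess(entities, relations):
    """Step b1: data cleaning plus entity identification."""
    clean = {}
    for ident, etype in entities:
        if ident and ident not in clean:
            clean[ident] = etype
    rels = [(s, t, o) for s, t, o in relations
            if t in EDGE_TYPES and s in clean and o in clean]
    return clean, rels


def build_initial_graph(relations):
    """Step c1: directed edges (src, dst) -> {"type", "weight"}."""
    return {(s, o): {"type": t, "weight": INITIAL_WEIGHT} for s, t, o in relations}


def granting_chains(graph, user, resource):
    """Every user -> role -> (inherits_from ...) -> resource chain, as edge lists.
    A role holds the access of each role it 'inherits_from'."""
    chains = []
    for (s, role), e in graph.items():
        if s == user and e["type"] == "assigned_to":
            stack = [(role, [(user, role)])]
            while stack:
                r, path = stack.pop()
                if graph.get((r, resource), {}).get("type") == "has_access":
                    chains.append(path + [(r, resource)])
                for (s2, parent), e2 in graph.items():
                    if s2 == r and e2["type"] == "inherits_from" and (r, parent) not in path:
                        stack.append((parent, path + [(r, parent)]))
    return chains


def update_weights(graph, access_records):
    """Step d1: move each edge on a granting chain toward 1 on an allowed access
    and toward 0 on a denied one (exponential moving average, assumed rule)."""
    for user, resource, outcome in access_records:
        target = 1.0 if outcome == "allow" else 0.0
        for chain in granting_chains(graph, user, resource):
            for edge in chain:
                w = graph[edge]["weight"]
                graph[edge]["weight"] = w + LEARNING_RATE * (target - w)
    return graph


def build_permission_graph(entities=RAW_ENTITIES, relations=RAW_RELATIONS,
                           access=RAW_ACCESS):
    """Steps a1 to d1 end to end: returns (entity table, weighted graph)."""
    clean, rels = preprocess(entities, relations)
    return clean, update_weights(build_initial_graph(rels), access)


def user_subgraph(graph, user, hops=2):
    """Step S202: the user node plus every node within `hops` edges, ignoring
    edge direction, and the edges among those nodes."""
    adj = defaultdict(set)
    for s, d in graph:
        adj[s].add(d)
        adj[d].add(s)
    dist, queue = {user: 0}, deque([user])
    while queue:
        n = queue.popleft()
        if dist[n] == hops:
            continue
        for m in adj[n]:
            if m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    nodes = set(dist)
    edges = {e: v for e, v in graph.items() if e[0] in nodes and e[1] in nodes}
    return nodes, edges


if __name__ == "__main__":
    _, graph = build_permission_graph()
    for (s, d), e in sorted(user_subgraph(graph, "U1")[1].items()):
        print(f"{s} -{e['type']}-> {d}  weight={e['weight']:.3f}")
```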
[0050] Step S204: Based on the graph and the pre-trained deep learning model, output the path of the user accessing system resources and the corresponding probability; the deep learning model includes a topology constraint loss function, which is used to constrain the deep learning model to retain the shortest path of the user accessing system resources.
[0051] Optionally, the deep learning model includes an input layer, two graph convolutional layers, and an output layer.
[0052] Optionally, outputting the probability of a user accessing system resources based on the graph and the pre-trained deep learning model includes: inputting the graph into the input layer and feeding it into the graph convolutional layers; aggregating the user's directly associated roles and departments and, based on the roles, the accessible system resources in the graph convolutional layers, then feeding them into the output layer; and generating the path of the user accessing system resources and the corresponding probability in the output layer.
[0053] In this embodiment, the deep learning model consists of an input layer, two graph convolutional layers, and an output layer, used to output the probability of a user accessing system resources based on a constructed permission relationship graph. Specifically, the model's input layer receives the permission graph, including connection information between users, roles, departments, and resources, and passes it to the graph convolutional layers. The first graph convolutional layer focuses on processing user-level information, capturing key aspects of user permissions by aggregating data on role and department nodes directly associated with the user. Next, the second graph convolutional layer delves into the relationships between roles and resources, dynamically aggregating the features of accessible resources based on role embeddings, which helps reveal permission inheritance patterns hidden in the role hierarchy. A topological constraint loss function is used to constrain the deep learning model to retain the shortest path for users to access system resources. Finally, the output layer generates the path and corresponding probability for a user to access a specific resource, explicitly indicating the scope and likelihood of user permissions. This design not only efficiently parses complex permission inheritance logic but also accurately converts permissions between different systems, ensuring the consistency and security of cross-system permission migration. Through the model's dynamic weight calculation and incremental learning mechanism, the system can adapt to changes in the frequency of permission use and adjustments to the system architecture in real time, significantly reducing the manpower cost of permission management and improving the accuracy and response speed of permission conversion. 
The topology constraint loss function ensures that the model can retain the shortest path logic for users to access system resources during the permission mapping process, thereby accurately reproducing the permission inheritance relationship in the target system.
[0054] Optionally, the deep learning model is a heterogeneous graph attention network.
[0055] Figure 4 is a schematic diagram illustrating the adjustment of an optional deep learning model according to an embodiment of this application. Figure 4 provides a flowchart describing the dynamic degradation/upgrade strategy. As shown in Figure 4, the topology constraint loss is calculated based on the path length in the input source system and the prediction probability of the GNN. The topology constraint loss is the weighted total loss. The GNN parameters are then updated by backpropagation based on this loss. When the loss has not converged, the process returns to the calculation of the topology constraint loss; when the loss converges, the adjusted user-resource mapping rule is output.
[0056] For example, a pre-trained deep learning model, specifically a heterogeneous graph attention network, is used to input the permission graph into the model. The model then aggregates directly associated role and department information for users through graph convolutional layers, as well as accessible system resource information based on roles. Finally, the model generates paths and probabilities for users to access system resources at the output layer; for example, the probability of user U1 accessing Res1 through role R1 is 0.9. Based on these paths and probabilities, system permission mapping rules can be generated to effectively manage user access to system resources.
[0057] In the training process of the deep learning model, in addition to the conventional prediction loss, a topological constraint loss function is introduced to ensure that the model prioritizes the shortest path when predicting user access resource paths. This is because the shortest path usually represents the most direct and effective permission relationship, avoiding unnecessary permission diffusion or contraction, and improving the accuracy and efficiency of permission conversion. Specifically, when the model outputs the path for a user to access a resource, it calculates the length of this path and compares it with the actual shortest path length, using this as part of the topological constraint. If the path predicted by the model is not the shortest path, even if its probability is high, the model will be penalized by adjusting the weights, prompting it to be more inclined to output the shortest path. This mechanism ensures that permission inheritance logic is accurately preserved in a dynamic business environment, improving the quality of permission conversion.
Dynamic Weight Update Mechanism
This embodiment is a further optimization of the deep learning model, improving the efficiency and accuracy of permission conversion through a dynamic weight update mechanism. When new permission access records are added to the system, the model immediately processes this new data and adjusts the weights of relevant edges in the permission graph. For example, if a new access record for user U1 indicates that they frequently access Res2 rather than the previous Res1, then during the update process, the weight between U1 and Res2 is increased, while the weight between U1 and Res1 is appropriately decreased (assuming that R1's access weight to Res1 is higher than that to Res2). This mechanism ensures that the model can reflect the latest permission access behavior in a timely manner, thereby generating permission mapping rules that are more in line with reality.
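The topology constraint loss of [0057] as an added example, not the patent's model code: a plain-Python stand-in takes a path emitted by a model together with its probability, compares the path length with the BFS shortest path between the same endpoints, and adds the weighted penalty to the prediction loss. The adjacency map, the value of the weight λ, and the cross-entropy form of the prediction loss are assumptions.

```python
import math
from collections import deque

# Constructed directed adjacency for a small source-system permission graph:
# U1 holds role R2, R2 inherits from R1, both roles can reach Res1, and U1's
# department D1 is tied to R1. Not real data.
ADJ = {
    "U1": ["D1", "R2"],
    "D1": ["R1"],
    "R2": ["R1", "Res1"],
    "R1": ["Res1"],
    "Res1": [],
}

# Assumed weight of the topology term in the "weighted total loss" of Figure 4.
LAMBDA = 1.0


def shortest_path_length(adj, src, dst):
    """BFS hop count from src to dst, or None when dst is unreachable."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return dist[node]
        for nxt in adj.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return None


def topology_loss(adj, path, prob, lam=LAMBDA):
    """Return (prediction_loss, topology_penalty, total) for one predicted path.

    prediction_loss is -log p of the model's probability for the path (assumed
    cross-entropy form); topology_penalty is how many hops longer the path is
    than the true shortest path, zero when the path is already shortest; total
    is the weighted sum the description calls the topology constraint loss.
    """
    for a, b in zip(path, path[1:]):
        if b not in adj.get(a, []):
            raise ValueError(f"edge {a}->{b} does not exist in the graph")
    shortest = shortest_path_length(adj, path[0], path[-1])
    if shortest is None:
        raise ValueError(f"{path[-1]} is unreachable from {path[0]}")
    hops = len(path) - 1
    pred_loss = -math.log(prob)
    topo_penalty = max(0, hops - shortest)
    return pred_loss, topo_penalty, pred_loss + lam * topo_penalty


def batch_loss(adj, samples, lam=LAMBDA):
    """Mean weighted total loss over (path, probability) samples."""
    totals = [topology_loss(adj, p, q, lam)[2] for p, q in samples]
    return sum(totals) / len(totals)


if __name__ == "__main__":
    # A high-probability detour is penalised more than a lower-probability shortest path.
    for path, prob in [(["U1", "R2", "R1", "Res1"], 0.9), (["U1", "R2", "Res1"], 0.6)]:
        print(path, topology_loss(ADJ, path, prob))
```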
[0058] Step S206: Generate system permission mapping rules based on the user's access path to system resources and the corresponding probability.
[0059] In this embodiment, the system permission mapping rules can be a series of rules used to describe the transfer of permissions between the source system and the target system, including direct mapping and indirect mapping through entities such as roles and departments. In this application, a hybrid architecture of rule engine and graph neural network is used to dynamically generate system permission mapping rules, realizing effective conversion of permissions between different systems and preservation of inheritance logic.
[0060] Optionally, system permission mapping rules are generated based on the user's access path to system resources and the corresponding probability, including: retaining the user's access path to system resources with a probability greater than a preset threshold, and generating system permission mapping rules for the retained user access path to system resources.
[0061] In this embodiment, the preset threshold can be a pre-set value, and no specific limitation is made in this embodiment. For example, the threshold can be 0.7.
[0062] In this embodiment, specifically, after the access path between a user and a specific resource is calculated by a graph neural network (GNN), its access probability is quantified and evaluated. If the probability exceeds a preset threshold, it means that the user's access to the resource is reasonable and expected; in this case, the path is considered a valid permission mapping benchmark. By retaining these high-probability paths and transforming them into explicit permission rules, a precise transformation from complex multi-system permission relationships to direct user-resource mapping within the target system is achieved, ensuring the accuracy and rationality of permission allocation.
[0063] The core advantage of this design lies in its ability to dynamically adapt to changing organizational structures and role-based permission systems. This is particularly crucial in large enterprises or institutions where frequent role changes and permission additions/removals mean that traditional static rules often lag behind actual needs, leading to vulnerabilities in permission management and over-authorization issues. This solution, through real-time updated access probabilities and dynamic threshold adjustments, can instantly reflect the actual usage of permissions, automatically identify and correct potential permission deviations, reduce the complexity of permission management, and improve overall security and efficiency. In actual deployment, this path-probability-based permission rule generation mechanism significantly improves the success rate of permission migration, reduces errors and permission omissions, and makes permission management more flexible and intelligent, better adapting to ever-changing business needs and technological environments.
[0064] By applying the technical solution of this embodiment, the system permission conversion method effectively resolves the contradiction between dynamic requirements and static rules during cross-system permission conversion by integrating a rule engine and a deep learning model. This method first determines the association graph in the source system's permission graph based on the input user identifier. Then, it uses a pre-trained deep learning model to analyze the graph structure and outputs the path for the user to access resources in the target system and its corresponding probability. This process leverages the model's ability to learn implicit relationships between entities, especially when handling multi-dimensional cross-permission relationships. It can capture complex permission inheritance logic and map it to the target system through path probabilities, ensuring the accuracy of permission conversion. Finally, this method generates system permission mapping rules based on the path and probability, and uses a topological constraint loss function to ensure the consistency of permission inheritance paths between the source and target systems, effectively avoiding over-authorization or permission loss. Furthermore, through dynamic weights and incremental learning mechanisms, this solution can automatically adapt to changes in the source system's organizational structure, achieving real-time permission adjustment and optimization, significantly reducing the maintenance cost of permission management.
[0065] Optionally, before generating system permission mapping rules based on the user's access path to system resources and the corresponding probability, the method may further include: outputting hard system permission mapping rules based on the user identifier and a predefined rule base.
[0066] In this embodiment, before utilizing a Graph Neural Network (GNN) for cross-system permission conversion, the technical solution first outputs hard system permission mapping rules based on user identifiers and a predefined rule base through a rule engine. This process ensures that the permissions of key roles can be immediately confirmed without going through a complex GNN inference process; for example, administrator-level users can instantly gain access to all resources. Through the rule engine, the system can quickly determine and allocate the corresponding permissions based on a clear set of rules the moment it receives a user request, thereby achieving millisecond-level response in hard rule scenarios. Next, the GNN intervenes to handle more complex and dynamic permission inheritance relationships. By analyzing the node features and edge weights on multi-hop paths, it dynamically generates user-resource mapping rules, supplementing the limitations of the rule engine in handling non-hard rule scenarios. The entire solution achieves comprehensive coverage of permission management through the complementary advantages of the rule engine and GNN, ensuring efficient allocation of basic permissions while solving the inheritance logic problem in cross-system permission conversion, improving permission inheritance retention rate while reducing rule maintenance costs. This hybrid reasoning architecture not only improves the accuracy and efficiency of permission transitions, but also enhances the system's adaptability, enabling it to quickly adjust permission mappings when the system architecture changes, ensuring the consistency and security of permission logic.
[0067] Furthermore, in this embodiment, before generating system permission mapping rules based on the user's access path to system resources and the corresponding probability, the method further includes: outputting hard system permission mapping rules based on user identifiers and a predefined rule base. Through the preprocessing of the rule engine, the system first identifies and applies hard permission rules to ensure the deterministic allocation of core permissions, such as directly granting users of specific roles the highest level of access. This step can quickly process high-priority permission allocation, ensuring that the basic security requirements of system operation are met. Then, the GNN inference layer further analyzes the remaining complex inheritance relationships and dynamic permission scenarios to generate more detailed and adaptive permission mapping rules, thus forming an efficient permission conversion framework that can both quickly respond to hard rules and handle complex permission logic.
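The hybrid ordering described in [0065] to [0067], together with the threshold filtering of [0060] to [0062], as an added Python example that is not part of the patent: the rule engine step confirms hard rules from a predefined rule base keyed on the user's roles, the model-derived paths are filtered against the preset threshold (0.7, the value the description gives as an example), and the two rule sets are merged so that a hard rule is never shadowed by a model path. The rule base, the user-to-role lookup, the path list standing in for the deep learning model's output, and all identifiers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed predefined rule base (assumed shape): role -> resources granted
# deterministically by the rule engine, without any model inference.
HARD_RULE_BASE: Dict[str, List[str]] = {
    "admin": ["*"],             # administrator-level users get every resource
    "auditor": ["audit_log"],
}

# Constructed user-identifier -> roles lookup standing in for the source system.
USER_ROLES: Dict[str, List[str]] = {
    "u001": ["admin"],
    "u002": ["teller"],
    "u003": ["auditor", "teller"],
}

# Constructed stand-in for the deep learning model's output: for each user, a
# path through the permission graph to a target-system resource, plus the
# probability the model assigned to that path. The last path element is the resource.
GNN_PATHS: List[Tuple[str, List[str], float]] = [
    ("u001", ["u001", "admin", "core_db"], 0.99),
    ("u002", ["u002", "teller", "branch_ledger"], 0.92),
    ("u002", ["u002", "teller", "ops_dept", "core_db"], 0.41),
    ("u003", ["u003", "teller", "branch_ledger"], 0.88),
    ("u003", ["u003", "auditor", "audit_log"], 0.95),
]

THRESHOLD = 0.7  # the preset threshold value the description gives as an example


@dataclass(frozen=True)
class MappingRule:
    user: str
    resource: str
    source: str          # "hard" (rule engine) or "gnn" (retained path)
    probability: float = 1.0


def hard_rules(user: str) -> List[MappingRule]:
    """Rule-engine step: deterministic rules from the user's roles and the rule base."""
    rules = []
    for role in USER_ROLES.get(user, []):
        for resource in HARD_RULE_BASE.get(role, []):
            rules.append(MappingRule(user, resource, "hard"))
    return rules


def gnn_rules(user: str, paths, threshold: float):
    """Retain the user's paths whose probability exceeds the threshold.

    Returns (rules, dropped): dropped paths are kept for audit so that a
    low-probability path is a visible decision rather than a silent omission.
    """
    kept, dropped = [], []
    for path_user, path, prob in paths:
        if path_user != user or path[0] != user:
            continue
        if prob > threshold:
            kept.append(MappingRule(user, path[-1], "gnn", prob))
        else:
            dropped.append((path, prob))
    return kept, dropped


def convert_permissions(user: str, paths=GNN_PATHS, threshold: float = THRESHOLD):
    """Hybrid conversion: hard rules first, model-derived rules fill the rest."""
    hard = hard_rules(user)
    covered = {rule.resource for rule in hard}
    if "*" in covered:
        # A wildcard hard rule already confirms every resource; model paths add nothing.
        return hard, []
    gnn, dropped = gnn_rules(user, paths, threshold)
    # A resource already granted by a hard rule keeps the deterministic rule;
    # the model's path for it is redundant and must not produce a second rule.
    merged = hard + [rule for rule in gnn if rule.resource not in covered]
    return merged, dropped


if __name__ == "__main__":
    for uid in USER_ROLES:
        rules, dropped = convert_permissions(uid)
        print(uid, [(r.resource, r.source, r.probability) for r in rules], "dropped:", dropped)
```

Dropped paths are returned rather than discarded so that a path the model rated below the threshold leaves an audit trace; a silent omission would otherwise be indistinguishable from a permission loss.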
[0068] Overall, the technical solution of this invention not only improves the efficiency and accuracy of permission conversion, but also flexibly responds to the dynamic changes in permission models, achieving complete preservation of permission logic and consistency across systems, and providing strong support for permission management in multi-system environments.
[0069] This embodiment also provides a system permission conversion device, which is used to implement the above embodiments and preferred embodiments; details already described will not be repeated. As used below, the term "module" can be a combination of software and / or hardware that implements a predetermined function. Although the device described in the following embodiments is preferably implemented in software, hardware implementation, or a combination of software and hardware, is also possible and contemplated.
[0070] Figure 5 is a schematic diagram of an optional system permission conversion device according to an embodiment of this application. As shown in Figure 5, the device includes:
[0071] User graph module 502 is used to determine the graph corresponding to the user identifier based on the input user identifier and the permission graph constructed according to the entities and relationships between entities in the source system;
[0072] The probability determination module 504 is used to output the path of the user accessing system resources and the corresponding probability based on the graph and the pre-trained deep learning model. The deep learning model includes a topology constraint loss function, which is used to constrain the deep learning model to retain the shortest path of the user accessing system resources.
[0073] The rule mapping module 506 is used to generate system permission mapping rules based on the path of the user accessing system resources and the corresponding probability.
[0074] Optionally, in the user graph module 502, the entities include at least one of the following: user or user identifier; role; department; system resource.
[0075] Optionally, the system permission conversion device may also include: a permission graph construction module, configured to:
[0076] obtain the original permission data from the source system, where the original permission data includes each entity, the relationships between entities, and permission access records;
[0077] obtain preprocessed data by performing preprocessing operations on the original permission data, where the preprocessing operations include one of the following: data cleaning, entity recognition and attribute extraction;
[0078] construct an initial permission graph based on the preset edge relationship type and the preprocessed data; and
[0079] generate the permission graph by updating the probabilities of edges in the initial permission graph based on the permission access records.
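The four steps of the permission graph construction module, as an added Python example that is not part of the patent: relationships are checked against preset edge relationship types, the initial permission graph assigns each edge a uniform prior, and edge probabilities are then updated from permission access records. The edge type names, the entity and relationship records, the smoothed frequency estimate used as the update rule, and the uniform prior are assumptions of the example; the page fixes neither the update formula nor the initial value.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Edge = Tuple[str, str, str]  # (source entity, relationship type, target entity)

# Preset edge relationship types (assumed names; the page fixes only the entity
# kinds): relationship -> (allowed source entity type, allowed target entity type).
EDGE_TYPES: Dict[str, Tuple[str, str]] = {
    "has_role": ("user", "role"),
    "member_of": ("user", "department"),
    "grants": ("role", "resource"),
    "dept_grants": ("department", "resource"),
}

# Constructed preprocessed data: recognised entities with their extracted type,
# and the relationships between them.
ENTITIES: Dict[str, str] = {
    "u001": "user", "u002": "user",
    "teller": "role", "branch1": "department",
    "ledger": "resource", "core_db": "resource",
}
RELATIONS: List[Edge] = [
    ("u001", "has_role", "teller"),
    ("u002", "has_role", "teller"),
    ("u001", "member_of", "branch1"),
    ("teller", "grants", "ledger"),
    ("teller", "grants", "core_db"),
    ("branch1", "dept_grants", "ledger"),
]

# Constructed permission access records, each expressed as the graph edge the
# access traversed. The final record refers to a role that does not exist in
# the source system and is there to show how such a record is surfaced.
ACCESS_RECORDS: List[Edge] = (
    [("teller", "grants", "ledger")] * 9
    + [("teller", "grants", "core_db")]
    + [("u002", "has_role", "admin")]
)


def validate_relations(entities: Dict[str, str], relations: List[Edge]) -> List[str]:
    """Check every relationship against the preset edge types; return the violations."""
    problems = []
    for src, rel, dst in relations:
        if rel not in EDGE_TYPES:
            problems.append(f"unknown relationship type {rel!r} on {src}->{dst}")
            continue
        want_src, want_dst = EDGE_TYPES[rel]
        if entities.get(src) != want_src or entities.get(dst) != want_dst:
            problems.append(f"{src}-{rel}->{dst} violates {want_src}->{want_dst}")
    return problems


def build_initial_graph(entities: Dict[str, str], relations: List[Edge]) -> Dict[Edge, float]:
    """Initial permission graph: edges typed per EDGE_TYPES, each with a uniform
    prior probability 1/k over the k edges of the same type leaving its source
    (the prior is an assumption; the page does not fix the initial value)."""
    problems = validate_relations(entities, relations)
    if problems:
        raise ValueError("; ".join(problems))
    siblings = defaultdict(int)
    for src, rel, _ in relations:
        siblings[(src, rel)] += 1
    return {edge: 1.0 / siblings[(edge[0], edge[1])] for edge in relations}


def update_edge_probabilities(graph: Dict[Edge, float], records: List[Edge]):
    """Re-estimate each edge's probability from access records with add-one
    smoothing over its sibling edges: (count + 1) / (total + k). Records that
    traverse no edge of the graph are returned separately as anomalies."""
    counts = defaultdict(int)
    anomalies = []
    for record in records:
        if record in graph:
            counts[record] += 1
        else:
            anomalies.append(record)
    groups = defaultdict(list)
    for edge in graph:
        groups[(edge[0], edge[1])].append(edge)
    updated = {}
    for edges in groups.values():
        total = sum(counts[e] for e in edges)
        for e in edges:
            updated[e] = (counts[e] + 1) / (total + len(edges))
    return updated, anomalies


if __name__ == "__main__":
    graph, anomalies = update_edge_probabilities(build_initial_graph(ENTITIES, RELATIONS), ACCESS_RECORDS)
    for edge, prob in graph.items():
        print(edge, round(prob, 3))
    print("anomalous records:", anomalies)
```

Access records that traverse no edge of the graph (for example a role that no longer exists in the source system) are returned as anomalies rather than silently creating edges, so the access-record stream cannot grow the graph on its own; only the relationship data, validated against the preset edge types, decides which edges exist.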
[0080] Optionally, the probability determination module 504 is further configured such that the deep learning model includes an input layer, two graph convolutional layers, and an output layer; correspondingly, outputting the probability of the user accessing system resources based on the graph and the pre-trained deep learning model includes:
[0081] inputting the graph into the input layer and then feeding it into the graph convolutional layers;
[0082] aggregating, based on the graph, the user's directly associated roles and departments, as well as the system resources accessible based on those roles, in the graph convolutional layers, and inputting the result to the output layer; and
[0083] generating, by the output layer, the path for the user to access system resources and the corresponding probability.
[0084] Optionally, the probability determination module 504 is further configured such that the deep learning model is a heterogeneous graph attention network, and the deep learning model further includes a topology constraint loss function, which is used to constrain the deep learning model to retain the shortest path for users to access system resources.
[0085] Optionally, the rule mapping module 506 is further configured to: generate system permission mapping rules based on the user's access path to system resources and the corresponding probability, including:
[0086] The paths of users who access system resources with a probability greater than a preset threshold are retained, and system permission mapping rules are generated from the retained user access paths.
[0087] Optionally, the system permission conversion device may also include: a hard system permission mapping module, configured to:
[0088] output hard system permission mapping rules based on the user identifier and the predefined rule base.
[0089] It should be noted that the above modules can be implemented by software or hardware. For the latter, they can be implemented in the following ways, but are not limited to: all the above modules are located in the same processor; or, the above modules are located in different processors in any combination.
[0090] Through the above description of the embodiments, those skilled in the art can clearly understand that the methods according to the above embodiments can be implemented by means of software plus necessary general-purpose hardware platforms. Of course, they can also be implemented by hardware, but in many cases the former is a better implementation method. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk), and includes several instructions to cause a terminal device (which may be a mobile phone, computer, server, or network device, etc.) to execute the system permission conversion method of the various embodiments of this application.
[0091] Embodiments of this application also provide a computer-readable storage medium storing a computer program, wherein the computer program is configured to execute the steps in any of the above method embodiments when run.
[0092] In one exemplary embodiment, the aforementioned computer-readable storage medium may include, but is not limited to, various media capable of storing computer programs, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard disk, magnetic disk, or optical disk.
[0093] Embodiments of this application also provide an electronic device, including a memory and a processor, wherein the memory stores a computer program and the processor is configured to run the computer program to perform the steps in any of the above method embodiments.
[0094] In one exemplary embodiment, the electronic device may further include a transmission device and an input / output device, wherein the transmission device is connected to the processor and the input / output device is connected to the processor.
[0095] Specific examples in this embodiment can be found in the examples described in the above embodiments and exemplary implementations, and will not be repeated here.
[0096] Obviously, those skilled in the art should understand that the modules or steps of this application described above can be implemented using general-purpose computing devices. They can be centralized on a single computing device or distributed across a network of multiple computing devices. They can be implemented using computer-executable program code, and thus can be stored in a storage device for execution by a computing device. In some cases, the steps shown or described can be performed in a different order than those presented here, or they can be fabricated as separate integrated circuit modules, or multiple modules or steps can be fabricated as a single integrated circuit module. Thus, this application is not limited to any particular combination of hardware and software.
[0097] The collection, storage, use, processing, transmission, provision, and disclosure of financial data or user data involved in the technical solution of this application all comply with the provisions of relevant laws and regulations and do not violate public order and good morals.
[0098] It should be noted that in the embodiments of this application, certain software, components, models and other existing solutions in the industry may be mentioned. These should be regarded as exemplary and are only intended to illustrate the feasibility of implementing the technical solution of this application. However, it does not mean that the applicant has used or necessarily used the solution.
[0099] The above description is merely a preferred embodiment of this application and is not intended to limit this application. Various modifications and variations can be made to this application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the principles of this application should be included within the protection scope of this application.
Claims
1. A system permission conversion method, characterized in that the method includes: determining the graph corresponding to the user identifier based on the input user identifier and the permission graph constructed according to the entities and the relationships between entities in the source system; outputting, based on the graph and the pre-trained deep learning model, the path of the user accessing system resources and the corresponding probability, wherein the deep learning model includes a topology constraint loss function, which is used to constrain the deep learning model to retain the shortest path for the user to access system resources; and generating system permission mapping rules based on the user's access path to system resources and the corresponding probability.
2. The method according to claim 1, characterized in that the entity includes at least one of the following: user or user identifier; role; department; system resource.
3. The method according to claim 2, characterized in that, before determining the permission graph corresponding to the user identifier based on the input user identifier and the permission graph constructed according to the entities and relationships between entities in the source system, the method further includes: obtaining the original permission data from the source system, the original permission data including each entity, the relationships between entities, and permission access records; obtaining preprocessed data by performing preprocessing operations on the original permission data, the preprocessing operations including one of the following: data cleaning, entity recognition and attribute extraction; constructing an initial permission graph based on the preset edge relationship type and the preprocessed data; and generating the permission graph by updating the probabilities of edges in the initial permission graph based on the permission access records.
4. The method according to claim 2, characterized in that the deep learning model includes an input layer, two graph convolutional layers, and an output layer; correspondingly, outputting the probability of the user accessing system resources based on the graph and the pre-trained deep learning model includes: inputting the graph into the input layer and then feeding it into the graph convolutional layers; aggregating, based on the graph, the user's directly associated roles and departments, as well as the system resources accessible based on those roles, in the graph convolutional layers, and inputting the result to the output layer; and generating, by the output layer, the path for the user to access system resources and the corresponding probability.
5. The method according to claim 1, characterized in that the deep learning model is a heterogeneous graph attention network.
6. The method according to claim 1, characterized in that generating system permission mapping rules based on the user's access path to system resources and the corresponding probability includes: retaining the paths of users accessing system resources whose probability is greater than a preset threshold, and generating system permission mapping rules from the retained user access paths.
7. The method according to claim 1, characterized in that, before generating system permission mapping rules based on the user's access path to system resources and the corresponding probability, the method further includes: outputting hard system permission mapping rules based on the user identifier and the predefined rule base.
8. A system permission conversion device, characterized in that it includes: a user graph module, used to determine the graph corresponding to the user identifier based on the input user identifier and the permission graph constructed according to the entities and relationships between entities in the source system; a probability determination module, used to output the path of the user accessing system resources and the corresponding probability based on the graph and the pre-trained deep learning model, wherein the deep learning model includes a topology constraint loss function, which is used to constrain the deep learning model to retain the shortest path of the user accessing system resources; and a rule mapping module, used to generate system permission mapping rules based on the user's access path to system resources and the corresponding probability.
9. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program, wherein the computer program, when executed by a processor, implements the steps of the method described in any one of claims 1 to 7.
10. An electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the computer program, it implements the steps of the method described in any one of claims 1 to 7.