Financial system resource access control method, device and equipment and storage medium

By constructing a multi-dimensional user model and resource model, and combining caching middleware and data byte stream monitoring module, the problem of lagging protection in dynamic scenarios of financial systems in existing technologies has been solved, and real-time risk blocking effect has been achieved.

CN122268634APending Publication Date: 2026-06-23CSC FINANCIAL CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
CSC FINANCIAL CO LTD
Filing Date
2026-03-26
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

In the face of dynamic and complex scenarios in financial systems, existing role-based access control models have difficulty identifying abnormal batch reading or covert data infiltration behaviors in real time, resulting in delayed protection actions and an inability to achieve accurate risk blocking.

Method used

Construct multi-dimensional user models and multi-dimensional resource models, and combine caching middleware and data byte stream monitoring modules. By associating users and roles with multiple extended dimensions, configure data source ownership rules, access count limit thresholds, access frequency limit thresholds, and data traffic monitoring thresholds to achieve real-time counting status and traffic data acquisition and composite verification.

Benefits of technology

It enables precise access control to financial system resources in complex and dynamic scenarios, and can trigger quantitative circuit breakers in real time to ensure the real-time and accurate blocking of risks and prevent abnormal batch reading and hidden data infiltration.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122268634A_ABST
    Figure CN122268634A_ABST
Patent Text Reader

Abstract

The application discloses a financial system resource access control method and device, equipment and storage medium, relates to the field of information security technology, and can ensure that the financial system realizes accurate risk blocking in a complex dynamic scene. The method comprises the following steps: constructing a multi-dimensional user model and a multi-dimensional resource model; configuring a processing strategy for data resources; in response to an access request of a target user, determining a resource permission set corresponding to the access request based on multi-source extended attribute information mapping; obtaining real-time counting states of the target resources from the deployed cache middleware and real-time traffic data of the target resources from the deployed data byte flow monitoring module; and substituting the obtained real-time counting states and real-time traffic data into the processing strategy, performing resource-level composite verification on the number of access, access frequency and data traffic of the current access request, and performing an access allowing operation or an access rejecting operation according to the verification result.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of information security technology, and in particular to a method, apparatus, device and storage medium for access control of financial system resources. Background Technology

[0002] As critical infrastructure carrying sensitive customer data, high-frequency trading orders, and core risk control logic, financial information systems operate in an environment characterized by high complexity and stringent regulatory oversight. During business processes, access requests to computing resources and data assets from different organizational levels, functional positions, and temporary collaborative units exhibit significant heterogeneity and dynamism. To ensure data confidentiality and meet compliance audit requirements, financial systems need to construct an access control mechanism capable of accurately identifying the context of the entity's identity, finely defining the boundaries of object resources, and responding in real-time to dynamic security policies to mitigate the risks of unauthorized internal access and external data infiltration.

[0003] In related technologies, a standard role-based access control model can be used to achieve resource isolation. This mechanism first instantiates role objects and binds corresponding functional permission identifiers to a predefined set of roles and their associated financial systems. Then, it points the user account pointer to a specific role. User requests are authenticated by an authentication module that matches the resource list bound to the role to determine whether to grant permission. This mode is essentially a static access control based on function menus or interface URLs, focusing on logical isolation at the application layer.

[0004] However, role-based access control models mainly rely on static and flat one-way mapping logic, lacking the ability to dynamically analyze the complex topology of financial business and the real-time measurement mechanism of data flow. This leads to a problem of lagging security response in practical applications: because they cannot perceive the dynamic changes in organizational hierarchy and fine-grained data flow characteristics in real time, financial systems are unable to trigger quantitative circuit breakers based on frequency and throughput in a timely manner when faced with abnormal batch reading or covert data penetration behavior. As a result, protective actions often lag behind the moment the risk occurs, and they cannot achieve accurate risk blocking in complex and dynamic business scenarios. Summary of the Invention

[0005] In view of this, this application provides a method, apparatus, device and storage medium for access control of financial system resources. The main purpose is to solve the problem that in the prior art, when financial systems face abnormal batch reading or covert data penetration behavior, it is difficult to trigger the quantitative circuit breaker mechanism based on frequency and throughput in a timely manner, which often results in the protection action lagging behind the moment the risk occurs and failing to achieve accurate risk blocking in complex dynamic business scenarios.

[0006] Firstly, a method for access control of resources in a financial system is provided, the method comprising: Construct a multi-dimensional user model and a multi-dimensional resource model. The multi-dimensional user model sets up multiple source extension dimensions on the basis of the basic user and role association to form a multi-source association relationship between users and roles. The multi-dimensional resource model divides the financial system resources into front-end resources, back-end interface resources and data resources. Configure a processing strategy for the data resource, the processing strategy including at least a data source attribution rule, an access count limit threshold, an access frequency limit threshold, and a data traffic monitoring threshold; In response to the access request of the target user, the multi-source extended attribute information of the target user is extracted, and the resource permission set corresponding to the access request is determined based on the mapping of the multi-source extended attribute information; After confirming that the target resource carried by the access request matches the resource permission set, the real-time count status of the target resource is obtained from the deployed caching middleware and the real-time traffic data of the target resource is obtained from the deployed data byte stream monitoring module, respectively, using the target resource as an index. The caching middleware is used to store and accumulate access frequency data in real time, and the data byte stream monitoring module is used to collect and calculate the byte stream of the data transmission link in real time. The acquired real-time counting status and real-time traffic data are substituted into the processing strategy to perform resource-level composite verification of the number of accesses, access frequency, and data traffic for the current access request, and to perform access allow or access deny operation based on the verification result.

[0007] Secondly, a financial system resource access control device is provided, the device comprising: The building unit is used to build a multi-dimensional user model and a multi-dimensional resource model. The multi-dimensional user model sets up multiple source extension dimensions on the basis of the basic user and role association to form a multi-source association relationship between users and roles. The multi-dimensional resource model divides the financial system resources into front-end resources, back-end interface resources and data resources. A configuration unit is used to configure a processing strategy for the data resource, wherein the processing strategy includes at least a data source attribution rule, an access count limit threshold, an access frequency limit threshold, and a data traffic monitoring threshold. The determining unit is used to respond to the access request of the target user, extract the multi-source extended attribute information of the target user, and determine the resource permission set corresponding to the access request based on the mapping of the multi-source extended attribute information; The acquisition unit is used to, after confirming that the target resource carried by the access request matches the resource permission set, obtain the real-time count status of the target resource from the deployed caching middleware and the real-time traffic data of the target resource from the deployed data byte stream monitoring module, respectively, using the target resource as an index. The caching middleware is used to store and accumulate access frequency data in real time, and the data byte stream monitoring module is used to collect and calculate the byte stream of the data transmission link in real time. The control unit is used to input the acquired real-time counting status and real-time traffic data into the processing strategy, so as to perform resource-level composite verification of the number of accesses, access frequency and data traffic of the current access request through the processing strategy, and to perform access allow or access denial operation according to the verification result.

[0008] Thirdly, a financial system resource access control device is provided, including a storage medium, a processor, and a computer program stored on the storage medium and executable on the processor, wherein the processor implements the aforementioned financial system resource access control method when executing the program.

[0009] Fourthly, a storage medium is provided on which a computer program is stored, which, when executed by a processor, implements the aforementioned financial system resource access control method.

[0010] By employing the above technical solutions, this application provides a method, apparatus, device, and storage medium for access control of financial system resources. Compared with the current role-based access control model for access control of financial system resources, this application constructs a multi-dimensional user model and a multi-dimensional resource model. The multi-dimensional user model sets up multi-source extended dimensions on the basis of basic user and role association, forming a multi-source association relationship between users and roles. The multi-dimensional resource model divides financial system resources into front-end resources, back-end interface resources, and data resources; it configures processing strategies for data resources, including at least data source attribution rules, access count limit thresholds, access frequency limit thresholds, and data traffic monitoring thresholds; in response to the access request of the target user, it extracts the multi-source extended attribute information of the target user and, based on multi-source extended attributes, further refines the data resource model. The source extended attribute information mapping determines the resource permission set corresponding to the access request. After confirming that the target resource carried in the access request matches the resource permission set, the real-time count status for the target resource is obtained from the deployed caching middleware and the real-time traffic data for the target resource is obtained from the deployed data byte stream monitoring module, using the target resource as an index. The caching middleware is used to store and accumulate access frequency data in real time, and the data byte stream monitoring module is used to collect and calculate the byte stream of the data transmission link in real time. The obtained real-time count status and real-time traffic data are substituted into the processing strategy to perform resource-level composite verification of the access count, access frequency, and data traffic of the current access request, and to perform allow or deny access operation based on the verification result. The entire process achieves precise association of user permissions and comprehensive coverage of financial system resources by constructing a user model that integrates multiple sources and extended dimensions with a fine-grained resource model. Combined with caching middleware and data byte stream monitoring technology, and relying on refined data processing strategies to complete resource-level composite verification, it can accurately identify abnormal batch reading and hidden data penetration behaviors, and instantly trigger a quantitative circuit breaker mechanism based on access frequency and data throughput. This transforms risk protection from a delayed response to real-time blocking, ensuring that the financial system can achieve precise risk blocking in complex and dynamic scenarios.

[0011] The above description is only an overview of the technical solution of this application. In order to better understand the technical means of this application and to implement it in accordance with the contents of the specification, and to make the above and other objects, features and advantages of this application more obvious and understandable, the following are specific embodiments of this application. Attached Figure Description

[0012] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings: Figure 1 This is a flowchart illustrating a financial system resource access control method in one embodiment of this application; Figure 2 This is a schematic diagram of a multidimensional user model in one embodiment of this application; Figure 3 This is a schematic diagram of a multidimensional resource model in one embodiment of this application; Figure 4 yes Figure 1 A schematic diagram of a specific implementation method for step 103; Figure 5 yes Figure 4 A flowchart illustrating a specific implementation method for step 204; Figure 6 yes Figure 4 A flowchart illustrating a specific implementation method for step 205; Figure 7 This is an architecture diagram of resource access control in a financial system according to one embodiment of this application; Figure 8 This is a schematic diagram of the structure of a financial system resource access control device in one embodiment of this application; Figure 9 This is a schematic diagram of the device structure of a computer device provided in an embodiment of the present invention. Detailed Implementation

[0013] The present application will be described in detail below with reference to the accompanying drawings and embodiments. It should be noted that, unless otherwise specified, the embodiments and features described in the embodiments of the present application can be combined with each other.

[0014] In related technologies, role-based access control models mainly rely on static and flat one-way mapping logic, lacking the ability to dynamically analyze the complex topology of financial business and the real-time measurement mechanism of data flow. This leads to a problem of delayed security response in practical applications: due to the inability to perceive dynamically changing organizational hierarchical relationships and fine-grained data flow characteristics in real time, financial systems are unable to trigger quantitative circuit breakers based on frequency and throughput in a timely manner when faced with abnormal batch reading or covert data penetration behavior. As a result, protective actions often lag behind the moment the risk occurs, and it is impossible to achieve accurate risk blocking in complex and dynamic business scenarios.

[0015] To address this issue, this embodiment provides a method for resource access control in a financial system, such as... Figure 1 As shown, it includes the following steps: 101. Construct a multi-dimensional user model and a multi-dimensional resource model.

[0016] The multi-dimensional user model, based on the basic user-role association, incorporates multiple extended dimensions to form a multi-source relationship between users and roles. This makes the role-based permission adaptation to users more targeted, while achieving a deep binding between user attributes and permission requirements. The basic user-role association dimension includes the correspondence between basic user information and basic role information, ensuring that users have basic system access and operation permissions. The multi-dimensional extended dimensions, combined with the needs of financial business scenarios, are specifically defined as department affiliation, group affiliation, and job affiliation dimensions. These extended dimensions work synergistically with the basic association dimensions to form a complete multi-dimensional user model.

[0017] The aforementioned departmental affiliation dimension is used to clearly identify the internal department of the financial system to which a user belongs, and to accurately define the user's business jurisdiction. Common departments in the financial system include Personal Finance Department, Corporate Finance Department, Risk Control and Compliance Department, Operations Management Department, and Information Technology Department. Users in different departments are matched with the set of roles corresponding to their departmental functions. For example, users in the Personal Finance Department can be associated with roles such as Personal Client Manager, Personal Business Operator, and Personal Loan Reviewer, while users in the Risk Control and Compliance Department can be associated with roles such as Risk Control Analyst, Compliance Reviewer, and Risk Management Officer, ensuring that user permissions are highly consistent with departmental functions.

[0018] The aforementioned group affiliation dimension is used to identify the specific work groups to which a user belongs. These groups are usually formed around specific business tasks or projects, such as personal credit groups, wealth management product promotion groups, and system upgrade and maintenance groups. Users can associate with multiple groups according to their work needs, thereby obtaining the corresponding group's role permissions and realizing cross-departmental and cross-position collaborative work. For example, a user participating in a wealth management product promotion group can temporarily associate with the wealth management product promotion role and obtain product promotion-related permissions.

[0019] The aforementioned job affiliation dimension is used to refine the specific job division of users. Within the same department, users in different positions have different permissions. This dimension enables fine-grained allocation of permissions. For example, in the corporate finance department, corporate account managers have permissions for customer development and business negotiation, corporate business reviewers have permissions for reviewing business documents and confirming results, and corporate business approvers have final approval permissions. By using the job affiliation dimension, the permission requirements of each position can be accurately matched, avoiding redundancy or lack of permissions. The multidimensional resource model addresses the diversity and complexity of financial system resources by dividing them into front-end resources, back-end interface resources, and data resources. Each type of resource can be further subdivided into lower-level sub-resources, forming a clearly hierarchical resource system. This provides precise resource support for the permission matching of the multidimensional user model, while also enabling the classified management and control of resources.

[0020] The aforementioned front-end resources mainly refer to user interface resources, which serve as the entry point for users to interact with the financial system. These resources include page resources, component resources, and interactive resources. Page resources cover various functional pages of the financial system, such as login pages, customer information management pages, wealth management product display pages, transaction settlement pages, and risk control approval pages.

[0021] The aforementioned backend interface resources serve as the hub connecting frontend and data resources. They are responsible for receiving frontend requests, processing business logic, accessing data resources, and returning processing results. Specifically, these include business interface resources, permission interface resources, and monitoring interface resources. The aforementioned data resources are core assets of the financial system, covering all types of data generated throughout the entire financial business process, specifically including user data, business data, risk control data, and system data.

[0022] 102. Configure the processing strategy for the data resources.

[0023] In this embodiment, multi-dimensional processing decisions are pre-set for data resources. The processing strategy includes at least data source attribution rules, access count limit thresholds, access frequency limit thresholds, and data traffic monitoring thresholds.

[0024] The aforementioned data source attribution rules define the logical affiliation between data resources and access subjects. They not only verify whether users possess general permissions but also conduct a deeper comparison to ensure consistency between the data's attribution domain and the attributes of the requesting party. For example, when a user belonging to the "Beijing Branch" attempts to query customer asset data marked as "Exclusive to the Shanghai Branch," even if they have an advanced query role, the financial system will directly block the request and issue an unauthorized warning due to the mismatched attribution domain and the lack of a cross-domain authorization whitelist. This prevents unauthorized access to data across institutions.

[0025] The aforementioned access limit threshold defines the maximum cumulative number of times a specific user is allowed to successfully access the same data resource within a relatively long time window, serving as a long-term total volume control measure. For example, it stipulates that the daily limit for a regular teller to query the "complete profile of high-net-worth clients" is 20 times; when a teller completes the 20th legitimate query on a given day, the financial system counter reaches the threshold, and the 21st request initiated by the teller will be automatically rejected with the message "Today's quota has been exhausted."

[0026] The aforementioned access limit threshold defines the maximum rate at which a user is allowed to initiate requests within a very short time window, used to identify and block abnormal traffic caused by non-human operations in real time. For example, a frequency threshold of 5 times / minute may be set for a sensitive transaction interface; if the financial system detects that a user has initiated 8 query requests in 10 seconds, far exceeding the normal human operation speed, it will immediately determine it as a machine attack, trigger the circuit breaker mechanism, temporarily freeze the user's access permissions for the next 10 minutes, and generate a high-risk alert.

[0027] The aforementioned data traffic monitoring thresholds limit the upper limit of the size of a single response data packet or the total number of bytes transmitted per unit time. By integrating a dynamic volume verification mechanism into the server-side data encapsulation stage, a final interception is implemented before the response message leaves the system. For example, the traffic of a single interface response is set not to exceed 500KB. If a user attempts to query "full historical transaction details" without specifying a time range, resulting in the financial system retrieving tens of thousands of records and generating a response message of approximately 8MB, the traffic monitoring module will immediately identify that the value exceeds the limit before the packet is sent and disconnect the connection, thus preventing the risk of massive data leakage caused by overly broad query conditions from the source.

[0028] 103. In response to the access request of the target user, extract the multi-source extended attribute information of the target user, and determine the resource permission set corresponding to the access request based on the mapping of the multi-source extended attribute information.

[0029] In this embodiment, when the financial system receives an access request from a target user, it first triggers an attribute extraction mechanism. This attribute extraction mechanism is no longer limited to the user's basic identity information, but automatically extracts multi-source extended attribute information of the target user. Here, multi-source extended attribute information refers to the department affiliation, group affiliation, and job affiliation information defined above. Specifically, it includes attributes such as the target user's department, associated special work group, specific job division, and job level, ensuring accurate identification of user identity and the basis for business permission adaptation.

[0030] Based on the extracted multi-source extended attribute information, the financial system accurately maps and determines the set of resource permissions corresponding to the access request through preset attribute and permission mapping rules. In the specific mapping process, based on a predefined policy engine, the financial system uses multi-source extended attributes as dynamic input variables and performs complex logical mapping operations. This process typically employs an attribute-based access control model, using algorithms such as Boolean logic, range comparison, or weighted scoring to perform multi-dimensional matching of user attributes with resource and environmental attributes. For example, a policy might stipulate that "read and write permissions to the 'financial database' are only mapped when the user's job level is higher than P7, they are using company intranet devices, and it is within working hours." The financial system then iterates through all applicable access control policies in real time, dynamically calculating the set of resource permissions corresponding to this specific request. It is understandable that this set of resource permissions is not statically configured but rather a dynamic result that evolves in real time as user attributes change, ensuring fine-grained permission determination and context-awareness.

[0031] Correspondingly, the financial system can execute the final access decision and response based on the generated resource permission set. This resource permission set clearly defines the specific list of resources that the target user can access in the current request context and the types of operations allowed therein. The access control gateway uses this set as a mandatory whitelist to perform secondary verification on the user's actual operation request: if the request falls within the set's scope, it is allowed and an audit log is recorded; if the request exceeds the set's boundaries, the connection is immediately blocked and an anomaly alarm is triggered.

[0032] 104. After confirming that the target resource carried by the access request matches the resource permission set, the real-time count status of the target resource is obtained from the deployed cache middleware and the real-time traffic data of the target resource is obtained from the deployed data byte stream monitoring module, using the target resource as an index.

[0033] In this embodiment, a request only possesses a trusted context when the target resource is verified to belong to a legitimate subset of permissions calculated by the current user based on multi-source attributes. By verifying the target resource, all collected frequency and traffic data can be confirmed to originate from compliant business interactions, providing a high-value data foundation for subsequent risk assessment.

[0034] After confirming that the target resource carried in the access request matches the resource permission set, the financial system uses the globally unique identifier of the resource as an index to concurrently initiate two independent high-speed data acquisition links. This design leverages the parallel processing capabilities of a distributed system to directly initiate real-time queries to the deployed monitoring infrastructure: one link points to a high-performance caching middleware to obtain frequency status, and the other link points to the underlying byte stream monitoring module to obtain traffic characteristics. This resource-based indexing mechanism enables the financial system to quickly locate the operational status of a specific resource within the current time window.

[0035] The aforementioned caching middleware is a distributed caching component pre-deployed on the backend of the financial system, used for real-time storage and cumulative calculation of access frequency data. This middleware assigns a unique cache key to each type of target resource, corresponding one-to-one with the target resource identifier. When a user initiates an access request for that target resource, and the permission verification passes, the middleware automatically updates the access frequency data corresponding to that target resource and stores the latest count status in real time. Specifically, the real-time count status of the middleware includes two parts of data, corresponding to the access count limit threshold and access frequency limit threshold in the data resource processing strategy mentioned above: First, the cumulative access count within a preset period, i.e., the total number of times all legitimate users access the target resource from 00:00 on the current day or the 1st of the current month; the middleware automatically resets this count according to the natural cycle. Second, the real-time access frequency per unit time, i.e., the average number of times legitimate users access the target resource in the most recent minute or hour; the middleware accumulates and updates this frequency data in real time to ensure that the data is synchronized with actual access behavior.

[0036] The data byte stream monitoring module, which works in parallel with the caching middleware, is also a dedicated monitoring component pre-deployed in the financial system's data transmission chain. It is used to collect and calculate the byte stream of the data transmission chain in real time. This module provides comprehensive monitoring of all data transmission chains within the financial system. When a target user's access request passes authentication and begins transmitting target resource data, the module automatically identifies the byte stream corresponding to that target resource and collects the number of bytes during the data transmission process in real time. This includes the number of bytes in the data stream when the user views it online and the number of bytes in the file when downloading / exporting. Simultaneously, it accumulates the byte count at preset intervals to obtain the real-time traffic data of the target resource. Specifically, the real-time traffic data acquired by the data byte stream monitoring module mainly includes the cumulative number of bytes transmitted per unit time and the real-time byte flow rate of the current transmission session. The cumulative number of bytes transmitted directly corresponds to the data traffic monitoring threshold, used to determine whether the current user and all users' traffic usage of the target resource exceeds the limit. The data byte stream monitoring module also has the function of identifying abnormal traffic. If the real-time byte stream rate of a certain target resource suddenly surges and far exceeds the flow rate range under normal access scenarios, an early warning will be triggered to facilitate the operation and maintenance personnel to promptly investigate whether there is malicious batch download behavior.

[0037] It should be noted that the data acquisition processes of the caching middleware and the data byte stream monitoring module are executed in complete parallel. Both use the target resource identifier as a unique index, ensuring that real-time counting status and traffic data obtained from different sources strictly correspond to the same target resource. This parallel mechanism based on a unified index eliminates the risk of data misalignment and ensures the accuracy of subsequent threshold verification.

[0038] 105. Substitute the acquired real-time counting status and real-time traffic data into the processing strategy to perform resource-level composite verification of the number of accesses, access frequency and data traffic of the current access request through the processing strategy, and perform access allow or access denial operation according to the verification result.

[0039] In practical implementation, the financial system can input real-time counting status and real-time traffic data into a preset processing strategy engine. This processing strategy engine no longer relies on a single static rule, but instead constructs a multi-dimensional resource-level composite verification model. First, the processing strategy engine parses the real-time counting status, extracts the cumulative number of accesses and the instantaneous access frequency, and compares them with the frequency thresholds defined in the processing strategy. Simultaneously, the processing strategy engine parses the real-time traffic data, extracts the number of bytes transmitted in the current session and the instantaneous bandwidth utilization rate, and matches them with the traffic thresholds.

[0040] Specifically, resource-level composite verification does not rely on isolated judgments of single indicators, but rather constructs a three-dimensional decision space encompassing access limit, access frequency threshold, and data traffic limit. The financial system comprehensively considers the interaction of these three dimensions: for example, even if the access frequency does not exceed the limit, if a single request triggers abnormally large data traffic, or if the cumulative access count reaches a critical value within a short period, composite verification will determine it as risky behavior. This multi-factor correlation analysis mechanism can effectively identify various complex attack patterns, ensuring the accuracy of the verification results.

[0041] If the verification results show that all indicators are within the safety threshold range, the processing strategy will generate an access permission instruction, allow the current request and return the target resource data normally. At the same time, the real-time counting status of the cache middleware will be updated synchronously. For example, the cumulative number of accesses and the access frequency per unit time will each be incremented by 1, as well as the real-time traffic data of the data byte stream monitoring module, for example, the current number of bytes transmitted will be incremented.

[0042] If any step of the verification fails, the financial system will immediately execute an access denial operation, terminating data transmission and returning a clear denial message to the target user. In addition, the denial operation will also trigger the security alarm module, recording detailed information of the verification failure to the log system in real time and triggering corresponding warnings based on the severity of the failure: ordinary failures are only logged, such as exceeding the access limit; serious failures are pushed to operations and maintenance personnel and the risk control and compliance department to promptly investigate whether there is malicious access behavior, such as high-frequency access or traffic surges, to ensure the security of financial data resources.

[0043] The financial system resource access control method provided in this application, compared with the current role-based access control model for access control of financial system resources, constructs a multi-dimensional user model and a multi-dimensional resource model. The multi-dimensional user model, based on the basic user-role association, sets up multi-source extended dimensions to form multi-source associations between users and roles. The multi-dimensional resource model divides financial system resources into front-end resources, back-end interface resources, and data resources; it configures processing strategies for data resources, including at least data source attribution rules, access count limit thresholds, access frequency limit thresholds, and data traffic monitoring thresholds; in response to the access request of a target user, it extracts the multi-source extended attribute information of the target user and maps it based on the multi-source extended attribute information to... The system defines the resource permission set corresponding to the access request. After confirming that the target resource carried in the access request matches the resource permission set, it retrieves the real-time count status of the target resource from the deployed caching middleware and the real-time traffic data of the target resource from the deployed data byte stream monitoring module, using the target resource as an index. The caching middleware is used to store and accumulate access frequency data in real time, and the data byte stream monitoring module is used to collect and calculate the byte stream of the data transmission link in real time. The obtained real-time count status and real-time traffic data are substituted into the processing strategy to perform resource-level composite verification of the access count, access frequency, and data traffic of the current access request, and executes the allow or deny access operation based on the verification result. The entire process achieves precise association of user permissions and comprehensive coverage of financial system resources by constructing a user model that integrates multiple sources and extended dimensions with a fine-grained resource model. Combined with caching middleware and data byte stream monitoring technology, and relying on refined data processing strategies to complete resource-level composite verification, it can accurately identify abnormal batch reading and hidden data penetration behaviors, and instantly trigger a quantitative circuit breaker mechanism based on access frequency and data throughput. This transforms risk protection from a delayed response to real-time blocking, ensuring that the financial system can achieve precise risk blocking in complex and dynamic scenarios.

[0044] In practical applications, multidimensional user models can be found in [reference needed]. Figure 2 As shown in the figure, this embodiment clearly illustrates the multi-dimensional attribution structure of user identity in the financial system and its mapping path to the final permission module. It aims to realize a refined access control model based on multi-source extended dimensions. In the multi-dimensional user model, the multi-source extended dimensions are specifically defined as department attribution dimension, group attribution dimension and job position attribution dimension. Figure 2 The left side represents the department affiliation dimension. For the department affiliation dimension, there are permission inheritance rules based on a tree topology structure: when establishing the association between users and roles, if a child node department does not have a specific role explicitly configured, it will automatically inherit the set of roles associated with its parent node department up to the root node. The aforementioned departmental affiliation configuration adopts a multi-tiered departmental architecture, supporting hierarchical divisions of first-level departments, second-level departments...N-level departments. By configuring departmental hierarchical relationships, a mechanism is established for child departments to inherit roles from parent departments. Specifically, information on each level of departments is entered into the access control system, clarifying the subordinate relationship between parent and child departments. After configuring basic roles and corresponding resource permissions for parent departments, child departments automatically inherit the roles and permissions of their parent departments. Furthermore, child departments can configure personalized roles and permissions based on inherited permissions, with personalized permissions having higher priority than inherited permissions.

[0045] Figure 2 The middle section represents the group affiliation dimension. For this dimension, a temporary role binding mechanism based on a time window is established: when a user leaves a group or the time window expires, the corresponding role association is automatically terminated. The group affiliation dimension includes dynamic virtual organizations such as project groups, emergency response groups, and business collaboration groups. Users can temporarily or permanently join different groups based on their actual work tasks. This layer supports flexible permission allocation in cross-departmental collaboration scenarios, compensating for the shortcomings of static departmental structures and enhancing the system's adaptability to agile business needs.

[0046] The above group affiliation configuration is based on the needs of financial business collaboration, dividing different business groups, such as project groups and emergency handling groups. Users can freely join or leave groups. Within a group, users automatically obtain the corresponding role and resource permissions, while retaining their own department role and job role permissions. The scope of permissions is the union of the permissions of each role.

[0047] Figure 2 The right side represents the job affiliation dimension. For this dimension, mutually exclusive role constraints are set: multiple job roles with conflicting business requirements cannot be mapped to the same user simultaneously. The dotted arrows indicate that financial positions are not directly bound to permissions; instead, they are first mapped to a predefined set of roles, and then the roles are aggregated to generate specific permission modules. This indirect mapping mechanism decouples job responsibilities from system permissions, facilitating adjustments. For example, when a job's responsibilities change, only the associated role combination needs modification, without needing to adjust the underlying permission points one by one.

[0048] The above-mentioned job assignment configuration constructs a financial job system covering the entire business process of the front office, middle office, and back office, specifically including positions such as financial product sales, wealth management, risk review, operations management, and technical support; it supports the same person to be assigned to multiple financial positions at the same time, and users obtain corresponding job roles and resource permissions through different positions. The permissions of each position are calculated independently, and the scope of permissions is the union of all position permissions, department permissions, and group permissions.

[0049] For specific multidimensional resource models in practical applications, please refer to [link / reference]. Figure 3As shown in the diagram, this embodiment clearly divides the three major resource domains in the system that require fine-grained access control: front-end resources, back-end interface resources, and data resources.

[0050] Figure 3 The left side represents front-end resources, which encompass all UI elements that users can directly perceive and manipulate in the graphical interface, including menu resources, button resources, form resources, pop-up resources, file resources, and image resources. Access control for these resources is primarily reflected in visibility and operability. For example, unauthorized users cannot see specific menu items or click critical operation buttons, thereby achieving security isolation at the front-end level.

[0051] Figure 3 The middle section comprises backend interface resources, which represent the service entry points supporting business operations. These resources are functionally categorized into management interfaces, transaction interfaces, data query interfaces, configuration interfaces, resource interfaces, and permission interfaces. These resources are key execution points for permission verification. Each interface is bound to a unique resource identifier, and upon request arrival, real-time counting and traffic data collection are triggered for a three-dimensional composite verification of frequency, number of calls, and traffic, preventing interface abuse or unauthorized calls.

[0052] Figure 3 The right side represents data resources, which point to the underlying data storage entities. These include structured or unstructured datasets such as customer data sources, transaction data sources, product data sources, post-investment data sources, stock data sources, and fund data sources. Access control for these resources relies not only on role-based permissions but also on data sensitivity levels, anonymization strategies, and row / column-level filtering rules. This ensures that even those with API access rights can only access the minimum necessary datasets within their scope of responsibility, thus protecting both permissions and data.

[0053] Specifically, such as Figure 4 As shown, step 103 above, which determines the resource permission set corresponding to the access request based on the multi-source extended attribute information mapping, includes the following steps: 201. Analyze the department affiliation dimension of the target user, traverse the tree path from the bottom up to the root node of its department, collect the valid roles that are explicitly configured or inherited by each level of the department on the path, and form an initial set of inherited roles.

[0054] 202. Obtain the set of temporary roles associated with the target user under the group affiliation dimension, and the set of responsibility roles associated with the target user under the job position affiliation dimension.

[0055] 203. Merge and deduplicate the inherited role set, temporary role set, and duty role set to obtain the role set to be adjudicated.

[0056] 204. Based on the preset mutually exclusive role constraint rules and priority weights, perform conflict detection and strategy adjudication on the set of roles to be adjudicated, remove roles with business mutual exclusion conflicts and low-priority conflict roles, and generate a compliant target role set.

[0057] 205. Parse the resource permission identifier bound to each role in the set of compliant target roles, perform secondary deduplication on all resource permission identifiers, and form the final resource permission set.

[0058] In this embodiment, determining the set of resource permissions corresponding to an access request is a refined process from multi-dimensional attribute parsing to policy adjudication. First, the financial system parses the target user's department affiliation dimension, using a bottom-up traversal algorithm to scan along the tree path from the user's department node to the root node. During this process, the financial system automatically collects the explicitly configured roles at each level of the path and the effective roles that take effect through the inheritance mechanism, constructing an initial set of inherited roles that reflects the organizational structure hierarchy, ensuring that the user naturally possesses the basic permissions of their organizational chain.

[0059] Subsequently, the financial system aggregates user role information across the dimensions of dynamic collaboration and functional positioning. Specifically, the financial system obtains a set of temporary roles associated with a user under the group affiliation dimension due to participation in specific projects or temporary tasks, and a set of responsibility roles bound under the job affiliation dimension. The initial inherited role set, temporary role set, and responsibility role set generated above are then subjected to a union operation and preliminary deduplication to form a set of roles to be adjudicated.

[0060] Next, to ensure the security and compliance of the authorization system, the financial system performs in-depth conflict detection and policy adjudication on the set of roles to be adjudicated, based on pre-defined mutually exclusive role constraint rules and the priority weights of each role. At this stage, any roles with mutually exclusive business logic will be identified, and low-priority roles or those violating security baselines will be forcibly removed, generating the target role set.

[0061] Finally, the financial system performs permission mapping and resolution on the set of compliant target roles. This process involves the financial system extracting the underlying resource permission identifier bound to each role in the set, aggregating all extracted identifiers, and performing a second deduplication process to eliminate redundant entries, forming the final resource permission set. This resource permission set serves as the direct basis for subsequent access control decisions, ensuring that current access requests can only operate on target resources within the adjudicated permission scope, achieving a precise closed-loop mapping from the user's multi-dimensional identity to specific resource operation rights.

[0062] Specifically, such as Figure 5 As shown, step 204 above includes the following steps: 301. Pre-set cross-dimensional priority weights; 302. During the process of merging the inherited role set, temporary role set and duty role set, when access policy conflicts are detected in role sets with different priorities for the same resource identifier, the high priority overriding policy is executed, the access policy in the highest priority set is retained and the conflicting policy in the low priority set is blocked. 303. At the same time, within the department affiliation dimension, if a sub-department explicitly configures personalized permissions for a specific resource, then the priority of the personalized permission is determined to be higher than the permission inherited from the parent department, directly overriding the restrictions in the inherited permission. 304. Based on the pre-set list of mutually exclusive role pairs, the set of roles after the above-mentioned policy decision is verified. If it is detected that the same user has multiple roles belonging to the same mutually exclusive role pair, the role with the lower priority is forcibly removed, and only the role with the highest priority is retained to obtain a compliant target role set.

[0063] In this embodiment, the financial system resolves role conflicts by constructing a multi-dimensional priority adjudication mechanism. First, a cross-dimensional weighting ladder is established: the job-based attribute dimension based on function is set as the highest priority, the group-based attribute dimension based on collaboration is set as the second highest, and the department-based attribute dimension based on organizational structure is set as the lowest. At the same time, within the department, the principle of explicit configuration of child level is superior to inheritance of parent level is followed to ensure that personalized permissions can accurately cover the general inheritance strategy.

[0064] Based on this, the financial system executes a dual verification logic of high-priority coverage and mutual exclusion. When merging multi-source role sets, if a policy conflict is found for the same resource identifier, the access policy in the highest priority dimension is directly retained, and the conflicting items of lower priority are blocked. Subsequently, the financial system performs a deep scan of the list based on pre-defined mutually exclusive roles. Once it detects that a user holds multiple mutually exclusive roles, the lower-priority role is immediately and forcibly removed, retaining only the highest-priority one. Through this series of automated decisions, a target role set that both conforms to the principle of separation of business responsibilities and accurately reflects the user's current highest effective authority is ultimately output.

[0065] Specifically, such as Figure 6 As shown, step 205 above includes the following steps: 401. Initialize and build the resource permission bitmap; 402. Traverse the set of compliant target roles and extract the resource permission identifiers bound to each role; 403. Utilizing the unique index characteristic of the resource permission bitmap, all extracted resource permission identifiers are mapped to the corresponding index positions of the resource permission bitmap and set, so that duplicate resource permission identifiers occupy only the same index position in the resource permission bitmap, thereby generating a deduplicated dynamic permission bitmap. 404. Determine the final set of resource permissions by taking the set of resource identifiers corresponding to all valid index positions in the dynamic permission bitmap.

[0066] In this embodiment, each binary number in the resource permission bitmap uniquely corresponds to the access status of a global resource identifier through a preset mapping function, and the initial status is set to invalid.

[0067] In the process of traversing the generated set of compliant target roles, the specific financial system extracts all resource permission identifiers bound to each role. Utilizing the uniqueness of the bitmap index, each extracted resource identifier is mapped to a specific index position in the resource permission bitmap, and a bit-setting operation is performed. This process leverages the characteristics of the data structure to achieve automatic deduplication: regardless of how many times the same resource identifier appears in different roles, it always occupies only the same index position in the resource permission bitmap, generating a compact and non-redundant dynamic permission bitmap.

[0068] Specifically, during the scanning and parsing of the generated dynamic permission bitmap in the financial system, all valid index positions are identified. These valid indexes are then mapped back to their corresponding global resource identifiers and aggregated into a final list. The resulting final resource permission set not only fully covers the permission scope of all compliant user roles but also eliminates duplicate entries, providing a basis for subsequent access control decisions and significantly improving the processing efficiency of large-scale permission data.

[0069] In practical application scenarios, the architecture for specific financial system resource access control can be found in [reference needed]. Figure 7 As shown, in Figure 7 In this architecture, the financial system takes the data control center as its hub, connecting upwards to three key data sources: customer data sources, transaction data sources, and product data sources, and linking downwards to the data byte stream monitoring and configuration activation engine, forming a closed-loop risk control system from data collection and strategy execution to effect feedback.

[0070] On the data inflow side, the caching middleware acts as a front-end buffer layer, responsible for preset threshold management, real-time query response, and record updates. This improves access efficiency and provides a stable data input environment for subsequent control modules. The data management center integrates three core control engines: access frequency control limits the frequency of requests to specific resources per unit time; access reduction control automatically lowers the access priority or rate for high-frequency users or those exhibiting abnormal behavior; and data flow control performs macro-level throughput regulation based on bandwidth, packet volume, or byte count.

[0071] All control policies are deployed and dynamically adjusted in real time through a configuration activation engine, ensuring that risk control rules can iterate rapidly with business scenarios. Simultaneously, the raw byte streams generated during the control process are pushed to the data byte stream monitoring module. Specifically, the data byte stream monitoring module uses a circular buffer algorithm based on a sliding time window when calculating real-time data traffic, including: The timeline is divided into time slices of equal length, and a circular buffer of a set length is maintained. Each storage unit of the circular buffer contains a timestamp and a byte counter, and the value of the byte counter is zero in the initial state. When the data transmission link captures byte stream data, the target time segment index corresponding to the current timestamp is obtained, and the timestamp marker stored at the target segment index position in the circular buffer is read. If the timestamp is inconsistent with the current time slice, it is determined that the data in the storage unit has expired. First, the byte counter of the storage unit is cleared and the timestamp is updated to the current time slice. Then, the captured byte stream data is accumulated into the updated byte counter using an atomic accumulation instruction. When performing data traffic composite verification, all storage units covered by the starting shard index to the ending shard index in the circular buffer are traversed, and the byte counter values ​​of the timestamp markers within the current window range are filtered and accumulated. The accumulated result is determined as the real-time traffic data.

[0072] In this embodiment, the data byte stream monitoring module employs an efficient sliding time window circular buffer algorithm to accurately calculate real-time traffic. First, the continuous timeline is divided into equal-length time slices, and a fixed-length circular buffer is maintained. Each storage unit in this buffer contains two key fields: a timestamp to identify validity and a byte counter for counting. During initialization, the byte counters of all units are set to zero, establishing the underlying data structure for subsequent dynamic traffic statistics.

[0073] When new byte stream data is captured in the data transmission link, the current timestamp is obtained and mapped to the corresponding target time slice index. Then, the timestamp marker stored at that index position in the circular buffer is read and compared for verification: if the marker is found to be inconsistent with the current time slice, it is determined that the historical data within that unit has expired. At this point, the financial system performs a reset and update operation: first, the byte counter is cleared to zero; then, the timestamp marker is updated to the current slice; finally, an atomic accumulation instruction is used to safely accumulate the number of newly captured bytes into the counter. This mechanism ensures that expired data can be automatically cleaned up in high-concurrency scenarios, and the counting operation is thread-safe.

[0074] During the final data traffic verification, based on the current sliding window range, the algorithm traverses all storage units covered by the circular buffer from the start shard index to the end shard index. The algorithm intelligently filters out units whose timestamps fall within the current valid window, ignoring outdated data that, although within the buffer, has exceeded the window range. The byte counter values ​​within these valid units are accumulated, and the sum obtained is the accurate real-time traffic data. This method not only maintains constant memory usage but also ensures the real-time performance and accuracy of traffic statistics, enabling rapid response to sudden traffic fluctuations.

[0075] In practical application scenarios, in order to address the state consistency issues caused by policy changes, after configuring the processing policy for the data resource, the above method further includes the following steps: When the processing strategy changes, a configuration version snapshot containing the real-time counting status is generated, and the configuration version snapshot is pushed to the cache middleware and the data byte stream monitoring module. Correspondingly, the cache middleware initiates an asynchronous persistence task, and writes the real-time counting status and real-time traffic data in memory to a non-volatile storage medium according to a preset time interval or triggering condition, forming a persistent snapshot file with a persistence completion timestamp. When the system restarts due to a failure, it loads the most recent persistent snapshot file to restore the basic state and reads the historical transmission logs in the data byte stream monitoring module whose timestamps are later than the persistence completion timestamp for replay and accumulation to compensate for the count increments lost during the failure.

[0076] Specifically, once a change in the processing strategy is detected, the financial system generates a configuration version snapshot containing the current real-time counting status. This configuration version snapshot is then pushed to the caching middleware and data byte stream monitoring module in real time, ensuring that downstream components can seamlessly switch based on the latest strategy version and data benchmark, thereby avoiding control deviations or logical conflicts caused by configuration update lags.

[0077] Following the aforementioned state synchronization process, to ensure data persistence and reliability, the caching middleware immediately initiates an asynchronous persistence task. This task no longer relies on synchronous blocking writes, but instead writes high-frequency changing real-time counting states and traffic data from memory to non-volatile storage media in batches according to preset time intervals or specific trigger conditions. Each write operation generates a snapshot file with a precise persistence completion timestamp. This not only enables periodic archiving of critical operational states but also provides a reliable data anchor for potential subsequent fault recovery.

[0078] Furthermore, this embodiment constructs a recovery process to address potential unexpected system failures. When the system restarts after a failure, it first loads the most recently successfully persisted snapshot file to quickly restore the system to its pre-failure state. Based on this, the system automatically reads the historical transmission logs stored in the data byte stream monitoring module and intelligently filters out incremental records with timestamps later than the persistence completion timestamp. By replaying and accumulating this un-persisted data, the system can accurately compensate for the lost count increments during the failure, achieving zero-loss recovery of statistical data and smooth continuation of business status.

[0079] In one application scenario, taking a cross-departmental new product marketing campaign at a bank as an example, a financial system resource access control system is constructed. The system first creates a new financial product marketing group, unifying cross-functional personnel from the marketing, wealth management, and information technology departments, and associating them with marketing project roles. In terms of identity attribution, the system automatically integrates the personnel's secondary or primary department attributes and their respective financial job attributes, and ensures that there are no mutually exclusive permissions between multiple roles through a built-in conflict detection mechanism. Based on this, the system implements a fine-grained resource control strategy: at the front-end, the marketing management page, product release button, and customer information viewing form are open; at the back-end, product release and basic customer information query interfaces are authorized; at the data level, full access is granted to product data sources, while customer data sources are strictly restricted to basic information visibility.

[0080] In the specific risk control execution phase, the system set quantitative thresholds for the project team's access behavior, including a daily access limit of 500 times, a frequency limit of 10 times per minute, and a data traffic cap of 10MB per access. Implementation results showed that project members, through the combined effect of group, department, and job role, obtained comprehensive permissions that met the needs of cross-departmental collaboration, and the system did not trigger any permission conflict alarms throughout the process. All calls to the product database and queries of customer information ran smoothly within the preset frequency and traffic range, achieving secure isolation and compliant flow of financial-grade data.

[0081] In another application scenario, taking the emergency situation of abnormal fluctuations in securities company client funds as an example, an emergency fund verification permission configuration system was built. The system quickly created an emergency fund verification group, temporarily absorbing key personnel from the risk control department, operations department, and finance department, and uniformly associating them with emergency verification roles. In the identity verification stage, the system automatically identified the primary attributes and corresponding positions of each department, and took effect immediately after confirming that there were no permission conflicts between the risk control and finance positions. In terms of resource control, the system precisely opened the emergency verification front-end page, fund flow viewing, and transaction record export functions, and authorized the corresponding query and export interfaces on the back end; at the data level, transaction and fund data sources were strictly limited to read-only access to prevent data tampering. At the same time, given the emergency export requirements, the system dynamically adjusted the control thresholds, setting a maximum total number of accesses of 1000 times during the emergency period, a frequency limit of 20 times per minute, and temporarily increasing the single data traffic threshold to 50MB to balance verification efficiency and security bottom line.

[0082] The above implementation process demonstrated extremely high response speed and closed-loop management capabilities, enabling the emergency response team to instantly obtain full-link access permissions and quickly conduct in-depth investigations into fund flows. During operation, the system monitored data access traffic and call frequency in real time, and all operations were precisely controlled within preset thresholds, with no violations or overreach occurring. Crucially, this embodiment achieved automated lifecycle management of permissions: once the emergency task ended and personnel left the group, an automatic permission revocation mechanism was triggered, completely eliminating the security risks of temporarily high-privilege accounts remaining in the system.

[0083] Furthermore, as a specific implementation of the above method, embodiments of this application provide a financial system resource access control device, such as... Figure 8 As shown, the device includes: a construction unit 51, a configuration unit 52, a determination unit 53, an acquisition unit 54, and a control unit 55.

[0084] The construction unit 51 is used to construct a multi-dimensional user model and a multi-dimensional resource model. The multi-dimensional user model sets up multiple source extension dimensions on the basis of the basic user and role association to form a multi-source association relationship between users and roles. The multi-dimensional resource model divides the financial system resources into front-end resources, back-end interface resources and data resources. Configuration unit 52 is used to configure a processing strategy for the data resource, the processing strategy including at least a data source attribution rule, an access count limit threshold, an access frequency limit threshold, and a data traffic monitoring threshold; The determining unit 53 is used to respond to the access request of the target user, extract the multi-source extended attribute information of the target user, and determine the resource permission set corresponding to the access request based on the mapping of the multi-source extended attribute information; The acquisition unit 54 is used to, after confirming that the target resource carried by the access request matches the resource permission set, obtain the real-time count status of the target resource from the deployed cache middleware and the real-time traffic data of the target resource from the deployed data byte stream monitoring module, respectively, using the target resource as the index. The cache middleware is used to store and accumulate access frequency data in real time, and the data byte stream monitoring module is used to collect and calculate the byte stream of the data transmission link in real time. The control unit 55 is used to input the acquired real-time counting status and real-time traffic data into the processing strategy, so as to perform resource-level composite verification of the number of accesses, access frequency and data traffic of the current access request through the processing strategy, and to perform access allow or access denial operation according to the verification result.

[0085] The financial system resource access control device provided in this invention, compared with the current role-based access control model for access control of financial system resources, constructs a multi-dimensional user model and a multi-dimensional resource model. The multi-dimensional user model, based on the basic user-role association, sets up multi-source extended dimensions to form a multi-source association relationship between users and roles. The multi-dimensional resource model divides financial system resources into front-end resources, back-end interface resources, and data resources; it configures processing strategies for data resources, including at least data source attribution rules, access count limit thresholds, access frequency limit thresholds, and data traffic monitoring thresholds; in response to the access request of a target user, it extracts the multi-source extended attribute information of the target user and maps it based on the multi-source extended attribute information to determine... The system defines the resource permission set corresponding to the access request. After confirming that the target resource carried in the access request matches the resource permission set, it retrieves the real-time count status of the target resource from the deployed caching middleware and the real-time traffic data of the target resource from the deployed data byte stream monitoring module, using the target resource as an index. The caching middleware is used to store and accumulate access frequency data in real time, and the data byte stream monitoring module is used to collect and calculate the byte stream of the data transmission link in real time. The obtained real-time count status and real-time traffic data are substituted into the processing strategy to perform resource-level composite verification of the access count, access frequency, and data traffic of the current access request, and executes the allow or deny access operation based on the verification result. The entire process achieves precise association of user permissions and comprehensive coverage of financial system resources by constructing a user model that integrates multiple sources and extended dimensions with a fine-grained resource model. Combined with caching middleware and data byte stream monitoring technology, and relying on refined data processing strategies to complete resource-level composite verification, it can accurately identify abnormal batch reading and hidden data penetration behaviors, and instantly trigger a quantitative circuit breaker mechanism based on access frequency and data throughput. This transforms risk protection from a delayed response to real-time blocking, ensuring that the financial system can achieve precise risk blocking in complex and dynamic scenarios.

[0086] In specific application scenarios, the multi-source extended dimensions are specifically defined as department affiliation dimension, group affiliation dimension, and job affiliation dimension; Specifically, for the department affiliation dimension, a permission inheritance rule based on a tree topology structure is configured: when establishing the association between users and roles, if a child node department does not explicitly configure a specific role, it will automatically inherit the set of roles associated with its parent node department up to the root node. For the group affiliation dimension, a temporary role binding mechanism based on a time window is established: when a user leaves the group or the time window expires, the corresponding role association is automatically terminated; For the aforementioned job affiliation dimension, a mutually exclusive role constraint rule is set: it is prohibited to map multiple job roles with business conflicts to the same user at the same time.

[0087] In specific application scenarios, the determining unit is specifically used for: The department affiliation dimension of the target user is analyzed, and the tree path from the bottom up to the root node is traversed. The effective roles that are explicitly configured or inherited by each level of the department on the path are collected to form an initial set of inherited roles. Obtain the set of temporary roles associated with the target user under the group affiliation dimension, and the set of responsibility roles associated with the target user under the job position affiliation dimension; The inherited role set, temporary role set, and duty role set are merged and deduplicated to obtain the role set to be adjudicated. Based on the preset mutually exclusive role constraint rules and priority weights, conflict detection and strategy adjudication are performed on the set of roles to be adjudicated, removing roles with business mutual exclusion conflicts and low-priority conflict roles, and generating a compliant target role set. The resource permission identifier bound to each role in the set of compliant target roles is parsed, and all resource permission identifiers are deduplicated a second time to form the final set of resource permissions.

[0088] In specific application scenarios, the determining unit is further used for: Pre-set cross-dimensional priority weights, wherein the set of responsibilities and roles corresponding to the job affiliation dimension has the highest priority, the set of temporary roles corresponding to the group affiliation dimension has the second highest priority, and the set of inherited roles corresponding to the department affiliation dimension has the lowest priority; During the process of merging the inherited role set, temporary role set, and duty role set, when access policy conflicts are detected in role sets with different priorities for the same resource identifier, a high priority overriding strategy is executed, retaining the access policy in the highest priority set and blocking the conflicting policies in the low priority set. Meanwhile, within the department affiliation dimension, if a sub-department explicitly configures personalized permissions for a specific resource, then the priority of that personalized permission is determined to be higher than the permission inherited from the parent department, directly overriding the restrictions in the inherited permissions. The set of roles after the above strategy is validated based on the pre-set list of mutually exclusive role pairs. If it is detected that the same user has multiple roles belonging to the same mutually exclusive role pair, the role with the lower priority is forcibly removed and only the role with the highest priority is retained to obtain a compliant target role set.

[0089] In specific application scenarios, the determining unit is further used for: Initialize and construct a resource permission bitmap. Each binary number in the resource permission bitmap uniquely corresponds to the access status of a global resource identifier through a preset mapping function. The initial status is set to invalid. Iterate through the set of compliant target roles and extract the resource permission identifier bound to each role; By utilizing the unique index characteristic of the resource permission bitmap, all extracted resource permission identifiers are mapped to the corresponding index positions of the resource permission bitmap and set, so that duplicate resource permission identifiers occupy only the same index position in the resource permission bitmap, thereby generating a deduplicated dynamic permission bitmap. The final set of resource permissions is determined by the set of resource identifiers corresponding to all valid index positions in the dynamic permission bitmap.

[0090] In specific application scenarios, within the acquisition unit, the data byte stream monitoring module employs a circular buffer algorithm based on a sliding time window when calculating real-time data traffic, specifically including: The timeline is divided into time slices of equal length, and a circular buffer of a set length is maintained. Each storage unit of the circular buffer contains a timestamp and a byte counter, and the value of the byte counter is zero in the initial state. When the data transmission link captures byte stream data, the target time segment index corresponding to the current timestamp is obtained, and the timestamp marker stored at the target segment index position in the circular buffer is read. If the timestamp is inconsistent with the current time slice, it is determined that the data in the storage unit has expired. First, the byte counter of the storage unit is cleared and the timestamp is updated to the current time slice. Then, the captured byte stream data is accumulated into the updated byte counter using an atomic accumulation instruction. When performing data traffic composite verification, all storage units covered by the starting shard index to the ending shard index in the circular buffer are traversed, and the byte counter values ​​of the timestamp markers within the current window range are filtered and accumulated. The accumulated result is determined as the real-time traffic data.

[0091] In specific application scenarios, the device further includes: The generation unit is configured to generate a configuration version snapshot containing real-time counting status when the processing strategy for the data resource changes after the configuration is completed, and push the configuration version snapshot to the cache middleware and the data byte stream monitoring module. Correspondingly, the cache middleware initiates an asynchronous persistence task, and writes the real-time counting status and real-time traffic data in memory to a non-volatile storage medium according to a preset time interval or triggering condition, forming a persistent snapshot file with a persistence completion timestamp. When the system restarts due to a failure, it loads the most recent persistent snapshot file to restore the basic state and reads the historical transmission logs in the data byte stream monitoring module whose timestamps are later than the persistence completion timestamp for replay and accumulation to compensate for the count increments lost during the failure.

[0092] Based on the above-described financial system resource access control method, this application embodiment also provides a storage medium storing a computer program thereon, which implements the above-described financial system resource access control method when executed by a processor.

[0093] Based on this understanding, the technical solution of this application can be embodied in the form of a software product. The software product can be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive, or portable hard drive), and includes several instructions to cause a computer device (such as a personal computer, server, or network device) to execute the methods described in the various implementation scenarios of this application.

[0094] Based on the above-described financial system resource access control method and corresponding virtual device embodiments, in order to achieve the above objectives, this application embodiment also provides a physical device for financial system resource access control, which may be a computer, smartphone, tablet computer, smartwatch, server, or network device, etc. The physical device includes a storage medium and a processor; the storage medium is used to store computer programs; the processor is used to execute the computer programs to implement the above-described financial system resource access control method.

[0095] Optionally, the physical device may also include a user interface, a network interface, a camera, radio frequency (RF) circuitry, sensors, audio circuitry, a Wi-Fi module, etc. The user interface may include a display screen, input units such as a keyboard, etc., and optional user interfaces may also include USB interfaces, card reader interfaces, etc. The network interface may optionally include standard wired interfaces, wireless interfaces (such as Wi-Fi interfaces), etc.

[0096] In an exemplary embodiment, see Figure 9 The aforementioned physical device includes a communication bus, a processor, a memory, and a communication interface. It may also include an input / output interface and a display device. The various functional units can communicate with each other via the bus. The memory stores computer programs, and the processor executes the programs stored in the memory to perform the financial system resource access control method described in the above embodiments.

[0097] Those skilled in the art will understand that the physical device structure for financial system resource access control provided in this embodiment does not constitute a limitation on the physical device, and may include more or fewer components, or combine certain components, or have different component arrangements.

[0098] The storage medium may also include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the physical device for access control of the aforementioned financial system resources, supporting the operation of information processing programs and other software and / or programs. The network communication module is used to enable communication between the various components within the storage medium, as well as communication with other hardware and software in the information processing physical device.

[0099] Through the above description of the implementation methods, those skilled in the art can clearly understand that this application can be implemented using software plus necessary general-purpose hardware platforms, or it can be implemented through hardware. By applying the technical solution of this application, compared with the existing methods, this application achieves precise association of user permissions and comprehensive coverage of financial system resources by constructing a user model that integrates multiple source extended dimensions and a resource model with fine-grained partitioning; combined with caching middleware and data byte stream monitoring technology, and relying on refined data processing strategies to complete resource-level composite verification, it can accurately identify abnormal batch reading and hidden data penetration behaviors, and immediately trigger a quantitative circuit breaker mechanism based on access frequency and data throughput, transforming risk protection from delayed response to real-time blocking, ensuring that the financial system achieves precise risk blocking in complex dynamic scenarios.

[0100] Those skilled in the art will understand that the accompanying drawings are merely schematic diagrams of a preferred embodiment, and the modules or processes shown in the drawings are not necessarily essential for implementing this application. Those skilled in the art will understand that the modules in the apparatus of the embodiment can be distributed within the apparatus of the embodiment as described, or can be modified to be located in one or more apparatuses different from this embodiment. The modules of the above-described embodiment can be combined into one module, or further divided into multiple sub-modules.

[0101] The serial numbers in this application are for descriptive purposes only and do not represent the superiority or inferiority of any particular implementation scenario. The above disclosures are merely a few specific implementation scenarios of this application; however, this application is not limited thereto, and any variations conceived by those skilled in the art should fall within the protection scope of this application.

Claims

1. A method for resource access control in a financial system, characterized in that, include: Construct a multi-dimensional user model and a multi-dimensional resource model. The multi-dimensional user model sets up multiple source extension dimensions on the basis of the basic user and role association to form a multi-source association relationship between users and roles. The multi-dimensional resource model divides the financial system resources into front-end resources, back-end interface resources and data resources. Configure a processing strategy for the data resource, the processing strategy including at least a data source attribution rule, an access count limit threshold, an access frequency limit threshold, and a data traffic monitoring threshold; In response to the access request of the target user, the multi-source extended attribute information of the target user is extracted, and the resource permission set corresponding to the access request is determined based on the mapping of the multi-source extended attribute information; After confirming that the target resource carried by the access request matches the resource permission set, the real-time count status of the target resource is obtained from the deployed caching middleware and the real-time traffic data of the target resource is obtained from the deployed data byte stream monitoring module, respectively, using the target resource as an index. The caching middleware is used to store and accumulate access frequency data in real time, and the data byte stream monitoring module is used to collect and calculate the byte stream of the data transmission link in real time. The acquired real-time counting status and real-time traffic data are substituted into the processing strategy to perform resource-level composite verification of the number of accesses, access frequency, and data traffic for the current access request, and to perform access allow or access deny operation based on the verification result.

2. The method according to claim 1, characterized in that, The multi-source extended dimensions are specifically defined as department affiliation dimension, group affiliation dimension, and job affiliation dimension; Specifically, for the department affiliation dimension, a permission inheritance rule based on a tree topology structure is configured: when establishing the association between users and roles, if a child node department does not explicitly configure a specific role, it will automatically inherit the set of roles associated with its parent node department up to the root node. For the group affiliation dimension, a temporary role binding mechanism based on a time window is established: when a user leaves the group or the time window expires, the corresponding role association is automatically terminated; For the aforementioned job affiliation dimension, a mutually exclusive role constraint rule is set: it is prohibited to map multiple job roles with business conflicts to the same user at the same time.

3. The method according to claim 1, characterized in that, The step of determining the resource permission set corresponding to the access request based on the multi-source extended attribute information mapping specifically includes: The department affiliation dimension of the target user is analyzed, and the tree path from the bottom up to the root node is traversed. The effective roles that are explicitly configured or inherited by each level of the department on the path are collected to form an initial set of inherited roles. Obtain the set of temporary roles associated with the target user under the group affiliation dimension, and the set of responsibility roles associated with the target user under the job position affiliation dimension; The inherited role set, temporary role set, and duty role set are merged and deduplicated to obtain the role set to be adjudicated. Based on the preset mutually exclusive role constraint rules and priority weights, conflict detection and strategy adjudication are performed on the set of roles to be adjudicated, removing roles with business mutual exclusion conflicts and low-priority conflict roles, and generating a compliant target role set. The resource permission identifier bound to each role in the set of compliant target roles is parsed, and all resource permission identifiers are deduplicated a second time to form the final set of resource permissions.

4. The method according to claim 3, characterized in that, Based on preset mutually exclusive role constraint rules and priority weights, conflict detection and policy adjudication are performed on the set of roles to be adjudicated, removing roles with business mutual exclusion conflicts and low-priority conflicting roles, and generating a compliant target role set, specifically including: Pre-set cross-dimensional priority weights, wherein the set of responsibilities and roles corresponding to the job affiliation dimension has the highest priority, the set of temporary roles corresponding to the group affiliation dimension has the second highest priority, and the set of inherited roles corresponding to the department affiliation dimension has the lowest priority; During the process of merging the inherited role set, temporary role set, and duty role set, when access policy conflicts are detected in role sets with different priorities for the same resource identifier, a high priority overriding strategy is executed, retaining the access policy in the highest priority set and blocking the conflicting policies in the low priority set. Meanwhile, within the department affiliation dimension, if a sub-department explicitly configures personalized permissions for a specific resource, then the priority of that personalized permission is determined to be higher than the permission inherited from the parent department, directly overriding the restrictions in the inherited permissions. The set of roles after the above strategy is validated based on the pre-set list of mutually exclusive role pairs. If it is detected that the same user has multiple roles belonging to the same mutually exclusive role pair, the role with the lower priority is forcibly removed and only the role with the highest priority is retained to obtain a compliant target role set.

5. The method according to claim 3, characterized in that, The process involves parsing the resource permission identifier bound to each role in the compliant target role set, performing secondary deduplication on all resource permission identifiers to form the final resource permission set, specifically including: Initialize and construct a resource permission bitmap. Each binary number in the resource permission bitmap uniquely corresponds to the access status of a global resource identifier through a preset mapping function. The initial status is set to invalid. Iterate through the set of compliant target roles and extract the resource permission identifier bound to each role; By utilizing the unique index characteristic of the resource permission bitmap, all extracted resource permission identifiers are mapped to the corresponding index positions of the resource permission bitmap and set, so that duplicate resource permission identifiers occupy only the same index position in the resource permission bitmap, thereby generating a deduplicated dynamic permission bitmap. The final set of resource permissions is determined by the set of resource identifiers corresponding to all valid index positions in the dynamic permission bitmap.

6. The method according to any one of claims 1-4, characterized in that, The data byte stream monitoring module employs a circular buffer algorithm based on a sliding time window when calculating real-time data traffic, specifically including: The timeline is divided into time slices of equal length, and a circular buffer of a set length is maintained. Each storage unit of the circular buffer contains a timestamp and a byte counter, and the value of the byte counter is zero in the initial state. When the data transmission link captures byte stream data, the target time segment index corresponding to the current timestamp is obtained, and the timestamp marker stored at the target segment index position in the circular buffer is read. If the timestamp is inconsistent with the current time slice, it is determined that the data in the storage unit has expired. First, the byte counter of the storage unit is cleared and the timestamp is updated to the current time slice. Then, the captured byte stream data is accumulated into the updated byte counter using an atomic accumulation instruction. When performing data traffic composite verification, all storage units covered by the starting shard index to the ending shard index in the circular buffer are traversed, and the byte counter values ​​of the timestamp markers within the current window range are filtered and accumulated. The accumulated result is determined as the real-time traffic data.

7. The method according to any one of claims 1-4, characterized in that, After configuring the processing strategy for the data resource, the method further includes: When the processing strategy changes, a configuration version snapshot containing the real-time counting status is generated, and the configuration version snapshot is pushed to the cache middleware and the data byte stream monitoring module. Correspondingly, the cache middleware initiates an asynchronous persistence task, and writes the real-time counting status and real-time traffic data in memory to a non-volatile storage medium according to a preset time interval or triggering condition, forming a persistent snapshot file with a persistence completion timestamp. When the system restarts due to a failure, it loads the most recent persistent snapshot file to restore the basic state and reads the historical transmission logs in the data byte stream monitoring module whose timestamps are later than the persistence completion timestamp for replay and accumulation to compensate for the count increments lost during the failure.

8. A resource access control device for a financial system, characterized in that, include: The building unit is used to build a multi-dimensional user model and a multi-dimensional resource model. The multi-dimensional user model sets up multiple source extension dimensions on the basis of the basic user and role association to form a multi-source association relationship between users and roles. The multi-dimensional resource model divides the financial system resources into front-end resources, back-end interface resources and data resources. A configuration unit is used to configure a processing strategy for the data resource, wherein the processing strategy includes at least a data source attribution rule, an access count limit threshold, an access frequency limit threshold, and a data traffic monitoring threshold. The determining unit is used to respond to the access request of the target user, extract the multi-source extended attribute information of the target user, and determine the resource permission set corresponding to the access request based on the mapping of the multi-source extended attribute information; The acquisition unit is used to, after confirming that the target resource carried by the access request matches the resource permission set, obtain the real-time count status of the target resource from the deployed caching middleware and the real-time traffic data of the target resource from the deployed data byte stream monitoring module, respectively, using the target resource as an index. The caching middleware is used to store and accumulate access frequency data in real time, and the data byte stream monitoring module is used to collect and calculate the byte stream of the data transmission link in real time. The control unit is used to input the acquired real-time counting status and real-time traffic data into the processing strategy, so as to perform resource-level composite verification of the number of accesses, access frequency and data traffic of the current access request through the processing strategy, and to perform access allow or access denial operation according to the verification result.

9. A computer device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the steps of the method according to any one of claims 1 to 7.

10. A computer storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method according to any one of claims 1 to 7.