Permission management method and related apparatus

By establishing a set of rules based on the permission relationships between user domains and object domains in shared devices, and matching user and object characteristics, the problem of information leakage in permission management is solved, achieving efficient permission management and information security.

WO2026124199A1 · PCT designated stage · Publication Date: 2026-06-18 · HUAWEI TECH CO LTD

Patent Information

Authority / Receiving Office
WO
Patent Type
Applications
Current Assignee / Owner
HUAWEI TECH CO LTD
Filing Date
2025-11-25
Publication Date
2026-06-18

AI Technical Summary

Technical Problem

In multi-user, multi-resource-sharing device scenarios, existing access control technologies lack adaptation to newly added resource objects/features, leading to the leakage of sensitive information.

Method used

By acquiring the characteristics of target users and target objects and matching them with rules in the rule set, it is determined whether to perform an operation. The rule set is formulated based on the permission relationship between user domain and object domain, reducing the number of rules, covering the authentication of different users and objects, and avoiding mismatch or omission of permissions.

Benefits of technology

It enables the addition of rules when adding new users or objects, reducing the difficulty of permission management, preventing information leakage, and ensuring information security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN2025137394_18062026_PF_FP_ABST

Abstract

Embodiments of the present application provide a permission management method and a related apparatus, so as to reduce the complexity of permission management and reduce the probability of permission misallocation. The method comprises: acquiring an operation request of a target user, the operation request being used for requesting to perform a target operation on a target object; acquiring a user feature of the target user and an object feature of the target object; using the user feature and the object feature to match against rules in a rule set to obtain rules in the rule set that match the user feature and the object feature, the rule set comprising N rules, N being an integer greater than or equal to 1, and the rules being used for authentication of the target operation; and on the basis of a target rule, determining whether to execute the target operation, the target rule being a rule in the rule set that matches the user feature and the object feature.

Description

Access control methods and related devices

[0001] This application claims priority to the Chinese patent application filed on December 12, 2024, with application number 202411842296.1 and entitled "Rights Management Method and Related Device", the entire contents of which are incorporated herein by reference.

Technical Field

[0002] This application relates to the field of communication technology, and in particular to a permission management method and related apparatus.

Background Technology

[0003] In multi-user, multi-resource shared device scenarios, it is necessary to manage the permissions of resources in the shared devices to ensure that resources in the shared devices are exposed to different types of users in a controlled manner.

[0004] By implementing hierarchical permissions together with domain division, different management rights can be granted to different types of users. Hierarchical permissions, also known as operation authorization, control which operations a user may perform on the device; unauthorized operations are refused. Domain-based permissions, also known as management authorization, control which objects an administrator may manage on the device; operations on objects outside the administrator's domain are refused. Current permission management technologies combining hierarchical permissions and domains are either permission-matrix-based or feature-based. In the permission-matrix-based approach, every managed resource object carries a permission setting for every user, and these one-to-one entries form a permission matrix that is consulted for permission management. In the feature-based approach, each feature has its own independent permission control logic, and as features evolve, permission management logic must be configured separately for each new feature.

[0005] However, as the number of managed resource objects and features keeps growing, the personnel who deliver them often lack awareness of the hierarchical-permission and domain-division scheme, so it is very common for newly added managed resource objects or features not to be adapted to it. An object with no permission configuration is then exposed to users who should not be able to reach it, leading to leakage of sensitive information.

Summary of the Invention

[0006] This application provides a permission management method and related apparatus to solve the problem of information leakage caused by missing permission configuration.

[0007] The first aspect provides a permission management method. This method includes: obtaining an operation request from a target user, the operation request requesting a target operation on a target object; obtaining the user characteristics of the target user and the object characteristics of the target object; matching the user characteristics and object characteristics with rules in a rule set to obtain a rule in the rule set that matches the user characteristics and object characteristics, the rule set including N rules, where N is an integer greater than or equal to 1, the rule being used for authentication of the target operation; and determining whether to execute the target operation based on the target rule, the target rule being a rule in the rule set that matches the user characteristics and object characteristics. By extracting the user characteristics of the target user and the object characteristics of the object being operated on, and matching the user characteristics and object characteristics with rules in the rule set, the method determines whether to execute the target user's target operation based on the matching rule. The rules in the rule set are based on the permission relationship between the user domain and the object domain. As a result, the number of rules in the rule set is small. Furthermore, the rules in the rule set summarize the general authentication principles between the user domain and the object domain. Thus, the rules in the rule set can cover authentication information for different users and different objects without having to configure permission relationships for each user for each object. Even if the objects continue to evolve, authentication can still be performed through the rules in the rule set without any omissions.

[0008] Since shared devices involve multiple users, users can be divided into multiple user domains. A user can belong to at least one user domain. Because there are multiple managed objects within the shared device, these objects can be divided into multiple object domains. An object belongs to one object domain. Rules in the rule set can be defined at the user domain and object domain granularity. Since the number of user domains and object domains is relatively small, fewer rules can cover the operation permissions of any user on any object. Furthermore, when adding new users or objects, it is not necessary to add corresponding rules at the user or object granularity. That is, even without adding new user domains / object domains, permission management for new users / objects can be achieved without adding rules, reducing the difficulty of permission management and avoiding misconfiguration or omission of permissions.

[0009] In one possible implementation, N rules have corresponding priorities, and the target rule is the rule with the highest priority among those that match the user characteristics and object characteristics. Therefore, accurate authentication is performed based on the target rule.

[0010] In one possible implementation, matching user features and object features with rules in the rule set involves: matching user features and object features with rules in the rule set sequentially in descending order of priority to determine the target rule.

[0011] In one possible implementation, matching user features and object features with rules in a rule set includes: matching user features and object features with each rule in the rule set to determine a matching rule set, where the rules in the matching rule set are those that match the user features and object features; and determining the highest priority rule in the matching rule set as the target rule. Parallel matching with rules in the rule set is performed to quickly determine the matching rule.

[0012] In one possible implementation, each rule in the rule set includes a condition. The user characteristics and object characteristics are matched against the rules in the rule set to obtain the rules in the rule set that match the user characteristics and object characteristics. This includes: determining whether the user characteristics and object characteristics satisfy the condition of a first rule, where the first rule is a rule in the rule set; if the user characteristics and object characteristics satisfy the condition of the first rule, then it is determined that the user characteristics and object characteristics match the first rule; if the user characteristics and object characteristics do not satisfy the condition of the first rule, then it is determined that the user characteristics and object characteristics do not match the first rule.

[0013] In one possible implementation, each rule in the rule set includes operation permissions. Operation permissions can include at least one of read permissions (view permissions), modify permissions, create permissions, delete permissions, etc. Operation permissions indicate the scope of allowed operations. Determining whether to execute a target operation based on the target rule involves: determining whether the target operation is within the scope of allowed operations indicated by the operation permissions of the target rule; if the target operation is within the scope of allowed operations indicated by the operation permissions of the target rule, then the target operation is executed; if the target operation is not within the scope of allowed operations indicated by the operation permissions of the target rule, then the target operation is not executed. This allows for accurate authentication of target users and target operations, preventing information leakage and reducing the complexity of permission management.

[0014] In one possible implementation, if no rule in the rule set matches the user characteristics and object characteristics, then the target operation is determined not to be executed. This avoids information leakage and ensures information security.

[0015] The second aspect provides a permission management device. The permission management device includes an acquisition module and a processing module. The acquisition module is used to acquire an operation request from a target user, the operation request requesting a target operation on a target object, and to acquire user characteristics of the target user and object characteristics of the target object. The processing module is used to match the user characteristics and object characteristics with rules in a rule set to obtain the rules in the rule set that match the user characteristics and object characteristics, the rule set including N rules, where N is an integer greater than or equal to 1, and the rules are used for authentication of the target operation; the processing module is further used to determine whether to execute the target operation based on the target rule, the target rule being a rule in the rule set that matches the user characteristics and object characteristics.

[0016] In one possible implementation, N rules have corresponding priorities, and the target rule is the rule with the highest priority among the rules that match the user characteristics and object characteristics.

[0017] In one possible implementation, a processing module is used to match user features and object features with rules in the rule set in descending order of priority to determine the target rule.

[0018] In one possible implementation, a processing module is used to match user features and object features with each rule in the rule set to determine a matching rule set, wherein the rules in the matching rule set are the rules that match the user features and object features; the processing module is used to determine the rule with the highest priority in the matching rule set as the target rule.

[0019] In one possible implementation, each rule in the rule set includes a condition, a processing module for determining whether user features and object features satisfy the condition of a first rule, where the first rule is a rule in the rule set; a processing module for determining that user features and object features match the first rule when user features and object features satisfy the condition of the first rule; and a processing module for determining that user features and object features do not match the first rule when user features and object features do not satisfy the condition of the first rule.

[0020] In one possible implementation, each rule in the rule set includes operation permissions, which indicate the scope of allowed operations. A processing module is used to determine whether the target operation is within the scope of allowed operations indicated by the operation permissions of the target rule; if the target operation is within the scope of allowed operations indicated by the operation permissions of the target rule, the processing module determines to execute the target operation; if the target operation is not within the scope of allowed operations indicated by the operation permissions of the target rule, the processing module determines not to execute the target operation.

[0021] In one possible implementation, the processing module is used to determine not to perform the target operation when no rule matching the user characteristics and object characteristics exists in the rule set.

[0022] The third aspect provides a data copying device, including a processor and an interface circuit. The interface circuit is used to receive signals from other devices outside the data copying device and transmit them to the processor, or to send signals from the processor to other devices outside the data copying device. The processor implements the methods of the first aspect and any possible implementation thereof through logic circuits or by executing code instructions. The data copying device can be a copying unit, a memory controller, or a memory module.

[0023] The fourth aspect provides a computer-readable storage medium that stores a computer program or instructions which, when executed by a processor, implement the methods described in the first aspect and any possible implementation thereof.

[0024] The fifth aspect provides a computer program product storing instructions which, when executed by a processor, implement the methods described in the first aspect and any possible implementation thereof.

[0025] The sixth aspect provides a chip, comprising a processor and optionally a memory, for implementing the methods described in the first aspect and any possible implementation thereof. The chip system may consist of a single chip, or may include chips together with other discrete devices.

Brief Description of the Drawings

[0026] Figure 1 is a schematic diagram of the architecture of a hierarchical and domain-based management system provided in this application;

[0027] Figure 2 is a schematic diagram of the hardware architecture of a permission management system provided in this application;

[0028] Figure 3 is a flowchart illustrating a permission management method provided in this application;

[0029] Figure 4 is a schematic diagram of the structure of a permission management device provided in this application;

[0030] Figure 5 is a schematic diagram of another permission management device provided in this application.

Detailed Description

[0031] The embodiments of this application are described below with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of this application, and not all of them. As those skilled in the art will recognize, with the development of technology and the emergence of new scenarios, the technical solutions provided by the embodiments of this application are also applicable to similar technical problems.

[0032] The terms "first," "second," etc., used in the specification, claims, and accompanying drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. "A plurality of" means two or more.

[0033] The term “exemplary” as used herein means “serving as an example, embodiment, or illustration.” Any embodiment illustrated herein as “exemplary” is not necessarily to be construed as superior to or better than other embodiments.

[0034] This application can be applied to multi-tenant, multi-resource shared device system architectures. It can be applied to shared device scenarios such as shared network devices and shared terminal devices to support access control for resources within shared devices. Resources within shared devices can be hardware resources, such as computing power resources (central processing unit, graphics processing unit, or AI processor, etc.), storage resources, and network resources, or software resources or data resources. Shared network devices can be base stations, routers, switches, etc. Shared terminal devices can be servers, smartphones, smart wearable devices, computers, tablets, etc.

[0035] Figure 1 illustrates the architecture of a hierarchical management system for shared devices, as provided in this application. This system manages access permissions for resources within shared devices. It includes user domains, object domains, and rule sets. Since shared devices involve multiple users, users can be divided into multiple user domains. For example, the system may include at least two user domains such as device owner, system administrator, log administrator, operator, maintenance administrator, ordinary user, and visitor. A user can belong to at least one user domain. A user domain can be understood as a user type or user identity. Because shared devices contain multiple managed objects (hereinafter referred to as objects), these objects can be divided into multiple object domains. For example, the system may include at least two object domains such as basic settings, access control, link configuration, cell configuration, network topology, and wireless viewing. An object belongs to one object domain. This differentiated division of user domains and object domains constitutes the domain management function.

[0036] The permission relationship between user domains and object domains is a function of hierarchical management. This relationship defines which operation permissions a user domain possesses in the object domain, or in other words, what operations a user in the user domain is authorized to perform on the corresponding object in the object domain. Operation permissions can include at least one of the following: read permission (view permission), modify permission, create permission, delete permission, etc.

[0037] A user domain can have the same or different operation permissions for different object domains. For example, user domain 1 has operation permissions 1 and 2 for object domain 1, operation permission 3 for object domain 2, and operation permission 3 for object domain 3. Different user domains can have the same or different operation permissions for the same object domain. For example, user domain 1 has operation permissions 1 and 2 for object domain 1, user domain 2 has operation permissions 1, 2, and 3 for object domain 1, user domain 3 has operation permission 3 for object domain 1, and user domain 4 has operation permissions 1 and 2 for object domain 1. A user domain can have all operation permissions, some operation permissions (such as at least one of read, modify, create, and delete permissions) for an object domain, or a user domain can have no operation permissions for an object domain.

[0038] In this embodiment, the permission relationship between user domains and object domains is managed through a rule set. The rule set includes N rules, where N is an integer greater than or equal to 1. Based on the permission relationship between different user domains and different object domains, corresponding rules can be formulated at the user domain and object domain granularity. Since the number of user domains and object domains is relatively small, fewer rules can cover the operation permissions of any user on any object. Furthermore, when adding new users or objects, it is not necessary to add corresponding rules at the user or object granularity. That is, even when adding a new user / object without adding a new user domain / object domain, permission management for the new user / object can be achieved without adding rules, reducing the difficulty of permission management and avoiding mismatches or omissions in permission configuration. For example, a system administrator has all operation permissions for all objects, and a rule can be formulated that when the operating user is the system administrator, the operating user has the right to perform all operations on all objects. Another example is an operator having all operation permissions for the cell configuration of a bound cell, and a rule can be formulated that when the operating user is the operator, the object is the cell configuration, and the cell configuration belongs to the operator, the operating user has the right to perform all operations on the cell configuration. For example, visitors have permission to view the network topology, and rules can be set to grant visitors the right to view the network topology when the user is a visitor and the object is the network topology.

[0039] In one possible implementation, the N rules in the rule set can include rules between each user domain and each object domain. In another possible implementation, if a user domain does not have operational permissions for a certain object domain, the rule set may not include rules between that user domain and that object domain. Furthermore, if a user domain has the same operational permissions for all object domains, the rule set can include a rule corresponding to that user domain, thereby reducing the number of rules in the rule set and improving rule matching efficiency.

[0040] A rule can include a condition and permissions. The condition states the requirements that the user characteristics and object characteristics must meet for the rule to match; it determines which rule applies to a given user and object. The permissions state the operations the user is allowed to perform once the rule has matched; they determine whether the requested operation is executed. Together, the condition and the permissions are used to authenticate the user's operation.

[0041] When a target user sends an operation request to the hierarchical management system to perform a target operation on a target object, the system can extract the user's user characteristics and the target object's object characteristics. Based on these characteristics, rule matching is performed within a rule set to obtain the target rule. The target rule is the rule that matches the user and object characteristics; that is, the user and object characteristics satisfy the conditions of the target rule. Further, the system determines whether the target operation falls within the allowed operation range indicated by the operation permissions in the target rule, and then determines whether to execute the target operation, thus obtaining the authentication result. In one possible implementation, the operation permissions in the rule can directly indicate the allowed operation range. In another possible implementation, the operation permissions in the rule can indirectly indicate the allowed operations. For example, if the rule's operation permission is a prohibited operation, then operations outside the prohibited operations are allowed. For instance, if the prohibited operations include modifying, creating, and deleting, then the rule's operation permissions indicate that the allowed operation range includes viewing. Of the N rules, all rules can have operation permissions that directly indicate the allowed operation range. Alternatively, some rules can have operation permissions that directly indicate the allowed operation range, while others can have operation permissions that indirectly indicate the allowed operation range. Alternatively, among N rules, the operation permissions of all rules can indirectly indicate the scope of allowed operations.

[0042] User characteristics indicate the target user and the user domain to which the target user belongs. Object characteristics indicate the target object and the object domain to which the target object belongs. Since the rules in the rule set are formulated based on the permission relationship between the user domain and the object domain, corresponding rules can be matched in the rule set based on user characteristics and object characteristics. In this embodiment, matching corresponding rules in the rule set based on user characteristics and object characteristics can have two aspects. On the one hand, based on user characteristics and object characteristics, rules corresponding to the user domain indicated by the user characteristics and the object domain indicated by the object characteristics can be determined in the rule set. On the other hand, based on user characteristics and object characteristics, it can be determined whether the target user and the target object match, that is, whether the conditions in the rule can be met. For example, if the user characteristics indicate that the target user is operator 1 and the object characteristics indicate that the target object is cell configuration 1, then based on the user characteristics, rule 1 corresponding to the operator and cell configuration can be determined in the rule set. The condition of rule 1 is that there is a correlation between the operator value and the cell configuration value. If the query finds that there is a correlation between operator 1 and cell configuration 1, then operator 1 and cell configuration 1 match rule 1.

[0043] Optionally, the N rules in the rule set have priorities, and the target rule is the highest-priority rule among the N rules that match the user characteristics of the target user and the object characteristics of the target object. In one possible implementation, the N rules are matched against the user characteristics and object characteristics sequentially, from highest to lowest priority. The first rule that matches both is determined to be the target rule, and rule matching stops. If, after traversing all N rules, no rule matches both the user characteristics and the object characteristics, the target operation is not executed. In another possible implementation, the user characteristics and object characteristics are matched against the N rules in parallel, yielding M rules that match both, where M is an integer greater than or equal to 0. When M is greater than or equal to 2, the highest-priority rule among the M rules is determined to be the target rule. When M = 1, that single matching rule is the target rule. When M = 0, no rule in the rule set matches the user characteristics and object characteristics, so the target operation is not executed. Both implementations select the same target rule when priorities are distinct; the sequential form stops early, while the parallel form evaluates every rule.

[0044] It's important to note that if all users have the same access permissions to a particular object, the rules can validate only the object's characteristics. For example, if the object is on a whitelist (primarily for emergency testing functions), all logged-in users have viewing and operation permissions. If a user has the same access permissions to all objects, the rules can validate only the user's characteristics. For example, if the user is a system administrator, that user has all permissions. Of course, the rule set can also include general rules. For instance, if an object has a parent object, the authentication result of that object inherits the authentication result of its parent object.
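To make the matching and authorization steps of paragraphs [0040] to [0044] concrete, here is a small rule engine written for this page; it is an added example, not code from the patent or from the applicant. The field names (operator_id, cell_id, topology_id, test_id, sysadmin_id, user_id), the operator-to-cell binding table, the whitelist and the rule set itself are assumptions chosen to mirror the examples in the text. The example goes slightly beyond the text in one respect: it implements both the sequential and the parallel matching strategies side by side so they can be compared on the same requests.

```python
"""Permission check at user-domain / object-domain granularity.

Added example, not code from the patent or the applicant. Field names,
binding table, whitelist and rules are assumptions mirroring the text.
"""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

ALL_OPS = frozenset({"read", "modify", "create", "delete"})

# A feature is (identity field, value). The field names the domain
# ("operator_id" -> operator user domain, "cell_id" -> cell-configuration
# object domain); the value names the individual user or object.
Feature = Tuple[str, str]

# Constructed data (assumption): which cells each operator is bound to,
# and the object whitelist used for emergency test functions.
OPERATOR_CELLS = {"op1": {"cell7", "cell8"}, "op2": {"cell9"}}
WHITELIST = {"emerg_test"}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                                   # larger value = higher priority
    condition: Callable[[Feature, Feature], bool]   # matching step: does the rule apply?
    allowed: FrozenSet[str] = frozenset()           # direct form: allowed scope
    prohibited: Optional[FrozenSet[str]] = None     # indirect form: everything else allowed

    def permits(self, op: str) -> bool:
        """Authorization step: is op inside the scope this rule indicates?"""
        if self.prohibited is not None:
            return op in ALL_OPS and op not in self.prohibited
        return op in self.allowed


RULES: List[Rule] = [
    # user-only condition: system administrator may do anything to any object
    Rule("sysadmin_all", 100, lambda u, o: u[0] == "sysadmin_id", ALL_OPS),
    # object-only condition: whitelisted objects are open to every logged-in user
    Rule("whitelist_obj", 80, lambda u, o: o[1] in WHITELIST,
         frozenset({"read", "modify"})),
    # user domain x object domain, plus a binding check between the two values
    Rule("operator_own_cell", 50,
         lambda u, o: u[0] == "operator_id" and o[0] == "cell_id"
         and o[1] in OPERATOR_CELLS.get(u[1], set()),
         ALL_OPS),
    # indirect form: visitor on topology may do anything except modify/create/delete
    Rule("visitor_topology", 10,
         lambda u, o: u[0] == "visitor_id" and o[0] == "topology_id",
         prohibited=frozenset({"modify", "create", "delete"})),
    # ordinary users may read test objects; lower priority than the whitelist rule
    Rule("user_read_test", 5,
         lambda u, o: u[0] == "user_id" and o[0] == "test_id",
         frozenset({"read"})),
]


def match_sequential(rules, user, obj) -> Optional[Rule]:
    """Try rules from highest to lowest priority; stop at the first match."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if rule.condition(user, obj):
            return rule
    return None


def match_parallel(rules, user, obj) -> Optional[Rule]:
    """Evaluate every rule, then pick the highest-priority one of the M matches."""
    matched = [r for r in rules if r.condition(user, obj)]
    return max(matched, key=lambda r: r.priority) if matched else None


def authorize(user, obj, op, rules=RULES, matcher=match_sequential) -> bool:
    """Decision for 'user wants to perform op on obj'. No matching rule => deny."""
    target = matcher(rules, user, obj)
    if target is None:
        return False          # paragraph [0014]: no rule matches, do not execute
    return target.permits(op)


def matched_rule_name(user, obj, rules=RULES) -> Optional[str]:
    """Name of the target rule, for inspecting which rule won on priority."""
    target = match_parallel(rules, user, obj)
    return target.name if target else None


if __name__ == "__main__":
    print(authorize(("operator_id", "op1"), ("cell_id", "cell7"), "delete"))   # True
    print(authorize(("visitor_id", "v1"), ("topology_id", "topo"), "modify"))  # False
    print(authorize(("user_id", "u1"), ("new_feature_id", "x"), "read"))       # False
```

Two properties worth noticing: a new cell added under the cell_id domain (cell8 in the binding table) is authorized by the existing operator rule without any new rule, which is the point of paragraph [0038]; and an object in a domain no rule mentions (new_feature_id) is refused for an ordinary user because the engine denies by default, which is what closes the leakage described in paragraph [0005].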

[0045] After authentication is completed, the hierarchical management system can return the authentication result to the user. If the result allows the target operation, the hierarchical management system can execute the target operation on the target object itself, or instruct the shared device to execute the target operation on the target object.

[0046] In this embodiment, user characteristics of the target user and object characteristics of the object being operated on are extracted, and these user characteristics and object characteristics are matched with rules in the rule set. The matching rules determine whether to execute the target user's target operation. The rules in the rule set are formulated based on the permission relationship between the user domain and the object domain, resulting in a smaller number of rules. Furthermore, the rules in the rule set summarize general authentication principles between the user domain and the object domain, thus covering authentication information for different users and different objects without requiring the configuration of permission relationships for each user for each object. Even if the object evolves, authentication can still be performed using the rules in the rule set without any omissions.

[0047] Figure 2 shows a schematic diagram of the hardware architecture of a permission management system provided in this application. Figure 2 includes a permission management device and a sharing device. The sharing device is a device shared by multiple users. The sharing device includes multiple managed objects. The permission management device is used to manage the permission relationships between multiple users and multiple objects. The permission management device may include the hierarchical management system shown in Figure 1, which manages the permission relationships between multiple users and multiple objects through rule sets and authenticates user operations based on the rule sets. For details, please refer to the relevant content corresponding to Figure 1, so it will not be repeated here.

[0048] Access control devices can be servers, computers, tablets, mobile phones, network devices, etc. Shared devices can be the aforementioned shared network devices or shared terminal devices, etc.

[0049] In one possible implementation, the access control device and the sharing device are independent devices. The access control device authenticates the target user's permissions for the target operation. If authentication is successful (a target rule exists, and the target operation is within the allowed operation range indicated by the target rule's operation permissions), it is determined that the target user has the permission to perform the target operation on the target object. If the target user is allowed to perform the target operation, the sharing device is notified to perform the target operation on the target object. If authentication fails (a target rule does not exist, or the target operation is outside the allowed operation range indicated by the target rule's operation permissions), it is determined that the target user does not have the permission to perform the target operation on the target object. If the target user is not allowed to perform the target operation, the sharing device does not need to be notified to perform the target operation.

[0050] In another possible implementation, the permission management device and the sharing device are the same device. That is, the sharing device itself includes the hierarchical management system shown in Figure 1. The sharing device authenticates the target user's target operation and executes the target operation on the target object when authentication succeeds.

[0051] Figure 3 is a flowchart illustrating a permission management method provided in this application. The execution entity in this embodiment is the permission management device shown in Figure 2. This embodiment includes the following steps:

[0052] S301: Obtain the target user's operation request. The operation request is used to request the target operation to be performed on the target object.

[0053] The target user is one of multiple users sharing the target device. The target object is one of multiple managed objects within the target device. Target operations can include viewing, modifying, creating, or deleting.

[0054] S302: Obtain the user characteristics of the target user and the object characteristics of the target object.

[0055] The target user's user characteristics can indicate the target user and the user domain to which the target user belongs. User characteristics can include a user identity field and its corresponding value. The user identity field indicates the corresponding user domain, and the corresponding value indicates the target user. For example, a user characteristic could be a carrier identifier field and its corresponding value, i.e., the carrier identifier. Another example is an operator identifier field and its corresponding value, i.e., the operator identifier, which could indicate that the operator is a viewer, administrator, or maintenance administrator, etc.

[0056] The object characteristics of a target object can indicate the target object and the object domain to which it belongs. Object characteristics can include an object identifier field and its corresponding value. The object identifier field indicates the corresponding object domain, and the value indicates the corresponding target object. For example, an object characteristic could be a cell identifier field and its corresponding value, i.e., the cell identifier.

[0057] S303: Match user features and object features with rules in the rule set to obtain rules in the rule set that match user features and object features. The rule set includes N rules, where N is an integer greater than or equal to 1. The rules are used for authentication of the target operation.

[0058] In this embodiment, the permission relationship between user domains and object domains is managed through a rule set. The explanations of object domains and user domains can be found in the relevant descriptions above, and will not be repeated here. The rule set includes N rules, where N is an integer greater than or equal to 1. Based on the permission relationship between different user domains and different object domains, corresponding rules can be formulated at the granularity of user domains and object domains. Since the number of user domains and object domains is relatively small, fewer rules can cover the operation permissions of any user on any object. Furthermore, when adding new users or objects, it is not necessary to add corresponding rules at the granularity of each user or object. That is, when adding a new user / object without adding a new user domain / object domain, permission management for the new user / object can be achieved without adding rules, reducing the difficulty of permission management and avoiding mismatches or omissions in permission configuration. For example, if a system administrator has all operation permissions on all objects, a rule can be formulated that when the operating user is the system administrator, the operating user has the right to perform all operations on all objects. For example, an operator has full access to the cell configuration of a bound cell network. Rules can be set up so that when the operator is the user, the cell configuration is the target, and the cell configuration belongs to the operator, the user has the right to perform all operations on the cell configuration. Similarly, a visitor has access to view the network topology. Rules can be set up so that when a visitor is the user and the target is the network topology, the visitor has the right to view the network topology.

[0059] Suppose there are x user domains and y object domains, where x and y are integers greater than or equal to 2. In one possible implementation, the N rules in the rule set can include rules between each user domain and each object domain, i.e., N = x * y. In another possible implementation, if a user domain does not have operation permissions on a certain object domain, the rule set may not include rules between that user domain and that object domain, in which case N < x * y. Furthermore, if a user domain has the same operation permissions on all object domains, the rule set can include a rule corresponding to that user domain, thereby reducing the number of rules in the rule set and improving rule matching efficiency.

[0060] A rule can include a condition and an operation permission. The condition of a rule is the requirement that must be met for the rule to match, and it is used for authentication of the user. The operation permission of a rule indicates the operations a user is allowed to perform when the rule is matched, and it is likewise used for authentication of the user.

[0061] Rule matching is performed within a rule set based on user and object characteristics to obtain target rules. A target rule is a rule that matches the user and object characteristics; that is, the user and object characteristics of the target user satisfy the conditions of the target rule. For a specific rule in the rule set (let's call it rule number one), the process of matching the user characteristics of the target user and the object characteristics of the target object with rule number one involves determining whether the user characteristics of the target user and the object characteristics of the target object satisfy the conditions of rule number one. If they do, then the user characteristics of the target user and the object characteristics of the target object match rule number one; otherwise, they do not match rule number one.

[0062] Since the rules in the rule set are based on the permission relationship between user domains and object domains, corresponding rules can be matched in the rule set based on user characteristics and object characteristics. In this embodiment, matching in the rule set based on user characteristics and object characteristics has two aspects. On the one hand, the rules corresponding to the user domain indicated by the user characteristics and the object domain indicated by the object characteristics can be located in the rule set. On the other hand, it can be determined whether the target user and the target object themselves match, that is, whether the condition in the rule is met. For example, if the user characteristics indicate that the target user is operator 1 and the object characteristics indicate that the target object is cell configuration 1, then, based on the user characteristics and the object characteristics, rule 1 corresponding to the operator domain and the cell configuration domain can be located in the rule set. The condition of rule 1 is that there is a correlation between the operator value and the cell configuration value. If the query finds that there is a correlation between operator 1 and cell configuration 1, then operator 1 and cell configuration 1 match rule 1.

[0063] Optionally, the N rules in the rule set have priorities, and the target rule is the highest-priority rule among the N rules that match the user characteristics of the target user and the object characteristics of the target object. In one possible implementation, the N rules are matched against the user characteristics of the target user and the object characteristics of the target object sequentially, from highest to lowest priority. The first rule that matches both is determined to be the target rule, and rule matching stops. If, after traversing all N rules, no rule matches both the user characteristics of the target user and the object characteristics of the target object, the target operation is not executed. In another possible implementation, the user characteristics of the target user and the object characteristics of the target object are matched against the N rules in parallel to obtain a matching rule set. The matching rule set includes the M rules that match the user characteristics of the target user and the object characteristics of the target object, where M is an integer greater than or equal to 0. When M is greater than or equal to 2, the highest-priority rule among the M rules is determined to be the target rule. When M = 1, that single matching rule is the target rule. When M = 0, no rule among the N rules matches the user characteristics of the target user and the object characteristics of the target object, so the target operation is not executed.

[0064] S304: Determine whether to execute the target operation based on the target rule, which is a rule in the rule set that matches the user characteristics and object characteristics.

[0065] After determining the target rule, it is further determined whether the target operation falls within the permitted operation range indicated by the operation permissions in the target rule, thereby determining whether to execute the target operation. If the target operation is within the permitted operation range indicated by the operation permissions in the target rule, the shared device is notified to execute the target operation on the target object; or, when the permission management device is a shared device, the target operation is executed on the target object. If the target operation is outside the permitted operation range indicated by the operation permissions in the target rule, there is no need to execute the target operation on the target object.

[0066] In one possible implementation, the operation permissions in a rule can directly indicate the scope of allowed operations. In another possible implementation, the operation permissions in a rule can indirectly indicate the allowed operations. For example, if a rule's operation permission is for prohibited operations, then operations outside the prohibited operations are considered allowed. For instance, if a rule prohibits operations such as modify, create, and delete, then the rule's operation permissions indicate that viewing is allowed. Of N rules, all rules can have operation permissions that directly indicate the scope of allowed operations. Alternatively, some rules can have operation permissions that directly indicate the scope of allowed operations, while others can have operation permissions that indirectly indicate the scope of allowed operations. Or, all rules can have operation permissions that indirectly indicate the scope of allowed operations.
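The matching flow of S301 to S304, as an added Python example that is not the patent's own code: rules are formulated at user-domain / object-domain granularity with a condition and either a direct (allowed) or indirect (prohibited) operation permission, both priority-matching variants of [0063] are implemented, and an operation with no matching rule is refused. The identity field names, the operator-to-cell binding table and the rule set are constructed for the example.

```python
# Added example: rule engine following S301-S304 of the patent text.
# Identity fields, binding table and rules below are constructed, not from the patent.
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

ALL_OPS = frozenset({"view", "modify", "create", "delete"})
Feature = Tuple[str, str]  # (identity field indicating the domain, value indicating the member)


@dataclass(frozen=True)
class Rule:
    priority: int                  # higher value wins when several rules match ([0063])
    user_domain: str               # user identity field, e.g. "operator_id"
    object_domain: Optional[str]   # object identifier field; None means any object domain
    # Condition over the concrete user value and object value ([0061]).
    condition: Callable[[str, str], bool] = lambda u, o: True
    allowed: Optional[FrozenSet[str]] = None     # direct permission ([0066])
    prohibited: Optional[FrozenSet[str]] = None  # indirect permission ([0066])

    def permits(self, op: str) -> bool:
        """Is op inside the allowed operation range this rule indicates?"""
        if self.allowed is not None:
            return op in self.allowed
        return op not in (self.prohibited or frozenset())


# Constructed binding table: which cell configurations each operator owns ([0062]).
OPERATOR_CELLS = {"op1": {"cell1", "cell2"}, "op2": {"cell3"}}


def bound(operator: str, cell: str) -> bool:
    """Correlation check between an operator value and a cell configuration value."""
    return cell in OPERATOR_CELLS.get(operator, set())


# Constructed rule set at domain granularity ([0058]); new operators or cells need no new rule.
RULES: List[Rule] = [
    Rule(100, "system_admin_id", None, allowed=ALL_OPS),
    Rule(50, "maintenance_admin_id", "cell_config_id", prohibited=frozenset({"delete"})),
    Rule(40, "operator_id", "cell_config_id", condition=bound, allowed=ALL_OPS),
    Rule(10, "visitor_id", "network_topology_id", allowed=frozenset({"view"})),
]


def matches(rule: Rule, user: Feature, obj: Feature) -> bool:
    """S303 for one rule: do the user and object features satisfy its condition?"""
    u_field, u_val = user
    o_field, o_val = obj
    if rule.user_domain != u_field:
        return False
    if rule.object_domain is not None and rule.object_domain != o_field:
        return False
    return rule.condition(u_val, o_val)


def target_rule_sequential(user: Feature, obj: Feature) -> Optional[Rule]:
    """First variant of [0063]: walk rules by descending priority, stop at the first match."""
    for rule in sorted(RULES, key=lambda r: r.priority, reverse=True):
        if matches(rule, user, obj):
            return rule
    return None


def target_rule_parallel(user: Feature, obj: Feature) -> Optional[Rule]:
    """Second variant of [0063]: collect all M matching rules, keep the highest priority."""
    matched = [r for r in RULES if matches(r, user, obj)]
    return max(matched, key=lambda r: r.priority) if matched else None


def authorize(user: Feature, obj: Feature, op: str) -> Tuple[bool, str]:
    """S304: decide whether the target operation is executed."""
    rule = target_rule_sequential(user, obj)
    if rule is None:
        return False, "no matching rule"  # [0075]: nothing matches, do not execute
    if rule.permits(op):
        return True, f"allowed by rule p={rule.priority}"
    return False, f"outside permitted range of rule p={rule.priority}"


if __name__ == "__main__":
    for u, o, op in [
        (("system_admin_id", "root"), ("cell_config_id", "cell3"), "delete"),
        (("operator_id", "op1"), ("cell_config_id", "cell1"), "modify"),
        (("operator_id", "op1"), ("cell_config_id", "cell3"), "view"),
        (("visitor_id", "v7"), ("network_topology_id", "topo"), "delete"),
        (("maintenance_admin_id", "m1"), ("cell_config_id", "cell3"), "delete"),
    ]:
        print(u, o, op, "->", authorize(u, o, op))
```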

[0067] In this embodiment, user characteristics of the target user and object characteristics of the object being operated on are extracted, and these user characteristics and object characteristics are matched with rules in the rule set. The matching rules determine whether to execute the target user's target operation. The rules in the rule set are formulated based on the permission relationship between the user domain and the object domain, resulting in a smaller number of rules. Furthermore, the rules in the rule set summarize general authentication principles between the user domain and the object domain, thus covering authentication information for different users and different objects without requiring the configuration of permission relationships for each user for each object. Even if the object evolves, authentication can still be performed using the rules in the rule set without any omissions.

[0068] Based on the same inventive concept, this application also provides a device embodiment corresponding to Figure 3. Figure 4 is a schematic diagram of the structure of a permission management device provided in this application. This permission management device 400 is applied to the permission management device in Figure 2. The permission management device 400 can be a software module or a hardware module (such as a chip) in the permission management device.

[0069] The permission management device 400 includes an acquisition module 401 and a processing module 402. The acquisition module 401 acquires the operation request from the target user, which requests a target operation on a target object. The acquisition module 401 also acquires the user characteristics of the target user and the object characteristics of the target object. The processing module 402 matches the user characteristics and object characteristics against rules in a rule set to obtain rules that match the user characteristics and object characteristics. The rule set includes N rules, where N is an integer greater than or equal to 1, and these rules are used for authentication of the target operation. The processing module 402 determines whether to execute the target operation based on the target rule, which is a rule in the rule set that matches the user characteristics and object characteristics.

[0070] In one possible implementation, N rules have corresponding priorities, and the target rule is the rule with the highest priority among the rules that match the user characteristics and object characteristics.

[0071] In one possible implementation, the processing module 402 is used to match user features and object features with rules in the rule set in descending order of priority to determine the target rule.

[0072] In one possible implementation, processing module 402 is used to match user features and object features with each rule in the rule set to determine a matching rule set, wherein the rules in the matching rule set are the rules that match the user features and object features; processing module 402 is used to determine the rule with the highest priority in the matching rule set as the target rule.

[0073] In one possible implementation, each rule in the rule set includes a condition. Processing module 402 is used to determine whether user features and object features meet the condition of a first rule, where the first rule is a rule in the rule set. Processing module 402 is used to determine that user features and object features match the first rule when user features and object features meet the condition of the first rule. Processing module 402 is used to determine that user features and object features do not match the first rule when user features and object features do not meet the condition of the first rule.

[0074] In one possible implementation, each rule in the rule set includes operation permissions, which indicate the scope of allowed operations. Processing module 402 is used to determine whether the target operation is within the scope of allowed operations indicated by the operation permissions of the target rule; processing module 402 is used to determine to execute the target operation when the target operation is within the scope of allowed operations indicated by the operation permissions of the target rule; processing module 402 is used to determine not to execute the target operation when the target operation is not within the scope of allowed operations indicated by the operation permissions of the target rule.

[0075] In one possible implementation, the processing module 402 is used to determine that the target operation should not be performed when there is no rule in the rule set that matches the user characteristics and object characteristics.

[0076] As shown in Figure 5, Figure 5 is a schematic diagram of another permission management device provided in this application. In this embodiment, the permission management device 500 can be the copy unit, DDRC, or DDR in Figure 2. Alternatively, the permission management device 500 can be the computing unit in Figure 2.

[0077] The permission management device 500 includes a bus 501, a processor 502, a communication interface 503, and a memory 504. The processor 502, the memory 504, and the communication interface 503 communicate with each other via the bus 501.

[0078] Bus 501 can be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus, etc. Buses can be categorized as address buses, data buses, control buses, etc. For ease of representation, only one thick line is used in Figure 5, but this does not indicate that there is only one bus or one type of bus.

[0079] The processor 502 can be any one or more of the following processors: central processing unit (CPU), graphics processing unit (GPU), microprocessor (MP), or digital signal processor (DSP).

[0080] Memory 504 may include volatile memory, such as random access memory (RAM).

[0081] The memory 504 can be used to store software code related to the permission management method, and the processor 502 can execute the steps of the permission management method and schedule other units to achieve the corresponding functions.

[0082] It should be understood that the permission management device 500 can be a centralized or distributed device, and the processor 502 in the permission management device 500 can be a hardware circuit (such as an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA), a general-purpose processor, a digital signal processor (DSP), a microprocessor or a microcontroller, etc.) or a combination of these hardware circuits. For example, the processor can be a hardware system with instruction execution capabilities, such as a CPU or a DSP, or a hardware system without instruction execution capabilities, such as an ASIC or an FPGA, or a combination of the aforementioned hardware systems without instruction execution capabilities and hardware systems with instruction execution capabilities.

[0083] This application also provides a computer-readable storage medium storing a computer program thereon, which, when executed by a computer, implements the permission management method flow of the above method embodiments.

[0084] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.
[0087] In the several embodiments provided in this application, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces, indirect coupling or communication connection between devices or units, and may be electrical or other forms.

[0088] The units described as discrete components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0089] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0090] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, all or part of the technical solution of this application can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.

Claims

1. A method for managing access permissions, characterized in that the method includes: obtaining the operation request of the target user, wherein the operation request is used to request a target operation to be performed on the target object; obtaining the user characteristics of the target user and the object characteristics of the target object; matching the user features and object features with the rules in the rule set to obtain the rules in the rule set that match the user features and object features, wherein the rule set includes N rules, N is an integer greater than or equal to 1, and the rules are used for authentication of the target operation; and determining whether to perform the target operation based on the target rule, which is a rule in the rule set that matches the user characteristics and the object characteristics.

2. The method according to claim 1, characterized in that the N rules have corresponding priorities, and the target rule is the rule with the highest priority among the rules that match the user features and the object features.

3. The method according to claim 2, characterized in that the matching of the user features and the object features with the rules in the rule set includes: matching the user features and object features with the rules in the rule set in descending order of priority to determine the target rule.

4. The method according to claim 2, characterized in that the matching of the user features and the object features with the rules in the rule set includes: matching the user features and the object features against each rule in the rule set to determine a matching rule set, wherein the rules in the matching rule set are the rules that match the user features and the object features; and determining the rule with the highest priority in the matching rule set as the target rule.

5. The method according to claims 1 to 4, characterized in that each rule in the rule set includes a condition, and the step of matching the user features and object features with the rules in the rule set to obtain the rules in the rule set that match the user features and object features includes: determining whether the user characteristics and the object characteristics satisfy the condition of the first rule, where the first rule is a rule in the rule set; if the user features and the object features satisfy the condition of the first rule, determining that the user features and the object features match the first rule; and if the user characteristics and the object characteristics do not meet the condition of the first rule, determining that the user characteristics and the object characteristics do not match the first rule.

6. The method according to claims 1 to 5, characterized in that each rule in the rule set includes an operation permission, which indicates the permitted operation range, and determining whether to execute the target operation based on the target rule includes: determining whether the target operation is within the allowed operation range indicated by the operation permission of the target rule; if the target operation is within the allowed operation range indicated by the operation permission of the target rule, determining that the target operation is to be executed; and if the target operation is not within the allowed operation range indicated by the operation permission of the target rule, determining that the target operation will not be executed.

7. The method according to claims 1 to 6, characterized in that the method further includes: if there is no rule in the rule set that matches the user characteristics and the object characteristics, determining that the target operation will not be performed.

8. A data copying device, characterized in that the apparatus includes modules for implementing the method of any one of claims 1 to 7.

9. A data copying device, characterized in that the device includes a processor and a memory, wherein the processor is configured to execute a computer program or instructions stored in the memory, and when the processor executes the computer program or instructions, the method described in any one of claims 1 to 7 is performed.

10. A chip, characterized in that the chip includes a processor coupled to a memory for executing a computer program or instructions stored in the memory, wherein when the processor executes the computer program or instructions, the method described in any one of claims 1 to 7 is performed.

11. A computer-readable storage medium, characterized in that the storage medium stores instructions that, when executed on a computer, cause the computer to perform the method as described in any one of claims 1 to 7.

12. A computer program product, characterized in that the computer program product stores computer-readable instructions that, when read and executed by the data copying device, cause the data copying device to perform the method as described in any one of claims 1 to 7.