Resource authority control method, system, equipment and storage medium based on authority graph

Document number: 190832. Publication date: 2021-11-02. Original language: Chinese.

Reading note: this technology, 基于权限图的资源权限控制方法、系统、设备及存储介质 (Resource authority control method, system, equipment and storage medium based on authority graph), was designed and created by 吴昊宇 on 2021-08-16. Abstract: The invention discloses a resource permission control method, system, equipment and storage medium based on a permission graph. The method comprises: a permission graph forming step, in which, in the knowledge graph inside an organization, all owner entities of data resource permissions reachable by a user according to the authority rules the user owns form the user's permission graph; a permission graph caching step, in which the permission graph is put into a cache and its expiration time is specified; and a permission judgment step, in which, when the user accesses a data resource, the cache list is checked for a permission graph corresponding to the user; if one exists it is returned for the permission judgment, otherwise the method returns to the permission graph forming step. The method can greatly speed up user access to data resources and is suitable for flexible and changeable organizational structures and complex permission control scenarios.

1. A resource authority control method based on an authority graph is characterized by comprising the following steps:

a permission graph forming step: in a knowledge graph inside an organization, according to the authority rules owned by a user, all owner entities of data resource permissions reachable by the user form the permission graph of the user;

a permission graph caching step: putting the permission graph into a cache and specifying the expiration time of the permission graph;

a permission judgment step: when the user accesses a data resource, checking whether the permission graph corresponding to the user exists in the cache list; if so, returning the permission graph to judge the permission; if not, returning to the permission graph forming step.

2. The resource permission control method according to claim 1, wherein the permission judgment step includes: judging whether the entity owning the data resource is in the permission graph corresponding to the user; if so, the user has permission to access the data resource, and if not, the user does not have permission to access the data resource.

3. The method of claim 2, further comprising:

a data resource control step: treating the data resource as an entity and entering it into the knowledge graph; or adding a reference relation to an entity through the data resource list.

4. The method of claim 1, further comprising:

a permission graph updating step: when an entity or an edge in the knowledge graph changes, the change of the entity or edge is propagated to a user entity node along the path specified by an authority rule, and the permission graph corresponding to that user entity node is deleted.

5. A resource permission control system based on a permission graph, comprising:

a permission graph forming unit: in a knowledge graph inside an organization, according to the authority rules owned by a user, all owner entities of data resource permissions reachable by the user form the permission graph of the user;

a permission graph caching unit: putting the permission graph into a cache and specifying the expiration time of the permission graph;

a permission judgment unit: when the user accesses a data resource, checking whether the permission graph corresponding to the user exists in the cache list; if so, returning the permission graph to judge the permission; if not, returning to the permission graph forming unit.

6. The resource permission control system according to claim 5, wherein the permission judgment unit includes: judging whether the entity owning the data resource is in the permission graph corresponding to the user; if so, the user has permission to access the data resource, and if not, the user does not have permission to access the data resource.

7. The resource permission control system according to claim 6, further comprising:

a data resource control unit: treating the data resource as an entity and entering it into the knowledge graph; or adding a reference relation to an entity through the data resource list.

8. The resource permission control system according to claim 5, further comprising:

a permission graph updating unit: when an entity or an edge in the knowledge graph changes, the change of the entity or edge is propagated to a user entity node along the path specified by an authority rule, and the permission graph corresponding to that user entity node is deleted.

9. An electronic device comprising a memory, a processor, and a computer program stored on the memory and executable on the processor, wherein the processor implements the resource right control method according to any one of claims 1 to 4 when executing the computer program.

10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the resource right control method according to any one of claims 1 to 4.

Technical Field

The invention relates to the technical field of computers, in particular to a resource authority control method, a resource authority control system, resource authority control equipment and a storage medium based on an authority graph.

Background

Permission control is generally divided into two categories: function permissions and data permissions. Function permissions are usually coarse-grained and are distinguished by matching function paths; data permissions are fine-grained and are distinguished according to the owners of the data resources.

A knowledge graph is essentially an associative network knowledge representation based on a graph model. It abstracts entities into vertices and the relationships between entities into edges, models and describes knowledge in a structured form, and visualizes it. Knowledge graphs are the application area most closely tied to graph databases and with the widest range of scenarios. A knowledge graph uses a graph database as its storage engine and processes massive amounts of information to form a large-scale knowledge base that further supports business applications.

The current design of permission systems generally uses a Role-Based Access Control (RBAC) system, such as the RBAC-0, RBAC-1 and RBAC-2 models. In such a design, permissions are associated with roles, and users gain the permissions of a role by becoming members of the appropriate role.

However, RBAC systems do not support permission control of data resources well: they generally offer only basic data resource permission controls such as superior/subordinate inheritance and peer visibility, and cannot solve the data permission problems brought by the changeable and unstable organizational structures found in present-day enterprises, such as virtual organizations, work groups and project organizations.

Disclosure of Invention

To address the technical problem that permission control of data resources is limited, the invention provides a resource permission control method, a resource permission control system, resource permission control equipment and a storage medium based on a permission graph.

In a first aspect, an embodiment of the present application provides a resource authority control method based on an authority graph, including:

a permission graph forming step: in a knowledge graph inside an organization, according to the authority rules owned by a user, all owner entities of data resource permissions reachable by the user form the permission graph of the user;

a permission graph caching step: putting the permission graph into a cache and specifying the expiration time of the permission graph;

a permission judgment step: when the user accesses a data resource, checking whether the permission graph corresponding to the user exists in the cache list; if so, returning the permission graph to judge the permission; if not, returning to the permission graph forming step.

In the resource permission control method, the permission judgment step includes: judging whether the entity owning the data resource is in the permission graph corresponding to the user; if so, the user has permission to access the data resource, and if not, the user does not have permission to access the data resource.

The resource permission control method further includes:

a data resource control step: treating the data resource as an entity and entering it into the knowledge graph; or adding a reference relation to an entity through the data resource list.

The resource permission control method further includes:

a permission graph updating step: when an entity or an edge in the knowledge graph changes, the change of the entity or edge is propagated to a user entity node along the path specified by an authority rule, and the permission graph corresponding to that user entity node is deleted.

In a second aspect, an embodiment of the present application provides a resource permission control system based on a permission graph, including:

a permission graph forming unit: in a knowledge graph inside an organization, according to the authority rules owned by a user, all owner entities of data resource permissions reachable by the user form the permission graph of the user;

a permission graph caching unit: putting the permission graph into a cache and specifying the expiration time of the permission graph;

a permission judgment unit: when the user accesses a data resource, checking whether the permission graph corresponding to the user exists in the cache list; if so, returning the permission graph to judge the permission; if not, returning to the permission graph forming unit.

In the resource permission control system, the permission judgment unit includes: judging whether the entity owning the data resource is in the permission graph corresponding to the user; if so, the user has permission to access the data resource, and if not, the user does not have permission to access the data resource.

The resource permission control system further includes:

a data resource control unit: treating the data resource as an entity and entering it into the knowledge graph; or adding a reference relation to an entity through the data resource list.

The resource permission control system further includes:

a permission graph updating unit: when an entity or an edge in the knowledge graph changes, the change of the entity or edge is propagated to a user entity node along the path specified by an authority rule, and the permission graph corresponding to that user entity node is deleted.

In a third aspect, an embodiment of the present application provides an electronic device, which includes a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor, when executing the computer program, implements the resource right control method based on the right graph according to the first aspect.

In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the resource right control method based on the right graph as described in the first aspect.

Compared with the prior art, the invention has the advantages and positive effects that:

1. The invention provides a data resource control method based on a permission graph. Using knowledge graph technology, it can precisely control the affiliation and permissions of data resources, can judge and control data resource permissions based on the organizational hierarchy, personnel relationships and even the relationships of any designated entity, allows data resource permissions to be configured and used flexibly, and is suitable for flexible and changeable organizational structures and complex permission control scenarios.

2. The invention provides a method for accelerating the judgment of data resource permissions by caching the permission graph, which can greatly speed up user access to data resources, and sets an expiration time to ensure the cached permission graph is refreshed on time; when entities, edges or other contents of the knowledge graph change, the outdated cached permission graph is deleted, so that the user's next access uses a rebuilt permission graph and the data resource permission is judged correctly.

Drawings

FIG. 1 is a schematic diagram illustrating steps of a resource right control method based on a right graph according to the present invention;

FIG. 2 is a schematic illustration of a knowledge graph inside an organization provided by the present invention;

FIG. 3 is a diagram illustrating the control of data resources by entering a knowledge-graph according to the present invention;

FIG. 4 is a schematic diagram of controlling data resources without entering them into the knowledge graph according to the present invention;

FIG. 5 is a frame diagram of a resource right control system based on a right graph according to the present invention;

FIG. 6 is a block diagram of a computer device according to an embodiment of the present application.

Wherein the reference numerals are:

1. a data resource control unit; 2. a permission graph forming unit; 3. a permission graph caching unit; 4. a permission judgment unit; 5. a permission graph updating unit; 81. a processor; 82. a memory; 83. a communication interface; 80. a bus.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.

It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.

Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.

Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.

The present invention is described in detail with reference to the embodiments shown in the drawings, but it should be understood that these embodiments are not intended to limit the present invention, and those skilled in the art should understand that functional, methodological, or structural equivalents or substitutions made by these embodiments are within the scope of the present invention.

Before describing in detail the various embodiments of the present invention, the core inventive concepts of the present invention are summarized and described in detail by the following several embodiments.

The invention provides a method for controlling data resource permissions using knowledge graph technology, in two modes (the data resources entered into the graph, or not entered into the graph), and a method for judging a user's data resource permissions by generating a permission graph cache and using the permission graph.

The first embodiment is as follows:

Fig. 1 is a schematic diagram of the steps of the resource permission control method based on a permission graph according to the present invention. As shown in Fig. 1, this embodiment discloses a specific implementation of a resource permission control method (hereinafter referred to as the "method") based on a permission graph.

Specifically, the method disclosed in this embodiment mainly includes the following steps:

Step S1: in a knowledge graph inside an organization, according to the authority rules owned by a user, all owner entities of data resource permissions reachable by the user form the permission graph of the user.

Here, a data resource can either be treated as an entity and entered into the knowledge graph, or a reference relation to an entity can be added through the data resource list.

Step S2: put the permission graph into a cache and specify the expiration time of the permission graph.

Step S3: when the user accesses a data resource, check whether the permission graph corresponding to the user exists in the cache list; if so, return the permission graph to judge the permission; if not, return to step S1.

Step S3 includes: judging whether the entity owning the data resource is in the permission graph corresponding to the user; if so, the user has permission to access the data resource, and if not, the user does not have permission to access the data resource.

Specifically, when an entity or an edge in the knowledge graph changes, the change of the entity or edge is propagated to a user entity node along the path specified by an authority rule, and the permission graph corresponding to that user entity node is deleted.

The application flow of the method is described below with reference to Fig. 2, Fig. 3 and Fig. 4.

Fig. 2 shows a knowledge graph inside an organization, which contains entities and the relationships between them. Based on such a knowledge graph of the relationships between the entities inside the organization, there are two ways to control data resources:

one way is to treat the data as one or more types of entity, enter them into the knowledge graph, and explicitly represent the relationships between the data resource entities and other entities by edges, as shown in Fig. 3;

another way is not to build entities for the data resources in the knowledge graph, but to add reference relations to the entities in the data resource list, as shown in Fig. 4. This resource control method, in which the data resources are not entered into the graph, reduces the amount of storage.

The authorization rule for a data resource can be defined in the knowledge graph as a path over specified vertices and edges.

For example, the superior of an employee has the data resource permissions of the employee:

grant permission to g.V(resource).outE("own").out().hasLabel("employee").outE("leader").inV()

The employees of the groups associated with a project have the data resource permissions of all the groups of the project:

grant permission to g.V(resource).outE("owner").out().hasLabel("group").outE("relation").inV().hasLabel("project").outE("relation").inV().hasLabel("group").outE("hasMember").inV()

A typical scenario for controlling data resource permissions is to determine whether a user has permission to a specific data resource.

Under the first scheme, as shown in Fig. 3, this can be converted into: finding, in a graph, whether there is a path satisfying specified conditions between one vertex and another vertex, where the authorization rule of each data resource is converted into a judgment of whether a path with the specified conditions exists between the two vertices. If such a path exists between the two vertices, the user has permission to the data resource; if no path exists between the two vertices under the authorization conditions of any of the data resource rules, the user does not have permission to the data resource.

Under the second scheme, shown in Fig. 4, a data resource can be added to the graph as a temporary entity, and the method of the first scheme is used to find whether a path exists between the temporary entity vertex and the user vertex.

Real-time data resource permission judgment requires a query similar to a graph traversal, which is time-consuming. Considering that data such as the user's organization and projects are relatively stable, a user permission graph cache can be generated to accelerate the judgment of permissions. The user permission graph caching method is as follows:

When a user accesses a data resource, check the cache list. If a cached permission graph exists, return it directly to judge the permission: whether the entity owning the data resource is in the user's cached permission graph; if so, the user has permission to access, otherwise the user does not.

If there is no cached permission graph for the user, all the authority rules owned by the user, namely the graph permission paths, are used to reach all the permission owner entities reachable by the user (excluding data resource entities), which may include entities such as employees, projects and groups, and these form the permission graph of the user.

Put the permission graph corresponding to the user into the cache and specify the expiration time of the user's permission graph, so that the cache cannot remain stale indefinitely.

When an entity or an edge in the knowledge graph changes, all data authority rules in the system need to be scanned; the change of the entity or edge is propagated through the paths specified by the data authority rules to all affected user entity nodes, and the permission graph caches of the corresponding users are deleted. If a large number of entities or edges need to be changed, the permission graph caches of all users can be deleted first, and the batch change of entities and edges performed afterwards.

With this caching method, the cached permission graphs of users who frequently access the system are maintained in the system, so the speed of user access to data resources can be greatly increased; when entities, edges or other contents of the knowledge graph change, the outdated cached permission graph is deleted, so that the user's next access uses a rebuilt permission graph and the data resource permission is judged correctly.

This caching method accelerates the judgment of data resource permissions, improves system performance, allows data resource permissions to be configured and used flexibly, and is suitable for flexible and changeable organizational structures and complex permission control scenarios.
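The rule paths and the caching procedure above (steps S1 to S3 plus the invalidation on graph change), worked through in Python as an added example that is not part of the patent: it models the knowledge graph in memory, expresses each authority rule as the owner-to-user path of the Gremlin traversals shown earlier, builds a user's permission graph by walking those paths backwards from the user, caches it with an expiration time, judges access by owner membership, and deletes the cached graphs of every user an edge change reaches. All class and function names, the sample organization and the data resource list are constructed for this example.

```python
import time
from collections import defaultdict, namedtuple

# An authority rule is the path from a resource's owner entity to the user.  The patent's
# g.V(resource).outE("own").out().hasLabel("employee").outE("leader").inV() becomes
# Rule("employee", [("leader", "employee")]); zero steps means "the owner is the user".
Rule = namedtuple("Rule", ["owner_label", "steps"])   # steps: [(edge_label, vertex_label)]


class KnowledgeGraph:
    """The organization's knowledge graph: labelled vertices and labelled directed edges."""

    def __init__(self):
        self.label = {}                 # vertex -> "employee" / "group" / "project"
        self.out = defaultdict(set)     # vertex -> {(edge_label, dst)}
        self.inc = defaultdict(set)     # vertex -> {(edge_label, src)}

    def add_vertex(self, v, label):
        self.label[v] = label

    def add_edge(self, src, elabel, dst):
        self.out[src].add((elabel, dst))
        self.inc[dst].add((elabel, src))

    def step(self, frontier, elabel, vlabel, forward=True):
        """One traversal step: follow edges labelled elabel, keep vertices labelled vlabel."""
        adj = self.out if forward else self.inc
        return {w for v in frontier for el, w in adj[v]
                if el == elabel and self.label.get(w) == vlabel}


class PermissionService:
    def __init__(self, graph, rules, resource_owner, ttl=300.0, clock=time.monotonic):
        self.g, self.rules, self.ttl, self.clock = graph, rules, ttl, clock
        self.resource_owner = resource_owner  # resource -> owner entity (the fig. 4 style list)
        self.cache = {}                       # user -> (permission graph, expiry time)
        self.rebuilds = 0                     # how often step S1 ran, to observe cache hits

    def build_permission_graph(self, user):
        """Step S1: walk every rule backwards from the user to the owner entities it reaches."""
        self.rebuilds += 1
        owners = set()
        for rule in self.rules:
            frontier = {user}
            for i in range(len(rule.steps) - 1, -1, -1):
                src_label = rule.steps[i - 1][1] if i > 0 else rule.owner_label
                frontier = self.g.step(frontier, rule.steps[i][0], src_label, forward=False)
            owners |= frontier
        return owners

    def permission_graph(self, user):
        """Steps S2/S3: serve the cached graph while it is unexpired, else rebuild and cache it."""
        now = self.clock()
        hit = self.cache.get(user)
        if hit is not None and hit[1] > now:
            return hit[0]
        pg = self.build_permission_graph(user)
        self.cache[user] = (pg, now + self.ttl)
        return pg

    def can_access(self, user, resource):
        """Permission judgment: the resource's owner entity must be in the user's graph."""
        owner = self.resource_owner.get(resource)
        return owner is not None and owner in self.permission_graph(user)

    def on_edge_changed(self, src, elabel, dst):
        """Propagate a changed edge forward along every rule path to the users it can affect
        and drop their cached graphs.  For an edge removal, call this before deleting it;
        for a large batch of changes, clear self.cache first and skip the propagation."""
        affected = set()
        for rule in self.rules:
            for i, (el, vl) in enumerate(rule.steps):
                if el != elabel or self.g.label.get(dst) != vl:
                    continue
                frontier = {dst}
                for el2, vl2 in rule.steps[i + 1:]:
                    frontier = self.g.step(frontier, el2, vl2)
                affected |= frontier
        for user in affected:
            self.cache.pop(user, None)
        return affected


def build_demo(ttl=300.0, clock=time.monotonic):
    """Constructed sample organization (not taken from the patent's figures)."""
    g = KnowledgeGraph()
    for v, lbl in [("alice", "employee"), ("bob", "employee"), ("carol", "employee"),
                   ("g1", "group"), ("g2", "group"), ("p1", "project")]:
        g.add_vertex(v, lbl)
    for src, el, dst in [("bob", "leader", "alice"), ("g1", "hasMember", "carol"),
                         ("g2", "hasMember", "bob"), ("g1", "relation", "p1"),
                         ("p1", "relation", "g1"), ("g2", "relation", "p1"),
                         ("p1", "relation", "g2")]:
        g.add_edge(src, el, dst)
    rules = [Rule("employee", []),                          # employees own their own resources
             Rule("employee", [("leader", "employee")]),    # a leader reaches reports' resources
             Rule("group", [("relation", "project"), ("relation", "group"),
                            ("hasMember", "employee")])]    # members of a project's groups
    return g, PermissionService(g, rules, {"r1": "bob", "r2": "g1"}, ttl=ttl, clock=clock)
```

Over-invalidation is the safe direction: `on_edge_changed` matches only the changed edge's label and target label, so an unrelated change may drop an extra cache entry, but a relevant one is never kept.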

Example two:

In combination with the resource permission control method based on a permission graph disclosed in the first embodiment, the present embodiment discloses a specific implementation example of a resource permission control system (hereinafter referred to as the "system") based on a permission graph.

Referring to fig. 5, the system includes:

data resource control unit 1: treating the data resource as an entity and entering it into the knowledge graph; or adding a reference relation to an entity through the data resource list;

permission graph forming unit 2: in a knowledge graph inside an organization, according to the authority rules owned by a user, all owner entities of data resource permissions reachable by the user form the permission graph of the user;

permission graph caching unit 3: putting the permission graph into a cache and specifying the expiration time of the permission graph;

permission judgment unit 4: when the user accesses a data resource, checking whether the permission graph corresponding to the user exists in the cache list; if so, returning the permission graph to judge the permission; if not, returning to the permission graph forming unit 2;

specifically, the permission judgment unit 4 includes: judging whether the entity owning the data resource is in the permission graph corresponding to the user; if so, the user has permission to access the data resource, and if not, the user does not have permission to access the data resource.

permission graph updating unit 5: when an entity or an edge in the knowledge graph changes, the change of the entity or edge is propagated to a user entity node along the path specified by an authority rule, and the permission graph corresponding to that user entity node is deleted.

For details, refer to the description of the first embodiment, which is not repeated here.

Example three:

Referring to Fig. 6, the present embodiment discloses an embodiment of a computer device. The computer device may comprise a processor 81 and a memory 82 in which computer program instructions are stored.

Specifically, the processor 81 may include a Central Processing Unit (CPU), or an Application Specific Integrated Circuit (ASIC), or may be configured as one or more integrated circuits implementing the embodiments of the present application.

Memory 82 may include, among other things, mass storage for data or instructions. By way of example, and not limitation, memory 82 may include a Hard Disk Drive (Hard Disk Drive, abbreviated to HDD), a floppy Disk Drive, a Solid State Drive (SSD), flash memory, an optical Disk, a magneto-optical Disk, tape, or a Universal Serial Bus (USB) Drive or a combination of two or more of these. Memory 82 may include removable or non-removable (or fixed) media, where appropriate. The memory 82 may be internal or external to the data processing apparatus, where appropriate. In a particular embodiment, the memory 82 is a Non-Volatile (Non-Volatile) memory. In particular embodiments, Memory 82 includes Read-Only Memory (ROM) and Random Access Memory (RAM). The ROM may be mask-programmed ROM, Programmable ROM (PROM), Erasable PROM (EPROM), Electrically Erasable PROM (EEPROM), Electrically rewritable ROM (EAROM), or FLASH Memory (FLASH), or a combination of two or more of these, where appropriate. The RAM may be a Static Random-Access Memory (SRAM) or a Dynamic Random-Access Memory (DRAM), where the DRAM may be a Fast Page Mode Dynamic Random-Access Memory (FPMDRAM), an Extended data output Dynamic Random-Access Memory (EDODRAM), a Synchronous Dynamic Random-Access Memory (SDRAM), and the like.

The memory 82 may be used to store or cache various data files for processing and/or communication use, as well as possible computer program instructions executed by the processor 81.

The processor 81 implements any of the resource right control methods in the above embodiments by reading and executing computer program instructions stored in the memory 82.

In some of these embodiments, the computer device may also include a communication interface 83 and a bus 80. As shown in fig. 6, the processor 81, the memory 82, and the communication interface 83 are connected via the bus 80 to complete communication therebetween.

The communication interface 83 is used for implementing communication between modules, devices, units and/or equipment in the embodiment of the present application. The communication interface 83 may also carry out data communication with other components, such as external equipment, image/data acquisition equipment, a database, external storage, an image/data processing workstation and the like.

Bus 80 includes hardware, software, or both to couple the components of the computer device to each other. Bus 80 includes, but is not limited to, at least one of the following: Data Bus (Data Bus), Address Bus (Address Bus), Control Bus (Control Bus), Expansion Bus (Expansion Bus), and Local Bus (Local Bus). By way of example, and not limitation, Bus 80 may include an Accelerated Graphics Port (AGP) or other Graphics Bus, an Enhanced Industry Standard Architecture (EISA) Bus, a Front-Side Bus (FSB), a Hyper Transport (HT) Interconnect, an ISA (ISA) Bus, an InfiniBand (InfiniBand) Interconnect, a Low Pin Count (LPC) Bus, a memory Bus, a microchannel Architecture (MCA) Bus, a PCI (Peripheral Component Interconnect) Bus, a PCI-Express (PCI-X) Bus, a Serial Advanced Technology Attachment (SATA) Bus, a Video Electronics Standards Association Local Bus (VLB), or other suitable bus or a combination of two or more of these. Bus 80 may include one or more buses, where appropriate. Although specific buses are described and shown in the embodiments of the application, any suitable buses or interconnects are contemplated by the application.

In addition, in combination with the resource authority control method in the foregoing embodiment, the embodiment of the present application may provide a computer-readable storage medium to implement. The computer readable storage medium having stored thereon computer program instructions; the computer program instructions, when executed by a processor, implement any of the resource right control methods in the above embodiments.

The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the invention. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.
