Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the technical solution of the present application and are not intended to limit the present application.
For a better understanding of the technical solution of the present application, the following detailed description will be given with reference to the drawings and the specific embodiments.
The main solution of the embodiment of the application is that when a data role configuration request of an administrator is detected, a data role to be configured is acquired, the system data resource authority of the data role is configured based on the system data dimension selected by the administrator, and the universal data resource authority of the data role is configured based on the universal data dimension selected by the administrator.
As business systems become increasingly complex, different subsystems require ever finer management of data rights, and conventional configuration methods struggle to provide such fine granularity. For example, if a business requirement calls for giving "staff" financial approval authority, the administrator can only configure a unified approval authority for the staff, so the approval authority of "staff" covers not only finance but also other fields such as personnel.
Moreover, in the conventional RBAC model the relationship between roles and rights is relatively fixed, and this static definition is not flexible enough to cope with changes in business requirements. Taking the role of "staff" as an example, it has the staff information checking authority in a personnel management system and only the account checking authority in a financial management system. If the authority of staff needs to be raised temporarily for a business requirement, so that staff can examine and approve accounts, the traditional RBAC model can only cope by creating new roles, which easily leads to disorder in data authority.
To solve these problems, the application provides a scheme that distinguishes the system data resource authority from the universal data resource authority and supports dynamic configuration by an administrator; the fine-grained authority division and the flexible authority configuration mechanism improve the flexibility of data authority configuration.
It should be noted that the execution body of the scheme may be a computing service device with functions of data processing, network communication and program running, such as a tablet computer, a personal computer, a mobile phone, or a data authority configuration device capable of implementing the above functions. The following embodiments will be described with reference to a data authority configuration device as an example.
Based on this, an embodiment of the present application provides a data authority configuration method, and referring to fig. 1, fig. 1 is a schematic flow chart of a first embodiment of the data authority configuration method of the present application.
In this embodiment, the data authority configuration method includes steps S10 to S30:
Step S10, when a data role configuration request of an administrator is detected, a data role to be configured is acquired;
The data authority configuration method of the embodiment can be applied to an authority management platform (hereinafter referred to as a platform). The platform may assign permissions to users, roles, or specific resources. An administrator may configure, audit, and alter these rights through the platform in response to changes in business needs.
It should be noted that a data role is a core concept distinct from a user: a user is an entity that actually uses a database, whereas a role is an abstraction of a set of rights that can be granted to a user.
The platform is provided with a mechanism to detect requests by administrators. These requests may be generated by button clicks of a graphical user interface, form submission, API calls, or other forms of interaction.
The rights management platform displays a data rights configuration interface, displaying all the current data roles and their attributes, and the administrator can select the data roles to be configured in the interface. To achieve this, the platform is provided with an event detector. When the administrator clicks on the button, the event detector captures the click event and gathers relevant information on the current interface, including the selected data role and other configuration parameters. This information is then sent to the backend for subsequent processing via a data role configuration request.
Accordingly, after the back-end receives the request, a simple content check is first performed on the request to verify that it exists and conforms to the expected structure. For example, it is checked whether a "roleId" field is included, and if so, it is determined as a data role configuration request.
Further, middleware automatically processes and parses the request, translating it into an object that the backend can use. Once the request is parsed, the backend can extract the required field, i.e., the data role to be configured, from the request according to the predefined API (Application Programming Interface) specification.
Step S20, configuring the system data resource authority of the data role based on the system data dimension selected by the administrator;
Step S30, configuring the universal data resource authority of the data role based on the universal data dimension selected by the administrator.
It should be noted that the method adopts a multidimensional authority control mode and divides the dimensions into system data dimensions and general data dimensions.
The system data dimension refers to a permission dimension customized according to the requirements of a specific service system. These dimensions are highly personalized, aiming at solving the rights control problem in specific business scenarios. The system data dimension can be added or modified at any time according to the requirements of business development, thereby providing greater flexibility and adaptability.
For example, for an e-commerce system, commodity types, inventory status, etc. can be considered system data dimensions. These dimensions allow access rights to be customized based on merchandise characteristics and inventory conditions, such as limiting certain users to view only certain types of merchandise.
Generic data dimensions refer to a predefined set of common rights dimensions that provide a standard rights template for most business scenarios. These dimensions are typically cross-system, universally applicable, capable of covering common rights control requirements.
For example, both the time dimension and the geographic location dimension may be considered generic data dimensions. The time dimension may predefine access rights for workdays and non-workdays, and the geographic location dimension may limit user access rights for particular regions.
Rights can be defined independently, whether in the generic data dimension or the system data dimension. The dimensions can also be associated with one another to form combined authorization, making authority control finer and more flexible. For example, by combining the time dimension and the geographic location dimension, a rule such as "user A has access to the data of zone D within the time period T" can be precisely controlled. Allowing dimensions to be associated and combined builds a three-dimensional authority control system, thereby realizing fine-grained, dynamic authority configuration and combined authorization.
Optionally, the rights management platform displays a data rights configuration interface, and after selecting a data role, an administrator may select a dimension required for rights control from a custom system data dimension list. At this point, the event detector will capture the selected operation and send it to the backend.
Accordingly, after the back end receives the selected operation, the system data dimension selected by the administrator is extracted from it. The principle is the same as the processing flow of the data role configuration request and is not repeated here.
The back end then determines the codes corresponding to the system data dimensions and looks up the corresponding system data resource rights in a preset rights mapping table, so as to configure the system data resource rights for the currently selected data role.
Similarly, the back end looks up the universal data resource permission corresponding to the universal data dimension in a preset permission mapping table and then completes the configuration of the universal data resource permission.
It is understood that a data resource is a control object of data rights. For data resources, the administrator can also set different operation rights, such as read-only, editing, management, etc. By carefully controlling the access rights of different users to the data resources, unauthorized data access, modification or leakage can be prevented.
Specifically, the mapping relation between the data authority and the data resource is queried, and the system data resource corresponding to the system data resource authority and the general data resource corresponding to the general data resource authority are determined. The system data resource and the universal data resource are then displayed on a user interface so that an administrator can conveniently configure the authority.
When the user selects the authority level on the interface, the corresponding configuration request is automatically triggered. The back end analyzes the request and configures the operation authority of the system data resource and the universal data resource.
Illustratively, take the financial statement corresponding to the financial rights. If the read-only right is configured, the user can view the financial statement but cannot make any modification; if the editing right is configured, the user can view and modify the financial statement but cannot delete it; and if the management right is configured, the user can view, edit and delete the financial statement and can generate a new financial statement. The scheme allows only users with specific rights to edit the data resources and prevents the data from being changed arbitrarily, so the consistency and accuracy of the data are maintained, which is particularly important for business scenarios requiring highly accurate data.
The embodiment provides a data authority configuration method that allows the authority of each data role to be dynamically configured based on interaction with an administrator. The administrator can configure authority in real time at run time without restarting or reconfiguring the system, and can adjust the authority settings at any time according to actual requirements without being limited by a fixed role-authority relationship, so temporary authority change requirements can be met more effectively. Furthermore, the present embodiment distinguishes between system data resource rights and general data resource rights. This division lets rights settings be specific to the subsystem level, rather than covering the entire system or broad functionality in general. The fine-grained authority division strategy ensures that authority distribution matches the requirements of specific business scenarios more accurately, thereby effectively improving the accuracy and pertinence of authority control. In summary, the fine-grained permission partitioning and flexible permission configuration mechanism enables an administrator to independently configure permissions for each data role in different systems without having to create multiple similar roles to handle temporary permission changes. The number of roles is reduced, and overlapping and confused authority among roles is effectively avoided.
In the second embodiment of the present application, the same or similar content as in the first embodiment of the present application may be referred to the description above, and will not be repeated. On this basis, referring to fig. 2, after step S30, the data authority configuration method further includes steps A10 to A20:
Step A10, when a data role assignment request of the administrator is detected, analyzing a user identification and a target data role in the data role assignment request;
Step A20, establishing the association relation between the user identification and the target data role.
After the administrator configures the data roles and the corresponding resource rights, the binding operation of the data roles and the specific users can be performed.
The administrator triggers the data role assignment request through an interface or API call, and after the back end detects the data role assignment request, the user identification and the target data role are extracted from the data role assignment request. The user identification is the unique identification information of the user, and the target data role is the authority role which is hoped to be given to the user.
Then, the backend establishes an association between the user identification and the target data role. This means that the user will be given the right to the target data role. Such associations are typically stored in a rights management database for subsequent rights verification and management. The system can judge the authority of the user when accessing the data resource according to the association relation.
It can be appreciated that the data roles are divided into key data roles and non-key data roles according to business requirements, wherein the key data roles generally have higher authority to access or manipulate sensitive data. Limiting the number of users associated with key data roles ensures that key rights are not abused.
Specifically, when the administrator requests that a certain user be assigned as a target data role, the backend will determine whether the target data role belongs to a key data role by querying the role database. If the target data role is the key data role, the back end will execute the query operation, counting the total number of all the current key data roles.
The back end is preset with a quantity threshold value for judging whether the quantity of the current key data roles is within an acceptable range or not. This threshold may be set according to the security policies and traffic requirements of the organization.
The backend compares the total number of counted critical data roles to a number threshold. If the total number of key data roles is below the set number threshold, the step of associating the user identification with the target data role is allowed to be performed. This means that in case of an insufficient number of critical data roles, the system will allow adding new critical roles to ensure flexibility and security of data access. If the total number of critical data roles is greater than or equal to the number threshold, the system may reject the role assignment request to prevent excessive rights concentration or abuse.
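The threshold check on key data roles, as an added example that is not part of the application's own text. It assumes SQLite storage with hypothetical table names, a hypothetical "userId" request field beside "roleId", a threshold of 2, and that the counted quantity is the number of existing user associations with key data roles. The check and the insert run in one transaction so that two concurrent requests cannot both pass the comparison.

```python
import sqlite3

KEY_ROLE_THRESHOLD = 2  # assumption: set from the organization's security policy


def open_store():
    """In-memory store with constructed sample roles (names are hypothetical)."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript("""
        CREATE TABLE data_role (role_id TEXT PRIMARY KEY, is_key INTEGER NOT NULL);
        CREATE TABLE user_role (
            user_id TEXT NOT NULL,
            role_id TEXT NOT NULL,
            PRIMARY KEY (user_id, role_id)
        );
    """)
    db.executemany("INSERT INTO data_role VALUES (?, ?)",
                   [("finance_admin", 1), ("staff", 0)])
    return db


def key_assignment_count(db):
    """Number of user associations that point at a key data role."""
    return db.execute(
        "SELECT COUNT(*) FROM user_role JOIN data_role USING (role_id) "
        "WHERE data_role.is_key = 1").fetchone()[0]


def _assign_locked(db, user_id, role_id, threshold):
    row = db.execute("SELECT is_key FROM data_role WHERE role_id = ?",
                     (role_id,)).fetchone()
    if row is None:
        return "rejected: unknown role"
    exists = db.execute(
        "SELECT 1 FROM user_role WHERE user_id = ? AND role_id = ?",
        (user_id, role_id)).fetchone()
    if exists:
        return "already assigned"  # repeating a request changes nothing
    if row[0] and key_assignment_count(db) >= threshold:
        return "rejected: key role limit reached"
    db.execute("INSERT INTO user_role VALUES (?, ?)", (user_id, role_id))
    return "assigned"


def assign_role(db, request, threshold=KEY_ROLE_THRESHOLD):
    """Steps A10 and A20 with the key-role threshold applied before binding."""
    user_id, role_id = request.get("userId"), request.get("roleId")
    if not (isinstance(user_id, str) and user_id
            and isinstance(role_id, str) and role_id):
        return "rejected: malformed request"
    db.execute("BEGIN IMMEDIATE")  # take the write lock before counting
    try:
        outcome = _assign_locked(db, user_id, role_id, threshold)
        db.execute("COMMIT")
        return outcome
    except Exception:
        db.execute("ROLLBACK")
        raise
```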
In the third embodiment of the present application, the same or similar content as the first embodiment of the present application can be referred to the description above, and the description is omitted. On this basis, referring to fig. 3, after step S30, the data authority configuration method further includes steps B10 to B30:
Step B10, when the reference request of the administrator is detected, determining and displaying a reference data dimension associated with the reference request, wherein the reference data dimension comprises a plurality of general data dimensions;
Step B20, determining corresponding reference data resource rights based on the selected operation of the administrator on the reference data dimension;
Step B30, de-duplicating and taking the union of the reference data resource authority and the universal data resource authority, and configuring the universal data resource authority of the data role according to the processing result.
In this embodiment, the generic dimension rights are inheritable: an administrator can define some generic rights configurations that are then inherited, thereby reducing repeated configuration.
Optionally, the user interface is provided with a reference button, which when clicked by the administrator automatically triggers the reference request. The system needs to parse this reference request, determine all the reference data dimensions it is associated with, and expose them to the administrator.
The reference data dimension can take two forms: one is a fixed template customized by an administrator, and the other is generated flexibly according to a specific business flow. The flexible generation mode can accurately determine the required data dimensions and avoids the mismatch or redundancy that a fixed template may bring.
Specifically, the request is parsed, and relevant parameters of the business process, such as data roles, business scene descriptions, business process types, and the like, are extracted. The back end maintains a business process mapping table that records the historical process records for each business process type. Therefore, the back end determines the historical flow record corresponding to the current business flow type based on the business flow mapping table, so as to identify the general data dimension related to the flow record. These generic data dimensions are then filtered and ordered to generate a final list of reference data dimensions.
As for a specific display mode, since the general dimension authority has a tree structure, the back end can display the dimensions to an administrator in a layering mode, so that the administrator can clearly see inheritance relations among the dimensions.
Further, the administrator selects one or more of the displayed reference data dimensions as desired. Based on the administrator's selected operations, the backend further determines the rights to the referenced data resources corresponding to these selected dimensions. Since the generic dimension rights can be inherited, the dimension selected by the administrator may automatically contain the rights of its parent dimension, thereby reducing configuration repeatability.
Then, the back end de-duplicates the reference data resource authority against the existing universal data resource authority to ensure that no authority is configured twice, and merges the two to obtain the final data role authority configuration. Because generic rights are inherited, the merged set of rights may contain multiple levels of rights.
Illustratively, when an administrator configures a data role of "financial staff", clicking a reference button in an interface, the back end determines a business department of the data role, and displays a department generic dimension corresponding to the business department, that is, a generic data dimension in a financial management system. In response to a selected operation by the administrator, the backend determines corresponding reference data resource rights, such as financial bill viewing rights.
In addition, the back end can further analyze the department position of the data role within the business department and bind to the data role the department-specific authority corresponding to that position; for example, a "financial management" role can obtain the financial bill auditing authority. This measure gives the financial manager a wider range of authority while ensuring that the financial staff group continues to hold the necessary access and operation authority under the department's universal authority framework. Data authority can thus adapt flexibly to the requirements of specific scenarios on top of the universal configuration, so that authority allocation is refined and differentiated while the authority system stays consistent and complex authority management scenarios are handled effectively.
The embodiment provides a data authority configuration method, which supports the inheritance and coverage mechanism of the universal authority, so that an administrator can flexibly realize the inheritance and the fine coverage of the authority when selecting the dimension of the reference data. The mechanism can ensure that the roles have proper rights, simultaneously reduce the workload of management and maintenance to the maximum extent, and effectively improve the efficiency of rights management.
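The inheritance and merge of steps B20 and B30, as an added example that is not part of the application's own text. The dimension codes, right names and the parent-pointer representation of the tree are assumptions; an unknown code or a cyclic tree is rejected, so a bad selection cannot silently grant rights.

```python
# Constructed sample data; dimension codes and right names are hypothetical.
# Generic dimension tree: child code -> parent code (None marks a root).
PARENT = {
    "GEN_FIN": None,
    "GEN_FIN_BILL": "GEN_FIN",
    "GEN_FIN_BILL_AUDIT": "GEN_FIN_BILL",
    "GEN_REGION": None,
}

# Permission mapping table: dimension code -> data resource rights.
RIGHTS_MAP = {
    "GEN_FIN": ["finance:dashboard:view"],
    "GEN_FIN_BILL": ["finance:bill:view"],
    "GEN_FIN_BILL_AUDIT": ["finance:bill:audit", "finance:bill:view"],
    "GEN_REGION": ["region:D:view"],
}


def lineage(code):
    """Return [root, ..., code]; reject unknown codes and cyclic trees."""
    chain, seen = [], set()
    while code is not None:
        if code not in PARENT:
            raise KeyError(f"unknown dimension code: {code}")
        if code in seen:
            raise ValueError(f"cycle in dimension tree at: {code}")
        seen.add(code)
        chain.append(code)
        code = PARENT[code]
    return chain[::-1]


def reference_rights(selected_codes):
    """Step B20: rights of each selected dimension plus those of its parents."""
    rights = []
    for code in selected_codes:
        for dim in lineage(code):
            rights.extend(RIGHTS_MAP.get(dim, []))
    return rights


def merge_generic_rights(existing, selected_codes):
    """Step B30: de-duplicate and take the union, keeping a stable order."""
    merged = dict.fromkeys(existing)
    merged.update(dict.fromkeys(reference_rights(selected_codes)))
    return list(merged)
```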
In the fourth embodiment of the present application, the same or similar content as in the first embodiment of the present application can be referred to the above description, and the description thereof will be omitted. On this basis, referring to fig. 4, after step S30, the data authority configuration method further includes steps C10 to C40:
Step C10, when a login request of a user is detected, carrying out identity verification on the login request;
Step C20, if the identity verification is passed, analyzing a target data role and an access request in the login request;
Step C30, determining the target data resource authority corresponding to the target data role;
Step C40, determining the access decision corresponding to the target data resource authority and the access request according to the access control strategy, and executing the operation corresponding to the access decision.
As shown in fig. 5, the user inputs login information, such as a user name, a password, a mobile phone number verification code, etc., through the front-end interface, and the front-end interface submits a login request to the back-end server.
After the back end receives the login request from the front end, the user information is retrieved from the database, and a security algorithm can be used to verify whether the password hash values match. If they match, the identity verification is passed; otherwise, the verification result is fed back to report the failure.
Further, if the authentication is passed, the target data role and the access request information are extracted from the login request. And then, according to the target data role, inquiring the data role and the data resource authority mapping table in the database, and determining the corresponding target data resource authority.
The target data resource authority is compared with the access request, an access decision is determined according to the access control strategy, and the decision is executed. The specific steps are as follows:
The target data resource authority is analyzed to determine the accessible data resources and the operations executable on them, and the result is returned in the form of resource points. Meanwhile, the access request of the user is analyzed, and the target data resources, the operation type of the request and other relevant parameters are extracted.
The analyzed authority is compared with the request. The comparison must carefully match whether the requested target resource is within the user's authority and whether the type of operation requested is allowed.
An applicable access control policy is adopted according to the current user attributes, resource attributes and other factors. These policies may be predefined or dynamically generated to accommodate different business scenarios and security requirements. For example: allowing access, where the user's rights match the request type and the system allows access and performs the corresponding operation; denying access, where the user's rights do not match the request type and the system denies access and returns the corresponding error information; and additional processing, where additional access control processing such as multi-factor authentication, audit logging or log encryption may be required in some cases.
Based on the comparison and the access control policy, a final access decision is generated, which may be "access allowed", "access denied", or "additional processing".
Additionally, it is contemplated that in some cases, a user may be assigned multiple roles, each of which may correspond to a different right.
Therefore, when it is detected that the user has a plurality of target data roles, the system needs to process these roles. A query is executed for each target data role to acquire the candidate data resource permissions associated with it, and the candidate data resource permissions are collected into a set to form a list containing all of them.
Because users may possess the same rights in multiple roles, it is necessary to implement a deduplication algorithm, traverse the collection, identify and remove duplicate rights items, ensuring that each right appears only once. And after the duplication is removed, combining all the unique candidate authorities to form a final target data resource authority set.
In addition, the scheme can also establish a complete audit trail mechanism, comprehensively record the data access operation of the user and provide security analysis and monitoring.
Specifically, the system writes a detailed audit log record for each user data access request, including information such as the operating subject, access period, access place and requested resource. The audit logs can be used for authority security analysis to help an administrator find abnormal access modes or trends and prevent data leakage risks. In addition, the system can detect and examine the authority control flow in real time, and once an unauthorized operation request is found, the system can immediately protect and respond by means such as interception or rate limiting.
Comprehensive audit and monitoring provide full life cycle tracking of authority control, so abnormal access can be found and prevented in time and the integrity and confidentiality of data are not threatened. This significantly improves the reliability and security of the system's rights control.
The embodiment provides a data authority configuration method, which adopts a strong verification and authorization mechanism, and can prevent unauthorized access by strictly verifying the identity of a user, thereby protecting sensitive data in a system from being snooped or tampered by unauthorized users. Moreover, the access control policy ensures that the user can only access its authorized resources, which further enhances the security of the system and reduces the risk of internal leakage or mishandling. The verification authorization mechanism runs through and constrains the whole data authority control flow, the system refuses any unauthorized access request, and the data security and authority management standardization of the whole system are enhanced.
For example, to facilitate understanding of the implementation flow of the data authority configuration method obtained by combining the present embodiment with the first embodiment, referring to fig. 6, fig. 6 provides a data authority service library table association structure diagram of the present method, specifically:
(1) One user may belong to a plurality of organizations, and one organization may also include a plurality of users.
(2) One post may belong to multiple organizations, and one organization may also include multiple posts.
(3) One user may be associated with multiple posts, and one post may be associated with multiple users.
(4) One user may belong to a plurality of systems, and one system may also include a plurality of users, i.e., the users may possess a plurality of system rights.
(5) Some generic rights configurations, i.e. generic data dimensions, such as region, gender, year, quarter, etc., may be defined.
(6) The corresponding general dimension defines a general data authority resource, and the general data authority resource can be inherited by other authorities. Rights inheritance may be established between roles or users, or may span different dimensions.
(7) Each subsystem can configure customized system rights according to its business application scenario, i.e., system data dimensions, such as personnel departments.
(8) The corresponding system data dimension defines system data authority resources such as a special class group of a department.
(9) The data resources associated with a role include general data resource permissions and system data resource permissions, which give the role multidimensional authority resources.
(10) One user may have multiple roles, and one role may be assigned to multiple users. The corresponding role data authority is given to the user, so that user members hold the data authority of their roles.
(11) Dynamic configuration of authority is supported: the authority resource configuration can be adjusted and changed, the actually configured authority details take effect without restarting or reconfiguring the system, and data authority access control is carried out by synchronizing the latest authority resource policy.
Referring to fig. 7, fig. 7 provides a data rights interface call flow diagram at the time of data rights application, specifically:
(1) When the user logs in, the data roles that the user owns in the system are acquired through the token and the system code.
(2) The roles associated with the user are queried; if no role is associated, empty rights are returned, i.e., the user has no data rights.
(3) If the user is associated with some data roles, the data resource authority corresponding to each role's data dimension code under the system is processed separately, according to the universal data dimension code or the system data dimension code.
(4) The data resource authority selected under all the related data roles in the system is queried according to the data dimension codes. Then the data resource authorities are de-duplicated and their union is taken to obtain the data resource authorities owned by the user in the system.
(5) If the user is associated with a plurality of data roles, the system can acquire the data dimension codes defined by the roles associated with the user and merge authority by identical dimension code. For the same data dimension defined in several roles, the system takes the union of the authority resources and removes the duplicate authorities aggregated to the user in that data dimension.
(6) The universal data authority resource can be inherited by other authorities, and the authority inheritance can be established between roles or users, and can also span different dimensions. For example, a department manager role may inherit some or all of the rights of a company manager role, or a project role may inherit rights from a business role. The role-based right inheritance can quickly construct authorization logic between roles. In addition, a user can inherit the rights of multiple roles to meet the requirement that the user takes on multiple responsibilities in an organization.
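The per-dimension role merge of the Fig. 7 flow together with the access decision of steps C30 and C40, as an added example that is not part of the application's own text. Role names, dimension codes, resource names and the set of operations sent to additional processing are assumptions; roles are resolved from the stored user-role association, and an unknown user, role or operation level grants nothing.

```python
from datetime import datetime, timezone

# Operation levels named in the description: read-only, editing, management.
LEVEL_OPS = {
    "read_only": frozenset({"view"}),
    "edit": frozenset({"view", "edit"}),
    "manage": frozenset({"view", "edit", "delete", "create"}),
}

# Constructed sample data. Role names, dimension codes and resource names
# are hypothetical: role -> [(dimension_code, resource, level)].
ROLE_GRANTS = {
    "finance_staff": [
        ("SYS_FIN", "financial_statement", "read_only"),
        ("GEN_REGION", "region_D_data", "read_only"),
    ],
    "finance_approver": [
        ("SYS_FIN", "financial_statement", "edit"),
        ("GEN_REGION", "region_D_data", "read_only"),  # duplicate of the above
    ],
}
USER_ROLES = {"alice": ["finance_staff", "finance_approver"], "bob": []}

# Assumption: operations the access control policy sends to "additional
# processing" (for example multi-factor authentication) before they run.
STEP_UP = {("financial_statement", "edit")}


def effective_rights(user):
    """Merge rights per dimension code across all of the user's roles.

    Returns {dimension_code: {resource: set_of_operations}}. Sets make the
    union idempotent, so a right held through two roles appears once. A user
    with no roles, or an unknown user, gets an empty result.
    """
    merged = {}
    for role in USER_ROLES.get(user, []):
        for dim, resource, level in ROLE_GRANTS.get(role, []):
            ops = LEVEL_OPS.get(level, frozenset())  # unknown level grants nothing
            merged.setdefault(dim, {}).setdefault(resource, set()).update(ops)
    return merged


def decide(user, resource, operation, audit_log, place="unknown"):
    """Return 'access allowed', 'access denied' or 'additional processing'."""
    rights = effective_rights(user)
    permitted = any(
        operation in resources.get(resource, ())
        for resources in rights.values()
    )
    if not permitted:
        decision = "access denied"
    elif (resource, operation) in STEP_UP:
        decision = "additional processing"
    else:
        decision = "access allowed"
    # Audit record with the fields listed in the description, written for
    # every request, including denied ones.
    audit_log.append({
        "subject": user,
        "time": datetime.now(timezone.utc).isoformat(),
        "place": place,
        "resource": resource,
        "operation": operation,
        "decision": decision,
    })
    return decision
```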
It should be noted that the foregoing examples are only for understanding the present application, and are not meant to limit the data authority configuration method of the present application, and more forms of simple transformation based on the technical concept are all within the scope of the present application.
The application provides a data authority configuration device which comprises at least one processor and a memory in communication connection with the at least one processor, wherein the memory stores a computer program which can be executed by the at least one processor, and the computer program is executed by the at least one processor so that the at least one processor can execute the data authority configuration method in the first embodiment.
Referring now to FIG. 8, a schematic diagram of a data rights configuration device suitable for use in implementing embodiments of the present application is shown. The data right configuration device in the embodiment of the present application may include, but is not limited to, a mobile terminal such as a mobile phone, a notebook computer, a digital broadcast receiver, a PDA (Personal Digital Assistant), a PAD (Portable Application Description: tablet computer), a PMP (Portable Media Player), an in-vehicle terminal (e.g., an in-vehicle navigation terminal), and the like, and a fixed terminal such as a digital TV, a desktop computer, and the like. The data right configuration device shown in FIG. 8 is only one example, and should not impose any limitation on the functions and the scope of use of the embodiment of the present application.
As shown in FIG. 8, the data right configuration apparatus may include a processing device 1001 (e.g., a central processor, a graphics processor, etc.), which may perform various appropriate actions and processes according to a program stored in a Read-Only Memory (ROM) 1002 or a program loaded from a storage device 1003 into a Random Access Memory (RAM) 1004. The RAM 1004 also stores various programs and data required for the operation of the data right configuration device. The processing device 1001, the ROM 1002, and the RAM 1004 are connected to each other by a bus 1005. An input/output (I/O) interface 1006 is also connected to the bus. In general, the following may be connected to the I/O interface 1006: an input device 1007 such as a touch screen, a touch pad, a keyboard, a mouse, an image sensor, a microphone, an accelerometer, a gyroscope, etc.; an output device 1008 including a Liquid Crystal Display (LCD), a speaker, a vibrator, etc.; a storage device 1003 including a magnetic tape, a hard disk, etc.; and a communication device 1009. The communication device 1009 may allow the data rights configuration device to communicate wirelessly or by wire with other devices to exchange data. While the figures illustrate data rights configuration devices having various systems, it should be understood that not all illustrated systems are required to be implemented or provided. More or fewer systems may alternatively be implemented or provided.
In particular, according to embodiments of the present disclosure, the processes described above with reference to flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through a communication device, or installed from the storage device 1003, or installed from the ROM 1002. The above-described functions defined in the method of the disclosed embodiment of the application are performed when the computer program is executed by the processing device 1001.
The data authority configuration equipment provided by the application can solve the technical problem of insufficient flexibility of data authority configuration by adopting the data authority configuration method in the embodiment. Compared with the prior art, the data authority configuration device provided by the application has the same beneficial effects as the data authority configuration method provided by the embodiment, and other technical features in the data authority configuration device are the same as the features disclosed by the method of the previous embodiment, and are not described in detail herein.
It is to be understood that portions of the present disclosure may be implemented in hardware, software, firmware, or a combination thereof. In the description of the above embodiments, particular features, structures, materials, or characteristics may be combined in any suitable manner in any one or more embodiments or examples.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
The present application provides a computer-readable storage medium having a computer program stored thereon, the computer program comprising computer-readable program instructions for performing the data right configuration method in the above-described embodiments.
The computer-readable storage medium provided by the present application may be, for example, a U disk, or, without limitation, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system or device, or a combination of any of the foregoing. More specific examples of a computer-readable storage medium may include, but are not limited to, an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM, or flash memory), an optical fiber, a portable Compact Disc Read-Only Memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In this embodiment, a computer-readable storage medium may be any tangible medium that can contain or store a program for use by or in connection with an instruction execution system or device. Program code embodied on a computer-readable storage medium may be transmitted using any appropriate medium, including but not limited to electrical wiring, fiber optic cable, RF (Radio Frequency) and the like, or any suitable combination of the foregoing.
The above-mentioned computer-readable storage medium may be contained in the data right configuration device or may exist alone without being assembled into the data right configuration device.
The computer-readable storage medium carries one or more programs that, when executed by a data authority configuration device, cause the data authority configuration device to acquire a data role to be configured when a data role configuration request of an administrator is detected, configure system data resource permissions of the data role based on a system data dimension selected by the administrator, and configure general data resource permissions of the data role based on a general data dimension selected by the administrator.
Computer program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java, Smalltalk, and C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The modules involved in the embodiments of the present application may be implemented in software or in hardware. In some cases, the name of a module does not constitute a limitation on the module itself.
The readable storage medium provided by the application is a computer readable storage medium, and the computer readable storage medium stores a computer program for executing the data authority configuration method, so that the technical problem of insufficient flexibility of data authority configuration can be solved. Compared with the prior art, the beneficial effects of the computer readable storage medium provided by the application are the same as those of the data authority configuration method provided by the above embodiment, and are not described herein.
The foregoing description covers only some embodiments of the present application and is not intended to limit its scope. All equivalent structural changes made using the description and the accompanying drawings under the technical concept of the present application, as well as direct or indirect applications in other related technical fields, are included in the scope of the present application.