Method and device for managing a permission data lake, and storage medium
1. A method for managing a permission data lake, the method comprising:
obtaining a data set from a permission management system, wherein the data set includes at least one of basic permission data, permission change data, and permission consumption data;
importing the data set into a data lake;
and auditing the data in the data lake to obtain an audit report.
2. The method of claim 1, wherein obtaining the data set from the permission management system comprises:
acquiring log data from the permission management system;
filtering non-permission data out of the log data;
and processing the filtered log data to obtain the basic permission data and the permission change data.
3. The method of claim 2, wherein acquiring the log data from the permission management system comprises:
monitoring the log data of the permission management system in real time;
and processing the filtered log data comprises:
adding the filtered log data to a buffer queue, and processing the log data in the buffer queue in real time.
4. The method of claim 2, wherein acquiring the log data from the permission management system comprises:
acquiring the log data from the permission management system once every preset time period.
5. The method of claim 1, wherein auditing the data in the data lake comprises:
acquiring characteristic data of target data in the data lake;
and upon detecting that the characteristic data does not meet a preset requirement, determining that the target data is illegal.
6. The method of claim 5, wherein acquiring the characteristic data of the target data in the data lake comprises:
determining, based on the permission consumption data, a current consumption place and a previous consumption place corresponding to target permission consumption data;
and determining that the target data is illegal upon detecting that the characteristic data does not meet the preset requirement comprises:
upon detecting that the current consumption place differs from the previous consumption place, determining that the target permission consumption data is illegal.
7. The method of claim 5, wherein acquiring the characteristic data of the target data in the data lake comprises:
determining a ratio of consumed permission data to total permission data based on the basic permission data and the permission consumption data;
and determining that the target data is illegal upon detecting that the characteristic data does not meet the preset requirement comprises:
upon detecting that the ratio is smaller than a set proportion threshold, determining that the consumption rate of the permission data is unqualified.
8. The method of claim 1, further comprising:
displaying the audit report, wherein the displayed content comprises at least the life cycle of the permission data: application, creation, use, recovery and destruction.
9. A permission data management device, comprising a processor and a memory, the memory storing program data and the processor executing the program data to implement the method of any one of claims 1 to 8.
10. A computer-readable storage medium storing program data which, when executed by a processor, carry out the method of any one of claims 1 to 8.
Background
Permission management systems are widely used in enterprise management, for example in ERP (Enterprise Resource Planning) systems and OA (Office Automation) systems. An ERP system is a management platform built on information technology that combines information technology with advanced management ideas and, through systematic management, provides decision-making tools for employees and management. An OA system is a new office mode formed by applying modern technologies such as computing and communications to the traditional office. Office automation uses modern equipment and information technology to take over part of the manual or repetitive business activities of office workers, handles office affairs and business information with high quality and efficiency, makes efficient use of information resources, and thereby improves productivity, assists decision-making, and raises working efficiency, quality and the working environment as far as possible.
Such permission management systems are concerned with setting and managing the various permissions of employees within an enterprise. Because there are many kinds of permission management systems, an enterprise may be running several of them at the same time, and how to manage these systems in a unified way has become a pressing problem.
Disclosure of Invention
To solve the above problem, the present application provides a method, a device and a storage medium for managing a permission data lake, which can improve the efficiency of acquiring permission data.
The technical scheme adopted by the application is as follows. A method for managing a permission data lake is provided, comprising: obtaining a data set from a permission management system, wherein the data set comprises at least one of basic permission data, permission change data, and permission consumption data; importing the data set into a data lake; and auditing the data in the data lake to obtain an audit report.
Obtaining the data set from the permission management system comprises: obtaining log data from the permission management system; filtering non-permission data out of the log data; and processing the filtered log data to obtain the basic permission data and the permission change data.
In one mode, obtaining the log data from the permission management system comprises monitoring the log data of the permission management system in real time, and processing the filtered log data comprises adding the filtered log data to a buffer queue and processing the queued log data in real time.
In another mode, obtaining the log data from the permission management system comprises acquiring the log data from the permission management system once every preset time period.
Auditing the data in the data lake comprises: acquiring characteristic data of target data in the data lake; and, upon detecting that the characteristic data does not meet a preset requirement, determining that the target data is illegal.
In one case, acquiring the characteristic data of the target data comprises determining, from the permission consumption data, the current consumption place and the previous consumption place corresponding to the target permission consumption data; the target permission consumption data are then determined to be illegal when the current consumption place is detected to differ from the previous consumption place.
In another case, acquiring the characteristic data of the target data comprises determining the ratio of consumed permission data to total permission data from the basic permission data and the permission consumption data; the consumption rate of the permission data is then determined to be unqualified when the ratio is detected to be smaller than a set proportion threshold.
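The two audit rules above, written out in Python as an added example that is not part of the application. The basic permission data, the consumption records, the 0.5 proportion threshold and all field names are constructed. The place-change rule is implemented exactly as the text states it (a consumption whose place differs from the same user's previous one is illegal); a production detector would normally also weigh the time between the two consumptions, which the text does not discuss. A third check that the text does not state but a practitioner would want is included and labelled: a consumption of a permission that is absent from the basic permission data.

```python
from collections import defaultdict

# Constructed basic permission data: every permission granted to each user (not data from the application).
BASE_PERMISSIONS = {
    "u1": {"view_report", "approve_expense", "export_payroll", "manage_users", "reset_password"},
    "u2": {"view_report", "approve_expense"},
}
# Constructed permission consumption data, ordered by time: (sequence, user, permission, consumption place).
CONSUMPTIONS = [
    (1, "u1", "view_report", "shanghai-office"),
    (2, "u1", "approve_expense", "shanghai-office"),
    (3, "u1", "view_report", "vpn-overseas"),       # place differs from u1's previous consumption
    (4, "u2", "view_report", "beijing-office"),
    (5, "u2", "view_report", "beijing-office"),
    (6, "u2", "export_payroll", "beijing-office"),  # u2 was never granted export_payroll
]
MIN_CONSUMPTION_RATIO = 0.5   # constructed proportion threshold


def illegal_place_changes(consumptions):
    """Claim 6: flag a consumption whose place differs from the same user's previous consumption place."""
    previous_place = {}
    flagged = []
    for seq, user, _perm, place in sorted(consumptions):
        if user in previous_place and previous_place[user] != place:
            flagged.append(seq)
        previous_place[user] = place
    return flagged


def ungranted_consumptions(base, consumptions):
    """Added check (not in the text): a permission was consumed that the basic data never granted."""
    return [seq for seq, user, perm, _place in sorted(consumptions) if perm not in base.get(user, ())]


def consumption_ratios(base, consumptions):
    """Claim 7: share of each user's granted permissions that were actually consumed."""
    used = defaultdict(set)
    for _seq, user, perm, _place in consumptions:
        if perm in base.get(user, ()):   # only granted permissions count towards the ratio
            used[user].add(perm)
    return {user: len(used[user]) / len(perms) for user, perms in base.items() if perms}


def unqualified_users(base, consumptions, threshold):
    """Users whose consumption ratio is below the threshold: most of their grants go unused."""
    return sorted(u for u, r in consumption_ratios(base, consumptions).items() if r < threshold)


def audit(base=BASE_PERMISSIONS, consumptions=CONSUMPTIONS, threshold=MIN_CONSUMPTION_RATIO):
    """Audit report over the lake contents, as a dictionary that the display step can render."""
    return {
        "illegal_consumptions": illegal_place_changes(consumptions),
        "ungranted_consumptions": ungranted_consumptions(base, consumptions),
        "consumption_ratios": consumption_ratios(base, consumptions),
        "unqualified_users": unqualified_users(base, consumptions, threshold),
    }
```

With the constructed data, consumption 3 is flagged for the place change, consumption 6 for using an ungranted permission, and u1 (2 of 5 grants used) falls below the 0.5 threshold while u2 (1 of 2) does not.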
The method further comprises displaying the audit report, the displayed content comprising at least the life cycle of the permission data: application, creation, use, recovery and destruction.
Another technical scheme adopted by the application is as follows: a permission data management device is provided, comprising a processor and a memory, the memory storing program data and the processor executing the program data to implement the method described above.
Another technical scheme adopted by the application is as follows: a computer-readable storage medium is provided, storing program data which, when executed by a processor, implement the method described above.
The method for managing a permission data lake comprises: obtaining a data set from a permission management system, wherein the data set comprises at least one of basic permission data, permission change data, and permission consumption data; importing the data set into a data lake; and auditing the data in the data lake to obtain an audit report. In this way, the permission data held in the permission database and in the permission management systems can be managed in a unified manner, the whole life cycle of each item of permission data is tracked, and every stage of that life cycle is brought under management and control.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for describing the embodiments are briefly introduced below. The drawings described here show only some embodiments of the present application, and those skilled in the art can derive other drawings from them without creative effort. In the drawings:
FIG. 1 is a schematic flow chart of a first embodiment of the method for acquiring permission data provided by the present application;
FIG. 2 is a schematic flow chart of a second embodiment of the method for acquiring permission data provided by the present application;
FIG. 3 is a schematic flow chart of a first embodiment of the method for analyzing permission data provided by the present application;
FIG. 4 is a schematic diagram of the analysis model provided by the present application;
FIG. 5 is a schematic flow chart of a first embodiment of the method for synchronizing permission data provided by the present application;
FIG. 6 is a schematic flow chart of a second embodiment of the method for synchronizing permission data provided by the present application;
FIG. 7 is a schematic flow chart of a third embodiment of the method for synchronizing permission data provided by the present application;
FIG. 8 is a schematic flow chart of a fourth embodiment of the method for synchronizing permission data provided by the present application;
FIG. 9 is a schematic flow chart of a first embodiment of the method for managing permission data provided by the present application;
FIG. 10 is a schematic structural diagram of an embodiment of the permission data management device provided by the present application;
FIG. 11 is a schematic structural diagram of an embodiment of the computer-readable storage medium provided by the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application. It is to be understood that the specific embodiments described herein are merely illustrative of the application and are not limiting of the application. It should be further noted that, for the convenience of description, only some of the structures related to the present application are shown in the drawings, not all of the structures. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first", "second", etc. in this application are used to distinguish between different objects and not to describe a particular order. Furthermore, the terms "include" and "have," as well as any variations thereof, are intended to cover non-exclusive inclusions. For example, a process, method, system, article, or apparatus that comprises a list of steps or elements is not limited to only those steps or elements listed, but may alternatively include other steps or elements not listed, or inherent to such process, method, article, or apparatus.
Reference herein to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the application. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is explicitly and implicitly understood by one skilled in the art that the embodiments described herein can be combined with other embodiments.
Referring to FIG. 1, a schematic flow chart of a first embodiment of the method for acquiring permission data provided by the present application, the method is mainly used to acquire basic permission data from a permission management system and includes:
Step 11: acquire a permission data acquisition instruction.
In this embodiment a data collection tool may be developed to carry out the collection method. The tool may have a start button, and operating the button issues the acquisition instruction and starts the collection of permission data.
Step 12: determine, based on the acquisition instruction, the dimensions of the permission data in the permission management system, the dimensions including at least one of user information, user classification and permission information.
Optionally, the user information may include the user name, ID (identity document number), date of birth and native place, and may further include educational background, hire date and so on; the user classification may comprise the user's organization, post, group, business role, system permission and system resource within the enterprise; the permission information may include user authorization, organization authorization, post authorization and group authorization.
For example, general permissions may be granted automatically when an account is created for a user who has joined the enterprise, and the organization, post and group authorizations may be granted automatically according to the user's organization, post and group: if the user's post is "administrative management", the permissions of administrative management can be granted automatically once the post has been determined. Group authorization is performed automatically when a user joins a group; for instance, an enterprise creates a project group for a project and invites some users to join it, and those users receive the group's authorization on joining.
In this embodiment the dimensions of the permission data may therefore include user, organization, post, group, business role, system permission, system resource, user authorization, organization authorization, post authorization, group authorization, and so on.
Step 13: start a plurality of threads corresponding to the dimensions of the permission data, and collect the permission data of the corresponding dimension with each thread.
The permission data in a permission management system are numerous and heterogeneous, especially in a large enterprise; collecting them through a single channel typically takes several hours and is inefficient. In this embodiment several threads are started, each collecting the permission data of one dimension, which greatly improves collection efficiency.
Optionally, the threads are created in a thread pool that contains core threads and non-core threads. Specifically, in step 13 the number of core threads of the thread pool is determined, and core threads corresponding to the dimensions of the permission data are started, up to that number.
After step 13 the method may further include:
Step 14: on detecting that the buffer queue of a first thread among the plurality of threads has reached a target data volume, start a second thread associated with the first thread, and collect the permission data of that dimension with both the first thread and the second thread.
For example, if the thread pool has 10 core threads and 10 non-core threads and there are 8 permission data dimensions, 8 core threads can be started to collect the 8 dimensions respectively. Optionally, each thread has a buffer queue; when the buffer queue of a core thread is full, a non-core thread may be enabled to collect the same dimension in parallel, so that one core thread and one non-core thread collect the data of a single dimension together. The two threads must divide the dimension's data between them (for example by page or key range) so that no record is collected twice.
For another example, if the thread pool has 10 core threads and 10 non-core threads and there are 12 permission data dimensions, 10 core threads are started to collect 10 of the dimensions, and collection of the other two dimensions is suspended. As above, each thread has a buffer queue, and when the buffer queue of a core thread is full a non-core thread may be enabled to collect the same dimension in parallel.
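Steps 13 and 14 in Python, as an added example that is not code from the application: one core thread per dimension up to the core count, a bounded buffer queue per dimension drained by a writer, and a non-core helper thread taken from a semaphore-bounded pool when a core thread finds its buffer full. The pool sizes, the twelve dimension names, the page source and the buffer depth are all constructed. One point the text leaves implicit is made explicit here: the core thread and its helper share a page cursor, so each page of a dimension is fetched exactly once.

```python
import itertools
import queue
import threading

# Constructed pool sizes and buffer depth; the 10 core / 10 non-core split follows the text's example.
CORE_THREADS = 10
NON_CORE_THREADS = 10
BUFFER_SIZE = 2   # pages a dimension's buffer queue holds before it counts as full

DIMENSIONS = [   # twelve constructed dimensions, so two are left over with ten core threads
    "user", "organization", "post", "group", "service_role", "system_permission",
    "system_resource", "user_authorization", "organization_authorization",
    "post_authorization", "group_authorization", "resource_authorization",
]
PAGES_PER_DIMENSION, PAGE_SIZE = 5, 3


def constructed_source(dimension, page):
    """Stand-in for the permission management system: page `page` of one dimension, None past the end."""
    if page >= PAGES_PER_DIMENSION:
        return None
    return [f"{dimension}:{page * PAGE_SIZE + i}" for i in range(PAGE_SIZE)]


def _collect_dimension(dimension, source, out, helpers):
    """One core thread collects a dimension; a non-core helper joins when the buffer queue fills up."""
    buf = queue.Queue(maxsize=BUFFER_SIZE)
    cursor, cursor_lock = itertools.count(), threading.Lock()
    helper = []

    def next_page():
        with cursor_lock:            # shared cursor: core and helper never fetch the same page
            return next(cursor)

    def producer(is_core):
        while (page := source(dimension, next_page())) is not None:
            try:
                buf.put_nowait(page)
            except queue.Full:
                # Step 14: the buffer reached its target volume, so request one non-core thread
                # for this dimension; if none is free, just wait for the writer to drain the queue.
                if is_core and not helper and helpers.acquire(blocking=False):
                    helper.append(threading.Thread(target=helper_run))
                    helper[0].start()
                buf.put(page)

    def helper_run():
        try:
            producer(False)
        finally:
            helpers.release()        # hand the non-core thread back to the pool

    core = threading.Thread(target=producer, args=(True,))
    core.start()
    # The dimension's writer drains the buffer into the permission store while the fetchers run.
    while True:
        try:
            out.extend(buf.get(timeout=0.05))
        except queue.Empty:
            if not core.is_alive() and not any(t.is_alive() for t in helper):
                break
    while not buf.empty():           # pages put between the last get and the liveness check
        out.extend(buf.get_nowait())


def collect(dimensions, source=constructed_source, core_threads=CORE_THREADS,
            non_core_threads=NON_CORE_THREADS):
    """Step 13: one core thread per dimension; dimensions beyond the core count are suspended."""
    started, suspended = dimensions[:core_threads], dimensions[core_threads:]
    helpers = threading.BoundedSemaphore(non_core_threads)
    results = {d: [] for d in started}
    threads = [threading.Thread(target=_collect_dimension, args=(d, source, results[d], helpers))
               for d in started]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results, suspended
```

`collect(DIMENSIONS)` returns the records of the first ten dimensions and reports the last two as suspended; whether a helper was actually started for a dimension depends on timing, but the shared cursor guarantees the same complete, duplicate-free result either way.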
Optionally, after the permission data have been collected they are saved in a permission database, which stores and manages the permission data collected from every permission management system; the permission database may also be called a permission center or permission middle platform. "Middle platform" is short for the enterprise internet middle-platform architecture: as distinct from a front end and a back end, it denotes a set of middleware shared by several systems, and is common in website architectures and financial systems. Referring to FIG. 2, a schematic flow chart of a second embodiment of the method for acquiring permission data provided by the present application, the method mainly includes:
Step 21: compress the collected permission data to obtain a compressed data packet.
Step 22: import the compressed data packet into the permission database.
Step 23: decompress the compressed data packet in the permission database.
Optionally, the compressed data packet is additionally encrypted before it is imported and decrypted after it has been imported.
Step 24: store the decompressed permission data in the permission database.
Specifically, once the collected permission data have been gathered, they are imported directly into the permission center as an encrypted, compressed packet. The permission center decrypts and decompresses the data and loads them into a big-data container. An index database is built independently for each object, keyed in the form enterprise ID + application ID + object ID; data from different batches are distinguished by a batch ID and stored in the same index database.
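The packet import of steps 21 to 24, as an added example in Python that is not code from the application. It shows two checks a practitioner wants at this boundary and that the text does not spell out: the packet is authenticated before anything is decompressed, and decompression is stopped at a size bound so that a malformed or hostile packet cannot exhaust memory. The key, the 1 MiB bound, the record layout and the envelope format are constructed; the text's encryption layer is not implemented here (a confidentiality layer such as AES-GCM from a crypto library would wrap this envelope), only integrity and authenticity via HMAC-SHA256 from the standard library. The index key follows the text's enterprise ID + application ID + object ID form, with one entry per batch ID.

```python
import hashlib
import hmac
import json
import zlib

# Constructed shared key; the application encrypts the packet, which is not shown here.
PACKET_KEY = b"constructed-demo-key-not-for-production"
MAX_DECOMPRESSED = 1 << 20   # refuse packets that inflate beyond 1 MiB (constructed bound)


def _header_bytes(header):
    return json.dumps(header, sort_keys=True).encode()


def build_packet(records, enterprise_id, application_id, batch_id, key=PACKET_KEY):
    """Step 21: compress the collected permission data into an authenticated packet."""
    body = zlib.compress(json.dumps(records, sort_keys=True).encode())
    header = {"enterprise_id": enterprise_id, "application_id": application_id, "batch_id": batch_id}
    tag = hmac.new(key, _header_bytes(header) + body, hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "tag": tag}


def import_packet(packet, index_db, key=PACKET_KEY):
    """Steps 22-24: authenticate, decompress within a bound, store under enterprise+application+object keys.

    index_db maps (enterprise_id, application_id, object_id) -> {batch_id: record}.
    """
    header, body = packet["header"], packet["body"]
    expected = hmac.new(key, _header_bytes(header) + body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet["tag"]):
        raise ValueError("packet authentication failed; refusing to decompress")
    inflater = zlib.decompressobj()
    plain = inflater.decompress(body, MAX_DECOMPRESSED)   # inflate at most MAX_DECOMPRESSED bytes
    if inflater.unconsumed_tail or not inflater.eof:
        raise ValueError("packet exceeds the decompression limit or is truncated")
    stored = 0
    for record in json.loads(plain):
        index_key = (header["enterprise_id"], header["application_id"], record["object_id"])
        index_db.setdefault(index_key, {})[header["batch_id"]] = record
        stored += 1
    return stored


def import_rejected(packet, key=PACKET_KEY):
    """True when import_packet refuses the packet; exercises the tamper and size checks."""
    try:
        import_packet(packet, {}, key)
    except ValueError:
        return True
    return False
```

A packet whose tag does not verify is refused before a single byte is inflated, and a packet that inflates past the bound is refused even though its tag is valid; the header is covered by the tag, so a batch or enterprise ID cannot be swapped after the fact.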
The stored permission data can be queried directly in the permission database. In one mode, two search-range criteria are entered, for example "post + business role", and the matching permission data are displayed once the query completes.
In contrast to the prior art, the method for acquiring permission data of this embodiment includes: acquiring a permission data acquisition instruction; determining, based on the instruction, the dimensions of the permission data in the permission management system, the dimensions including at least one of user information, user classification and permission information; and starting a plurality of threads corresponding to those dimensions, each thread collecting the permission data of its dimension. Collecting the permission data with several threads running in parallel greatly reduces collection time, and because each thread collects only one dimension, the data are classified as they are collected, which keeps the data well organized and further improves collection efficiency.
Referring to FIG. 3, a schematic flow chart of a first embodiment of the method for analyzing permission data provided by the present application, the method is mainly used to analyze the permission data in the permission center after the permission data of a permission management system have been collected as in the above embodiment, and includes:
Step 31: obtain first permission data of a first permission management system.
The first permission data include the data of the several dimensions of the above embodiments, such as user, organization, post, group, business role, system permission, system resource, user authorization, organization authorization, post authorization and group authorization.
Step 32: perform multidimensional analysis on the first permission data to obtain a plurality of first data analysis results, the multidimensional analysis including at least one of authorized-object analysis, authorization-scope analysis and authorization-content analysis.
Note that the "multidimensional analysis" of this embodiment does not correspond to the "dimension" of the multidimensional data in the foregoing embodiments: it does not mean analyzing each dimension of data separately, but analyzing the permission data from several different angles.
Optionally, step 32 may specifically include: querying multidimensional feature data from the first permission data, and analyzing each set of feature data separately to obtain the plurality of first data analysis results.
Specifically, as shown in FIG. 4, a schematic diagram of the analysis model provided by the present application, a plurality of query models run in parallel, each querying the feature data of one dimension from the first permission data; a plurality of analysis models then analyze the feature data obtained by each query model, giving the plurality of first data analysis results.
Several analysis models are described in detail below:
a. Disabled-object analysis (disabled objects that hold valid permissions).
For example, user A is an object that must not be authorized, yet the analysis finds that user A has been granted valid permissions.
b. Zombie analysis (free objects without any organization, post, or permission grant).
For example, user A belongs to no organization, post or group and has been granted no permission; or user A has joined an organization, post or group but has never been granted any permission.
c. Redundancy analysis (the permission data definitions contain duplicate codes and names, or follow inconsistent conventions).
For example, user A and user B have the same ID, or a permission that should be unique has been granted to two different users.
For another example, if the naming convention is "username + ID" but some names are written "ID + username", the naming can be determined to be non-compliant.
d. Over-broad authorization scope analysis (the organizations associated with a role cover too large a range).
For example, user A is granted several permissions, some of which belong to users of organization a and some to users of organization b, so that user A's authorization scope is too large. A threshold may be set: for instance, when user A's authorization scope exceeds 3 organizations it is considered too large.
e. Authorization granularity analysis (a user or organization is authorized with too coarse a role).
Authorization granularity is the coarseness of a permission. For example, user A may view the reports of one department while user B may view the reports of all departments; for the permission to view reports, user B's authorization granularity is coarser than user A's. In this embodiment, whether each user's authorized role is too large is determined by analyzing the authorization granularity of each user.
f. Common permission analysis for all personnel (permissions held by every kind of staff).
These are the permissions that every post in the enterprise has, such as viewing one's own personal information, salary and performance information, or applying for leave and reimbursement.
g. Common permission analysis per type of post (permissions held by the staff of each post).
These are generally the special permissions of a post: for example, finance posts can view financial statements and the reimbursement forms submitted by each employee, and administrative posts can view résumé information.
The above examples analyze the permission data within a single permission management system of a single enterprise. Other approaches include the following:
h. Same-batch comparison analysis (comparison between different inspection batches of the same system).
This is a comparison between the data analysis results of different batches of the same system. Specifically: obtain second permission data of a second permission management system, where the first and second permission management systems are the same system and the first and second permission data were obtained in different batches; perform multidimensional analysis on the second permission data to obtain a plurality of second data analysis results; and compare the first data analysis results with the second data analysis results to obtain a first comparative analysis result.
For example, the first batch of analysis finds redundancy in the enterprise's permission data and the second batch finds none. One can then examine why the two redundancy analyses differ, for instance whether redundant data were cleaned up between the two batches. Comparing batches in this way also reflects the enterprise's improvement and progress in managing its permission data.
i. Cross-system comparison analysis (called "ring ratio" analysis in the application: comparison with the other systems of the same company).
This is a comparison between the analysis results of different permission management systems of the same enterprise (for example its ERP system and its OA system). Specifically: obtain third permission data of a third permission management system, where the first and third permission management systems are different systems that manage the permission data of the same group of objects; perform multidimensional analysis on the third permission data to obtain a plurality of third data analysis results; and compare the first data analysis results with the third data analysis results to obtain a second comparative analysis result.
For example, if the ERP analysis shows a permission data redundancy problem and the OA analysis shows none, one can examine why the two systems differ, whether in the data collection stage or in the data analysis stage, and further analyze which system suits the company better.
j. Cross-company comparison analysis (called "row ratio" analysis in the application: comparison with other companies using the same system).
This is a comparison between the analysis results of the same permission management system at different enterprises. Specifically: obtain fourth permission data of a fourth permission management system, where the first and fourth permission management systems are the same system managing the permission data of different groups of objects; perform multidimensional analysis on the fourth permission data to obtain a plurality of fourth data analysis results; and compare the first data analysis results with the fourth data analysis results to obtain a third comparative analysis result.
For example, if company A and company B both use an ERP system, the permission data and analysis results of the two companies can be compared to analyze the permission management of the two companies side by side.
Step 33: generate a permission data analysis report from the plurality of first data analysis results.
The data analysis results may take the form of numeric data, graphs and tables, which are then combined into the final analysis report.
Further, when the analysis report is generated, a boundary value may be checked for each analysis result. For example, if the boundary value for redundant data is 10% and the redundancy analysis shows that more than 10% of the data are redundant, a correction suggestion that the redundant data are excessive may be issued, such as that the redundant data be deleted.
In contrast to the prior art, the method for analyzing permission data of this embodiment includes: obtaining first permission data of a first permission management system; performing multidimensional analysis on the first permission data to obtain a plurality of first data analysis results, the multidimensional analysis including at least one of authorized-object analysis, authorization-scope analysis and authorization-content analysis; and generating a permission data analysis report from the plurality of first data analysis results. In this way the permission data are analyzed comprehensively from several angles, problems with the permission data can be detected from each of those angles, and the enterprise can find and correct problems in its permission management in time.
Referring to fig. 5, fig. 5 is a schematic flowchart of a first embodiment of the method for synchronizing authority data provided by the present application; the method is mainly used to synchronize authority data between the authority management system and the authority database. It can be understood that, once the authority data in the authority management system has been collected into the authority database through the above-mentioned embodiment, either the authority management system or the authority database may change the authority data, and when one of them changes, the change needs to be synchronized to the other. This embodiment mainly synchronizes from the authority management system to the authority database. The method comprises the following steps:
Step 51: monitoring a log of the authority management system.
Changes to the authority data are recorded in the authority management system in the form of a log.
The log information may include a timestamp, a permission change ID and the permission change content; further, the operator who made the change may be included. For example, user A is a department supervisor, user B is an ordinary employee of that department, and user A operates the system to grant user B a right; the log information may then include the authorizer, the authorized person, the authorization time, the authorization content, the deadline of the right, and the like.
Monitoring the log mainly means watching for each newly added item of authority change information in the log. It will be understood that the log may also record operations unrelated to authority changes, such as a change of a user's work station, which generate log information without any change of authority. In this case, attention must be paid to filtering out the information that is not an authority change.
Optionally, a log monitoring plug-in may be set up to monitor the log information in the rights management system.
Step 52: determining the authority data change information of the authority management system from the log.
The change of rights may include authorization and authorization, as follows:
Step 53: synchronizing the changed authority data in the authority management system to the authority database according to the authority data change information.
Optionally, the corresponding authority data is acquired from the service data table according to the permission data change information, and the acquired authority data is stored in the authority database. Specifically, the service data table name and the corresponding field name are obtained from the authority data change information; the corresponding service data table is found by its name; and the corresponding authority data is found in that service data table by the field name.
One form of the service data table is as follows:
For example, if a permission change log entry contains the information "Department _ table + Is _ update", the "Department _ table" service data table can be found among the many service data tables, and the permission data for editing department employee information can then be determined from the field name "Is _ update".
Different from the prior art, the method for synchronizing authority data provided by this embodiment includes: monitoring a log of the authority management system; determining authority data change information of the authority management system from the log; and synchronizing the changed authority data in the authority management system to the authority database according to the authority data change information. In this way, a dual-track management mode of the authority management system and the authority database can be realized: when one party changes data, the two parties can be synchronized conveniently, diversified management of the authority data is achieved, management capability is improved, and inconsistency of the authority data is avoided.
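The following is an added example, not code from the application, of steps 51 to 53: a small monitor that reads constructed log lines from a rights management system, drops entries that are not permission changes (and unparsable lines), splits the change content into a service data table name and a field name, and looks the permission data up in a constructed set of service data tables. The JSON log layout, the table contents and the `grant`/`revoke` operation names are assumptions; the table and field names follow the "Department_table + Is_update" example above, with the spaces around the underscores taken to be an extraction artifact.

```python
"""Added example: monitor an authority-management-system log, keep only the
permission-change entries, and resolve each one to the service data table and
field it names (steps 51-53). Log format, table layout and field names are
constructed for illustration and are not the application's own."""
import json
from dataclasses import dataclass

# Constructed service data tables: table name -> list of row dicts.
SERVICE_TABLES = {
    "Department_table": [
        {"user": "B", "dept": "R&D", "Is_update": 1, "Is_delete": 0},
        {"user": "C", "dept": "R&D", "Is_update": 0, "Is_delete": 0},
    ],
    "Finance_table": [
        {"user": "D", "dept": "Finance", "Is_update": 1, "Is_delete": 1},
    ],
}

# Constructed log lines, one JSON object per line; the second is a station
# change (no authority change) and the last is noise the monitor must survive.
LOG_LINES = [
    '{"ts": "2024-01-01T09:00:00", "change_id": 1, "op": "grant", "authorizer": "A", '
    '"grantee": "B", "content": "Department_table + Is_update", "deadline": "2024-12-31"}',
    '{"ts": "2024-01-01T09:05:00", "change_id": 2, "op": "station_change", "user": "C", '
    '"content": "desk 12 -> desk 14"}',
    '{"ts": "2024-01-01T09:10:00", "change_id": 3, "op": "revoke", "authorizer": "A", '
    '"grantee": "D", "content": "Finance_table + Is_delete"}',
    'this line is not valid json and must not crash the monitor',
]

# Assumed operation names that count as authority changes.
PERMISSION_OPS = {"grant", "revoke"}


@dataclass(frozen=True)
class ChangeInfo:
    change_id: int
    op: str
    grantee: str
    table: str
    field: str


def parse_log_line(line):
    """Return the log record as a dict, or None for lines that are not JSON objects."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    return rec if isinstance(rec, dict) else None


def is_permission_change(rec):
    """Step 52 filter: only authorization operations are authority changes."""
    return rec.get("op") in PERMISSION_OPS


def extract_change_info(rec):
    """Split 'Table + Field' content into the table name and the field name."""
    table, _, field = rec["content"].partition("+")
    return ChangeInfo(rec["change_id"], rec["op"], rec["grantee"],
                      table.strip(), field.strip())


def lookup_permission_rows(info, tables=SERVICE_TABLES):
    """Find the service table by name, then the grantee's rows that carry the field."""
    table = tables.get(info.table)
    if table is None:
        raise KeyError(f"unknown service data table {info.table!r}")
    return [row for row in table if info.field in row and row["user"] == info.grantee]


def sync_from_log(lines, tables=SERVICE_TABLES):
    """Steps 51-53 end to end; returns the rows written to the authority database."""
    authority_db = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not is_permission_change(rec):
            continue  # noise or a non-permission event: nothing to synchronize
        info = extract_change_info(rec)
        for row in lookup_permission_rows(info, tables):
            authority_db.append({
                "change_id": info.change_id, "op": info.op, "user": row["user"],
                "table": info.table, "field": info.field, "value": row[info.field],
            })
    return authority_db


if __name__ == "__main__":
    for row in sync_from_log(LOG_LINES):
        print(row)
```

The station-change entry and the malformed line are both discarded before any table lookup, which is the filtering the text calls for; an unknown table name raises rather than silently writing nothing, so a mismatch between the log and the service tables surfaces during synchronization instead of as a missing right later.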
Referring to fig. 6, fig. 6 is a schematic flowchart of a second embodiment of the method for synchronizing authority data provided by the present application; the method is mainly used to synchronize authority data between the authority management system and the authority database. It can be understood that, once the authority data in the authority management system has been collected into the authority database through the above-mentioned embodiment, either the authority management system or the authority database may change the authority data, and when one of them changes, the change needs to be synchronized to the other. This embodiment mainly synchronizes from the authority database to the authority management system. The method comprises the following steps:
Step 61: the permission database sends a permission data change message to the message middleware.
Message middleware (MQ) is supporting software that, based on queuing and messaging techniques, provides synchronous or asynchronous, reliable message delivery for application systems in a network environment. It uses an efficient and reliable message transfer mechanism for platform-independent data communication and for integrating distributed systems on the basis of that communication. By providing a messaging and message-queuing model, it extends inter-process communication to a distributed environment.
Alternatively, the message middleware may be ActiveMQ, RabbitMQ or Kafka.
Step 62: monitoring the messages in the message middleware.
Optionally, several queues may be established in the message middleware, each corresponding to one rights management system; for example, one message queue corresponds to the ERP system and another to the OA system.
In particular, an agent module may be created that listens to the messages in each queue of the message middleware to determine whether there is permission data to synchronize. The agent module may exist as a plug-in or be implemented in other ways, such as a service or a process, and it may reside on the same device as the message middleware or on a different one.
Step 63: on detecting and confirming that there is a message in the message middleware, synchronizing the changed authority data in the authority database to the corresponding authority management system.
Specifically, when a message is detected in a message queue of the message middleware, the message is consumed, the corresponding rights data is determined, and that rights data is then inserted into the rights management system.
Through these two modes, dual-track management of the authority data is achieved: the authority data can be managed both by the authority management system (an ERP system or an OA system) and by the authority database, and whichever party performs an authority change, the change is synchronized to the other.
Further, when the authority management system and the authority database synchronize authority data, if the authority management system synchronizes a certain item of authority data to the authority database, that is itself a change of authority data from the authority database's point of view. According to the above embodiment, the authority database would then send a message to the MQ again and synchronize the data back to the authority management system, so that the two keep synchronizing the same data back and forth. The following embodiments are directed at solving this problem.
Different from the prior art, the method for synchronizing authority data provided by this embodiment includes: the permission database sends a permission data change message to the message middleware; the messages in the message middleware are monitored; and on detecting and confirming that there is a message in the message middleware, the changed authority data in the authority database is synchronized to the corresponding authority management system. In this way, a dual-track management mode of the authority management system and the authority database can be realized: when one party changes data, the two parties can be synchronized conveniently, diversified management of the authority data is achieved, management capability is improved, and inconsistency of the authority data is avoided.
Referring to fig. 7, fig. 7 is a schematic flowchart of a third embodiment of the method for synchronizing rights data provided by the present application; this embodiment is applied to a rights database that synchronizes rights data to a rights management system, and the method includes:
Step 71: the permission database sends a permission data change message to the message middleware.
Step 72: monitoring the messages in the message middleware.
Step 73: on detecting and confirming that there is a message in the message middleware, adding first identification information to the changed authority data in the authority database.
Optionally, the rights data includes an authorization object, an authorization time, authorization content, an authorization identifier (i.e., the first identification information), and the like; which authorization identifier is added depends on which party performed the rights data change, and if the change was performed in the rights database, the first identification information is added.
Step 74: sending the authority data with the added first identification information to the corresponding authority management system.
In this way, the rights management system can perform its normal synchronization operation when it receives rights data carrying the first identification information.
Referring to fig. 8, fig. 8 is a schematic flowchart of a fourth embodiment of the method for synchronizing authority data provided by the present application; this embodiment is applied to an authority management system that synchronizes authority data to an authority database, and the method includes:
Step 81: monitoring a log of the authority management system.
Step 82: determining the authority data change information of the authority management system from the log.
Step 83: adding second identification information to the changed authority data in the authority management system according to the authority data change information.
Alternatively, the rights data includes an authorization object, an authorization time, authorization content, an authorization identifier (i.e., the second identification information), and the like; which authorization identifier is added depends on which party performed the rights data change, and if the change was performed in the rights management system, the second identification information is added.
Step 84: sending the authority data with the added second identification information to the authority database.
In this way, the permission database can perform its normal synchronization operation when it receives permission data carrying the second identification information.
In the embodiments of fig. 7 and fig. 8, when the permission database detects and confirms that the permission data to be synchronized carries the first identification information, it does not perform synchronization; and when the authority management system detects and confirms that the authority data to be synchronized carries the second identification information, it does not perform synchronization.
For example, when the authority database performs an authorization operation it adds identifier A to the authority data, and when the authority management system performs an authorization operation it adds identifier B. Then, when the permission database receives from the permission management system a piece of permission data that carries identifier A, it can determine that the permission data was authorized by itself and need not synchronize it again. Similarly, when the permission management system receives from the permission database a piece of permission data that carries identifier B, it can determine that the data was authorized by itself and need not synchronize it again.
In addition, in other embodiments, because both the ERP system and the OA system already have an existing rights management system, the rights management system may be left unmodified: identification information is added only when data in the rights database is changed, and no identifier is added when the rights management system changes rights. The rights database then synchronizes only rights data that carries no identifier, and the rights management system synchronizes only rights data that carries the identification information.
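As an added example that is not the application's code, the simulation below covers the queue-based synchronization of fig. 6 together with the identifier scheme of fig. 7 and fig. 8. An in-memory stand-in for the message middleware keeps one queue per receiving system; each party stamps its own changes with its identification information, and writing a synced record is treated as a change that is re-announced, which is exactly what produces the back-and-forth synchronization described above. With the origin check switched on, a party drops records that carry its own identifier and the exchange terminates; with it off, the queues never drain. Setting the management system's identifier to `None` models the variant in which only the database adds an identifier. The party names, record layout, queue implementation and the delivery cap are assumptions.

```python
"""Added example (not the application's code): dual-track synchronisation
between an authority database and a rights management system through a
message queue, using the first/second identification information of fig. 7
and fig. 8 to stop the synchronisation loop. Everything here is constructed
for illustration."""
from collections import deque


class MessageMiddleware:
    """Constructed stand-in for ActiveMQ/RabbitMQ/Kafka: one queue per receiving system."""

    def __init__(self):
        self.queues = {}
        self.delivered = 0

    def publish(self, target, record):
        self.queues.setdefault(target, deque()).append(dict(record))

    def consume(self, target):
        queue = self.queues.get(target)
        if queue:
            self.delivered += 1
            return queue.popleft()
        return None

    def pending(self):
        return sum(len(q) for q in self.queues.values())


class Party:
    """Either the authority database or a rights management system.

    `ident` is the identification information this party stamps on its own
    changes (identifier A for the database, B for the management system);
    None models an unmodified management system that stamps nothing."""

    def __init__(self, name, ident, peer):
        self.name, self.ident, self.peer = name, ident, peer
        self.rights = {}
        self.skipped = 0

    def change(self, mq, key, content):
        """A local authorization: store it with our identifier and announce it."""
        record = {"key": key, "content": content, "origin": self.ident}
        self.rights[key] = record
        mq.publish(self.peer, record)

    def receive(self, mq, record, check_origin=True):
        """Apply a synced record. Writing it is itself a change, so it is
        re-announced; with check_origin, records we originated are dropped."""
        if check_origin and record["origin"] == self.ident:
            self.skipped += 1
            return False
        self.rights[record["key"]] = record
        mq.publish(self.peer, record)
        return True


def run_sync(mq, parties, check_origin=True, max_deliveries=20):
    """Drain the queues until empty or until the cap is hit; return deliveries made."""
    start = mq.delivered
    while mq.delivered - start < max_deliveries:
        progressed = False
        for party in parties:
            record = mq.consume(party.name)
            if record is not None:
                progressed = True
                party.receive(mq, record, check_origin)
        if not progressed:
            break
    return mq.delivered - start


def demo(check_origin=True, system_ident="B"):
    """One change on each side, then synchronise; report what happened."""
    mq = MessageMiddleware()
    db = Party("authority_db", "A", peer="erp")
    erp = Party("erp", system_ident, peer="authority_db")
    erp.change(mq, ("B", "Department_table", "Is_update"), "grant")   # constructed
    db.change(mq, ("D", "Finance_table", "Is_delete"), "revoke")      # constructed
    deliveries = run_sync(mq, [db, erp], check_origin)
    return {
        "deliveries": deliveries,
        "consistent": db.rights == erp.rights,
        "pending": mq.pending(),
        "skipped": db.skipped + erp.skipped,
    }


if __name__ == "__main__":
    print("with identifiers:   ", demo(check_origin=True))
    print("without identifiers:", demo(check_origin=False))
    print("only database tags: ", demo(system_ident=None))
```

Each change crosses the queue exactly once and is then recognised and dropped by its originator on the way back, so both stores end up equal with nothing left queued. Without the check, every delivery re-queues the same record, which is the situation the text describes and which only the delivery cap stops in the simulation.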
Optionally, in an embodiment, all the rights data in the rights management system and the rights database may be fully synchronized once at a set frequency, so that data consistency between the two is ensured.
Referring to fig. 9, fig. 9 is a schematic flowchart of a first embodiment of a method for managing rights data provided by the present application, where the method includes:
Step 91: obtaining a data set from a rights management system, where the data set includes at least one of base rights data, rights alteration data and rights consumption data.
It is to be understood that, in the above-described embodiment, the rights data in the rights management system is collected into the rights database. In this embodiment, a data lake is established, and the authority data in the authority database or the authority management system is then collected into the data lake, which facilitates management.
The data set may include:
Optionally, in an embodiment, step 91 may include: obtaining log data from the rights management system; filtering non-authority data out of the log data; and processing the filtered log data to obtain basic authority data and authority change data.
Since the log of the rights management system also contains information about changes that are not rights changes, the non-rights data must be filtered out.
During data collection, log information can be collected with a probe: a collection probe (for example, a log probe) collects the authority data of an authority management system (such as an ERP system or an OA system) as incremental log data, data other than the authority log is intercepted, and the retained log data is stored in the authority data lake. Because the log generally contains only an audit log (authorizations and the like), the basic authority data also needs to be collected to complete the audit data.
ETL (Extract-Transform-Load) data acquisition can also be used. ETL extracts data from distributed, heterogeneous data sources, such as relational data and flat data files, into a temporary intermediate layer, then cleans, converts and integrates the data, and finally loads it into a data warehouse or data mart as the basis for online analytical processing and data mining. The ETL starts different tasks, each of which collects the incremental authority data of a different business object (users, organizations, posts, authorities, roles, and so on), and then controls the running of each task in a unified manner to accomplish data collection.
Data acquisition can be divided into real-time acquisition and non-real-time acquisition. In real-time acquisition, the log data of the authority management system is monitored in real time, the filtered log data is added to a buffer queue, and the log data in the buffer queue is processed in real time; that is, as soon as the log of the authority management system is monitored, the data is computed and acquired immediately in a data-stream buffering mode. In non-real-time acquisition, log data is acquired from the rights management system once every preset time period; that is, the data accumulated within a period of time is computed in an offline-computation mode and then collected.
Step 92: importing the data set into a data lake.
A data lake is a repository or system that stores data in its raw format. It stores the data as it is, without the data having to be structured in advance. A data lake may store structured data (e.g., tables in a relational database), semi-structured data (e.g., CSV, log, XML, JSON), unstructured data (e.g., email, documents, PDF) and binary data (e.g., graphics, audio, video).
Step 93: auditing the data in the data lake to obtain an audit report.
Data auditing is an audit of the entire life cycle of rights data: application, creation, use (consumption), reclamation and destruction.
The auditing of the application, creation, recovery and destruction processes mainly includes judging whether the application process is legal (meets preset rules), whether the applicant and the approver are qualified, whether the applied authority meets the requirements, and so on.
Optionally, during auditing, the corresponding feature data is acquired from the rights data according to the requirements, and the corresponding audit result is obtained by analyzing the feature data.
For example, based on the authority consumption data, the current consumption place and the previous consumption place corresponding to the target authority consumption data are determined; and on detecting and confirming that the current consumption place differs from the previous consumption place, the target authority consumption data is determined to be illegal.
Taking login authority as an example, if the previous login was in Shanghai and the next login is in Shenzhen, the audit records a login from a different place.
For example, based on the base rights data and the rights consumption data, the ratio of the rights consumed to the total rights is determined; and on detecting and confirming that the ratio is smaller than a set proportion threshold, the consumption rate of the rights data is determined to be unqualified.
For instance, a user may hold 100 rights but use only 30 of them daily; this can serve as one category of data governance.
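The two audit checks just described, written out as an added example rather than the application's own code: the first walks the consumption records in time order and flags a use of a right whose place differs from that user's previous use of the same right; the second compares the set of rights each user actually consumed against the base rights data and marks users whose consumption ratio falls below a threshold. The base rights, the consumption events, the place names and the 0.5 threshold are constructed for illustration.

```python
"""Added example (not the application's code): two audit checks over rights
data in the data lake, as described in step 93. Records, places and the
threshold are constructed for illustration."""
from collections import defaultdict

# Constructed base rights data: user -> rights held.
BASE_RIGHTS = {
    "B": {"login"} | {f"right{i}" for i in range(1, 10)},   # 10 rights
    "D": {"login", "Finance_table.Is_delete"},               # 2 rights
}

# Constructed rights consumption data: one dict per use of a right.
CONSUMPTION = [
    {"user": "B", "right": "login", "place": "Shanghai", "ts": "2024-01-01T09:00:00"},
    {"user": "B", "right": "right1", "place": "Shanghai", "ts": "2024-01-01T09:30:00"},
    {"user": "B", "right": "login", "place": "Shanghai", "ts": "2024-01-01T18:00:00"},
    {"user": "B", "right": "right2", "place": "Shanghai", "ts": "2024-01-01T18:10:00"},
    {"user": "B", "right": "login", "place": "Shenzhen", "ts": "2024-01-02T09:00:00"},
    {"user": "D", "right": "login", "place": "Beijing", "ts": "2024-01-01T08:00:00"},
    {"user": "D", "right": "Finance_table.Is_delete", "place": "Beijing", "ts": "2024-01-01T08:30:00"},
    {"user": "D", "right": "login", "place": "Beijing", "ts": "2024-01-02T08:00:00"},
]


def audit_consumption_places(events):
    """Flag each consumption record whose place differs from the same user's
    previous consumption place for the same right (e.g. Shanghai, then Shenzhen)."""
    last_place = {}
    illegal = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        key = (ev["user"], ev["right"])
        previous = last_place.get(key)
        if previous is not None and previous != ev["place"]:
            illegal.append({**ev, "previous_place": previous})
        last_place[key] = ev["place"]
    return illegal


def audit_consumption_ratio(base, events, threshold=0.5):
    """Per user: consumed rights / total rights, and whether it meets the threshold.
    Only rights present in the base rights data count as consumed."""
    used = defaultdict(set)
    for ev in events:
        if ev["right"] in base.get(ev["user"], ()):
            used[ev["user"]].add(ev["right"])
    report = {}
    for user, rights in base.items():
        ratio = len(used[user]) / len(rights) if rights else 0.0
        report[user] = {"consumed": len(used[user]), "total": len(rights),
                        "ratio": round(ratio, 2), "qualified": ratio >= threshold}
    return report


def audit_report(base, events, threshold=0.5):
    """Combine both checks into the audit report of step 93."""
    return {
        "illegal_consumption": audit_consumption_places(events),
        "consumption_rate": audit_consumption_ratio(base, events, threshold),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_report(BASE_RIGHTS, CONSUMPTION), indent=2))
```

Keying the place check on (user, right) rather than on the user alone keeps a change of place for one right from being masked by uses of other rights in between; the ratio check ignores consumption of rights a user does not hold in the base data, so stale or orphaned use records do not inflate the figure.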
In an optional embodiment, the audit report is displayed, and the displayed content at least includes the life cycle of application, creation, use, recovery and destruction of the authority data.
For example, the audit result can be presented as a kanban board, on which the enterprise's senior management can see how many business systems have been connected in total, the improvement in authority management efficiency, data of several dimensions, and the value of the authority database. Because the complete life cycle of "application, creation, use, recovery and destruction" is managed and viewed, manageability, awareness and traceability of all business links are finally achieved.
Different from the prior art, the method for managing rights data provided by this embodiment includes: obtaining a data set from a rights management system, where the data set includes at least one of basic rights data, rights alteration data and rights consumption data; importing the data set into a data lake; and auditing the data in the data lake to obtain an audit report. In this way, the authority data in the authority database and the authority management system can be managed in a unified manner, the whole life cycle of each item of authority data is tracked, and each link is managed and controlled.
Referring to fig. 10, fig. 10 is a schematic structural diagram of an embodiment of a rights data management device provided in the present application, where the data management device 100 includes a processor 101 and a memory 102, the memory 102 is used for storing program data, and the processor 101 is used for executing the program data to implement the following methods:
acquiring an authority data acquisition instruction; determining the dimensionality of the authority data in the authority management system based on the authority data acquisition instruction; the dimensionality of the authority data at least comprises one of user information, user classification and authority information; and starting a plurality of threads corresponding to the dimensionality of the authority data, and collecting the authority data of the corresponding dimensionality by utilizing each thread.
Acquiring first authority data of a first authority management system; performing multi-dimensional analysis on the first authority data to obtain a plurality of first data analysis results; wherein the multidimensional analysis comprises at least one of authorized object analysis, authorized scope analysis and authorized content analysis; and generating a permission data analysis report according to the plurality of first data analysis results.
Monitoring a log of the authority management system; determining authority data change information of the authority management system from the log; and synchronizing the changed authority data in the authority management system to the authority database according to the authority data change information.
The permission database sends the permission data change message to the message middleware; monitoring the message in the message middleware; and detecting and confirming that the message middleware has the message, and synchronizing the changed authority data in the authority database to the corresponding authority management system.
Obtaining a data set from a rights management system; wherein the data set comprises at least one of basic rights data, rights alteration data, and rights consumption data; importing a data set into a data lake; and auditing the data in the data lake to obtain an audit report.
Referring to fig. 11, fig. 11 is a schematic structural diagram of an embodiment of a computer-readable storage medium provided in the present application, the computer-readable storage medium 110 stores program data 111, and the program data 111, when executed by a processor, is used to implement the following method:
acquiring an authority data acquisition instruction; determining the dimensionality of the authority data in the authority management system based on the authority data acquisition instruction; the dimensionality of the authority data at least comprises one of user information, user classification and authority information; and starting a plurality of threads corresponding to the dimensionality of the authority data, and collecting the authority data of the corresponding dimensionality by utilizing each thread.
Acquiring first authority data of a first authority management system; performing multi-dimensional analysis on the first authority data to obtain a plurality of first data analysis results; wherein the multidimensional analysis comprises at least one of authorized object analysis, authorized scope analysis and authorized content analysis; and generating a permission data analysis report according to the plurality of first data analysis results.
Monitoring a log of the authority management system; determining authority data change information of the authority management system from the log; and synchronizing the changed authority data in the authority management system to the authority database according to the authority data change information.
The permission database sends the permission data change message to the message middleware; monitoring the message in the message middleware; and detecting and confirming that the message middleware has the message, and synchronizing the changed authority data in the authority database to the corresponding authority management system.
Obtaining a data set from a rights management system; wherein the data set comprises at least one of basic rights data, rights alteration data, and rights consumption data; importing a data set into a data lake; and auditing the data in the data lake to obtain an audit report.
In the several embodiments provided in the present application, it should be understood that the disclosed method and apparatus may be implemented in other manners. For example, the above-described device embodiments are merely illustrative, and for example, the division of the modules or units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The above description is only for the purpose of illustrating embodiments of the present application and is not intended to limit the scope of the present application, and all modifications of equivalent structures and equivalent processes, which are made according to the content of the present specification and the accompanying drawings, or which are directly or indirectly applied to other related technical fields, are also included in the scope of the present application.