
CN102831123A - Method and system for querying authority control of data - Google Patents

Info

Publication number
CN102831123A
Authority
CN
China
Prior art keywords
entity
authority control
query
identity information
control point
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011101620648A
Other languages
Chinese (zh)
Other versions
CN102831123B (en)
Inventor
马强
林凉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Aisino Corp
Original Assignee
Aisino Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Aisino Corp
Priority to CN201110162064.8A
Publication of CN102831123A
Application granted
Publication of CN102831123B
Legal status: Active
Anticipated expiration

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a system for querying authority control of data, wherein the method comprises the steps as follows: step 1: partitioning data in a database to obtain more than one authority control point and setting an attribute for each entity included in each authority control point; step 2: building a rule tree corresponding to each attribute of each entity; step 3: specifying query criteria corresponding to each entity in each authority control point, wherein the query criteria are operation results of the rule trees corresponding to more than one attribute of the entity through logical operations; step 4: receiving a query request, wherein the query request comprises a name of the entity to be queried and the authority control point to be queried; and step 5: determining the entity to be queried according to the name of the entity to be queried, thereby determining the query criteria corresponding to the entity in the authority control point to be queried; and searching the data suitable for the query criteria in the database and outputting the data. According to the method and the system for querying authority control of data, the expansion is easy, and the maintenance cost is very low.

Description

Authority control method and system for inquiring data
Technical Field
The present invention relates to the field of rights control, and in particular, to a method and a system for controlling rights for querying data.
Background
Database systems are now widely used. Staff obtain information about every aspect of their work by querying the data in a database, and then take measures to advance that work.
The data stored in a database is of many types and often includes data that is critical to enterprises and governments, such as financial data, order information and statistical data. Access rights therefore need to be set for the data in the database, so that a user who has the right to access the data can query it through the database and a user who does not have that right cannot. This is the problem of authority control.
In the prior art there are two methods of applying authority control to data stored in a database. The first is implemented in hardware: the authority control software is stored in the hardware, authority control is performed by running the program on that hardware, and the software cannot be copied, which ensures the security of the method. The second is to develop the authority control software in-house, or to commission a third party to develop it, using various open-source frameworks.
The first prior-art method is difficult to extend, because the authority control software stored in the hardware cannot be modified. If it needs to be changed, it must be reprogrammed and stored in the hardware again, which wastes time and money. The second prior-art method is difficult to develop and to maintain afterwards, because the open-source framework itself has no authority control function: a developer must first learn the framework and then develop and test the authority control software. When maintenance is needed during use, the relevant programs must be read again, the code rewritten and the tests repeated, which takes a long time and is costly.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method and a system for controlling the authority for inquiring data, which are easy to expand and have low maintenance cost.
The technical scheme for solving the technical problems is as follows: an authority control method for querying data, wherein the data is stored in a database; the method comprises the following steps:
Step 1: dividing the data in the database to obtain more than one authority control point, and setting the attributes of each entity included in each authority control point;
Step 2: establishing a rule tree corresponding to each attribute of each entity;
Step 3: specifying a query rule corresponding to each entity in each authority control point, wherein the query rule is the result of a logical operation on the rule trees corresponding to more than one attribute of the entity;
Step 4: receiving a query request, wherein the query request comprises the name of an entity to be queried and an authority control point to be queried;
Step 5: determining the entity to be queried according to the name of the entity to be queried, and thereby determining the query rule corresponding to the entity in the authority control point to be queried; and searching the database for the data that conforms to the query rule and outputting the data.
The invention has the beneficial effects that: in the invention, more than one authority control point can be divided aiming at the data in the database according to the business requirement, each authority control point can comprise more than one entity, the attribute of each entity in each authority control point is also set, and then a rule tree corresponding to each attribute of each entity is established, so that the rule trees corresponding to the attributes of the entities can be logically operated, and the query rule corresponding to each entity is determined. After the query rules of all entities in each authority control point are stored, the query purpose of a user is determined according to the authority control point to be queried in the received query request, and then the entity to be queried is determined according to the name of the entity to be queried in the query request, so that the query rule corresponding to the entity in the authority control point to be queried is determined, and then corresponding data can be searched from a database according to the query rule. When the authority control system needs to be expanded to modify the authority control method, the authority control method provided by the invention only needs to reset the authority control points and the attributes of each entity in each authority control point, reestablish the rule tree of each entity and appoint the query rule corresponding to each entity again, so that the authority control method provided by the invention is easy to expand and has low maintenance cost.
On the basis of the technical scheme, the invention can be further improved as follows:
Further, after step 3 and before step 4, the method further comprises step 30: receiving user identity information and judging whether the user identity information is legal identity information; if so, executing step 4; otherwise, not allowing the data to be queried.
Further, the method for determining whether the user identity information is legal identity information in step 30 is: traversing the stored legal identity information and judging whether the user identity information is the same as one item of the stored legal identity information; if so, determining that the user identity information is legal identity information; otherwise, determining that the user identity information is illegal identity information.
Further, the user identity information includes: a user account and a user password.
Further, the logical operation in step 3 is a logical AND operation.
In addition, the present invention also provides an authority control system for querying data, the system comprising: a storage module, a configuration module, a query rule specifying module and a terminal module; wherein,
the storage module is used for storing the data and storing the query rule corresponding to each entity in each authority control point;
the configuration module is used for dividing the data in the storage module to obtain more than one authority control point and setting the attribute of each entity included by each authority control point; establishing a rule tree corresponding to each attribute of each entity; sending the attribute of each entity included in each authority control point and the rule tree corresponding to each attribute of each entity to the query rule specifying module;
the query rule specifying module is used for specifying a query rule corresponding to each entity in each authority control point, the query rule being the result of a logical operation on the rule trees corresponding to more than one attribute of the entity, and for sending the query rule corresponding to each entity in each authority control point to the storage module;
the terminal module is used for receiving a query request, wherein the query request comprises the name of an entity to be queried and an authority control point to be queried; determining the entity to be queried according to the name of the entity to be queried, and further obtaining a query rule corresponding to the entity in the authority control point to be queried from the storage module; and searching data which conforms to the query rule from the storage module and outputting the data.
Further, the terminal module is further configured to receive user identity information and determine whether the user identity information is legal identity information; it receives the query request if the user identity information is legal identity information, and does not receive the query request if the user identity information is not legal identity information.
Drawings
FIG. 1 is a flowchart of a method for controlling authority for querying data according to the present invention;
FIG. 2 is a diagram of one embodiment of specifying query rules using an established rule tree;
FIG. 3 is a structural diagram of an authority control system for querying data according to the present invention.
Detailed Description
The principles and features of this invention are described below in conjunction with the following drawings, which are set forth by way of illustration only and are not intended to limit the scope of the invention.
Fig. 1 is a flowchart of an authority control method for querying data according to the present invention. The data to be queried by the method is stored in a database. As shown in fig. 1, the method includes:
Step 101: the data in the database is divided to obtain more than one authority control point, and the attributes of each entity included in each authority control point are set.
The authority control points obtained by division correspond to query purposes: a different query purpose uses a different authority control point, so the final query result is different. For example, suppose the user querying the data is a salesman. If the purpose of the query is to obtain order information for the products he is responsible for in the sales area he is responsible for, the authority control point is the order query; if the purpose is to obtain the contact information of a sales manager, the authority control point is the contact information query. The data is stored together in the database. If a salesman who needs the order information for the products in his own sales area were instead returned the order information of all salesmen and the contact information of all sales managers, he would waste a great deal of time picking out the useful information, and the company's core secrets would be put at risk. When determining access rights to the data, therefore, different authority control points must first be divided according to query purpose.
Each authority control point may include more than one entity. For a salesman, for example, the entity may be an order or the contact information of a sales manager. The same entity may also be included in different authority control points; the order entity, for example, may be included in both the order query and the annual financial data query. Because the same entity may be included in different authority control points, an entity that has several attributes needs the attributes it includes to be set for each authority control point. The order entity, for example, has a sales area attribute, an amount attribute, a product type attribute, a salesman attribute and a buyer attribute, which describe respectively the area in which the products are sold, the total amount, the types of product involved, the salesman responsible for fulfilling the order and the buyer responsible for purchasing the products for the order. An order entity can be used by a salesman to query the sales status, in which case the authority control point containing the order entity is the sales status query; it can also be used by logistics staff to check whether the type of product being transported is correct, in which case the authority control point is the logistics check. In the sales status query control point the order entity therefore includes only the attributes related to sales, such as the sales area, amount, product type, salesman and buyer attributes; in the logistics check control point it includes only the attributes related to the logistics check, such as the sales area and product type attributes. Other, unrelated attributes are masked, which removes redundant information to make querying easier and prevents company secrets from leaking.
By setting the attribute of each entity in each authority control point, the query rule corresponding to each attribute of each entity can be established.
Step 102: a rule tree is established corresponding to each attribute of each entity.
In the present invention, a rule tree refers to a correspondence relationship. Each attribute of an entity can take different values: for example, the salesman attribute of an order entity can be Zhang San or Li Si, and the product type attribute of an order entity can be product A, product B, product C, or a combination of two or three of them. Once the attributes of each entity included in each authority control point have been set, the correspondence between each attribute of each entity and its values can be established within the scope of each authority control point. This correspondence can be pictured as a tree and is used to establish the query rule in step 103, so the present invention calls it a rule tree.
Step 103: a query rule corresponding to each entity in each authority control point is specified, wherein the query rule is the result of a logical operation on the rule trees corresponding to more than one attribute of the entity.
In this step, based on the rule tree corresponding to each attribute of the entity established in step 102, the query rule corresponding to the entity in each authority control point is further determined, so that the query rule is used to search for a query result corresponding to the authority control point.
If an entity has only one attribute under a certain authority control point, the query rule of the entity is the rule tree corresponding to the attribute under the authority control point without any logic operation. If an entity has multiple attributes under a certain authority control point, the query rule of the entity performs logical operation on the rule trees corresponding to all the attributes under the authority control point.
There are many kinds of logical operation; for example, a logical AND, logical OR, logical NOT, logical NAND, logical NOR or logical exclusive-OR operation may be performed. The present invention may take the logical AND operation as the preferred embodiment of the logical operation in this step. For example, an order entity has a salesman attribute, a buyer attribute and a total amount attribute, so under the sales status query authority control point the query rule corresponding to the order is: (salesman attribute = Zhang San) & (buyer attribute = buyer 1) & (total amount < 3500 yuan), where "&" is the logical AND operator. This query rule states that the order is handled by the salesman named Zhang San, that the products in the order are purchased by buyer 1, and that the total amount of the products in the order is less than 3500 yuan. The order entity can therefore be viewed only when Zhang San queries the sales status of orders purchased by buyer 1 with a total amount below 3500 yuan.
In the step, after the query rule corresponding to each entity is established, the query rule can be stored for long-term use. Therefore, when the entity needs to be inquired, the inquiry result can be output to the user only by automatically calling the corresponding inquiry rule for inquiry, so that the inquiry efficiency is improved, and the inquiry work of the user is greatly facilitated.
Step 104: a query request is received, wherein the query request comprises the name of the entity to be queried and the authority control point to be queried.
In this step, with the basic query framework already established in steps 101 to 103, an instruction from the user is received in the form of a query request, so that the query can be performed in step 105.
The authority control point to be queried in this step refers to information that can indicate a query purpose of a user, that is, the query purpose of the user can be determined according to the authority control point to be queried, and then a query rule corresponding to an entity under the authority control point to be queried is determined on the basis of determining the entity corresponding to the name of the entity to be queried.
The query request may be received as a mouse click on an icon, text or similar element that identifies the entity to be queried on a User Interface (UI), or as text input by the user. Any form of receiving the query request that makes it possible to determine the name of the entity to be queried and the authority control point to be queried, and from them the query purpose and the entity, is within the protection scope of the invention.
Besides the name of the entity to be queried and the authority control point to be queried, the query request may also include other contents, such as the issuing time of the query request, the name of the product to which the order relates, the time period in which the order to be queried is located, and the like.
Step 105: determining an entity to be queried according to the name of the entity to be queried, and further determining a query rule corresponding to the entity in the authority control point to be queried; and searching the data which accords with the query rule in the database and outputting the data.
This step is a step of performing a query according to the query request received in step 104 and outputting a query result.
According to the query request received in step 104, the name of the entity to be queried can be determined, and then the entity to be queried can be determined. Since the query rule corresponding to each entity in each authority control point is specified in step 103, in this step, after the entity to be queried is determined, the query rule corresponding to the entity under the authority control point to be queried may be directly invoked, and data conforming to the query rule is searched in the database and then output to the user, where the output mode may be display on a display, storage in a certain storage medium, printing, or the like.
FIG. 2 is a diagram of one embodiment of specifying query rules using an established rule tree. As shown in FIG. 2, the company's sales areas are North China, Northeast China and South China; the products sold are A, B, C and D; the buyers who purchase the four products for the company are buyer 1, buyer 2, buyer 3 and buyer 4; and the salesmen responsible for placing the company's orders are numbered 1, 2, 3 and 4. Salesmen 1 and 2 carry out sales in North China, salesman 3 alone sells in Northeast China, and salesmen 3 and 4 together sell in South China. Buyer 1 alone is responsible for purchasing the products the company sells in North China, buyers 2 and 3 are jointly responsible for purchasing the products sold in Northeast China, and buyers 3 and 4 are jointly responsible for purchasing the products sold in South China. In addition, salesman 1 is responsible for selling products A and B, salesman 2 for products B and C, salesman 3 for products C and D, and salesman 4 sells only product D.
The rule trees in this embodiment are the following correspondences: between the buyer attribute and buyer 1, buyer 2, buyer 3 and buyer 4; between the area attribute and North China, Northeast China and South China; between the salesman attribute and 1, 2, 3 and 4; and between the product type attribute and product A, product B, product C and product D.
The authority control requirement in this embodiment is as follows: a salesman can query only the orders for products purchased by the buyer in the area the salesman is responsible for, the product type must be one the salesman is responsible for, and the salesman cannot query any other order. Thus, when salesman 1 wants to query the orders he is responsible for, that is, when the authority control point is the order query, the query rule specified in step 103 for the order entity according to the rule trees is: (area attribute = North China) & (buyer attribute = buyer 1) & (salesman attribute = 1) & (product type attribute = A and B). Using this query rule, the information salesman 1 can query is the order information enclosed by the oval curve in FIG. 2 (all of the order information related to product A and part of the order information related to product B).
It is worth pointing out that if an order includes products A and B purchased by buyer 1 in North China, where salesman 1 is responsible for the sale of product A and salesman 2 for the sale of product B, then when salesman 1 queries data under the above query rule he can view only the information about product A in the order and cannot view the information about product B. In other words, salesman 1 cannot obtain all of the information in the order, which helps protect the company's secrets.
Therefore, in the invention, more than one authority control point can be divided aiming at the data in the database according to the business requirement, each authority control point can comprise more than one entity, the attribute of each entity in each authority control point is also set, and the rule tree corresponding to each attribute of each entity is further established, so that the rule trees corresponding to the attributes of the entities can be subjected to logical operation to determine the query rule corresponding to each entity. After the query rules of all entities in each authority control point are stored, the query purpose of a user is determined according to the authority control point to be queried in the received query request, and then the entity to be queried is determined according to the name of the entity to be queried in the query request, so that the query rule corresponding to the entity in the authority control point to be queried is determined, and then corresponding data can be searched from a database according to the query rule. When the authority control system needs to be expanded to modify the authority control method, the authority control method provided by the invention only needs to reset the authority control points and the attributes of each entity in each authority control point, reestablish the rule tree of each entity and appoint the query rule corresponding to each entity again, so that the authority control method provided by the invention is easy to expand and has low maintenance cost.
The invention divides different authority control points which correspond to different query purposes, which is favorable for ensuring that the query result highly conforms to the query purpose and provides redundant information as little as possible. And the rule tree corresponding to each entity in each authority control point is set, so that a user inquiring the entity can not search unauthorized data, and the safety of information is ensured.
After step 103, before step 104, step 1040 may be further included: receiving user identity information, judging whether the user identity information is legal identity information, if so, executing the step 104, otherwise, not allowing to inquire data.
Step 1040 verifies whether the user is a legitimate user. To prevent company secrets from leaking, only legitimate users may query the data in the database and illegitimate users must not be allowed to query it, so step 1040 determines whether the user identity information is legal.
After receiving the user identity information, the method for determining whether the user identity information is legal identity information in step 1040 may be: and traversing all the stored legal identity information, judging whether the received user identity information is the same as one of all the stored legal identity information, if so, determining that the user identity information is legal identity information, and executing the step 104, otherwise, determining that the user identity information is illegal identity information, and not allowing the user to inquire data.
The received user identity information and the stored legal identity information may both include: a user account and a user password. Namely: all the stored legal identity information is in the form of corresponding user accounts and user passwords, the user identity information received in step 1040 is also in the form of corresponding user accounts and user passwords, if a group of corresponding user accounts and user passwords in the received user identity information are completely the same as a group of corresponding user accounts and user passwords in all the stored legal identity information, the user identity information is legal identity information, the user is a legal user, step 104 can be executed, the query request is allowed to be provided, otherwise, the user identity information is illegal identity information, the user is an illegal user, step 104 is not allowed to be executed, and the query request of the user is not received.
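The FIG. 2 embodiment and the step 1040 identity check, worked through as an added Python example (not code from the patent). The order rows, the account names `salesman1` and `logistics1`, the sample passwords, the binding of rule trees to an account, and the salted PBKDF2 storage with constant-time comparison are assumptions of this sketch; the patent only states that received identity information is compared with the stored legal identity information.

```python
import hashlib
import hmac
import os

# Constructed order lines for the FIG. 2 scenario (sample data, not from the patent).
TABLES = {"order": [
    {"order": "O-1", "area": "North China", "buyer": "buyer 1", "salesman": "1", "product": "A", "amount": 1200},
    {"order": "O-1", "area": "North China", "buyer": "buyer 1", "salesman": "2", "product": "B", "amount": 800},
    {"order": "O-2", "area": "North China", "buyer": "buyer 1", "salesman": "1", "product": "B", "amount": 500},
    {"order": "O-3", "area": "Northeast China", "buyer": "buyer 2", "salesman": "3", "product": "C", "amount": 900},
    {"order": "O-4", "area": "South China", "buyer": "buyer 4", "salesman": "4", "product": "D", "amount": 3000},
]}

# Step 101: authority control point -> entity -> attributes exposed at that point.
CONTROL_POINTS = {
    "order query": {"order": ["order", "area", "buyer", "salesman", "product", "amount"]},
    "logistics check": {"order": ["order", "area", "product"]},
}

# Step 102: rule trees (attribute -> permitted values). Keying them by account
# is an assumption of this example.
RULE_TREES = {
    ("order query", "order", "salesman1"): {
        "area": {"North China"}, "buyer": {"buyer 1"},
        "salesman": {"1"}, "product": {"A", "B"},
    },
    ("logistics check", "order", "logistics1"): {
        "area": {"North China"}, "product": {"A", "B", "C", "D"},
    },
}

USERS = {}            # account -> (salt, derived key); no plaintext passwords stored
ITERATIONS = 200_000  # example work factor (assumption)


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(account, password):
    salt = os.urandom(16)
    USERS[account] = (salt, _derive(password, salt))


def is_legal_identity(account, password):
    """Step 1040: compare the received identity with the stored legal identities."""
    salt, stored = USERS.get(account, (b"\0" * 16, b""))
    # Derive even for unknown accounts so both paths do similar work, then
    # compare in constant time; an unknown account never matches b"".
    return hmac.compare_digest(_derive(password, salt), stored)


def build_query_rule(trees):
    """Step 103: the query rule is the logical AND of the per-attribute rule trees."""
    def rule(row):
        return all(row.get(attr) in allowed for attr, allowed in trees.items())
    return rule


def query(account, password, entity, control_point):
    """Steps 104-105: resolve entity and control point, apply the stored rule."""
    if not is_legal_identity(account, password):
        raise PermissionError("illegal identity information")
    attrs = CONTROL_POINTS.get(control_point, {}).get(entity)
    trees = RULE_TREES.get((control_point, entity, account))
    if attrs is None or not trees:
        return []  # default deny: no rule configured for this combination
    rule = build_query_rule(trees)
    # Only the attributes set for this control point are output; the rest are masked.
    return [{a: row[a] for a in attrs} for row in TABLES[entity] if rule(row)]


# Constructed sample accounts and passwords.
register("salesman1", "s1-constructed-pw")
register("logistics1", "l1-constructed-pw")

if __name__ == "__main__":
    for r in query("salesman1", "s1-constructed-pw", "order", "order query"):
        print(r)
```

Order O-1 contains a product B line handled by salesman 2, so salesman 1 gets back only the product A line of that order, which is the partial-visibility case described for FIG. 2.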
FIG. 3 is a structural diagram of an authority control system for querying data according to the present invention. As shown in FIG. 3, the system includes: a storage module 301, a configuration module 302, a query rule specifying module 303 and a terminal module 304; wherein,
the storage module 301 is configured to store data and store query rules corresponding to each entity in each authority control point;
the configuration module 302 is configured to divide the data in the storage module 301 to obtain more than one authority control point, and set an attribute of each entity included in each authority control point; establishing a rule tree corresponding to each attribute of each entity; sending the attribute of each entity included in each authority control point and the rule tree corresponding to each attribute of each entity to the query rule specifying module 303;
the query rule specifying module 303 is configured to specify a query rule corresponding to each entity in each authority control point, so that the query rule is an operation result of a rule tree corresponding to one or more attributes of the entity after logical operation, and send the query rule corresponding to each entity in each authority control point to the storage module 301;
the terminal module 304 is configured to receive a query request, where the query request includes a name of an entity to be queried and an authority control point to be queried; determining an entity to be queried according to the name of the entity to be queried, and further obtaining a query rule corresponding to the entity in the authority control point to be queried provided by the query request from the storage module 301; the data conforming to the query rule is searched from the storage module 301 and output.
In the invention, the storage module can store data in the form of a database. In addition, the storage module also has the function of storing the query rule established by the query rule specifying module, so that when a plurality of terminal modules provide query services for different users, the query rule only needs to be called from the same storage module.
The configuration module can divide the data stored in the storage module according to different query purposes to obtain more than one authority control point; each authority control point corresponds to one query purpose and includes more than one entity. Different query purposes can involve the same entity, so the same entity can be shared by different authority control points without their affecting one another. The configuration module can also set the attributes of each entity in each authority control point, establish a rule tree corresponding to each attribute of each entity, and send the attributes and the rule trees to the query rule specifying module, so that the query rule corresponding to each entity in each authority control point can be specified according to the rule trees.
In the present invention, each entity may have only one attribute or a plurality of attributes.
In the invention, the query rule specifying module is the module that specifies the query rule corresponding to each entity under each authority control point. The query rule is tied to the authority control point, that is, to the query purpose, so the query rules under different query purposes naturally differ. The query rule also corresponds to an entity: it is the result of performing a logical operation on the rule trees corresponding to more than one attribute of the entity, and the logical operation is preferably a logical AND operation.
The query rule specified by the query rule specifying module is stored in the storage module, so that the terminal module, when providing a query service for a user, can retrieve the query rule corresponding to the entity to be queried from the storage module and then apply that rule to search the storage module, thereby obtaining and outputting the query result.
The terminal module is the module that provides the query service for users, and there can be a plurality of terminal modules. It receives a query request provided by a user, obtains from it the name of the entity to be queried and the authority control point to be queried, and determines the entity to be queried according to that name, so that the query rule corresponding to the entity under the authority control point to be queried can be obtained from the storage module. Because the query rule corresponding to each entity is preset, it is called automatically according to the entity the user wants to query, and the corresponding data is then queried and output, which greatly simplifies the query process and improves query efficiency.
In addition, for data security, the terminal module 304 is further configured to receive user identity information and determine whether it is legal identity information; if it is, the terminal module receives the query request, and if it is not, the terminal module does not receive the query request.
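The module description above can be made concrete with a short sketch. This is an added illustration, not code from the patent: the `invoice` table, the control point names, the tuple encoding of rule trees and the function names are all assumptions. It shows one query rule per (authority control point, entity), built as the logical AND of per-attribute rule trees, compiled to a parameterised WHERE clause, with a request refused when no rule has been specified.

```python
import sqlite3

# Constructed sample data: one entity ("invoice") shared by two control points.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE invoice (id INTEGER, region TEXT, amount REAL, status TEXT)")
db.executemany("INSERT INTO invoice VALUES (?,?,?,?)", [
    (1, "north", 500.0, "issued"), (2, "north", 90000.0, "issued"),
    (3, "south", 700.0, "void"), (4, "south", 1200.0, "issued")])

OPS = {"=", "<", ">", "<=", ">=", "!="}          # allowlisted comparison operators
COLUMNS = {"invoice": {"id", "region", "amount", "status"}}  # entity -> attributes

def compile_tree(entity, node, params):
    """Turn a rule tree into a parameterised SQL fragment.
    Leaf: (attribute, op, value); inner node: ("and"|"or", [children])."""
    if node[0] in ("and", "or"):
        parts = [compile_tree(entity, child, params) for child in node[1]]
        return "(" + f" {node[0].upper()} ".join(parts) + ")"
    attr, op, value = node
    if attr not in COLUMNS[entity] or op not in OPS:
        raise ValueError(f"rule refers to unknown attribute/operator: {attr} {op}")
    params.append(value)                          # values never enter the SQL text
    return f"{attr} {op} ?"

# Query rules (hypothetical): (control point, entity) -> one rule tree per attribute.
RULES = {
    ("regional_audit", "invoice"): {
        "region": ("region", "=", "north"),
        "status": ("status", "=", "issued")},
    ("small_claims", "invoice"): {
        "amount": ("or", [("amount", "<", 1000), ("amount", "=", 1200)]),
        "status": ("status", "!=", "void")},
}

def query(control_point, entity_name):
    """Serve a query request; rows are filtered by the stored query rule."""
    trees = RULES.get((control_point, entity_name))
    if not trees:                                 # no rule specified -> deny by default
        raise PermissionError(f"no query rule for {entity_name!r} in {control_point!r}")
    params = []
    # The query rule is the logical AND of the per-attribute rule trees.
    where = " AND ".join(compile_tree(entity_name, t, params) for t in trees.values())
    # entity_name is safe to interpolate: it matched a key of RULES above.
    sql = f"SELECT id FROM {entity_name} WHERE {where} ORDER BY id"
    return [row[0] for row in db.execute(sql, params)]
```

Because the entity name from the request is only used after it has matched a stored rule key, and attribute names and operators are checked against allowlists, the request cannot steer the SQL text; only the bound values vary.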
It can be seen that the present invention has the following advantages:
(1) in the invention, more than one authority control point can be divided aiming at the data in the database according to the business requirement, each authority control point can comprise more than one entity, the attribute of each entity in each authority control point is also set, and then a rule tree corresponding to each attribute of each entity is established, so that the rule trees corresponding to the attributes of the entities can be logically operated, and the query rule corresponding to each entity is determined. After the query rules of all entities in each authority control point are stored, the query purpose of a user is determined according to the authority control point to be queried in the received query request, and then the entity to be queried is determined according to the name of the entity to be queried in the query request, so that the query rule corresponding to the entity in the authority control point to be queried is determined, and then corresponding data can be searched from a database according to the query rule. When the authority control system needs to be expanded to modify the authority control method, the authority control method provided by the invention only needs to reset the authority control points and the attributes of each entity in each authority control point, reestablish the rule tree of each entity and appoint the query rule corresponding to each entity again, so that the authority control method provided by the invention is easy to expand and has low maintenance cost.
(2) The invention divides different authority control points which correspond to different query purposes, which is favorable for ensuring that the query result highly conforms to the query purpose and provides redundant information as little as possible. In addition, the invention appoints the query rule corresponding to each entity in each authority control point, which can ensure that the user who queries the entity can not search the unauthorized information, thus being beneficial to ensuring the safety of the information.
(3) By presetting the query rule corresponding to each entity, the invention automatically calls the query rule according to the entity the user wants to query, and then queries and outputs the corresponding data, thereby greatly simplifying the query process and improving query efficiency.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (7)

1. An authority control method for querying data, wherein the data is stored in a database; the method is characterized by comprising the following steps:
step 1: aiming at the data in the database, more than one authority control point is obtained through division, and the attribute of each entity included by each authority control point is set;
step 2: establishing a rule tree corresponding to each attribute of each entity;
step 3: specifying a query rule corresponding to each entity in each authority control point, wherein the query rule is an operation result of a rule tree corresponding to more than one attribute of the entity after logical operation;
step 4: receiving a query request, wherein the query request comprises the name of an entity to be queried and an authority control point to be queried;
step 5: determining an entity to be queried according to the name of the entity to be queried, and further determining a query rule corresponding to the entity in the authority control point to be queried; and searching the data which accords with the query rule in the database and outputting the data.
2. The method of claim 1, further comprising, after step 3 and before step 4, step 30: receiving user identity information and judging whether the user identity information is legal identity information; if so, executing step 4; otherwise, not allowing the data to be queried.
3. The method according to claim 2, wherein judging in step 30 whether the user identity information is legal identity information comprises: traversing the stored legal identity information and judging whether the user identity information is the same as one item of the stored legal identity information; if so, determining that the user identity information is legal identity information; otherwise, determining that the user identity information is illegal identity information.
4. The method according to claim 2 or 3, wherein the user identity information comprises: a user account and a user password.
5. The method of claim 1, wherein the logical operation in step 3 is a logical AND operation.
6. An authority control system for querying data, the system comprising: a storage module, a configuration module, a query rule specifying module and a terminal module; wherein,
the storage module is used for storing the data and storing the query rule corresponding to each entity in each authority control point;
the configuration module is used for dividing the data in the storage module to obtain more than one authority control point and setting the attribute of each entity included by each authority control point; establishing a rule tree corresponding to each attribute of each entity; sending the attribute of each entity included in each authority control point and the rule tree corresponding to each attribute of each entity to the query rule specifying module;
the query rule specifying module is used for specifying a query rule corresponding to each entity in each authority control point, making the query rule an operation result of a rule tree corresponding to more than one attribute of the entity after logical operation, and sending the query rule corresponding to each entity in each authority control point to the storage module;
the terminal module is used for receiving a query request, wherein the query request comprises the name of an entity to be queried and an authority control point to be queried; determining the entity to be queried according to the name of the entity to be queried, and further obtaining a query rule corresponding to the entity in the authority control point to be queried from the storage module; and searching data which conforms to the query rule from the storage module and outputting the data.
7. The system of claim 6, wherein the terminal module is further configured to receive user identity information and determine whether the user identity information is legal identity information, to receive the query request if the user identity information is legal identity information, and not to receive the query request if the user identity information is not legal identity information.
CN201110162064.8A 2011-06-16 2011-06-16 Method and system for querying authority control of data Active CN102831123B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110162064.8A CN102831123B (en) 2011-06-16 2011-06-16 Method and system for querying authority control of data


Publications (2)

Publication Number Publication Date
CN102831123A true CN102831123A (en) 2012-12-19
CN102831123B CN102831123B (en) 2015-04-08

Family

ID=47334266

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110162064.8A Active CN102831123B (en) 2011-06-16 2011-06-16 Method and system for querying authority control of data

Country Status (1)

Country Link
CN (1) CN102831123B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant