CN115510464A - A dynamic authority control method, system and device - Google Patents

Publication number
CN115510464A
Authority
CN
China
Prior art keywords
data
authority
user
control
permission
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211172081.4A
Other languages
Chinese (zh)
Inventor
张俊
刘亚军
贺欢庆
代庆国
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Xinge Technology Co ltd
Original Assignee
Beijing Xinge Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Xinge Technology Co ltd
Priority to CN202211172081.4A
Publication of CN115510464A

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to the technical field of information security, and in particular to a dynamic authority control method, system and device. In the present invention, a view request entered by a user is obtained; what the user may view in the data set is set through a visual interface; and it is determined whether the user has the permission corresponding to the view request. If so, the request is allowed and the operation permissions of the data set are displayed; if not, the request is blocked and the user is told they have no permission to view. The technical solution of the present invention greatly lowers the threshold and cost of controlling database user permissions: users do not need to understand the specialized details of permission control in each type of database, and configuring permissions through visual interaction greatly improves the efficiency of permission management, while data sets meet users' control requirements for all kinds of business scenarios.

Figure 202211172081

Description

A dynamic authority control method, system and device

Technical field

The present invention relates to the technical field of information security, and in particular to a dynamic authority control method, system and device.

Background

With the development of Internet applications, the efficiency of information storage and real-time exchange has improved greatly. This also places higher demands on data sharing technology. Today, data exchange between different fields mostly takes place over open networks, and such highly open networks easily become targets for illegal attackers. How to keep all kinds of data secure and keep all kinds of equipment running normally is a difficult problem that data sharing technology needs to solve.

At present, while people enjoy the great convenience the Internet brings, they also worry about the security of their private data. Access control technology, as one of the cores of data security, ensures that data can be accessed only by members holding the corresponding attribute permissions. Using different attribute parameters to access shared resources of different levels allows resources to be accessed in a flexible, dynamic and fine-grained way, which greatly improves data security.

To prevent illegal terminals without permission from joining inter-domain data sharing, terminal members must be authenticated before sharing information resources. That is, besides the database administrator (DBA), the roles involved in database operation and maintenance usually include business staff, developers and outsourced personnel. The DBA needs to set different permissions for different roles; for example, outsourced personnel may only have view permission on a few specified tables during operation and maintenance. The DBA generally controls user permissions inside the database, using SQL commands to create a user for the specified role and to control the permissions granted to that user, so that the user can only view the authorized database information.

Summary of the invention

In view of this, the object of the present invention is to provide a dynamic authority control method, system and device, to solve the technical problem in the prior art that every time a user is added it is necessary to enter the database and use SQL commands to create a user name and password for the user and grant permissions, which is time-consuming and laborious.

According to a first aspect of the embodiments of the present invention, a dynamic authority control method is provided, comprising:

obtaining a view request entered by a user;

setting, through a visual interface, what the user may view in the data set, and determining whether the user has the permission corresponding to the view request;

if so, allowing the request and displaying the operation permissions of the data set;

if not, blocking the request and indicating that the user has no permission to view.

Preferably, obtaining the connection information of the database comprises:

obtaining the IP address of the server where the database is located, the type of the database, the port number of the database connection, and the user name and password for database authentication.

Preferably, setting what the user may view in the database comprises:

the operation permissions on database tables and fields, the frequency at which the user requests data, the maximum amount of data returned, the IP address from which the user accesses data, and the time period.

Preferably, displaying the operation permissions of the data set comprises:

Data content: read permission, write permission, modify permission, delete permission, and/or execute permission;

Data table: table creation permission, table deletion permission, table modification permission, table data insert permission, table data query permission, table data delete permission, table data update permission;

Row-level data scope: when a data table is put into a data set, filter conditions select the data that may be added to the data set; when the data set is accessed, the filtered row-level data can be accessed.

Preferably, the method further comprises:

controlling permissions on the data of multiple databases at the same time by means of data sets, to meet users' control requirements in different business scenarios.

Preferably, business isolation permission control: when multiple business systems share one database, users of business department A can be restricted to the data of business department A and users of business department B to the data of business department B, with no access to each other's data.

Preferably, the method further comprises outsourcing role permission control: outsourced personnel are granted only view permission on specified tables, a validity period is set for the permission, and the permission is automatically revoked on expiry.

Preferably, the method further comprises data analyst permission control: the maximum number of records returned for each data request by a data analyst is set through the control system.

According to a second aspect of the embodiments of the present invention, a dynamic authority control system is provided, applied to a control terminal, comprising:

an acquisition module, configured to obtain a view request entered by a user;

a setting module, configured to set, through a visual interface, what the user may view in the data set, and to determine whether the user has the permission corresponding to the view request;

if so, allowing the request and displaying the operation permissions of the data set;

if not, blocking the request and indicating that the user has no permission to view.

According to a third aspect of the embodiments of the present invention, a dynamic authority control device is provided, comprising the above method.

The technical solutions provided by the embodiments of the present invention may have the following beneficial effects:

In the present invention, a view request entered by a user is obtained; what the user may view in the data set is set through a visual interface; and it is determined whether the user has the permission corresponding to the view request. If so, the request is allowed and the operation permissions of the data set are displayed; if not, the request is blocked and the user is told they have no permission to view. The technical solution of the present invention greatly lowers the threshold and cost of controlling database user permissions: users do not need to understand the specialized details of permission control in each type of database, and configuring permissions through visual interaction greatly improves the efficiency of permission management, while data sets meet users' control requirements for all kinds of business scenarios.

It should be understood that the above general description and the following detailed description are exemplary and explanatory only and do not limit the present invention.

Brief description of the drawings

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and, together with the description, serve to explain the principles of the invention.

Fig. 1 is a flowchart of a dynamic authority control method according to an exemplary embodiment;

Fig. 2 is a schematic block diagram of a dynamic authority control system according to an exemplary embodiment.

Detailed description

Exemplary embodiments are described in detail here, examples of which are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention. Rather, they are merely examples of devices and methods consistent with some aspects of the invention as detailed in the appended claims.

Embodiment 1

In one embodiment, refer to Fig. 1, which is a flowchart of a dynamic authority control method according to an exemplary embodiment. As shown in Fig. 1, the method comprises:

Step S01: obtaining a view request entered by a user;

Step S02: setting, through a visual interface, what the user may view in the data set, and determining whether the user has the permission corresponding to the view request;

Step S03: if so, allowing the request and displaying the operation permissions of the data set;

if not, blocking the request and indicating that the user has no permission to view.

It should be noted that the technical solution provided by this embodiment is applicable to settings such as banks, securities companies and insurance companies that need to restrict customers' view permissions, perform business isolation, control the permissions of outsourcing units, handle data analyst access, and the like.

It should be noted that the technical solution provided by this embodiment obtains a view request entered by a user, sets through a visual interface what the user may view in the data set, and determines whether the user has the permission corresponding to the view request. If so, the request is allowed and the operation permissions of the data set are displayed; if not, the request is blocked and the user is told they have no permission to view. The technical solution of the present invention greatly lowers the threshold and cost of controlling database user permissions: users do not need to understand the specialized details of permission control in each type of database, and configuring permissions through visual interaction greatly improves the efficiency of permission management, while data sets meet users' control requirements for all kinds of business scenarios.

It should be noted that the traditional authorization approach is to create the corresponding user name and password directly in the database and control the user's permissions there. Dynamic authority control in the present invention means that no user needs to be created and authorized in the database; instead, policy authorization is performed at the control terminal. The control system intercepts all of the user's SQL requests and, according to the policy set by the user, dynamically determines whether the user has permission for the SQL command, and so decides whether to allow it.

It should be noted that the user only needs to work inside the control system, through a friendly visual interface, to control users' permissions precisely. There is no need to connect to the database with specialized tools or to write specialized SQL commands to control permissions, which is more convenient and faster and demands less expertise of the user.

In specific practice, setting what the user may view in the database comprises:

the operation permissions on database tables and fields, the frequency at which the user requests data, the maximum amount of data returned, the IP address from which the user accesses data, and the time period.

In specific practice, displaying the operation permissions of the data set comprises:

Data content: read permission, write permission, modify permission, delete permission, and/or execute permission;

Data table: table creation permission, table deletion permission, table modification permission, table data insert permission, table data query permission, table data delete permission, table data update permission;

Row-level data scope: when a data table is put into a data set, filter conditions select the data that may be added to the data set; when the data set is accessed, the filtered row-level data can be accessed.

It should be noted that the user only needs to work inside the control system, through a friendly visual interface, to control precisely the user's operation permissions on database tables and fields, the frequency at which the user requests data, the maximum amount of data returned, the IP address from which the user accesses data, the time period and so on, without specialized SQL commands to control permissions.

In specific practice, the method further comprises:

controlling permissions on the data of multiple databases at the same time by means of data sets, to meet users' control requirements in different business scenarios.

In specific practice, the method comprises:

Business isolation permission control: when multiple business systems share one database, users of business department A can be restricted to the data of business department A and users of business department B to the data of business department B, with no access to each other's data.

In specific practice, the method further comprises:

Outsourcing role permission control: outsourced personnel are granted only view permission on specified tables, a validity period is set for the permission, and the permission is automatically revoked on expiry.

In specific practice, the method further comprises:

Data analyst permission control: the maximum number of records returned for each data request by a data analyst is set through the control system.

It should be noted that, in business isolation permission control, when multiple business systems share one database, users of business department A can be restricted to the data of business department A and users of business department B to the data of business department B. Users of business department A cannot access the data of business department B, and users of business department B cannot access the data of business department A; that is, they cannot access each other's data.

It should be noted that, in outsourcing role permission control, operation and maintenance by outsourced personnel is characterized by needing query permission on only a few tables, and by the permission needing to be revoked after a period of time. The control system can grant outsourced personnel only view permission on specified tables and set a validity period for the permission, after which the permission is automatically revoked. The technical solution of the invention is more practical and more convenient.

It should be noted that, in data analyst permission control, data analysts typically do not query the full data set but work with computed intermediate results, and a full data query is a relatively sensitive operation. The maximum number of records returned for each data request by a data analyst user can therefore be set through the visual interface of the control system, which effectively avoids this problem.
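
The checks described in Embodiment 1 (table-level operation permissions, source IP address, time period, validity period with automatic expiry, maximum rows returned, request frequency) can be evaluated per intercepted request as in the Python sketch below. This is an added illustration, not code from the patent or its applicant; the `Policy`, `Request`, `Decision` and `Gatekeeper` names and fields and the sample users are assumptions, and requests are assumed to arrive already parsed into an operation and a table list.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network


@dataclass
class Policy:
    """One user's grant on a data set (field names are assumptions)."""
    tables: dict            # table name -> set of permitted operations
    networks: list          # CIDR ranges the user may connect from
    window: tuple           # (start, end) time of day; may wrap past midnight
    expires: datetime       # grant counts as revoked from this instant on
    max_rows: int           # cap on rows returned per request
    max_per_minute: int     # request frequency limit


@dataclass
class Request:
    """An intercepted SQL request, assumed already parsed by the control system."""
    user: str
    operation: str          # "SELECT", "UPDATE", ...
    tables: list
    source_ip: str
    when: datetime


@dataclass
class Decision:
    allowed: bool
    reason: str
    row_limit: int = 0


def in_window(now, start, end):
    """True if `now` lies in [start, end], including windows such as 22:00-06:00."""
    return start <= now <= end if start <= end else (now >= start or now <= end)


class Gatekeeper:
    """Default-deny evaluation of every request against the user's policy."""

    def __init__(self, policies):
        self.policies = policies
        self.recent = defaultdict(deque)    # user -> times of allowed requests

    def check(self, req):
        pol = self.policies.get(req.user)
        if pol is None:
            return Decision(False, "no policy for user")
        if req.when >= pol.expires:
            return Decision(False, "grant expired")
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(net) for net in pol.networks):
            return Decision(False, "source address not allowed")
        if not in_window(req.when.time(), *pol.window):
            return Decision(False, "outside permitted time period")
        if not req.tables:
            return Decision(False, "no table identified")
        op = req.operation.upper()
        for table in req.tables:
            if op not in pol.tables.get(table.lower(), set()):
                return Decision(False, f"{op} on {table.lower()} not granted")
        # Sliding one-minute window over requests that were let through.
        seen = self.recent[req.user]
        while seen and seen[0] <= req.when - timedelta(minutes=1):
            seen.popleft()
        if len(seen) >= pol.max_per_minute:
            return Decision(False, "request frequency exceeded")
        seen.append(req.when)
        return Decision(True, "ok", pol.max_rows)


def build_gatekeeper():
    """Constructed sample policies: an outsourced engineer and a department A user."""
    office_hours = (time(9, 0), time(18, 0))
    return Gatekeeper({
        "vendor01": Policy({"orders": {"SELECT"}}, ["10.20.0.0/16"], office_hours,
                           datetime(2024, 4, 1), max_rows=500, max_per_minute=2),
        "dept_a_user": Policy({"a_accounts": {"SELECT", "UPDATE"}}, ["10.0.0.0/8"],
                              office_hours, datetime(2025, 1, 1), 1000, 60),
    })


if __name__ == "__main__":
    gk = build_gatekeeper()
    t0 = datetime(2024, 3, 4, 10, 0)
    for r in [Request("vendor01", "select", ["orders"], "10.20.1.5", t0),
              Request("vendor01", "select", ["customers"], "10.20.1.5", t0),
              Request("dept_a_user", "select", ["b_accounts"], "10.1.1.1", t0)]:
        print(r.user, r.operation, r.tables, "->", gk.check(r))
```

The returned `row_limit` is what the control system would enforce on the result set of an allowed query; a request for which no policy or no table can be identified is blocked rather than passed through.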

Embodiment 2

In one embodiment, refer to Fig. 2, which is a schematic block diagram of a dynamic authority control system 200 according to an exemplary embodiment. As shown in Fig. 2, the system comprises:

an acquisition module 201, configured to obtain a view request entered by a user;

a setting module 202, configured to set, through a visual interface, what the user may view in the data set, and to determine whether the user has the permission corresponding to the view request;

a judgment module 203: if so, allowing the request and displaying the operation permissions of the data set;

if not, blocking the request and indicating that the user has no permission to view.

It should be noted that the technical solution provided by this embodiment is applicable to settings such as banks, securities companies and insurance companies that need to restrict customers' view permissions, perform business isolation, control the permissions of outsourcing units, handle data analyst access, and the like.

It should be noted that, in the technical solution of this embodiment, the acquisition module 201 obtains a view request entered by a user; the setting module 202 sets, through a visual interface, what the user may view in the data set and determines whether the user has the permission corresponding to the view request; and the judgment module 203, if so, allows the request and displays the operation permissions of the data set, and if not, blocks the request and tells the user they have no permission to view. The technical solution of the present invention greatly lowers the threshold and cost of controlling database user permissions: users do not need to understand the specialized details of permission control in each type of database, and configuring permissions through visual interaction greatly improves the efficiency of permission management, while data sets meet users' control requirements for all kinds of business scenarios.

实施例三Embodiment Three

一种动态权限控制装置,其特征在于,包括如上述的方法。A dynamic permission control device is characterized by including the above-mentioned method.

需要说明的是,本实施例提供的技术方案适用的应用场景为银行、证券公司、保险公司等需要对客户的查看权限限制、进行业务隔离、外包单位权限控制、数据分析师等的使用场合。It should be noted that the technical solution provided by this embodiment is applicable to application scenarios such as banks, securities companies, insurance companies, etc. that need to restrict customer viewing authority, perform business isolation, control authority of outsourcing units, and use occasions such as data analysts.

可以理解的是,本发明中获取用户输入的查看请求,通过界面可视化的方式,设置用户在数据集中的查看内容,并判断用户是否有所述查看请求对应的权限,若有,放行,并显示数据集的操作权限,若无,拦截,并提示无权查看,本发明的技术方案,能够大大降低对数据库用户权限控制的门槛和成本,用户无需了解各类型数据库对权限控制的专业细节,通过可视化交互的方式设置,大大提升用户进行权限管理的效率,并通过数据集的方式以满足用户对各类业务场景的管控需求。It can be understood that in the present invention, the viewing request input by the user is obtained, and the viewing content of the user in the data set is set through the interface visualization mode, and it is judged whether the user has the permission corresponding to the viewing request, and if so, it is released and displayed If there is no operation authority for the data set, it will be intercepted and prompted to view without permission. The technical solution of the present invention can greatly reduce the threshold and cost of authority control for database users. Users do not need to know the professional details of authority control for various types of databases. The setting of visual interaction greatly improves the efficiency of user rights management, and meets the user's management and control needs for various business scenarios through data sets.

本实施例公开的计算机可读存储介质包括但不限于:电、磁、光、电磁、红外线、或半导体的系统、装置或器件,或者任意以上的组合。计算机可读存储介质的更具体的例子(非穷举的列表)包括:具有一个或多个导线的电连接、便携式计算机磁盘、硬盘、随机存取存储器(RAM)、只读存储器(ROM)、可擦式可编程只读存储器(EPROM或闪存)、光纤、便携式紧凑磁盘只读存储器(CD-ROM)、光存储器件、磁存储器件、或者上述的任意合适的组合。在本发明中,计算机可读存储介质可以是任何包含或存储程序的有形介质,该程序可以被指令执行系统、装置或者器件使用或者与其结合使用。The computer-readable storage medium disclosed in this embodiment includes, but is not limited to: electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, devices, or devices, or any combination thereof. More specific examples (non-exhaustive list) of computer readable storage media include: electrical connections with one or more leads, portable computer disks, hard disks, random access memory (RAM), read only memory (ROM), Erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), optical storage device, magnetic storage device, or any suitable combination of the above. In the present invention, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus, or device.

可以理解的是,上述各实施例中相同或相似部分可以相互参考,在一些实施例中未详细说明的内容可以参见其他实施例中相同或相似的内容。It can be understood that, the same or similar parts in the above embodiments can be referred to each other, and the content that is not described in detail in some embodiments can be referred to the same or similar content in other embodiments.

流程图中或在此以其他方式描述的任何过程或方法描述可以被理解为,表示包括一个或更多个用于实现特定逻辑功能或过程的步骤的可执行指令的代码的模块、片段或部分,并且本发明的优选实施方式的范围包括另外的实现,其中可以不按所示出或讨论的顺序,包括根据所涉及的功能按基本同时的方式或按相反的顺序,来执行功能,这应被本发明的实施例所属技术领域的技术人员所理解。Any process or method descriptions in flowcharts or otherwise described herein may be understood to represent modules, segments or portions of code comprising one or more executable instructions for implementing specific logical functions or steps of the process , and the scope of preferred embodiments of the invention includes alternative implementations in which functions may be performed out of the order shown or discussed, including substantially concurrently or in reverse order depending on the functions involved, which shall It is understood by those skilled in the art to which the embodiments of the present invention pertain.

应当理解,本发明的各部分可以用硬件、软件、固件或它们的组合来实现。在上述实施方式中,多个步骤或方法可以用存储在存储器中且由合适的指令执行系统执行的软件或固件来实现。例如,如果用硬件来实现,和在另一实施方式中一样,可用本领域公知的下列技术中的任一项或他们的组合来实现:具有用于对数据信号实现逻辑功能的逻辑门电路的离散逻辑电路,具有合适的组合逻辑门电路的专用集成电路,可编程门阵列(PGA),现场可编程门阵列(FPGA)等。It should be understood that various parts of the present invention can be realized by hardware, software, firmware or their combination. In the embodiments described above, various steps or methods may be implemented by software or firmware stored in memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, it can be implemented by any one or combination of the following techniques known in the art: Discrete logic circuits, ASICs with suitable combinational logic gates, programmable gate arrays (PGAs), field programmable gate arrays (FPGAs), etc.

本技术领域的普通技术人员可以理解实现上述实施例方法携带的全部或部分步骤是可以通过程序来指令相关的硬件完成,所述的程序可以存储于一种计算机可读存储介质中,该程序在执行时,包括方法实施例的步骤之一或其组合。Those of ordinary skill in the art can understand that all or part of the steps carried by the methods of the above embodiments can be completed by instructing related hardware through a program, and the program can be stored in a computer-readable storage medium. During execution, one or a combination of the steps of the method embodiments is included.

此外,在本发明各个实施例中的各功能单元可以集成在一个处理模块中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个模块中。上述集成的模块既可以采用硬件的形式实现,也可以采用软件功能模块的形式实现。所述集成的模块如果以软件功能模块的形式实现并作为独立的产品销售或使用时,也可以存储在一个计算机可读取存储介质中。In addition, each functional unit in each embodiment of the present invention may be integrated into one processing module, each unit may exist separately physically, or two or more units may be integrated into one module. The above-mentioned integrated modules can be implemented in the form of hardware or in the form of software function modules. If the integrated modules are realized in the form of software function modules and sold or used as independent products, they can also be stored in a computer-readable storage medium.

上述提到的存储介质可以是只读存储器,磁盘或光盘等。The storage medium mentioned above may be a read-only memory, a magnetic disk or an optical disk, and the like.

在本说明书的描述中,参考术语“一个实施例”、“一些实施例”、“示例”、“具体示例”、或“一些示例”等的描述意指结合该实施例或示例描述的具体特征、结构、材料或者特点包含于本发明的至少一个实施例或示例中。在本说明书中,对上述术语的示意性表述不一定指的是相同的实施例或示例。而且,描述的具体特征、结构、材料或者特点可以在任何的一个或多个实施例或示例中以合适的方式结合。In the description of this specification, descriptions referring to the terms "one embodiment", "some embodiments", "example", "specific examples", or "some examples" mean that specific features described in connection with the embodiment or example , structure, material or characteristic is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.

Although embodiments of the present invention have been shown and described above, it should be understood that these embodiments are exemplary and are not to be construed as limiting the present invention. Those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.

Claims (9)

1. A dynamic authority control method, applied to a management and control system, characterized by comprising the following steps:
acquiring a viewing request input by a user;
setting the viewing content of a user in a data set in an interface visualization mode, and judging whether the user has the authority corresponding to the viewing request;
if yes, releasing and displaying the operation authority of the data set;
if not, intercepting the request and prompting that the user has no right to view.
2. The method of claim 1, wherein the setting of the user's viewing content in the database comprises:
the operation authority of the database table and the field, the frequency of data request of the user, the maximum data volume returned, the IP address of the data access of the user and the time period.
3. The method of claim 1, wherein the merging and displaying the operational rights of the data set comprises:
data content: read permission, write permission, modify permission, delete permission, and/or execute permission;
data table: table adding authority, table deleting authority, table modifying authority, table inserting data authority, table inquiring data authority, table deleting data authority and table updating data authority;
row-level data range: when the data table is put into the data set, the data that can be added to the data set is screened out through filter conditions; the screened row-level data can be accessed when the data set is accessed.
4. The method of any of claims 1-3, further comprising:
simultaneously performing authority control on the data of multiple databases by means of a data set, so as to meet users' control requirements for different service scenarios.
5. The method of claim 4, comprising:
service isolation authority control: when a plurality of service systems share one database, users in service department A can only access the data of service department A, and users in service department B can only access the data of service department B, so that neither can access the other's data.
6. The method of claim 4, further comprising: outsourcing role authority control: authorized outsourcing personnel only have the viewing authority of the specified table, a validity period is set for the authority, and the authority is automatically revoked after expiration.
7. The method of claim 4, further comprising: data analyst authority control: the maximum number of data records returned each time the data analyst requests data is set through the management and control system.
8. A dynamic authority control system, applied to a management and control terminal, characterized by comprising:
the acquisition module is used for acquiring a viewing request input by a user;
the setting module is used for setting the viewing content of the user in the data set in an interface visualization mode and judging whether the user has the authority corresponding to the viewing request;
the judging module is used for: if yes, releasing and displaying the operation authority of the data set;
if not, intercepting the request and prompting that the user has no right to view.
9. A dynamic rights control device comprising a method as claimed in any one of claims 1 to 7.
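The checks enumerated in claims 1 to 3 and 5 to 7 (table operation, source IP, time period, validity period, request frequency, row-level filter and row cap) can be evaluated per request as in the following added example. It is not code from the patent or the applicant; the `Grant` fields, `check`, `apply_row_scope` and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class Grant:
    """One user's rights on a data set (all field names are assumptions)."""
    tables: dict        # table -> set of allowed operations
    networks: list      # CIDR ranges the user may connect from (claim 2)
    hours: tuple        # (start, end) time-of-day window (claim 2)
    expires: datetime   # grant is void from this instant on (claim 6)
    max_rows: int       # cap on rows returned per request (claim 7)
    max_requests: int   # requests allowed per rate window (claim 2)
    row_filter: dict = field(default_factory=dict)  # column -> required value
    seen: list = field(default_factory=list)        # times of accepted requests

def check(grant, table, op, src_ip, now, window_s=60):
    """Return (allowed, reason). Deny unless every condition passes."""
    if now >= grant.expires:
        return False, "grant expired"
    if op not in grant.tables.get(table, set()):
        return False, "operation not granted on table"
    if not any(ip_address(src_ip) in ip_network(n) for n in grant.networks):
        return False, "source address not allowed"
    start, end = grant.hours
    if not (start <= now.time() <= end):
        return False, "outside permitted time period"
    # Sliding window: forget accepted requests older than window_s seconds.
    grant.seen[:] = [t for t in grant.seen if (now - t).total_seconds() < window_s]
    if len(grant.seen) >= grant.max_requests:
        return False, "request frequency exceeded"
    grant.seen.append(now)
    return True, "ok"

def apply_row_scope(grant, rows):
    """Keep rows matching the row-level filter, then enforce the row cap."""
    visible = [r for r in rows
               if all(r.get(c) == v for c, v in grant.row_filter.items())]
    return visible[:grant.max_rows]

# Constructed sample data: a contractor limited to department A's orders.
CONTRACTOR = Grant(tables={"orders": {"select"}}, networks=["10.0.5.0/24"],
                   hours=(time(9), time(18)), expires=datetime(2024, 1, 31),
                   max_rows=2, max_requests=2, row_filter={"dept": "A"})
ROWS = [{"id": 1, "dept": "A"}, {"id": 2, "dept": "B"},
        {"id": 3, "dept": "A"}, {"id": 4, "dept": "A"}]
```

Expiry is checked on every request rather than by a cleanup job, so a lapsed grant is refused even if revocation has not yet run.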
CN202211172081.4A 2022-09-26 2022-09-26 A dynamic authority control method, system and device Pending CN115510464A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211172081.4A CN115510464A (en) 2022-09-26 2022-09-26 A dynamic authority control method, system and device

Publications (1)

Publication Number Publication Date
CN115510464A true CN115510464A (en) 2022-12-23

Family

ID=84505873

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211172081.4A Pending CN115510464A (en) 2022-09-26 2022-09-26 A dynamic authority control method, system and device

Country Status (1)

Country Link
CN (1) CN115510464A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115906179A (en) * 2022-12-27 2023-04-04 杭州每刻科技有限公司 Enterprise data authority control method and system based on business granularity
CN115906179B (en) * 2022-12-27 2025-10-10 杭州每刻科技有限公司 Enterprise data authority control method and system based on business granularity

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110941628A (en) * 2019-08-09 2020-03-31 四川邦辰信息科技有限公司 Data isolation implementation method based on SQL statement interception and analysis technology
US20200250328A1 (en) * 2019-02-01 2020-08-06 Intertrust Technologies Corporation Data management systems and methods
CN111914295A (en) * 2020-08-04 2020-11-10 北京金山云网络技术有限公司 Database access control method and device and electronic equipment
CN114036552A (en) * 2021-10-26 2022-02-11 南方电网深圳数字电网研究院有限公司 Data authority control method and device based on microservice

Similar Documents

Publication Publication Date Title
US10367821B2 (en) Data driven role based security
US8429191B2 (en) Domain based isolation of objects
US11201746B2 (en) Blockchain access control system
WO2020019839A1 (en) Method for creating enterprise cloud and management platform
CN106485101B (en) Data access method and device in cloud computing environment
KR102403480B1 (en) Device policy manager
RU2691211C2 (en) Technologies for providing network security through dynamically allocated accounts
AU2011202736B2 (en) Policy creation using dynamic access controls
US8595821B2 (en) Domains based security for clusters
US12250212B2 (en) Computer user credentialing and verification system
US9430665B2 (en) Dynamic authorization to features and data in JAVA-based enterprise applications
EP2962244B1 (en) Discretionary policy management in cloud-based environment
US11146560B1 (en) Distributed governance of computing resources
WO2017020693A1 (en) Control method of storage system and storage system
CN102063479A (en) Method and system for controlling data access right
TWI690819B (en) Authority revocation method and device
JP2012009026A (en) Dynamic management for roll membership
CN116438778A (en) The persistent source value for the assumed alternate identity
CN117610058A (en) RBAC-based multi-tenant supporting data authority management device and method
CN106326760B (en) A description method of access control rules for data analysis
US8631123B2 (en) Domain based isolation of network ports
JP2024108150A (en) Data record correlation and migration
CN115510464A (en) A dynamic authority control method, system and device
CN107451159A (en) A kind of data bank access method and device
CN116644453A (en) A rights management method, device and equipment for a file system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination