
CN118468320B - Data authority control method and system - Google Patents


Info

Publication number: CN118468320B
Application number: CN202410917660.XA
Authority: CN (China)
Prior art keywords: data, permission, authority, user, cache
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN118468320A
Inventor: 刘江
Current assignee: Tcl Photovoltaic Zhiwei Technology Shenzhen Co ltd (as listed by Google Patents)
Original assignee: Tcl Photovoltaic Zhiwei Technology Shenzhen Co ltd
Priority date
Filing date
Publication date

Events

    • Application filed by Tcl Photovoltaic Zhiwei Technology Shenzhen Co ltd
    • Priority to CN202410917660.XA
    • Publication of CN118468320A
    • Application granted
    • Publication of CN118468320B
    • Legal status: Active
    • Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Automation & Control Theory (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The present application relates to a data permission control method and system in the technical field of data control. The method comprises: after a user account logs in successfully, querying a database based on the logged-in user account to obtain all role information associated with the account, where the database defines and stores data permission rules, and the data permission rules cover roles, business domains, permission rules for business entities, the data records that can be accessed and the operation types permitted; the user is a user of a multi-tenant system; querying a permission rule table based on all the associated role information and extracting all relevant permission settings from it, the permission settings comprising access control lists, operation permissions and data access scopes; caching the extracted permission setting data in the user session and retaining it for the whole session; and, when the user account initiates a data access request, allowing or denying the request based on the permission setting data.

Description

Data authority control method and system

Technical Field

The present application relates to the technical field of data authority control, and in particular to a data authority control method and system.

Background Art

In modern software systems, especially multi-tenant systems and cloud-based services, data isolation and access control are critical concerns. Existing data permission control schemes are usually fixed and inflexible, and struggle to keep up with rapidly evolving business needs and the demand for fine-grained data access control. Traditional permission control schemes also tend to lack scalability and adaptability, so they cannot cope effectively with permission requirements that vary widely across users and business domains.

Data permission management in the prior art usually relies on static permission allocation schemes, which lack flexibility and scalability in multi-tenant and cloud service environments. This limits an organization's ability to control data access flexibly in a rapidly changing business environment.

Summary of the Invention

In order to at least partially solve the above technical problems, the present application provides a data permission control method and system.

In a first aspect, the data permission control method provided by the present application adopts the following technical solution.

A data permission control method, comprising:

after a user account logs in successfully, querying a database based on the logged-in user account to obtain all role information associated with the user account, where the database defines and stores data permission rules, the data permission rules including roles, business domains, permission rules for business entities, the data records that can be accessed and the permitted operation types, and the user is a user of a multi-tenant system;

querying a permission rule table based on all the associated role information and extracting all relevant permission settings from the permission rule table, the permission settings including access control lists, operation permissions and data access scopes;

caching the extracted permission setting data in the user session and retaining the permission setting data for the whole user session; and

when the user account initiates a data access request, allowing or denying it based on the permission setting data.

Optionally, querying the permission rule table based on all the associated role information includes:

after the user account logs in successfully, parsing and confirming the user's roles;

extracting the permission rules related to the user's roles from the permission configuration store of the database based on those roles;

in the data operation layer, dynamically assembling the WHERE conditions of the SQL query according to the extracted permission rules; and

executing the modified SQL query, so that every database query or modification is performed according to the user's data access permissions.

Optionally, caching the extracted permission setting data in the user session includes:

writing the extracted permission setting data into a distributed cache;

for each subsequent data access request, first checking whether permission data corresponding to the request exists in the distributed cache; if it does, performing the permission check directly against the cached data; if it does not, reloading the permission setting data from the database; and

updating the distributed cache periodically and monitoring cache performance.

Optionally, allowing or denying a data access request initiated by the user account based on the permission setting data includes:

when the user account initiates a data access request, capturing it with an interceptor integrated into the data processing layer of the server, the data access request being a read, update or delete of data;

the interceptor calling a permission check service which, at run time, retrieves from the user session the permission rules preloaded in the distributed cache; and

determining whether the requested data point matches the cached permission rules; if the data access request matches the user's permissions, access is allowed; if not, access is denied and a corresponding error or warning message is returned.

Optionally, dynamically assembling the WHERE conditions of the SQL query in the data operation layer according to the extracted permission rules includes:

pre-configuring a permission rule model that stores the permission information of the different roles;

after the user logs in successfully, parsing the user's roles and extracting the corresponding permission rules from the permission configuration store according to those roles;

building a permission parser that dynamically constructs query conditions from the user's permission rules;

abstracting the permission rules into query condition templates;

building a dynamic SQL generator that generates SQL statements from the templates provided by the permission parser and the actual query requirements;

when generating a SQL query, merging multiple conditions and optimizing the generated statement; and

when the permission rules change, updating and synchronizing the new permission settings.

Optionally, writing the extracted permission setting data into the distributed cache includes:

serializing the permission setting data into a JSON string; generating for each permission setting record a composite hash key based on role, business entity and operation type, the hash key being generated from the role ID, business domain ID and business entity ID;

sharding the permission setting data across the cache nodes with a consistent hashing algorithm so that the data is evenly distributed, and keeping replicas of the data on different nodes so that a single node failure does not make the data unavailable;

embedding a version number and timestamp in the permission setting data and updating the version number whenever the permission rules are updated; storing the version number and last update time together with the cached data as the basis for judging its freshness; and, when permissions are queried, comparing the version information carried by the request with the version information in the cache to decide whether the permissions need to be reloaded;

for permission rules that are accessed frequently but change rarely, setting a longer cache expiration time; for permissions that change frequently, shortening the cache validity period and combining it with an active listening mechanism so that, as soon as the back-end permission configuration changes, the cache system is notified to update the corresponding data; and

when permission setting data is written to the database, guaranteeing the atomicity of the database write and the distributed cache update by means of a distributed transaction mechanism.
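The cache-write steps above (JSON serialization, a composite key from role, domain and entity IDs, consistent-hash sharding with replicas, an embedded version for freshness checks and a TTL that depends on how volatile a rule is) can be followed in a small self-contained model. The code below is an added illustration written for this page; it is not the patent's own implementation. The "perm:" key namespace, the `volatile` flag on a rule, the TTL values, the node names and the in-memory `store` dict standing in for the cache nodes are all assumptions of the example.

```python
import hashlib
import json
from bisect import bisect_right


def permission_cache_key(role_id: str, domain_id: str, entity_id: str) -> str:
    """Composite cache key derived from role ID, business domain ID and business entity ID.

    Hashing the joined IDs keeps the key fixed-length and avoids separator clashes
    between IDs; the "perm:" prefix is a constructed namespace, not from the patent.
    """
    raw = f"{role_id}\x1f{domain_id}\x1f{entity_id}".encode()
    return "perm:" + hashlib.sha256(raw).hexdigest()


def serialize_entry(rule: dict, version: int, updated_at: int) -> str:
    """Serialize a permission record together with its version and last-update time as JSON."""
    return json.dumps({"rule": rule, "version": version, "updated_at": updated_at}, sort_keys=True)


def needs_reload(cached_json: str, requested_version: int) -> bool:
    """Freshness check: the cached entry is stale if the request carries a newer version."""
    entry = json.loads(cached_json)
    return entry["version"] < requested_version


def ttl_seconds(rule: dict) -> int:
    """Longer TTL for stable rules, short TTL for volatile ones (the values are constructed)."""
    return 60 if rule.get("volatile") else 3600


class ConsistentHashRing:
    """Minimal consistent-hash ring with virtual nodes; replicas_for returns distinct nodes."""

    def __init__(self, nodes, vnodes: int = 64):
        self.nodes = list(nodes)
        self._ring = sorted(
            (self._hash(f"{node}#{i}"), node) for node in self.nodes for i in range(vnodes)
        )
        self._points = [h for h, _ in self._ring]

    @staticmethod
    def _hash(s: str) -> int:
        return int.from_bytes(hashlib.sha256(s.encode()).digest()[:8], "big")

    def replicas_for(self, key: str, copies: int) -> list:
        """Primary node for the key plus the next distinct nodes clockwise on the ring."""
        start = bisect_right(self._points, self._hash(key))
        chosen = []
        for step in range(len(self._ring)):
            node = self._ring[(start + step) % len(self._ring)][1]
            if node not in chosen:
                chosen.append(node)
            if len(chosen) == min(copies, len(self.nodes)):
                break
        return chosen

    def primary(self, key: str) -> str:
        return self.replicas_for(key, 1)[0]


def write_permission(store: dict, ring: ConsistentHashRing, role_id: str, domain_id: str,
                     entity_id: str, rule: dict, version: int, updated_at: int, copies: int = 2):
    """Write one serialized record to every replica node; store maps node -> {key: json}."""
    key = permission_cache_key(role_id, domain_id, entity_id)
    payload = serialize_entry(rule, version, updated_at)
    targets = ring.replicas_for(key, copies)
    for node in targets:
        store.setdefault(node, {})[key] = payload
    return key, targets


if __name__ == "__main__":
    ring = ConsistentHashRing(["cache-a", "cache-b", "cache-c"])
    store = {}
    key, nodes = write_permission(store, ring, "role-7", "domain-order", "entity-orders",
                                  {"ops": ["read"], "volatile": False}, version=3, updated_at=1700000000)
    print(key, nodes, needs_reload(store[nodes[0]][key], 4))
```

Losing one node leaves the record on its replica, and a request that carries version 4 against a cached version 3 triggers a reload; the atomic write of database and cache that the last step requires is outside what this model shows.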

In a second aspect, the data permission control system provided by the present application adopts the following technical solution.

A data permission control system, comprising:

a first processing module configured to: after a user account logs in successfully, query a database based on the logged-in user account to obtain all role information associated with the user account, where the database defines and stores data permission rules, the data permission rules including roles, business domains, permission rules for business entities, the data records that can be accessed and the permitted operation types, and the user is a user of a multi-tenant system;

a second processing module configured to: query a permission rule table based on all the associated role information and extract all relevant permission settings from it, the permission settings including access control lists, operation permissions and data access scopes;

a third processing module configured to: cache the extracted permission setting data in the user session and retain it for the whole user session; and

a fourth processing module configured to: when the user account initiates a data access request, allow or deny it based on the permission setting data.

In a third aspect, the present application discloses an electronic device comprising a memory and a processor, the memory storing a computer program that is loaded by the processor and executes any of the above methods.

In a fourth aspect, the present application discloses a computer-readable storage medium storing a computer program that can be loaded by a processor and executes any of the above methods.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flow chart of a data permission control method according to an embodiment of the present application;

FIG. 2 is a system block diagram of a data permission control method according to an embodiment of the present application.

In the figures: 201, first processing module; 202, second processing module; 203, third processing module; 204, fourth processing module.

DETAILED DESCRIPTION

The present application is further described below with reference to FIG. 1 and FIG. 2 and to specific embodiments.

First, it should be noted that where directional terms such as "center", "upper", "lower", "left", "right", "vertical", "horizontal", "inner" and "outer" appear in the description of this application, the orientation or positional relationship they indicate is that shown in the drawings, is used only for ease of description, and does not indicate or imply that the device or element referred to must have a particular orientation or be constructed and operated in a particular orientation; it is therefore not to be understood as limiting the application. Likewise, ordinal terms such as "first", "second" and "third" are used only for descriptive purposes and are not to be understood as indicating or implying relative importance. In addition, unless otherwise expressly specified and limited, terms such as "mounted", "linked" and "connected" are to be understood broadly: for example, as a fixed connection, a detachable connection, a positional connection such as an interference fit or a transition fit, or an integral connection; and as a direct connection or an indirect connection through an intermediate medium. A person of ordinary skill in the art can understand the specific meaning of these terms in this application according to the specific circumstances.

An embodiment of the present application discloses a data permission control method.

Some terms are explained first.

User: a user who can log in to the system and perform operations.

Role: a set of permissions defined by the system; a user obtains the corresponding permissions by being assigned one or more roles.

RBAC: Role-Based Access Control, a mature and widely used permission management method in which permissions are managed and assigned through roles, simplifying permission management and improving security.

Data permission: the scope of data a role may access, such as views, records and fields.

Tenant: in a multi-tenant system, a user or user group that occupies a certain share of system resources and owns an independent data space.

Business domain: the collection of related business logic and data in the system; it usually defines a set of related business rules, entities, relationships and processes. Examples are the order domain (development and construction of power stations), the post-lease domain (operation of power stations after construction and hand-over) and the purchase-sales-inventory domain (logistics order issuing, inventory management and so on).

Business entity/table: usually represented as a table in the database; the structured form in which data of a specific type within a business domain is stored.

Business attribute/field: a specific item within a business entity, describing a particular characteristic, quantity, property or state of the entity.

Referring to FIG. 1, in one embodiment the data permission control method includes the following steps.

Step S101: after the user account logs in successfully, query the database based on the logged-in user account to obtain all role information associated with the user account; the database defines and stores data permission rules; the data permission rules include roles, business domains, permission rules for business entities, the data records that can be accessed and the permitted operation types; the user is a user of a multi-tenant system.

Specifically, the user logs in by entering a user name and password; after the system has verified that the credentials are correct, it grants login.

Step S102: query the permission rule table based on all the associated role information and extract all relevant permission settings from it; the permission settings include access control lists, operation permissions and data access scopes.

Step S103: cache the extracted permission setting data in the user session and retain it for the whole user session.

Step S104: when the user account initiates a data access request, allow or deny it based on the permission setting data.

Specifically, a multi-tenant system is an architectural pattern in which a single instance of a software application serves multiple organizations (tenants), with each tenant's data and configuration kept separate and isolated to ensure data privacy and security. In permission management, a role is a predefined set of permissions representing a user's function and access rights in the system; a user obtains the corresponding permissions by being assigned one or more roles. A business domain is an area of the system devoted to a particular body of business logic and data, such as sales, finance or human resources; each business domain contains specific business entities and operational processes. A business entity is a structured object in the system that stores a specific type of business data, such as customers, orders or products. Data permission rules specify a user's access rights on particular business domains and business entities, including which data records and fields may be accessed and which operation types (such as read, write and delete) are allowed. An access control list (ACL) is a list of rules defining which users or roles may access a specific resource. Operation permissions are the types of operation a user may perform in the system, such as viewing, editing or deleting data.

After a user logs in, the system first identifies the user and obtains all the roles associated with them. Based on those roles, the system queries the permission rule table in the database and extracts all the permission settings related to them. The extracted permission data is cached in the user's session, so that for the rest of the session permissions can be verified quickly without repeated database queries, which noticeably improves response time and user experience. A caching mechanism such as Redis further improves performance. When the user attempts to access data, the system decides whether to allow the access based on the permission settings cached in the session.

The technical solution of this application implements a dynamic data permission management and enforcement mechanism that controls data access flexibly according to roles, accounts and business rules. Through the integrated permission management and dynamic permission enforcement modules, the system provides fine-grained data access control without sacrificing performance.

In a specific embodiment of the data permission control method, querying the permission rule table based on all the associated role information includes:

after the user account logs in successfully, parsing and confirming the user's roles;

extracting the permission rules related to the user's roles from the permission configuration store of the database based on those roles;

in the data operation layer, dynamically assembling the WHERE conditions of the SQL query according to the extracted permission rules; and

executing the modified SQL query, so that every database query or modification is performed according to the user's data access permissions.

Specifically, parsing the user's roles and extracting the corresponding permission rules gives fine-grained management of user permissions. Dynamically assembling the WHERE conditions of the SQL query in the data operation layer is the concrete form that dynamic permission enforcement takes. This ensures that even while a query or update is executing, the data is filtered in real time according to the user's current permissions, preventing unauthorized access. For example, if a user is only allowed to view the data of their own department, the system automatically adds a department ID filter to the SQL query, so the user never sees other departments' data. Compared with querying the permission configuration in the database on every operation, generating the SQL conditions dynamically and applying them in the data operation layer reduces the number of database accesses and improves processing speed and responsiveness; in a high-concurrency environment in particular, this markedly reduces database load.

In a specific embodiment of the data permission control method, caching the extracted permission setting data in the user session includes:

writing the extracted permission setting data into a distributed cache;

for each subsequent data access request, first checking whether permission data corresponding to the request exists in the distributed cache; if it does, performing the permission check directly against the cached data; if it does not, reloading the permission setting data from the database; and

updating the distributed cache periodically and monitoring cache performance.

Specifically, by caching the permission setting data in a distributed cache such as Redis, the system can fetch the permission information it needs for a permission check directly from the cache while handling a user's data access request, instead of querying the database each time. This markedly reduces how often the database is accessed and the time spent on I/O, improving data access efficiency and system response time. Although the permission data is cached, periodically refreshing the cache keeps the permission information current: even if the permission configuration changes (for instance an administrator adjusts a role's permissions), the change is reflected in the cache after a bounded interval and from then on applied in permission checks, so permission control stays timely and accurate. The distributed cache lets the system maintain good performance as the user base and business complexity grow. Monitoring cache performance gives system administrators real-time feedback on key indicators such as hit rate and response time, which is essential for tuning the cache strategy and spotting problems. For example, a low hit rate may call for a change of cache strategy or more cache capacity, while rising cache latency calls for checking whether cache node load is uneven or the network is slow.

In a specific embodiment of the data permission control method, allowing or denying a data access request initiated by the user account based on the permission setting data includes:

when the user account initiates a data access request, capturing it with an interceptor integrated into the data processing layer of the server, the data access request being a read, update or delete of data;

the interceptor calling a permission check service which, at run time, retrieves from the user session the permission rules preloaded in the distributed cache; and

determining whether the requested data point matches the cached permission rules; if the data access request matches the user's permissions, access is allowed; if not, access is denied and a corresponding error or warning message is returned.

Specifically, whenever the user attempts a data access operation (read, update or delete), the interceptor steps in at the data processing layer, so every data access request is intercepted. The interceptor calls the permission check service, which reads the preloaded permission rules (held in the distributed cache) straight from the user session. This makes use of the cache, greatly reduces direct database access, speeds up permission verification and improves system performance. The permission check service matches the specifics of the request (data type, field, operation type) exactly against the cached permission rules, giving fine-grained permission control. Based on the result, the system decides dynamically whether to allow the request: if it matches the user's permissions, the access proceeds; if not, the access is refused immediately and an error or warning message tells the user that their access rights are insufficient.
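The login-to-check flow of steps S101 to S104 and the interceptor behaviour just described can be modelled end to end: rules are loaded from the database on the first request of a session, held for the session, reused on later requests, and reloaded only after an invalidation. The block below is an added example written for this page, not the patent's code. The rule table, the session dicts, the `intercept` decorator standing in for the data-layer interceptor, and the in-memory cache class that counts database loads are all constructed for the illustration.

```python
from functools import wraps


class PermissionDenied(Exception):
    """Raised by the interceptor when the request matches no cached rule."""


# Constructed permission rule table: role -> set of (business domain, business entity, operation).
PERMISSION_RULES_DB = {
    "sales_rep": {("order", "orders", "read"), ("order", "orders", "update")},
    "auditor": {("order", "orders", "read"), ("finance", "invoices", "read")},
}


class SessionPermissionCache:
    """Stand-in for the distributed cache keyed by session ID; counts database loads."""

    def __init__(self):
        self.reset()

    def reset(self):
        self._store = {}
        self.db_loads = 0

    def get(self, session_id):
        return self._store.get(session_id)

    def put(self, session_id, rules):
        self._store[session_id] = rules

    def invalidate(self, session_id):
        """Used when a role's rules change: the next request for this session reloads."""
        self._store.pop(session_id, None)

    def load_from_db(self, roles):
        """Simulated database query for all rules attached to the given roles."""
        self.db_loads += 1
        rules = set()
        for role in roles:
            rules |= PERMISSION_RULES_DB.get(role, set())
        return frozenset(rules)


def rules_for_session(session: dict, cache: SessionPermissionCache):
    """Cache hit: use the cached rules; cache miss: reload from the database and repopulate."""
    rules = cache.get(session["id"])
    if rules is None:
        rules = cache.load_from_db(session["roles"])
        cache.put(session["id"], rules)
    return rules


def is_allowed(session, cache, domain, entity, operation) -> bool:
    """Deny by default: only an exact (domain, entity, operation) match allows access."""
    return (domain, entity, operation) in rules_for_session(session, cache)


def intercept(cache, domain, entity, operation):
    """Decorator playing the role of the data-layer interceptor for one data access function."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(session, *args, **kwargs):
            if not is_allowed(session, cache, domain, entity, operation):
                raise PermissionDenied(f"{session['user']}: {operation} on {domain}.{entity} denied")
            return fn(session, *args, **kwargs)
        return wrapper
    return decorator


CACHE = SessionPermissionCache()


@intercept(CACHE, "order", "orders", "read")
def read_order(session, order_id):
    return {"id": order_id}


@intercept(CACHE, "order", "orders", "delete")
def delete_order(session, order_id):
    return True


def run_scenario():
    """One session: allowed read, denied delete, cache reuse, then a forced reload."""
    CACHE.reset()
    session = {"id": "sess-1", "user": "alice", "roles": ["sales_rep"]}
    outcome = {"read": read_order(session, 42)["id"]}
    try:
        delete_order(session, 42)
        outcome["delete"] = "allowed"
    except PermissionDenied:
        outcome["delete"] = "denied"
    read_order(session, 43)
    outcome["loads_before_invalidate"] = CACHE.db_loads  # both reads and the delete check used one load
    CACHE.invalidate(session["id"])                       # administrator changed the role's rules
    read_order(session, 44)
    outcome["loads_after_invalidate"] = CACHE.db_loads   # exactly one reload after invalidation
    return outcome


if __name__ == "__main__":
    print(run_scenario())
```

The denial path raises before the wrapped function runs, so the data layer never sees a request the check rejected; the surrounding framework turns the exception into the error or warning message the text describes.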

As one implementation of the data permission control method, dynamically assembling the WHERE condition of the SQL query at the data operation layer according to the extracted permission rules includes:

pre-configuring a permission rule model that stores the permission information of the different roles;

after the user has logged in successfully, parsing the user's role and extracting the corresponding permission rules from the permission configuration storage according to that role;

constructing a permission parser that dynamically builds query conditions from the user's permission rules;

abstracting the permission rules into query condition templates;

constructing a dynamic SQL generator that generates SQL statements dynamically from the templates supplied by the permission parser and the actual query requirements;

when generating an SQL query, merging multiple conditions and optimizing the generated query statement;

when permission rules change, updating and synchronizing the new permission settings.

Specifically, the pre-configured permission rule model lets the system adjust data access permissions dynamically according to user roles, so the permission control strategy adapts to role changes in real time without each SQL query statement being adjusted by hand. Assembling the WHERE condition of the SQL query dynamically at the data operation layer ensures that every data query stays strictly within the user's permission boundary. Even if a user tries to access unauthorized data, the system blocks the request automatically because the permission restriction is already embedded in the query condition, which effectively prevents potential data leakage. The permission parser and dynamic SQL generator produce customized query statements efficiently from the user's permissions, reducing unnecessary data access and database load. Merging multiple conditions and optimizing the generated query statement further improves query efficiency. When permission rules change, only the corresponding settings in the permission configuration storage need to be updated; the parser and SQL generator then generate query conditions from the latest rules automatically. Because permission rules are abstracted into query condition templates, adding a new role or permission is simpler: a corresponding entry is added to the permission rule model, and the underlying SQL generation logic does not change. The dynamically generated SQL statements contain the permission control logic, which makes them convenient to log and helps administrators monitor permission usage.
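As an added example (not code from the patent), the permission parser and dynamic SQL generator described above, implemented over an in-memory SQLite table; the rule model, column whitelist, entity name and role names are assumptions. Templates are limited to whitelisted columns compared with bind placeholders, so the generated WHERE never splices request values into SQL text.

```python
import re
import sqlite3
from typing import Dict, List, Tuple

# Permission rule model (constructed): role -> entity -> condition templates.
# Templates within a role are ANDed; roles are ORed; an empty list grants every
# row of the caller's tenant; an absent entity grants nothing on that entity.
PERMISSION_RULE_MODEL: Dict[str, Dict[str, List[str]]] = {
    "tenant_admin":   {"orders": []},
    "region_manager": {"orders": ["region = :region"]},
    "sales_rep":      {"orders": ["owner_id = :user_id"]},
    "support_agent":  {"orders": ["region = :region", "status = :status"]},
    "auditor":        {"invoices": []},
}

# Column whitelist per entity: a template may only name these columns, and the
# value side must be a bind placeholder, so nothing from a request is spliced
# into SQL text.
ALLOWED_COLUMNS = {"orders": {"tenant_id", "region", "owner_id", "status"}}
_TEMPLATE = re.compile(r"^([A-Za-z_]\w*) = :([A-Za-z_]\w*)$")

def validate_template(template: str, entity: str) -> str:
    """Permission parser step: accept only 'column = :placeholder' templates on
    whitelisted columns and return the placeholder name."""
    m = _TEMPLATE.match(template)
    if not m or m.group(1) not in ALLOWED_COLUMNS[entity]:
        raise ValueError(f"rejected rule template {template!r} for {entity}")
    return m.group(2)

def build_where(roles: List[str], entity: str, ctx: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Dynamic SQL generator: returns (where_fragment, bind_params).
    One AND-group per role, groups ORed, duplicate groups dropped; collapses to
    the tenant filter when any role is unrestricted, and yields '1 = 0' when no
    role grants the entity at all."""
    if entity not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown entity {entity!r}")
    groups: List[List[str]] = []
    unrestricted = False
    needed = set()
    for role in roles:
        templates = PERMISSION_RULE_MODEL.get(role, {}).get(entity)
        if templates is None:
            continue                       # role says nothing about this entity
        if not templates:
            unrestricted = True            # whole tenant: OR with anything collapses
            continue
        group = sorted(set(templates))
        names = [validate_template(t, entity) for t in group]
        if group not in groups:
            groups.append(group)
            needed.update(names)
    params = {"tenant_id": ctx["tenant_id"]}   # tenant boundary is never optional
    clauses = ["tenant_id = :tenant_id"]
    if not unrestricted:
        if not groups:
            clauses.append("1 = 0")
        else:
            clauses.append("(" + " OR ".join(
                "(" + " AND ".join(g) + ")" for g in groups) + ")")
            for name in sorted(needed):
                params[name] = ctx[name]       # KeyError if the session lacks the value
    return " AND ".join(clauses), params

def query_ids(conn: sqlite3.Connection, roles: List[str], entity: str, ctx: Dict[str, str]) -> List[int]:
    """Append the generated WHERE to the application's own query and run it."""
    where, params = build_where(roles, entity, ctx)
    sql = f"SELECT id FROM {entity} WHERE {where} ORDER BY id"
    return [row[0] for row in conn.execute(sql, params)]

def demo_connection() -> sqlite3.Connection:
    """In-memory table with constructed rows spanning two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, tenant_id TEXT, "
                 "region TEXT, owner_id TEXT, status TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?)", [
        (1, "t1", "east", "u1", "open"),
        (2, "t1", "west", "u2", "open"),
        (3, "t1", "east", "u3", "closed"),
        (4, "t2", "east", "u1", "open"),
    ])
    return conn
```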

As one implementation of the data permission control method, writing the extracted permission setting data into the distributed cache includes:

serializing the permission setting data into a JSON string; generating for each permission setting record a composite hash key based on role, business entity and operation type, the hash key being generated from the role ID, business domain ID and business entity ID;

sharding the permission setting data with a consistent hashing algorithm so that the data is distributed evenly across the cache nodes; keeping data replicas on different nodes to prevent data becoming unavailable because of a single point of failure;

embedding a version number and timestamp in the permission setting data and updating the version number each time a permission rule is updated; storing the version number and last update time together with the cached data as the basis for judging data freshness; when permissions are queried, comparing the version carried by the request with the version in the cache to decide whether the permissions need to be reloaded;

setting a longer cache expiration time for permission rules that are accessed frequently but change rarely; for permissions that change frequently, shortening the cache validity period and combining it with an active monitoring mechanism that notifies the cache system to update the corresponding data as soon as the background permission configuration changes;

while the permission setting data is written to the database, guaranteeing the atomicity of the database write and the distributed cache update through a distributed transaction mechanism.

Specifically, serializing the permission setting data into a JSON string and storing it in the distributed cache reduces direct database access on every permission verification. Generating a composite hash key and sharding with a consistent hashing algorithm not only distributes the data evenly but also, by keeping replicas on different nodes, improves fault tolerance: if one node fails, the permission information can still be obtained from another replica, preserving service continuity. By embedding a version number and timestamp in the cached data and updating this metadata whenever a permission rule is updated, the system can judge the freshness of the permission data and keep it consistent and accurate. The cache expiration time is adjusted to how often a permission rule changes: rarely changed rules get a longer period, frequently changed rules a shorter one, and together with the active monitoring mechanism this makes efficient use of resources while meeting real-time requirements, balancing performance against data timeliness. The distributed transaction mechanism makes the update of permission data in the database and in the cache atomic, so that either both operations succeed or both fail; this avoids inconsistencies and preserves the rigor of permission control and the integrity of system data.
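An added example, not the patent's code, of the cache write path just described: JSON serialization carrying a version number and update time, a composite key from role ID, domain ID and entity ID, a consistent-hash ring that places each key on replicas on distinct nodes, and a version comparison on read that tells the caller when permissions must be reloaded. Node names, key layout and the in-memory stand-in for cache nodes are assumptions.

```python
import bisect
import hashlib
import json
from typing import Dict, List, Optional

def composite_key(role_id: str, domain_id: str, entity_id: str) -> str:
    """Composite cache key from role ID, business domain ID and business entity
    ID; the separator keeps e.g. 'a|bc' and 'ab|c' distinct before hashing."""
    raw = f"{role_id}|{domain_id}|{entity_id}".encode("utf-8")
    return "perm:" + hashlib.sha256(raw).hexdigest()[:32]

def serialize(setting: dict, version: int, updated_at: float) -> str:
    """JSON string that carries the version number and last update time with
    the permission setting, so each cache entry is self-describing."""
    return json.dumps({"version": version, "updated_at": updated_at,
                       "setting": setting}, sort_keys=True)

def _hash_point(value: str) -> int:
    return int(hashlib.sha256(value.encode("utf-8")).hexdigest()[:16], 16)

class HashRing:
    """Consistent hash ring with virtual nodes; a key maps to `replicas`
    distinct physical nodes found walking clockwise from its hash point."""
    def __init__(self, nodes: List[str], vnodes: int = 64, replicas: int = 2):
        self.vnodes, self.replicas = vnodes, replicas
        self._points: List[int] = []
        self._owner: Dict[int, str] = {}
        for node in nodes:
            self.add_node(node)

    def add_node(self, node: str) -> None:
        for i in range(self.vnodes):
            p = _hash_point(f"{node}#{i}")
            self._owner[p] = node
            bisect.insort(self._points, p)

    def remove_node(self, node: str) -> None:
        self._points = [p for p in self._points if self._owner[p] != node]
        self._owner = {p: n for p, n in self._owner.items() if n != node}

    def nodes_for(self, key: str) -> List[str]:
        if not self._points:
            return []
        start = bisect.bisect(self._points, _hash_point(key))
        chosen: List[str] = []
        for i in range(len(self._points)):
            node = self._owner[self._points[(start + i) % len(self._points)]]
            if node not in chosen:
                chosen.append(node)
                if len(chosen) == self.replicas:
                    break
        return chosen

class PermissionCache:
    """In-memory stand-in for the cache nodes: one dict per node."""
    def __init__(self, ring: HashRing):
        self.ring = ring
        self.store: Dict[str, Dict[str, str]] = {}

    def put(self, key: str, payload: str) -> List[str]:
        targets = self.ring.nodes_for(key)
        for node in targets:                  # write to every replica
            self.store.setdefault(node, {})[key] = payload
        return targets

    def get(self, key: str, expected_version: int) -> Optional[dict]:
        """Return a cached entry at least as new as the version the request
        carries; None tells the caller to reload from the database."""
        for node in self.ring.nodes_for(key):
            raw = self.store.get(node, {}).get(key)
            if raw is None:
                continue                      # replica lacks it: try the next one
            entry = json.loads(raw)
            if entry["version"] >= expected_version:
                return entry
        return None                           # missing or stale everywhere

    def fail_node(self, node: str) -> None:
        """Simulate an outage: the node's data is gone and it leaves the ring."""
        self.store.pop(node, None)
        self.ring.remove_node(node)
```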

This application also provides a data permission control method, including:

a first processing module 201, configured to: after a user account has logged in successfully, query the database based on the logged-in user account to obtain all role information associated with that account; the data permission rules are defined and stored in the database and include: roles, business domains, permission rules of business entities, the accessible data records and the operation types of the permissions; the user is a user of a multi-tenant system;

a second processing module 202, configured to: query the permission rule table based on all the associated role information and extract all relevant permission settings from it; the permission settings include: access control lists, operation permissions and the data access scope;

a third processing module 203, configured to: cache the extracted permission setting data in the user session and keep it for the whole of the user's session;

a fourth processing module 204, configured to: allow or deny a data access request initiated by the user account based on the permission setting data.

An embodiment of this application also discloses an electronic device.

Specifically, the device includes a memory and a processor, and the memory stores a computer program that can be loaded by the processor to execute any of the data permission control methods described above.

An embodiment of this application also discloses a computer-readable storage medium. Specifically, the medium stores a computer program that can be loaded by a processor to execute any of the data permission control methods described above; such a medium includes, for example, a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.

It should be noted that the above embodiments only illustrate this application and do not limit the technical solutions it describes. Although this application has been described in detail with reference to the above embodiments, a person of ordinary skill in the art should understand that the application may still be modified or its features replaced by equivalents, and that every technical solution and improvement that does not depart from the spirit and scope of this application falls within the scope of its claims.

Claims (4)

1. A data permission control method, characterized by comprising:
after a user account has successfully logged in, querying a database based on the logged-in user account to obtain all role information associated with the user account; data permission rules being defined and stored in the database; the data permission rules comprising: roles, business domains, permission rules of business entities, accessible data records and operation types of the permissions; the user being a user of a multi-tenant system;
querying a permission rule table based on all the associated role information; extracting all relevant permission settings based on the permission rule table; the permission settings comprising: an access control list, operation permissions and a data access scope;
caching the extracted permission setting data in a user session, and keeping the permission setting data for the whole session of the user;
when the user account initiates a data access request, allowing or denying the request based on the permission setting data;
wherein querying the permission rule table based on all the associated role information comprises:
after the user account has successfully logged in, parsing and confirming the role of the user;
extracting permission rules related to the role of the user from a permission configuration storage of the database based on the role of the user;
dynamically assembling the WHERE condition of the SQL query according to the extracted permission rules at a data operation layer;
executing the modified SQL query so that each database query or modification is performed according to the data access permissions of the user;
wherein caching the extracted permission setting data in the user session comprises:
writing the extracted permission setting data into a distributed cache;
for a subsequent data access request, first querying whether permission data corresponding to the data access request exists in the distributed cache; if the corresponding permission data exists in the distributed cache, verifying the permission directly against the cached data in the distributed cache; if the distributed cache does not hold the corresponding permission data, reloading the permission setting data from said database;
periodically updating the distributed cache and monitoring cache performance;
wherein, when the user account initiates a data access request, allowing or denying based on the permission setting data comprises:
capturing the data access request through an interceptor when the user account initiates it; the interceptor being integrated in a data processing layer of the server; the data access request comprising reading, updating or deleting data;
the interceptor invoking a permission check service; the permission check service, when running, retrieving from the user session the permission rules preloaded in the distributed cache;
judging whether the requested data point matches the cached permission rules; if the data access request matches the user's permissions, allowing access; if it does not match, refusing access and returning corresponding error information or warning information;
wherein dynamically assembling the WHERE condition of the SQL query according to the extracted permission rules at the data operation layer comprises:
pre-configuring a permission rule model, wherein permission information of different roles is stored in the permission rule model;
after the user has successfully logged in, parsing the role of the user, and extracting corresponding permission rules from the permission configuration storage according to the role;
constructing a permission parser, wherein the parser dynamically constructs query conditions according to the permission rules of the user;
abstracting the permission rules into templates of query conditions;
constructing a dynamic SQL generator, wherein the dynamic SQL generator dynamically generates SQL statements according to the templates provided by the permission parser and the actual query requirements;
when generating the SQL query, merging a plurality of conditions and optimizing the generated query statement;
when a permission rule changes, updating and synchronizing the new permission settings;
wherein writing the extracted permission setting data into the distributed cache comprises:
serializing the permission setting data, converting the permission setting data into JSON character strings; generating a composite hash key based on a role, a business entity and an operation type for each piece of permission setting data, wherein the hash key is generated based on a role ID, a business domain ID and a business entity ID;
sharding the permission setting data by a consistent hashing algorithm, and distributing the data evenly across the cache nodes; keeping data replicas on different nodes so as to prevent data unavailability caused by single-point failures;
embedding a version number and timestamp information in the permission setting data, and updating the version number synchronously each time a permission rule is updated; when caching the data, storing the version number and the last update time together and using them as the basis for judging data freshness; when querying permissions, judging whether the permissions need to be reloaded by comparing the version information carried by the request with the version information in the cache;
setting a longer cache expiration time for permission rules which are accessed frequently and changed infrequently; for permissions which change frequently, shortening the cache validity period and combining it with an active monitoring mechanism that immediately notifies the cache system to update the corresponding data once the background permission configuration changes;
and, when the permission setting data is written into the database, ensuring the atomicity of the data writing operation and the distributed cache updating operation through a distributed transaction mechanism.
2. A data permission control system, comprising:
a first processing module configured to: after a user account has successfully logged in, query a database based on the logged-in user account to obtain all role information associated with the user account; data permission rules being defined and stored in the database; the data permission rules comprising: roles, business domains, permission rules of business entities, accessible data records and operation types of the permissions; the user being a user of a multi-tenant system;
a second processing module configured to: query a permission rule table based on all the associated role information; extract all relevant permission settings based on the permission rule table; the permission settings comprising: an access control list, operation permissions and a data access scope;
a third processing module configured to: cache the extracted permission setting data in a user session, and keep the permission setting data for the whole session of the user;
a fourth processing module configured to: when the user account initiates a data access request, allow or deny the request based on the permission setting data;
wherein querying the permission rule table based on all the associated role information comprises:
after the user account has successfully logged in, parsing and confirming the role of the user;
extracting permission rules related to the role of the user from a permission configuration storage of the database based on the role of the user;
dynamically assembling the WHERE condition of the SQL query according to the extracted permission rules at a data operation layer;
executing the modified SQL query so that each database query or modification is performed according to the data access permissions of the user;
wherein caching the extracted permission setting data in the user session comprises:
writing the extracted permission setting data into a distributed cache;
for a subsequent data access request, first querying whether permission data corresponding to the data access request exists in the distributed cache; if the corresponding permission data exists in the distributed cache, verifying the permission directly against the cached data in the distributed cache; if the distributed cache does not hold the corresponding permission data, reloading the permission setting data from said database;
periodically updating the distributed cache and monitoring cache performance;
wherein, when the user account initiates a data access request, allowing or denying based on the permission setting data comprises:
capturing the data access request through an interceptor when the user account initiates it; the interceptor being integrated in a data processing layer of the server; the data access request comprising reading, updating or deleting data;
the interceptor invoking a permission check service; the permission check service, when running, retrieving from the user session the permission rules preloaded in the distributed cache;
judging whether the requested data point matches the cached permission rules; if the data access request matches the user's permissions, allowing access; if it does not match, refusing access and returning corresponding error information or warning information;
wherein dynamically assembling the WHERE condition of the SQL query according to the extracted permission rules at the data operation layer comprises:
pre-configuring a permission rule model, wherein permission information of different roles is stored in the permission rule model;
after the user has successfully logged in, parsing the role of the user, and extracting corresponding permission rules from the permission configuration storage according to the role;
constructing a permission parser, wherein the parser dynamically constructs query conditions according to the permission rules of the user;
abstracting the permission rules into templates of query conditions;
constructing a dynamic SQL generator, wherein the dynamic SQL generator dynamically generates SQL statements according to the templates provided by the permission parser and the actual query requirements;
when generating the SQL query, merging a plurality of conditions and optimizing the generated query statement;
when a permission rule changes, updating and synchronizing the new permission settings;
wherein writing the extracted permission setting data into the distributed cache comprises:
serializing the permission setting data, converting the permission setting data into JSON character strings; generating a composite hash key based on a role, a business entity and an operation type for each piece of permission setting data, wherein the hash key is generated based on a role ID, a business domain ID and a business entity ID;
sharding the permission setting data by a consistent hashing algorithm, and distributing the data evenly across the cache nodes; keeping data replicas on different nodes so as to prevent data unavailability caused by single-point failures;
embedding a version number and timestamp information in the permission setting data, and updating the version number synchronously each time a permission rule is updated; when caching the data, storing the version number and the last update time together and using them as the basis for judging data freshness; when querying permissions, judging whether the permissions need to be reloaded by comparing the version information carried by the request with the version information in the cache;
setting a longer cache expiration time for permission rules which are accessed frequently and changed infrequently; for permissions which change frequently, shortening the cache validity period and combining it with an active monitoring mechanism that immediately notifies the cache system to update the corresponding data once the background permission configuration changes;
and, when the permission setting data is written into the database, ensuring the atomicity of the data writing operation and the distributed cache updating operation through a distributed transaction mechanism.
3. An electronic device comprising a memory and a processor, the memory having stored thereon a computer program for loading and executing the method of claim 1 by the processor.
4. A computer readable storage medium, characterized in that a computer program is stored which can be loaded by a processor and which performs the method as claimed in claim 1.
CN202410917660.XA 2024-07-10 2024-07-10 Data authority control method and system Active CN118468320B (en)
Publications (2)

Publication Number Publication Date
CN118468320A CN118468320A (en) 2024-08-09
CN118468320B true CN118468320B (en) 2024-11-01
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant