
CN118797747A - A fine-grained permission control method, device, equipment and storage medium - Google Patents

Info

Publication number
CN118797747A
CN118797747A
Authority
CN
China
Prior art keywords
permission
row
data
authority
column
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202411282075.3A
Other languages
Chinese (zh)
Inventor
马振文
马浩杰
伍立群
吕晓刚
陈雨森
鲍奕刚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang Lab
Original Assignee
Zhejiang Lab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang Lab
Priority to CN202411282075.3A
Publication of CN118797747A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/242 Query formulation
    • G06F16/2433 Query languages
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computational Linguistics (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a fine-grained permission control method, device, equipment and storage medium, comprising: grouping users into permission groups according to their data access permissions; associating one or more permission groups with each field of a data table, so that the associated permission groups have execution permission for that column; associating one or more permission groups with each data record of the data table, so that only an associated permission group whose corresponding row permission condition is satisfied has execution permission for that row; dynamically updating the row permissions and column permissions when the security policy is updated; and parsing the data request made by the user, verifying according to the data access permissions whether the user has permission for the corresponding data, executing the request if so and refusing it otherwise. Through the configuration of column permissions and row permissions, the present invention achieves fine-grained control over data access, reduces the risk of data leakage and unauthorized access, and improves security.

Description

A fine-grained permission control method, device, equipment and storage medium

Technical Field

The present invention relates to the field of computer data security, and in particular to a fine-grained permission control method, device, equipment and storage medium.

Background Art

With the rapid development of information technology and the dramatic increase in global data volume, data security has become a major challenge for enterprises and organizations. Data security concerns the protection of personal information, corporate intellectual property and the security of key business operations, so ensuring the security of sensitive data has become an important issue. However, early data security solutions focused mainly on firewalls and traditional security mechanisms, which were usually aimed at preventing external attacks and did not adequately address insider threats or fine-grained data access control. In addition, with the popularity of cloud computing and distributed systems, data is increasingly stored in distributed environments, which makes managing and protecting it more complicated. For example, the following key issues arise:

(1) Fine-grained access control: data access needs finer control, covering not only which users can access the system but also the specific ways in which they can access and manipulate data.

(2) Dynamic permission management: as the organizational structure and business needs change, the permission management system needs to adjust flexibly and update in real time to cope with changing access requirements.

(3) Multi-environment compatibility: as enterprise IT architectures diversify, data security solutions need to work effectively in multiple environments, including traditional data centers, private clouds and public clouds.

In summary, existing data security solutions suffer from insufficient protection against insider threats, a lack of flexible dynamic permission management, and poor compatibility across multiple environments. These defects limit their effectiveness in increasingly complex data environments, and more complete and innovative solutions are urgently needed.

Summary of the Invention

In view of the deficiencies of the prior art, the present invention proposes a fine-grained permission control method, device, equipment and storage medium, which address the problems of fine-grained access control, dynamic permission management and multi-environment compatibility in the prior art.

The specific technical solutions are as follows:

A fine-grained permission control method includes the following steps:

S1: Group users into permission groups, where different permission groups have different data access permissions; the data access permissions include column permissions and row permissions;

S2: Edit the column permissions of a data table: associate one or more permission groups with each field (i.e. each column) of the data table, so that only the associated permission groups have execution permissions for that field; the execution permissions include read, write, update and delete; when the security policy is updated, the column permissions are edited dynamically;

S3: Edit the row permissions of a data table: associate one or more permission groups with each data record (i.e. each row) of the data table, so that only an associated permission group whose corresponding row permission condition is satisfied has execution permission for that record; the row permission conditions are generated according to business rules or data sensitivity; when the security policy is updated, the row permission conditions are updated dynamically and the row permissions are edited dynamically;

S4: Parse the SQL statement of the data request initiated by the user, and verify according to the configured column permissions and row permissions whether the user has permission for the corresponding data; if so, execute the data request; otherwise, do not execute it.

Furthermore, S2 is specifically implemented through the following sub-steps:

S201: Select from the database the data table for which column permissions need to be configured;

S202: Associate the column permissions of the selected data table with one or more permission groups;

S203: Select the specific fields in the data table for which column permissions need to be configured;

S204: For each selected field, set the execution permissions of one or more permission groups for that field.

Furthermore, in S202, if no existing permission group can satisfy the column permission association requirement, a new permission group is created, the users who need the column permission are added to the new permission group, and the column permissions of the selected data table are associated with the new permission group.

Furthermore, S3 is specifically implemented through the following sub-steps:

S301: Select from the database the data table for which row permissions need to be configured;

S302: Associate the row permissions of the selected data table with one or more permission groups;

S303: Edit row permission conditions: set row permission conditions for the associated permission groups, where a row permission condition is the SQL statement corresponding to a conditional expression over specific field values in the data table;

S304: Set row execution permissions: based on the defined row permission conditions, set the permission groups' execution permissions for each row of the data table.

Furthermore, in S302, if no existing permission group can satisfy the row permission association requirement, a new permission group is created, the users who need the row permission are added to the new permission group, and the row permissions of the selected data table are associated with the new permission group.

Furthermore, S303 specifically includes the following steps:

S3031: Select, as needed, the fields in the database for which row permissions need to be set;

S3032: Determine the type of the selected field; fields in the database are classified by their attributes into numeric, string and user-attribute types, and the selected field is assigned to the corresponding type according to its attributes;

S3033: Set the field condition according to the field's type:

if the field is of numeric type, set the value range of the field;

if the field is of string type, choose from the enumerated existing values of that field in the database or add custom values, so that the condition requires the field value to equal a given string, to belong to a given set of strings, or not to belong to a given set of strings;

if the field is of user-attribute type, set the condition so that the field value equals a given value of the corresponding attribute in the user attribute table, belongs to a set of values of that attribute, or does not belong to a set of values of that attribute;

S3034: Generate the SQL conditional statement with the corresponding SQL semantics from the configured field conditions, obtaining the row permission condition.

Furthermore, the administrator executes S2 and S3 through a graphical user interface or a command line interface.

A fine-grained permission control device, used to implement the fine-grained permission control method, comprises: a permission configuration module, a security policy editing module, an identity verification module, an SQL parsing module, an access control module, a log and audit module, and an interface management module;

the permission configuration module is used to define and manage the data access permissions of users and of the permission groups they belong to; through this module the administrator divides users into different permission groups and assigns different column permissions and row permissions;

the security policy editing module is used to edit and update security policies in real time; through this module the administrator creates and modifies the row permission conditions and column permissions of data tables;

the identity verification module is used to verify the identity of the user issuing a data request and the data access permissions that user holds;

the SQL parsing module is used to parse the SQL statement of a data request initiated by the user and to splice in the SQL statements of the row permission condition and the column permissions;

the access control module is used to check the compatibility of the user's data request SQL statement with the current permission configuration, and to decide according to the user's permissions whether the SQL operation is allowed to execute;

the log and audit module is used to record all data requests made by users;

the interface management module is used to provide a visual interface through which the administrator configures permissions and security policies and monitors system status.
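The request path that the SQL parsing, access control and log/audit modules describe (and step S4 above), as an added Python example that is not part of the patent or of Zhejiang Lab's code. It assumes a constructed employees table in an in-memory SQLite database, two constructed permission groups (hr and rd_staff), constructed group membership and user attributes; the permission dictionaries and the helper functions (parse_select, columns_referenced, authorize, run_request) are hypothetical. The example restricts requests to a plain SELECT grammar, checks every column the request touches (including columns used only in the WHERE clause, since a filter on a hidden column would still reveal its values), appends the row permission conditions of the user's groups as a parameterized predicate, records each decision in an audit list, and refuses anything it cannot parse.

```python
import re
import sqlite3

# Column permissions (S2), constructed for the example: (table, column) -> {group: operations}.
# Only the "hr" group may read the salary column.
COLUMN_PERMS = {
    ("employees", "id"): {"hr": {"read"}, "rd_staff": {"read"}},
    ("employees", "name"): {"hr": {"read"}, "rd_staff": {"read"}},
    ("employees", "dept"): {"hr": {"read"}, "rd_staff": {"read"}},
    ("employees", "salary"): {"hr": {"read", "update"}},
}
# Row permission conditions (S3): (table, group) -> SQL predicate. ":user_dept" is a
# named parameter bound from the requesting user's attributes, never spliced as text.
ROW_PERMS = {("employees", "hr"): "1 = 1", ("employees", "rd_staff"): "dept = :user_dept"}
# Constructed group membership (S1) and user attribute table.
USER_GROUPS = {"alice": {"rd_staff"}, "helen": {"hr"}}
USER_ATTRS = {"alice": {"user_dept": "R&D"}, "helen": {"user_dept": "HR"}}
AUDIT_LOG = []  # every request, allowed or denied, lands here (log and audit module)

_SELECT_RE = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)"
                        r"(?:\s+WHERE\s+(?P<where>.+?))?\s*;?\s*$", re.IGNORECASE | re.DOTALL)
_SQL_WORDS = {"and", "or", "not", "in", "like", "is", "null", "between"}

def parse_select(sql):
    """Parse a plain SELECT into (columns, table, where). Anything outside this restricted
    grammar is rejected, so the rewrite in authorize() cannot be sidestepped."""
    m = _SELECT_RE.match(sql)
    if not m:
        raise ValueError("only 'SELECT cols FROM table [WHERE ...]' is supported")
    cols = [c.strip() for c in m.group("cols").split(",")]
    if any(not re.fullmatch(r"\w+", c) for c in cols):
        raise ValueError("only plain column names are allowed in the select list")
    return cols, m.group("table"), m.group("where")

def columns_referenced(where):
    """Identifiers used in a WHERE clause, with string literals stripped first."""
    if not where:
        return set()
    words = re.findall(r"\b[A-Za-z_]\w*\b", re.sub(r"'[^']*'", "", where))
    return {w for w in words if w.lower() not in _SQL_WORDS}

def _decide(user, sql, allowed, rewritten, params, reason):
    # Every decision, allowed or denied, is written to the audit log before it is returned.
    AUDIT_LOG.append({"user": user, "request": sql, "allowed": allowed, "reason": reason})
    return allowed, rewritten, params, reason

def authorize(user, sql):
    """S4: column check, then row-condition rewrite. Returns (allowed, sql, params, reason)."""
    try:
        cols, table, where = parse_select(sql)
    except ValueError as err:
        return _decide(user, sql, False, None, None, str(err))
    groups = USER_GROUPS.get(user, set())
    # Column permission: every column the request touches, in the select list or only in
    # a predicate, must be readable by one of the user's groups. Predicates count because
    # filtering on a hidden column would still reveal its values.
    for col in sorted(set(cols) | columns_referenced(where)):
        grants = COLUMN_PERMS.get((table, col), {})
        if not any("read" in grants.get(g, ()) for g in groups):
            return _decide(user, sql, False, None, None, f"no read permission on {table}.{col}")
    # Row permission: the OR of the row conditions of the user's groups on this table,
    # ANDed onto whatever the user asked for.
    conds = [ROW_PERMS[(table, g)] for g in sorted(groups) if (table, g) in ROW_PERMS]
    if not conds:
        return _decide(user, sql, False, None, None, f"no row permission on {table}")
    row_cond = " OR ".join(f"({c})" for c in conds)
    full_where = f"({where}) AND ({row_cond})" if where else row_cond
    rewritten = f"SELECT {', '.join(cols)} FROM {table} WHERE {full_where}"
    return _decide(user, sql, True, rewritten, dict(USER_ATTRS.get(user, {})), "ok")

def run_request(conn, user, sql):
    """Execute the request only if authorize() allowed it; otherwise return None."""
    allowed, rewritten, params, _ = authorize(user, sql)
    return conn.execute(rewritten, params).fetchall() if allowed else None

def make_db():
    """Constructed employees table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)",
                     [(1, "Alice", "R&D", 120000), (2, "Bob", "R&D", 150000), (3, "Carol", "Finance", 90000)])
    return conn

if __name__ == "__main__":
    db = make_db()
    print(run_request(db, "alice", "SELECT id, name FROM employees"))                   # R&D rows only
    print(run_request(db, "alice", "SELECT name, salary FROM employees"))               # None: salary hidden
    print(run_request(db, "alice", "SELECT name FROM employees WHERE salary > 100000"))  # None: hidden predicate
    print(run_request(db, "helen", "SELECT name, salary FROM employees"))               # all three rows
    print(AUDIT_LOG[-1])
```

Running the block prints Alice's two R&D rows, None for the two denied requests, Helen's unrestricted result and the last audit entry. Binding the user's attribute as a named parameter, rather than splicing it into the SQL text, is what keeps the row condition from becoming an injection point of its own; refusing anything outside the restricted grammar is what keeps the column check from being bypassed by expressions, aliases or subqueries that a fuller parser would have to understand.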

An electronic device includes a memory and one or more processors, where the memory stores executable code and the one or more processors, when executing the executable code, implement the fine-grained permission control method.

A computer-readable storage medium stores a program which, when executed by a processor, implements the fine-grained permission control method.

The beneficial effects of the present invention are:

(1) By configuring column permissions and row permissions, the present invention achieves fine-grained control over data access, and through precise permission control reduces the risk of data leakage and unauthorized access, thereby improving security.

(2) The present invention can dynamically adjust the column permission and row permission settings to adapt to changes in business needs and security policies.

(3) Through the permission configuration module and the security policy editing module, the present invention centralizes the configuration of column permissions and row permissions and the adjustment of security policies, making management more convenient.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to illustrate the technical solutions in the embodiments of the present invention more clearly, the drawings required for describing the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; for those of ordinary skill in the art, other drawings can be obtained from these drawings without creative effort.

FIG. 1 is a schematic flow chart of the fine-grained permission control method proposed in an embodiment of the present invention.

FIG. 2 is a schematic diagram of the column permission editing process of the fine-grained permission control method proposed in an embodiment of the present invention.

FIG. 3 is a schematic diagram of the row permission editing process of the fine-grained permission control method proposed in an embodiment of the present invention.

FIG. 4 is a schematic diagram of the row permission condition editing process of the fine-grained permission control method proposed in an embodiment of the present invention.

FIG. 5 is a schematic diagram of the structure of the electronic device proposed in an embodiment of the present invention.

DETAILED DESCRIPTION

In order to make the objectives, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments are described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the present application without creative effort fall within the scope of protection of the present application.

In the following description, reference is made to "one specific embodiment", which describes a subset of all possible embodiments; it is to be understood that "one specific embodiment" may describe the same or different subsets of all possible embodiments, and that these can be combined with one another where they do not conflict.

Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by those skilled in the technical field of the present invention. The terms used herein are only for the purpose of describing the embodiments of the present invention and are not intended to limit it.

Before the embodiments of the present invention are described in further detail, the nouns and terms involved in them are explained; the nouns and terms involved in the embodiments of the present invention are subject to the following explanations.

(1) SQL (Structured Query Language) is the standard computer language for managing and querying data in databases. It is feature-rich yet concise, can perform complex database operations, and has a wide range of application scenarios.

(2) A graphical user interface (GUI) is an operating-system user interface based on graphical elements (such as windows, icons, buttons and menus) through which the user interacts with the system. It allows the user to manipulate on-screen icons or menu options with an input device such as a mouse in order to select commands, open files, start programs or perform other routine tasks.

(3) A command line interface (CLI) is a user interface in which the user interacts with the computer by typing text commands on the keyboard. The user enters commands and parameters at the command line or terminal to perform operations such as creating, deleting and moving files and directories, configuring the network and running programs.

(4) Field: the vertical part of a data table, which defines the type of data in the table. Each field has a name and a data type (such as integer, string or date) that specifies what data the field can store. A field represents an attribute or characteristic in the data table; for example, in an employee table the fields include employee ID, name, age and position.

(5) Data record: the horizontal part of a data table, containing one complete row of data. Each data record is a specific instance of all the fields in the table, that is, each field has a specific value in that record. For example, in an employee table a data record contains the specific employee ID, name, age and position of one employee.

It should be noted that, where there is no conflict, the features of the following embodiments and implementations may be combined with one another.

As shown in FIG. 1, the fine-grained permission control method provided by an embodiment of the present invention specifically includes the following steps:

S1: Group users into permission groups: create different permission groups, each of which defines a specific set of data access permissions, and assign users to the corresponding permission groups. The data access permissions include individually configured access permissions for specific columns (i.e. fields) and rows (i.e. data records), namely column permissions and row permissions.

The grouping can be adjusted dynamically; specifically, administrators are allowed to regroup users flexibly as business needs or security policies change, and to assign different data access permissions to each user or permission group.

S2: Edit the column permissions of the data table. In this step, the administrator specifies access permissions for each field (column) of one or more data tables, so that only authorized users or permission groups can access or modify the data in the corresponding fields. These permission settings can be edited and updated through a graphical user interface (GUI) or a command line interface (CLI) to keep pace with changes in the organization's internal permission management needs.

As shown in FIG. 2, in the embodiment of the present invention, S2 is specifically implemented through the following sub-steps:

S201: Select a data table: the administrator selects from the database the data table for which column permissions need to be configured. This step is implemented through the GUI (the whole of S2 can be implemented through the GUI), which allows the administrator to browse the database structure and select a specific table.

S202: Associate a user or permission group: after selecting the data table, the administrator associates the column permissions of the selected data table with an individual user or a permission group. The administrator can create new permission groups, add the relevant users to them, and then associate the selected data table with the user or permission group for the subsequent permission settings.

S203: Select data table fields: after the selected data table has been associated with a user or permission group, the administrator reviews the field list provided by the interface and selects the specific fields in the data table for which column permissions need to be configured.

S204: Set field execution permissions: for each selected field, the administrator sets the specific permissions the user or permission group may exercise on that field, such as read, write, update or delete. The administrator can also define more complex column permission rules, such as field-level encryption. After setting column permissions, the administrator can use a test account to verify that the column permission settings are correct and that only authorized users can perform the corresponding operations.

After completing the column permission editing described above, the administrator saves the configuration, which is then applied to actual data access control.

In actual use, the column permission configuration also needs continuous monitoring and auditing: specifically, all data access requests are continuously monitored to ensure that they comply with the configured column permission rules, and all access attempts and operations are recorded in an audit log for subsequent review and analysis. Regular review and updating are also needed: specifically, administrators should periodically review the column permission configuration to ensure that it still meets the organization's business needs and security policies, and based on the review results they can update the column permission settings to respond to new security threats or business changes.

S3、对数据表行权限的定制化和动态编辑:除了列权限外,本方法还支持对每条数据记录的访问控制。管理员根据业务规则或数据敏感性,对数据表中的每条数据记录定义访问条件(即行权限条件),这些行权限条件由行权限编辑器生成并可以随时更新,以确保只有符合特定行权限条件的用户或权限组能够访问敏感数据或关键信息。S3. Customization and dynamic editing of data table row permissions: In addition to column permissions, this method also supports access control for each data record. Administrators define access conditions (i.e., row permission conditions) for each data record in the data table based on business rules or data sensitivity. These row permission conditions are generated by the row permission editor and can be updated at any time to ensure that only users or permission groups that meet specific row permission conditions can access sensitive data or key information.

如图3所示,本发明实施例中,行权限编辑具体通过如下子步骤实现:As shown in FIG. 3 , in the embodiment of the present invention, row permission editing is specifically implemented through the following sub-steps:

S301、选择数据表:管理员从数据库中选择需要配置行权限的数据表。该步骤通过GUI实现(整个S3都可以通过GUI实现),允许管理员浏览数据库结构并选择特定的表。S301, select data table: The administrator selects the data table for which row permissions need to be configured from the database. This step is implemented through the GUI (the entire S3 can be implemented through the GUI), allowing the administrator to browse the database structure and select a specific table.

S302、关联用户或权限组:在选定数据表后,管理员选择将选定的数据表的行权限关联到单个用户或权限组。管理员可以创建新的权限组,并将相关用户添加到这些权限组中,然后将选定的数据表与用户或权限组关联,以便进行后续的权限设置。S302, associate user or permission group: After selecting a data table, the administrator chooses to associate the row permissions of the selected data table with a single user or permission group. The administrator can create new permission groups and add relevant users to these permission groups, and then associate the selected data table with the user or permission group for subsequent permission settings.

S303、编辑行权限条件:管理员为关联的用户或权限组设置行级别的权限条件,这些行级别的权限条件基于数据表中的特定字段值,如用户ID、日期、金额等。管理员定义条件表达式,例如“用户ID等于当前登录用户ID”或“日期在特定范围内”,并测试定义的行级别的权限条件,确保它们按预期工作,只允许用户访问符合行级别的权限条件的数据行。行权限编辑器根据管理员设置的行级别的权限条件自动生成对应的SQL语句,得到行权限条件。S303. Edit row permission conditions: The administrator sets row-level permission conditions for the associated user or permission group. These row-level permission conditions are based on specific field values in the data table, such as user ID, date, amount, etc. The administrator defines conditional expressions, such as "user ID equals the current logged-in user ID" or "date is within a specific range", and tests the defined row-level permission conditions to ensure that they work as expected and only allow users to access data rows that meet the row-level permission conditions. The row permission editor automatically generates the corresponding SQL statement based on the row-level permission conditions set by the administrator to obtain the row permission conditions.

如图4所示,本发明实施例中,S303具体包括如下步骤:As shown in FIG. 4 , in the embodiment of the present invention, S303 specifically includes the following steps:

S3031、选择字段:管理员根据需要,选择数据库中需要设置行权限的字段。S3031. Select fields: The administrator selects the fields in the database for which row permissions need to be set as needed.

S3032, determining the field type: according to the attributes of the fields in the database, fields are divided into three types that admit simple operations: numeric, string and user attribute. The system determines the type of the field in advance, and the administrator may also choose the type the field belongs to as needed.

S3033, setting the field condition according to the field type:

If the field is of numeric type, for example integer, a value range can be set for the field; typically equal to, greater than, less than, greater than or equal to, less than or equal to, or a combination of intervals.

If the field is of string type, for example varchar, the field's value can be set to one of the enumerated existing values of that field in the database or to a newly added custom value, so that the field's value must equal a given string, belong to a given set of strings, or not belong to a given set of strings.

If the field is of user attribute type, for example department, the field's value can be required to equal a particular value of the corresponding attribute in the user attribute table, to belong to a set of values of that attribute, or not to belong to a set of values of that attribute.

S3034: according to the field conditions that were set, SQL conditional statements with the corresponding SQL semantics are generated. These conditional statements are used to constrain the original SQL statement when a user makes a data request.

Specifically, suppose a salary table has fields such as employee number, name and salary, and the administrator has set up permission group 1 and permission group 2. The column condition of permission group 1 on the salary table is: the employee number and name fields may be accessed; its row condition is: all rows may be accessed. The column condition of permission group 2 on the salary table is: the employee number, name and salary fields may be accessed; its row condition is: only rows whose employee number belongs to the Information Department may be accessed (the employee number is a user attribute, so the row permission condition can be restricted to employee numbers whose department field in the user attribute table has the value Information Department). In use, users in permission group 1 cannot access the salary field but can see all employees, while users in permission group 2 can access the salary field but can only see the salary data of employees in the Information Department.

S304, setting row execution permissions: based on the defined row permission conditions, the administrator sets the specific permissions that the user or permission group may execute on each row of the data table, such as read, write, update or delete. After the permissions are set, the administrator can use a test account to verify that the row permission settings are correct, ensuring that only authorized users can perform the corresponding operations.

After the above row permission editing is complete, the administrator saves the configuration, which is then applied to the actual data access control so that only the rows meeting the conditions are visible or operable to the user.

In practical use, the row permission configuration also needs continuous monitoring and auditing: all data access requests are monitored continuously to ensure that they comply with the configured row permission conditions, and every access attempt and operation is recorded in the audit log for later review and analysis. Regular review and updating are also required: the administrator should review the row permission configuration periodically to ensure that it still matches the organization's security policy and business needs, and update the row permission settings according to the review results to respond to new security threats or business changes.

S4: checking permissions for and parsing the user's data request: when a user submits a data request (such as a query, update or delete operation), the SQL statement in the request is parsed. Based on the column permissions defined in S2 and the row permissions defined in S3, it is determined whether the request is granted data access; if so, the SQL statement is executed, otherwise it is not. This process includes verifying the identity and permissions of the requester (the user), so that only users with sufficient permissions can access or modify the data.
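As an added illustration (example code written for this page, not part of the patent or the applicant's implementation), the following Python script carries the salary-table example of S3033/S3034 and the check of S4 through in code: each of the three field-condition types becomes a parameterised SQL fragment, a request naming a column outside the group's column permission is refused, and the row permission conditions are appended to the permitted query. The table and column names, the in-memory SQLite database and the sample rows are all constructed for the example.

```python
import re
import sqlite3
from dataclasses import dataclass, field

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def ident(name: str) -> str:
    """Only administrator-configured names that are plain SQL identifiers reach the query text."""
    if not IDENT.match(name):
        raise ValueError(f"bad identifier: {name!r}")
    return name


@dataclass
class RowCondition:
    """One field condition from S3033; kind is 'numeric', 'string' or 'user_attr'."""
    kind: str
    column: str
    op: str            # numeric: = > < >= <= ; string / user_attr: = | in | not in
    values: tuple
    attr: str = ""     # user_attr only: attribute column of the user attribute table


@dataclass
class GroupPolicy:
    """Column permission (S2) and row permission conditions (S3) of one permission group."""
    columns: frozenset
    row_conditions: list = field(default_factory=list)


def condition_sql(c: RowCondition):
    """S3034: turn one field condition into a parameterised SQL fragment plus its parameters."""
    col = ident(c.column)
    marks = ",".join("?" * len(c.values))
    if c.kind == "numeric":
        if c.op not in {"=", ">", "<", ">=", "<="} or len(c.values) != 1:
            raise ValueError("numeric condition needs one comparison operator and one value")
        return f"{col} {c.op} ?", list(c.values)
    if c.kind not in {"string", "user_attr"} or c.op not in {"=", "in", "not in"} or not c.values:
        raise ValueError("unsupported condition")
    if c.op == "=" and len(c.values) != 1:
        raise ValueError("'=' takes exactly one value")
    neg = "NOT " if c.op == "not in" else ""
    if c.kind == "string":
        # Enumerated existing values of the field, or custom values added by the administrator.
        if c.op == "=":
            return f"{col} = ?", list(c.values)
        return f"{col} {neg}IN ({marks})", list(c.values)
    # user_attr: the field holds a user key; the check is on that user's attribute, not the field.
    sub = f"SELECT employee_no FROM user_attr WHERE {ident(c.attr)} IN ({marks})"
    return f"{col} {neg}IN ({sub})", list(c.values)


def authorize(policy: GroupPolicy, table: str, requested: list):
    """S4: refuse the request if any requested column is outside the group's column permission,
    otherwise return (sql, params) with every row permission condition ANDed in.
    The user's own WHERE clause is assumed to be handled by the SQL parsing module and is omitted."""
    denied = [c for c in requested if c not in policy.columns]
    if denied:
        raise PermissionError(f"columns not permitted: {denied}")
    frags, params = [], []
    for cond in policy.row_conditions:
        frag, p = condition_sql(cond)
        frags.append(f"({frag})")
        params.extend(p)
    sql = f"SELECT {', '.join(ident(c) for c in requested)} FROM {ident(table)}"
    if frags:
        sql += " WHERE " + " AND ".join(frags)
    return sql, params


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: the salary table and the user attribute table it is checked against."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE salary(employee_no TEXT, name TEXT, salary INTEGER);
        CREATE TABLE user_attr(employee_no TEXT, department TEXT);
        INSERT INTO salary VALUES ('E001','Ann',9000),('E002','Bo',7000),('E003','Cy',8000);
        INSERT INTO user_attr VALUES ('E001','Information'),('E002','Finance'),('E003','Information');
    """)
    return conn


# The two permission groups of the salary example, plus a third showing numeric and string conditions.
GROUP1 = GroupPolicy(columns=frozenset({"employee_no", "name"}))
GROUP2 = GroupPolicy(
    columns=frozenset({"employee_no", "name", "salary"}),
    row_conditions=[RowCondition("user_attr", "employee_no", "in", ("Information",), attr="department")],
)
GROUP3 = GroupPolicy(
    columns=frozenset({"employee_no", "name", "salary"}),
    row_conditions=[RowCondition("numeric", "salary", ">=", (8000,)),
                    RowCondition("string", "name", "not in", ("Cy",))],
)


def fetch(conn: sqlite3.Connection, policy: GroupPolicy, requested: list) -> list:
    """Run an authorised request and return the rows sorted by their first column."""
    sql, params = authorize(policy, "salary", requested)
    return sorted(conn.execute(sql, params).fetchall())
```

Calling `fetch(build_demo_db(), GROUP1, ["employee_no", "salary"])` raises `PermissionError`, while group 2 sees only the two Information Department rows.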

Dynamic permission management and policy updates: this fine-grained permission control method supports real-time permission changes and security policy updates (that is, batches of permission changes) without restarting the database or the application. This gives administrators great flexibility to adapt to changes in organizational structure, role changes or security policy adjustments.

On this basis, to implement the above fine-grained permission control method, this embodiment further provides a fine-grained permission control device comprising a permission configuration module, a security policy editing module, an identity authentication module, an SQL parsing module, an access control module, a log and audit module, and an interface management module. The administrator performs permission configuration through the interface displayed by the interface management module; this configuration is carried out by the permission configuration module and the security policy editing module. When a user makes a data request, the SQL parsing module parses and transforms it, the identity authentication module verifies the permissions the user holds, and the access control module decides, according to those permissions, whether the SQL operation is executed. All data requests made by users, and all executions, are recorded by the log and audit module.

Specifically, the permission configuration module is used to define and manage the data access permissions of users and of the permission groups they belong to; through this module the administrator groups users and assigns them different column and row permissions.

The security policy editing module is used to edit and update security policies in real time; through it the administrator creates and modifies the row permission conditions and column permissions of data tables.

The identity authentication module is used to verify the identity and permissions of the user who issues a data request.

The SQL parsing module is used to parse the SQL statement of the data request initiated by the user and to splice in the SQL statements of the row permission conditions and column permissions. It also checks the compatibility of the SQL request with the current permission configuration, ensuring that all database operations comply with the security policy.

The access control module is used to check the compatibility of the user's data request SQL statement with the current permission configuration and to make the access control decision based on that configuration, that is, to decide according to the user's permissions whether the SQL operation is allowed to execute.

The log and audit module is used to record all data requests made by users (including access and operation attempts) for subsequent monitoring and security auditing.

The interface management module is used to provide a user-friendly interface through which the administrator can conveniently configure permissions and security policies and monitor the system status.

The present invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above fine-grained permission control method.

The present invention also provides an electronic device as shown in FIG. 5. At the hardware level, this electronic device for editing and controlling permissions includes a processor, an internal bus, a network interface, memory and non-volatile storage, and may of course also include hardware required by other services. The processor reads the corresponding computer program from the non-volatile storage into memory and runs it to implement the above fine-grained permission control method. Besides a software implementation, the present invention does not exclude other implementations such as logic devices or a combination of software and hardware; that is, the entity executing the following processing flow is not limited to the individual logic units and may also be hardware or a logic device.

The systems, devices, modules or units set forth in the above embodiments may be implemented by computer chips or entities, or by products having certain functions. A typical implementing device is a computer. Specifically, the computer may be a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, e-mail device, game console, tablet computer, wearable device, or any combination of these devices.

For convenience of description, the above device is described in terms of units divided by function. Of course, when implementing the present invention, the functions of the units may be realized in a single piece of software and/or hardware or across several.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-readable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention is described with reference to flowcharts and/or block diagrams of methods, devices (systems) and computer program products according to embodiments of the invention. It should be understood that each flow and/or block in the flowcharts and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions may be provided to the processor of a general-purpose computer, special-purpose computer, embedded processor or other programmable data processing device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing device produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to operate in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

These computer program instructions may also be loaded onto a computer or other programmable data processing device so that a series of operational steps is performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces and memory.

The memory may include non-persistent memory in a computer-readable medium, random access memory (RAM), and/or non-volatile memory such as read-only memory (ROM) or flash RAM. Memory is an example of a computer-readable medium.

Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape or disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory media such as modulated data signals and carrier waves.

It should also be noted that the terms "comprise", "include" or any other variant thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Absent further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises that element.

Those skilled in the art will appreciate that embodiments of the present invention may be provided as a method, a system or a computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Moreover, the present invention may take the form of a computer program product embodied on one or more computer-readable storage media (including but not limited to disk storage, CD-ROM and optical storage) containing computer-usable program code.

The present invention may be described in the general context of computer-executable instructions, such as program modules, executed by a computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices connected through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.

The embodiments of the present invention are described progressively; each embodiment focuses on its differences from the others, and the same or similar parts may be understood by reference to one another. In particular, since the system embodiment is basically similar to the method embodiment, it is described more briefly and the relevant parts may be understood by reference to the description of the method embodiment.

The above is merely an embodiment of the present invention and is not intended to limit it. Those skilled in the art may make various changes and variations to the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall fall within the scope of the claims of the present invention.

Claims (10)

1. A fine-grained permission control method, characterized by comprising the steps of:
S1: grouping users into permission groups, wherein different permission groups have different data access permissions, and the data access permissions comprise column permissions and row permissions;
S2: editing the column permissions of a data table: for each field in the data table, namely each column, one or more permission groups are respectively associated, and only the associated permission groups have execution permission on the field; the execution permission comprises reading, writing, updating and deleting; when the security policy is updated, the column permissions are dynamically edited;
S3: editing the row permissions of the data table: for each data record in the data table, namely each row, one or more permission groups are respectively associated, and only associated permission groups that satisfy the row permission conditions of the corresponding row have execution permission on the data record; the row permission conditions are generated according to business rules or data sensitivity; when the security policy is updated, the row permission conditions are dynamically updated and the row permissions are dynamically edited;
S4: parsing the SQL statement of the data request initiated by a user, verifying according to the set column permissions and row permissions whether the user has permission on the corresponding data, and executing the data request if the user has permission on the corresponding data; otherwise, not executing it.
2. The fine-grained permission control method according to claim 1, characterized in that S2 is realized by the sub-steps of:
S201: selecting from a database a data table for which column permissions need to be configured;
S202: associating the column permissions of the selected data table with one or more permission groups;
S203: selecting the specific fields in the data table for which column permissions need to be configured;
S204: for each selected field, setting the execution permission of one or more permission groups on that field.
3. The fine-grained permission control method according to claim 2, characterized in that in S202, if the existing permission groups cannot satisfy the column permission association requirement, a new permission group is created, the users whose column permissions need to be associated are added to the new permission group, and the column permissions of the selected data table are associated with the new permission group.
4. The fine-grained permission control method according to claim 1, characterized in that S3 is realized by the sub-steps of:
S301: selecting from a database a data table for which row permissions need to be configured;
S302: associating the row permissions of the selected data table with one or more permission groups;
S303: editing row permission conditions: setting row permission conditions for the associated permission groups, wherein the row permission conditions are SQL statements corresponding to conditional expressions based on specific field values in the data table;
S304: setting row execution permissions: setting the execution permission of the permission groups on each row of the data table based on the defined row permission conditions.
5. The fine-grained permission control method according to claim 4, characterized in that in S302, if the existing permission groups cannot satisfy the row permission association requirement, a new permission group is created, the users whose row permissions need to be associated are added to the new permission group, and the row permissions of the selected data table are associated with the new permission group.
6. The fine-grained permission control method according to claim 4, characterized in that S303 specifically comprises the steps of:
S3031: selecting, as needed, the field in the database on which row permissions are to be set;
S3032: determining the type of the selected field, wherein fields in the database are classified according to their attributes into a numeric class, a string class and a user attribute class, and the selected field is assigned to the corresponding class according to its attributes;
S3033: setting the field condition according to the class to which the field belongs:
if the field is of the numeric class, setting a value range for the field;
if the field is of the string class, using an enumerated existing value of the field in the database or a newly added custom value so that the value of the field equals a certain string, belongs to a certain set of strings, or does not belong to a certain set of strings;
if the field is of the user attribute class, setting the value of the field to equal a certain value of the corresponding attribute in the user attribute table, to belong to a set of certain values of the corresponding attribute in the user attribute table, or not to belong to a set of certain values of the corresponding attribute in the user attribute table;
S3034: generating SQL conditional statements with the corresponding SQL semantics according to the set field conditions, to obtain the row permission conditions.
7. The fine-grained permission control method according to claim 1, characterized in that the administrator performs S2 and S3 through a graphical user interface or a command line interface.
8. A fine-grained permission control device for implementing the fine-grained permission control method according to any one of claims 1 to 7, characterized by comprising: a permission configuration module, a security policy editing module, an identity authentication module, an SQL parsing module, an access control module, a log and audit module and an interface management module;
the permission configuration module is used for defining and managing the data access permissions of users and of the permission groups to which they belong, and an administrator divides users into different permission groups and assigns different column permissions and row permissions through this module;
the security policy editing module is used for editing and updating the security policy in real time, and an administrator creates and modifies the row permission conditions and column permissions of data tables through this module;
the identity authentication module is used for verifying the identity of the user sending a data request and the data access permissions the user holds;
the SQL parsing module is used for parsing the SQL statement of the data request initiated by the user and splicing in the SQL statements of the row permission conditions and column permissions;
the access control module is used for checking the compatibility of the data request SQL statement initiated by the user with the current permission configuration and deciding, according to the user's permissions, whether the SQL operation is allowed to execute;
the log and audit module is used for recording all data requests made by users;
the interface management module is used for providing a visual interface through which an administrator configures permissions and security policies and monitors the system state.
9. An electronic device comprising a memory and one or more processors, the memory having executable code stored therein, the one or more processors being configured to implement the fine-grained permission control method of any one of claims 1 to 7 when executing the executable code.
10. A computer-readable storage medium having stored thereon a program which, when executed by a processor, implements the fine-grained permission control method of any one of claims 1 to 7.
Application CN202411282075.3A (priority date 2024-09-13, filing date 2024-09-13): A fine-grained permission control method, device, equipment and storage medium; status pending; published as CN118797747A.

Publication: CN118797747A, published 2024-10-18.



Legal Events

PB01: Publication (application publication date 2024-10-18)
SE01: Entry into force of request for substantive examination
RJ01: Rejection of invention patent application after publication