CN110135146B - Database authority management method - Google Patents
Database authority management method
- Publication number
- CN110135146B (application CN201910359595.2A)
- Authority
- CN
- China
- Prior art keywords
- security
- administrator
- database
- users
- auditor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/21—Design, administration or maintenance of databases
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Databases & Information Systems (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Data Mining & Analysis (AREA)
- Storage Device Security (AREA)
Abstract
The invention provides a database permission management method and system with three administrative users: a system administrator, a security administrator and an auditor. The three hold different management permissions and constrain one another. The security administrator assigns security roles to each business user, each security role carries different permissions, and a user can access the database only after activating a security role with a security credential (such as a password or digital certificate) provided by an application system. The invention offers a more secure and more convenient approach to database permission management, with good security performance and application prospects.
Description
Technical Field
The invention relates to the technical field of database security management, in particular to a database authority management method.
Background
A traditional database system has a root administrator who holds every permission in the database, so once the root administrator's account is stolen, any data in the database can leak. To keep the root administrator from holding excessive permissions and to further improve the database's security and day-to-day security management, database permissions need to be managed in a decentralized way.
In a traditional database, a user gains access by entering a user name and password, and multi-tier application systems all connect to the database as a single shared user. On the one hand, that user's password is stored insecurely on a server and is easily leaked; on the other hand, the user holds excessive permissions, which hinders separating permissions between different application systems.
Disclosure of Invention
In view of the above, the present invention provides a database permission management method and system that effectively weakens and disperses the root administrator's permissions and ties user access permissions to an application system security credential (e.g., a password or a digital certificate).
The technical solution of the invention is realized as follows: the invention provides a database permission management method comprising the following steps:
step one, pre-creating three users during system initialization, namely a system administrator, a security administrator and an auditor;
step two, pre-creating three security attributes during system initialization and granting them to the system administrator, the security administrator and the auditor respectively, the three security attributes corresponding to the management permissions of the three subsystems;
step three, assigning all permissions on the data table to the security administrator during system initialization, the security administrator being responsible for transferring those permissions;
step four, disabling the system's original superuser root during system initialization;
step five, the system administrator creates users, database tables and system resources, and the security administrator allocates database permissions to the users and assigns security roles to them;
step six, the security administrator configures the database access control policy and configures a role activation credential requirement for a security role;
step seven, the user connects to the database, requests activation of a security role using the role activation credential configured by the security administrator, and accesses data;
and step eight, the auditor reviews the operation records of the users, the system administrator and the security administrator.
On the basis of the above technical solution, preferably, in the second step, the three security attributes are a system administrator security attribute, a security administrator security attribute, and an auditor security attribute, respectively.
On the basis of the above technical solution, preferably, in step two, the system administrator manages the creation of all resources in the database system, the granting of discretionary access control permissions, and role assignment; the system administrator holds the system administrator security attribute and can only perform system management operations, not access database data.
On the basis of the above technical solution, preferably, in step two, the security administrator is configured to manage attribute access control, specify attributes of the user, the database, and the table, and formulate a security access control policy, where the security administrator has security attributes of the security administrator, and can only perform security management operations, but cannot access database data.
Preferably, in the second step, the auditor is responsible for auditing the operations of all users in the database, where all users include a system administrator and a security administrator, and the auditor has the security attribute of the auditor, and can only perform the auditing operation, but cannot access the database data.
On the basis of the technical scheme, preferably, the three security attributes are incompatible with each other, the authorities of a system administrator, a security administrator and an auditor are independent from each other, and users with the security attributes can only perform management operation and cannot access database table data.
On the basis of the above technical solution, preferably, after logging in to the database system a user holds only the connection permission, and obtains permission to access database tables only after acquiring a security credential and using it to activate a security role.
The invention also provides a database permission management system comprising users, a system administrator module, a security administrator module and an auditor module, wherein the system administrator module manages the users and assigns permissions to the security administrator module and the auditor module, the security administrator module formulates access policies for the users and generates security role activation credentials, and the auditor module oversees the operations of the users, the system administrator module and the security administrator module.
On the basis of the technical scheme, preferably, the system administrator module further comprises a user management module, a resource management module and a data table module, wherein the user management module is used for creating users and distributing database permissions to the users, the resource management module is used for creating and managing database table resources, and the data table module is used for distributing the data table permissions to the security administrator module and the auditor module.
On the basis of the above technical solution, preferably, the security administrator module further includes a policy management module and a security role credential module, where the policy management module is configured to configure a database access control policy, and the security role credential module is configured to configure a security role and configure a credential requirement for activating the security role.
Compared with the prior art, the database authority management method and the database authority management system have the following beneficial effects:
(1) the database permission management method and system provide an approach to permission management: the database administrator account's permissions are weakened and account management is divided among three accounts, each of which obtains one or more independent and unique management permissions. Managing permissions independently across three accounts reduces the security risk of single-account management;
(2) the database permission management method and system separate a user's connection permission from the database access permission. After the user connects to the database, a connection buffer pool is established to guarantee a high-speed data access channel, and each application system obtains dynamic permissions distinct from those of other application systems by activating with its own security credential, such as a password or digital certificate.
Drawings
To illustrate the embodiments of the present invention or the prior-art technical solutions more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the present invention; those skilled in the art can derive other drawings from them without creative effort.
FIG. 1 is a management block diagram of a user in the database privilege management method of the present invention;
FIG. 2 is a connection block diagram of each functional module in the database privilege management system of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without any inventive step based on the embodiments of the present invention, are within the scope of the present invention.
As shown in FIG. 1, the database permission management method of the present invention includes the following steps:
step one, pre-creating three users during system initialization, namely a system administrator, a security administrator and an auditor;
step two, pre-creating three security attributes during system initialization and granting them to the system administrator, the security administrator and the auditor respectively, the three security attributes corresponding to the management permissions of the three subsystems;
step three, assigning all permissions on the data table to the security administrator during system initialization, the security administrator being responsible for transferring those permissions;
step four, disabling the system's original superuser root during system initialization;
step five, the system administrator creates users, database tables and system resources, and the security administrator allocates database permissions to the users and assigns security roles to them;
step six, the security administrator configures the database access control policy and configures a role activation credential requirement for a security role;
step seven, the user connects to the database, requests activation of a security role using the role activation credential configured by the security administrator, and accesses data;
and step eight, the auditor reviews the operation records of the users, the system administrator and the security administrator.
In the above embodiment, where a conventional database is managed by a single administrative user, the present invention divides that user into three administrative users, assigns all permissions on the attribute access control model data table to the security administrator, and has the security administrator control attribute access in the database. The three security attributes restrict each administrator user to its corresponding management operations and prevent it from accessing data in the database tables.
In a specific embodiment, in the second step, the three security attributes are a system administrator security attribute, a security administrator security attribute, and an auditor security attribute, respectively.
In a specific embodiment, in step two, the system administrator manages the creation of all resources in the database system, the granting of discretionary access control permissions, and role assignment; the system administrator holds the system administrator security attribute and can only perform system management operations, not access database data.
In the above embodiment, the system administrator manages resources and users: resources in the database must be created by the system administrator, users must first be placed under discretionary access control, and the system administrator can grant discretionary access control permissions and assign roles to users.
In a specific embodiment, in step two, the security administrator is configured to manage attribute access control, specify attributes of the user, the database, and the table, and formulate a security access control policy, where the security administrator has security attributes of the security administrator, and can only perform security management operations, but cannot access database data.
In the above embodiment, the security administrator manages attribute access control: it can define the attributes of the database's resources and users and formulate the corresponding security access control policies from those attributes, thereby refining users' access permissions, making security access management finer-grained, and improving data security.
In a specific implementation manner, in the second step, the auditor is responsible for auditing the operations of all users in the database, wherein all users include a system administrator and a security administrator, and the auditor has the security attribute of the auditor, can only execute the auditing operation, and cannot access the database data.
In the above embodiment, the auditor mainly oversees the operations of users and can also oversee the operations of the system administrator and the security administrator, which constrains those two administrators and guards against theft of their accounts. At the same time, the auditor can only oversee operations and cannot actually operate on resources in the database.
In the above embodiment, the system administrator, the security administrator and the auditor are each responsible for their own permissions, which do not conflict with one another; unless all three accounts are stolen at the same time, the resources of the database cannot be disclosed.
In a specific implementation mode, the three security attributes are incompatible with each other, the permissions of a system administrator, a security administrator and an auditor are independent from each other, and users with the security attributes can only perform management operation and cannot access database table data.
In a specific embodiment, after logging in to the database system a user holds only the connection permission, and obtains permission to access database tables only after acquiring a security credential and using it to activate a security role.
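The eight steps and the connection-only login described above, modelled in Python as an added example (not code from the patent, which names no DBMS). The account names `sysadmin`, `secadmin` and `auditor`, the `billing_app` user, the `invoices` table, the `billing_rw` role and the PBKDF2 storage of the activation credential are all assumptions of this example.

```python
import hashlib
import hmac
import os
from contextlib import suppress

SYS, SEC, AUD = "system_admin", "security_admin", "auditor"  # the three security attributes

def kdf(secret, salt):  # only a salted, stretched digest of the credential is stored
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class Database:
    def __init__(self):
        # Steps 1, 2 and 4: one attribute per administrator; root keeps none (disabled).
        self.attrs = {"sysadmin": SYS, "secadmin": SEC, "auditor": AUD, "root": None}
        self.users, self.tables, self.audit_log = set(), {}, []
        self.role_perms, self.role_cred, self.user_roles = {}, {}, {}

    def log(self, actor, op, ok):
        self.audit_log.append((actor, op, ok))  # record first, then enforce
        if not ok:
            raise PermissionError(f"{actor}: {op}")

    def create_user(self, actor, name):  # step 5: system administrator only; admin names reserved
        self.log(actor, f"create_user {name}", self.attrs.get(actor) == SYS and name not in self.attrs)
        self.users.add(name)

    def create_table(self, actor, table):  # step 5: system administrator only
        self.log(actor, f"create_table {table}", self.attrs.get(actor) == SYS)
        self.tables[table] = []

    def define_role(self, actor, role, perms, credential):  # steps 3 and 6
        self.log(actor, f"define_role {role}", self.attrs.get(actor) == SEC)
        salt = os.urandom(16)
        self.role_perms[role] = set(perms)
        self.role_cred[role] = (salt, kdf(credential, salt))

    def assign_role(self, actor, user, role):  # step 5: security administrator only
        ok = self.attrs.get(actor) == SEC and user in self.users and role in self.role_perms
        self.log(actor, f"assign_role {role} to {user}", ok)
        self.user_roles.setdefault(user, set()).add(role)

    def connect(self, user):  # step 7: logging in grants the connection right only
        self.log(user, "connect", user in self.users)
        return Session(self, user)

    def read_audit(self, actor):  # step 8: auditor only
        self.log(actor, "read_audit", self.attrs.get(actor) == AUD)
        return list(self.audit_log)

class Session:
    def __init__(self, db, user):
        self.db, self.user, self.active = db, user, set()

    def activate_role(self, role, credential):
        salt, digest = self.db.role_cred.get(role, (b"", b""))
        ok = (role in self.db.user_roles.get(self.user, ())
              and hmac.compare_digest(kdf(credential, salt), digest))
        self.db.log(self.user, f"activate_role {role}", ok)
        self.active.add(role)

    def access(self, table, action, row=None):
        ok = table in self.db.tables and any(
            (table, action) in self.db.role_perms[r] for r in self.active)
        self.db.log(self.user, f"{action} {table}", ok)
        if action == "insert":
            self.db.tables[table].append(row)
        return list(self.db.tables[table])

def demo():
    db = Database()
    db.create_user("sysadmin", "billing_app")  # every name and secret here is constructed
    db.create_table("sysadmin", "invoices")
    db.define_role("secadmin", "billing_rw",
                   {("invoices", "select"), ("invoices", "insert")}, "constructed-secret")
    db.assign_role("secadmin", "billing_app", "billing_rw")
    s = db.connect("billing_app")
    for refused in (lambda: s.access("invoices", "select"),          # no role active yet
                    lambda: s.activate_role("billing_rw", "guess"),  # wrong credential
                    lambda: db.create_user("root", "intruder"),      # root is disabled
                    lambda: db.assign_role("sysadmin", "billing_app", "billing_rw"),
                    lambda: db.connect("secadmin")):                 # no data session for admins
        with suppress(PermissionError):
            refused()
    s.activate_role("billing_rw", "constructed-secret")
    s.access("invoices", "insert", {"id": 1, "amount": 40})
    return s.access("invoices", "select"), db.read_audit("auditor")

if __name__ == "__main__":
    print(demo())
```

Every refused operation is written to the audit log before the exception is raised, so the auditor sees denied attempts as well as successful ones.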
As shown in fig. 2, the present invention further provides a database permission management system, which includes a user, a system administrator module, a security administrator module, and an auditor module, wherein the system administrator module is configured to manage the user and perform permission assignment on the security administrator module and the auditor module, the security administrator module is configured to make an access policy for the user and generate a security role activation credential, and the auditor module is configured to manage operations of the user, the system administrator module, and the security administrator module.
In a specific implementation manner, the system administrator module further includes a user management module, a resource management module and a data table module, the user management module is used for creating users and allocating database permissions to the users, the resource management module is used for creating and managing database table resources, and the data table module is used for allocating the data table permissions to the security administrator module and the auditor module.
In a specific embodiment, the security administrator module further includes a policy management module and a security role credential module, where the policy management module is configured to configure a database access control policy, and the security role credential module is configured to configure a security role and configure a credential requirement for activating the security role.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.
Claims (5)
1. A database permission management method, characterized by comprising the following steps:
step one, pre-creating three users during system initialization, namely a system administrator, a security administrator and an auditor;
step two, pre-creating three security attributes during system initialization, namely a system administrator security attribute, a security administrator security attribute and an auditor security attribute, and granting them to the system administrator, the security administrator and the auditor respectively, the three security attributes corresponding to the management permissions of the three subsystems; after logging in to the database system, a user holds only the connection permission, and obtains permission to access database tables only after acquiring a security credential and using it to activate a security role;
step three, assigning all permissions on the data table to the security administrator during system initialization, the security administrator being responsible for transferring those permissions;
step four, disabling the system's original superuser root during system initialization;
step five, the system administrator creates users, database tables and system resources, and the security administrator allocates database permissions to the users and assigns security roles to them;
step six, the security administrator configures the database access control policy and configures a role activation credential requirement for a security role;
step seven, the user connects to the database, requests activation of a security role using the role activation credential configured by the security administrator, and accesses data;
and step eight, the auditor reviews the operation records of the users, the system administrator and the security administrator.
2. The database permission management method according to claim 1, wherein in step two, the system administrator is configured to manage creation of all resources in the database system, granting of discretionary access control permissions, and role assignment, and the system administrator holds the system administrator security attribute and is only capable of performing system management operations, not of accessing database data.
3. The database permission management method according to claim 1, wherein in step two, the security administrator is used for managing attribute access control, specifying attributes of users, databases and tables, and making a security access control policy, and the security administrator has security attributes of the security administrator, and can only perform security management operations, but cannot access database data.
4. The database permission management method according to claim 1, wherein in the second step, the auditor is responsible for auditing the operations of all users in the database, wherein all users include a system administrator and a security administrator, and the auditor has the security attribute of the auditor, and can only perform the auditing operations and cannot access the database data.
5. The database permission management method of claim 1, wherein the three security attributes are incompatible with each other, permissions of a system administrator, a security administrator and an auditor are independent from each other, and a user having the security attribute can only perform management operation and cannot access database table data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910359595.2A CN110135146B (en) | 2019-04-29 | 2019-04-29 | Database authority management method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110135146A (en) | 2019-08-16 |
| CN110135146B (en) | 2021-04-02 |
Family
ID=67575881
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910359595.2A Active CN110135146B (en) | 2019-04-29 | 2019-04-29 | Database authority management method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110135146B (en) |
Families Citing this family (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110417820A (en) * | 2019-09-05 | 2019-11-05 | 曙光信息产业(北京)有限公司 | Processing method, device and the readable storage medium storing program for executing of single-node login system |
| CN111222161A (en) * | 2019-12-31 | 2020-06-02 | 航天信息股份有限公司 | A kind of picture library management method and device based on authority control |
| CN111914295A (en) * | 2020-08-04 | 2020-11-10 | 北京金山云网络技术有限公司 | Database access control method and device and electronic equipment |
| CN115563635A (en) * | 2022-09-30 | 2023-01-03 | 浙江云趣网络科技有限公司 | Database security management and control device, electronic equipment and readable storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1858740A (en) * | 2006-05-31 | 2006-11-08 | 武汉华工达梦数据库有限公司 | 'Three powers separation' safety method for data bank safety management |
| CN102184355A (en) * | 2011-04-11 | 2011-09-14 | 浪潮电子信息产业股份有限公司 | Method for realizing separation of three powers by using kernel technology |
| CN102411689A (en) * | 2011-12-21 | 2012-04-11 | 北京人大金仓信息技术股份有限公司 | Method for controlling authority of database administrator |
| CN102891840A (en) * | 2012-06-12 | 2013-01-23 | 北京可信华泰信息技术有限公司 | Three power separation-based information security management system and information security management method |
| CN103838719A (en) * | 2012-11-20 | 2014-06-04 | 镇江鼎拓科技信息有限公司 | Design method for database connection middleware |
| CN106850512A (en) * | 2015-12-07 | 2017-06-13 | 北京航天长峰科技工业集团有限公司 | A kind of information system design method for meeting cascade protection requirement |
| CN108881108A (en) * | 2017-05-09 | 2018-11-23 | 北京京东尚科信息技术有限公司 | The method and apparatus of rights management |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7032241B1 (en) * | 2000-02-22 | 2006-04-18 | Microsoft Corporation | Methods and systems for accessing networks, methods and systems for accessing the internet |
| US7844829B2 (en) * | 2006-01-18 | 2010-11-30 | Sybase, Inc. | Secured database system with built-in antivirus protection |
| CN107392051A (en) * | 2017-07-28 | 2017-11-24 | 北京明朝万达科技股份有限公司 | A kind of big data processing method and system |
| CN109298929B (en) * | 2018-10-12 | 2024-07-16 | 平安科技(深圳)有限公司 | Timed task execution time recommending method, device, equipment and storage medium |
Non-Patent Citations (1)
| Title |
|---|
| "DBMS的安全管理" (Security Management of DBMS); Zhu Hong et al.; 《计算机工程与应用》 (Computer Engineering and Applications); 20001231; see sections 1-3 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110135146A (en) | 2019-08-16 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |