CN101976316B - Information access authority control method - Google Patents


Publication number
CN101976316B
Authority
CN
China
Prior art keywords
sql
rule
authority
filtering rule
content
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN 201010521592
Other languages
Chinese (zh)
Other versions
CN101976316A (en)
Inventor
李伯鸣
叶俊强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou new China and the big Polytron Technologies Inc
Original Assignee
HANGZHOU NEWGRAND SOFTWARE CO Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by HANGZHOU NEWGRAND SOFTWARE CO Ltd filed Critical HANGZHOU NEWGRAND SOFTWARE CO Ltd
Priority to CN 201010521592 priority Critical patent/CN101976316B/en
Publication of CN101976316A publication Critical patent/CN101976316A/en
Application granted granted Critical
Publication of CN101976316B publication Critical patent/CN101976316B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical


Landscapes

  • Storage Device Security (AREA)

Abstract

The invention is mainly applied to information management systems and relates to a method for applying authority control to any single record or batch of records of any table. It increases the flexibility of authority control over operators in order to achieve information security, and supplements the authority control of the information management system. The method comprises the following steps: (1) registering the table object of content authority; (2) setting the filtering rule of the content authority and saving the filtering rule in a database; (3) assigning the filtering rule to a user who needs the content authority; and (4) filtering data and returning it to the user through a program at the relevant service point, according to the registered table object and the filtering rule input by the user. The invention is simple to implement, is minimally invasive to program code, and can apply authority filtering to a service without affecting the programmer's normal development flow.

Description

An information access authority control method
Technical field
The present invention relates to an information access authority control method, that is, a method for applying authority control to any single record or batch of records of any table. It is mainly used in information management systems, where it increases the flexibility of authority control over operators and thereby serves information security; it supplements the authority control of the information management system.
Background art
The 21st century is the age of information technology. Rapidly developing computer technology entered the field of enterprise management long ago, assisting in managing an enterprise's means of production and production plans, and even providing an important reference basis for decisions on business strategy. Computer-aided enterprise management has helped all kinds of small and medium-sized enterprises grow stronger and develop gradually into large or even very large enterprises. To sustain this rapid development, people have placed higher and more comprehensive demands on the level of management, and information security has become particularly important.
At present, two authority control methods are in common use: function authority and content authority.
Function authority is relatively simple to implement. Most current management systems already have fairly flexible implementations for controlling function points or for role-based management. By applying the principle of addition and combining roles, they can cope with the complex function authority requirements raised by enterprise customers. For example, a company's clerk belongs to the data-entry role and is responsible for entering basic information but cannot view the company's important reports, whereas a company leader belongs to the decision-maker role and is allowed to view those reports. Controlling whether a function is available in this way is the widely used method in this field, and it is usually called function authority.
Content authority addresses the case where different users see different data content under the same function point; it is a form of data isolation. For example, three operators A, B and C all have the authority to enter information, but A and B can each see only the information they entered themselves, while C, as B's leader, can see the information entered by subordinate B in addition to C's own. Content authority is considerably more complex, so it is hard to let users customize it flexibly according to their own needs. Every enterprise has a different management system, so without a content authority filtering method that can be customized flexibly, the enterprise can only rely on secondary development by the software vendor, which adds a large cost to deploying the management system. A method for user-defined content authority would therefore be an important supplement to content authority control in management systems.
Summary of the invention
The present invention solves the technical problem existing in the prior art and provides an information access authority control method.
The above technical problem is mainly solved by the following technical solution: an information access authority control method, characterized in that the control method comprises the following steps: ⑴ register the table object of content authority; ⑵ set the filtering rule of the content authority and save this filtering rule in the database; ⑶ assign the above filtering rule to the user who needs the content authority; ⑷ the program at the relevant service point filters the data according to the registered table object and the filtering rule input by the user, and returns the data to the user; that is, it analyzes the three necessary conditions determined by the preceding three steps, converts them into an SQL statement, and merges it with the incoming SQL statement to form a new SQL statement. This algorithm is in effect a kind of "hijacking" of the business-layer code. It is very simple to implement, is minimally invasive to program code, and can apply authority filtering to a service without affecting the programmer's normal development flow.
In step ⑴, the content authority registration is made in advance in the preset database before the information management system is released. A content authority filtering switch is turned on wherever the corresponding module needs filtering, and the program decides whether to enable the content authority filtering algorithm according to whether this switch is on or off.
In step ⑵, the user input that needs to be saved comprises the id of the referenced rule base data, the operator, the rule definition data and the logical operator.
In step ⑶, the authority administrator configures different content authority filtering rules through step ⑵ as required, and then assigns these rules to the corresponding operators or roles.
Step ⑷ is specifically:
First step: analyze whether the SQL statement is a statement combined by UNION or UNION ALL. If so, separate the parallel SQL clauses joined by UNION one by one and save them in an array; these clauses are processed one by one in the later steps. If the statement does not contain UNION, return the SQL statement itself directly;
Second step: further decompose the SQL clause from step one. Use the keywords FROM, WHERE, GROUP, HAVING and ORDER to split the SQL statement into several parts, and parse out the table name and the initial filter condition from them. If the statement contains JOIN information, use the positions of JOIN and ON to further parse out the names of the joined tables. This yields the content of each component of the SQL clause; the parts obtained in this step are used in the following steps;
Third step: using the table name obtained in step two, the user name currently logged in to the system and the organization currently logged in to, query the authority filtering rule table for the filtering rules that relate the current user to the current table, and replace the dynamic variables in the rules with actual parameters. If one filtering rule is found, return that rule directly; if more than one is found, return a string that combines the rules as their intersection;
Fourth step: combine the initial filter condition decomposed in step two with the rule condition obtained from the rule database in step three to form a new filter condition, in the format "initial filter condition" AND "filtering rule";
Fifth step: based on the content of each component of the SQL clause decomposed in step two, insert the new filter condition produced in step four into the original SQL statement to form a new SQL statement; that is, replace the initial filter condition from step two with the new filter condition from step four, then recombine the components of the SQL clause from step two into a complete SQL clause;
Sixth step: if step one produced more than one clause, jump to step two and process the next SQL clause; once all SQL clauses have been processed, jump to step seven;
Seventh step: reconnect all the SQL clauses processed in step six into one complete SQL statement using UNION or UNION ALL, and return this new SQL statement.
The present invention is an important supplement to content authority control in management systems. It avoids the secondary development work that was previously required, greatly reduces implementation cost, and meets customers' need for user-defined content authority control.
Embodiment
The technical solution of the present invention is described in further detail below through an embodiment.
Embodiment: the present invention comprises the following steps: ⑴ register the table object of content authority; ⑵ set the filtering rule of the content authority and save this filtering rule in the database; ⑶ assign the above filtering rule to the user who needs the content authority; ⑷ the program at the relevant service point filters the data according to the registered table object and the filtering rule input by the user, and returns the data to the user; that is, it analyzes the three necessary conditions determined by the preceding three steps, converts them into an SQL statement, and merges it with the incoming SQL statement to form a new SQL statement. This algorithm is in effect a kind of "hijacking" of the business-layer code. It is very simple to implement, is minimally invasive to program code, and can apply authority filtering to a service without affecting the programmer's normal development flow.
In step ⑴, the content authority registration is made in advance in the preset database before the information management system is released. A content authority filtering switch is turned on wherever the corresponding module needs filtering, and the program decides whether to enable the content authority filtering algorithm according to whether this switch is on or off.
In step ⑵, the user input that needs to be saved comprises the id of the referenced rule base data, the operator, the rule definition data and the logical operator.
In step ⑶, the authority administrator configures different content authority filtering rules through step ⑵ as required, and then assigns these rules to the corresponding operators or roles.
Step ⑷ is specifically:
First step: analyze whether the SQL statement is a statement combined by UNION or UNION ALL. If so, separate the parallel SQL clauses joined by UNION one by one and save them in an array; these clauses are processed one by one in the later steps. If the statement does not contain UNION, return the SQL statement itself directly;
Second step: further decompose the SQL clause from step one. Use the keywords FROM, WHERE, GROUP, HAVING and ORDER to split the SQL statement into several parts, and parse out the table name and the initial filter condition from them. If the statement contains JOIN information, use the positions of JOIN and ON to further parse out the names of the joined tables. This yields the content of each component of the SQL clause; the parts obtained in this step are used in the following steps;
Third step: using the table name obtained in step two, the user name currently logged in to the system and the organization currently logged in to, query the authority filtering rule table for the filtering rules that relate the current user to the current table, and replace the dynamic variables in the rules with actual parameters. If one filtering rule is found, return that rule directly; if more than one is found, return a string that combines the rules as their intersection;
Fourth step: combine the initial filter condition decomposed in step two with the rule condition obtained from the rule database in step three to form a new filter condition, in the format "initial filter condition" AND "filtering rule";
Fifth step: based on the content of each component of the SQL clause decomposed in step two, insert the new filter condition produced in step four into the original SQL statement to form a new SQL statement; that is, replace the initial filter condition from step two with the new filter condition from step four, then recombine the components of the SQL clause from step two into a complete SQL clause;
Sixth step: if step one produced more than one clause, jump to step two and process the next SQL clause; once all SQL clauses have been processed, jump to step seven;
Seventh step: reconnect all the SQL clauses processed in step six into one complete SQL statement using UNION or UNION ALL, and return this new SQL statement.
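The seven-step rewrite described in the Summary and in this embodiment, as an added Python example that is not code from the patent. The `orders` table, the rule store, the `@USER`/`@ORG` variable names and all function names are constructed assumptions; parenthesising the initial condition and quoting the substituted values go beyond the patent's stated "initial filter condition" AND "filtering rule" format, and are added so that an OR in the original WHERE clause or a quote in a session value cannot widen the result.

```python
import re

# Constructed sample data (assumptions, not from the patent).
# Step (1): tables registered for content authority.
REGISTERED_TABLES = {"orders"}
# Steps (2)-(3): filtering rules assigned per (table, user). @USER and @ORG are
# hypothetical names for the "dynamic variables" the patent mentions.
RULES = {
    ("orders", "A"): ["orders.creator = @USER"],
    ("orders", "B"): ["orders.creator = @USER"],
    ("orders", "C"): ["orders.org_id = @ORG", "orders.creator IN ('B', @USER)"],
}

_UNION = re.compile(r"\s+(UNION\s+ALL|UNION)\s+", re.I)
# GROUP BY / ORDER BY are matched whole so a table named "orders" is not split.
_KEYWORDS = re.compile(r"\b(FROM|WHERE|GROUP\s+BY|HAVING|ORDER\s+BY)\b", re.I)

def sql_literal(value):
    """Quote a session value as a SQL string literal, doubling embedded quotes."""
    return "'" + str(value).replace("'", "''") + "'"

def split_union(sql):
    """Step 1: separate the parallel clauses of a UNION / UNION ALL statement."""
    pieces = _UNION.split(sql.strip())
    connectors = [" ".join(c.upper().split()) for c in pieces[1::2]]
    return pieces[0::2], connectors

def decompose(clause):
    """Step 2: cut one clause into ordered (keyword, body) parts."""
    tokens = _KEYWORDS.split(clause)
    parts = [("", tokens[0].strip())]  # the SELECT list
    for kw, body in zip(tokens[1::2], tokens[2::2]):
        parts.append((" ".join(kw.upper().split()), body.strip()))
    return parts

def tables_of(from_body):
    """Step 2: main table names plus the tables named after each JOIN."""
    head = re.split(r"\bJOIN\b", from_body, maxsplit=1, flags=re.I)[0]
    names = [item.split()[0] for item in head.split(",") if item.split()]
    return names + re.findall(r"\bJOIN\s+(\w+)", from_body, flags=re.I)

def rules_for(tables, user, org):
    """Step 3: fetch the user's rules for registered tables and bind variables."""
    params = {"USER": user, "ORG": org}
    bound = []
    for table in (t.lower() for t in tables):
        if table in REGISTERED_TABLES:
            for rule in RULES.get((table, user), []):
                bound.append(re.sub(r"@(USER|ORG)\b",
                                    lambda m: sql_literal(params[m.group(1)]), rule))
    return bound

def apply_content_authority(sql, user, org):
    clauses, connectors = split_union(sql)
    rewritten = []
    for clause in clauses:  # step 6: handle every clause in turn
        parts = decompose(clause)
        keys = [k for k, _ in parts]
        from_body = parts[keys.index("FROM")][1] if "FROM" in keys else ""
        rules = rules_for(tables_of(from_body), user, org)
        if rules:
            # Several rules are combined as their intersection, read here as AND.
            rule_sql = " AND ".join(f"({r})" for r in rules)
            if "WHERE" in keys:
                # Step 4: "initial condition" AND "filtering rule". The initial
                # condition is parenthesised so an OR inside it cannot take
                # precedence over the appended rule.
                i = keys.index("WHERE")
                parts[i] = ("WHERE", f"({parts[i][1]}) AND {rule_sql}")
            else:
                parts.insert(keys.index("FROM") + 1, ("WHERE", rule_sql))
        # Step 5: reassemble the clause from its parts.
        rewritten.append(" ".join(f"{k} {b}".strip() for k, b in parts))
    # Step 7: reconnect the clauses with their original connectors.
    result = rewritten[0]
    for conn, clause in zip(connectors, rewritten[1:]):
        result += f" {conn} {clause}"
    return result
```

Keyword splitting of this kind does not understand subqueries, table aliases or string literals that contain a keyword such as WHERE, so queries of those shapes need a real SQL parser before the rule is merged in.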
Finally, it should be pointed out that the above embodiment is only a representative example of the present invention. Obviously, the technical solution of the present invention is not limited to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can directly derive or associate from the content disclosed by the present invention should be considered to fall within the protection scope of the present invention.

Claims (1)

1. An information access authority control method, characterized in that the control method comprises the following steps: ⑴ register the table object of content authority; ⑵ set the filtering rule of the content authority and save this filtering rule in the database; ⑶ assign the above filtering rule to the user who needs the content authority; ⑷ the program at the relevant service point filters the data according to the registered table object and the filtering rule input by the user, and returns the data to the user; that is, it analyzes the three necessary conditions determined by the preceding three steps, converts them into an SQL statement, and merges it with the incoming SQL statement to form a new SQL statement; wherein
in said step ⑴, the content authority registration is made in advance in the preset database before the information management system is released; a content authority filtering switch is turned on wherever the corresponding module needs filtering, and the program decides whether to enable the content authority filtering algorithm according to whether this switch is on or off;
in said step ⑵, the user input that needs to be saved comprises the id of the referenced rule base data, the operator and the rule definition data;
in said step ⑶, the authority administrator configures different content authority filtering rules through step ⑵ as required, and then assigns these rules to the corresponding operators or roles;
said step ⑷ is specifically:
First step: analyze whether the SQL statement is a statement combined by UNION or UNION ALL. If so, separate the parallel SQL clauses joined by UNION one by one and save them in an array; these clauses are processed one by one in the later steps. If the statement does not contain UNION, return the SQL statement itself directly;
Second step: further decompose the SQL clause from step one. Use the keywords FROM, WHERE, GROUP, HAVING and ORDER to split the SQL statement into several parts, and parse out the table name and the initial filter condition from them. If the statement contains JOIN information, use the positions of JOIN and ON to further parse out the names of the joined tables. This yields the content of each component of the SQL clause; the parts obtained in this step are used in the following steps;
Third step: using the table name obtained in step two, the user name currently logged in to the system and the organization currently logged in to, query the authority filtering rule table for the filtering rules that relate the current user to the current table, and replace the dynamic variables in the rules with actual parameters. If one filtering rule is found, return that rule directly; if more than one is found, return a string that combines the rules as their intersection;
Fourth step: combine the initial filter condition decomposed in step two with the rule condition obtained from the rule database in step three to form a new filter condition, in the format "initial filter condition" AND "filtering rule";
Fifth step: based on the content of each component of the SQL clause decomposed in step two, insert the new filter condition produced in step four into the original SQL statement to form a new SQL statement; that is, replace the initial filter condition from step two with the new filter condition from step four, then recombine the components of the SQL clause from step two into a complete SQL clause;
Sixth step: if step one produced more than one clause, jump to step two and process the next SQL clause; once all SQL clauses have been processed, jump to step seven;
Seventh step: reconnect all the SQL clauses processed in step six into one complete SQL statement using UNION or UNION ALL, and return this new SQL statement.
CN 201010521592 2010-10-27 2010-10-27 Information access authority control method Active CN101976316B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010521592 CN101976316B (en) 2010-10-27 2010-10-27 Information access authority control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 201010521592 CN101976316B (en) 2010-10-27 2010-10-27 Information access authority control method

Publications (2)

Publication Number Publication Date
CN101976316A CN101976316A (en) 2011-02-16
CN101976316B true CN101976316B (en) 2012-02-01

Family

ID=43576200

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010521592 Active CN101976316B (en) 2010-10-27 2010-10-27 Information access authority control method

Country Status (1)

Country Link
CN (1) CN101976316B (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102831123B (en) * 2011-06-16 2015-04-08 航天信息股份有限公司 Method and system for querying authority control of data
CN103744050A (en) * 2014-01-23 2014-04-23 国家电网公司 Field detection device of intelligent electric energy meter
CN106469282A (en) * 2015-08-21 2017-03-01 阿里巴巴集团控股有限公司 data access authority control method and device
CN105512528B (en) * 2015-12-12 2019-03-08 天津南大通用数据技术股份有限公司 The implementation method of row permission in business model
CN105787052B (en) * 2016-02-26 2020-02-04 广州品唯软件有限公司 Data processing model establishing method and data screening method based on data processing model
CN106778341A (en) * 2016-12-02 2017-05-31 华北计算技术研究所(中国电子科技集团公司第十五研究所) data right management system and method
CN107844708A (en) * 2017-11-06 2018-03-27 中国电子科技集团公司第二十八研究所 Towards the data permission control system and its control method of military equipment management business
CN110704551B (en) * 2018-06-21 2023-02-17 中兴通讯股份有限公司 Data processing method, device, equipment and computer readable storage medium
CN110909149B (en) * 2018-09-17 2022-06-03 北京国双科技有限公司 Data filtering method and device
CN111125642B (en) * 2018-10-31 2022-06-03 北京数聚鑫云信息技术有限公司 Method and device for managing API, storage medium and computer equipment
CN111552678A (en) * 2020-03-30 2020-08-18 平安医疗健康管理股份有限公司 Data permission configuration method and device and computer equipment
CN114428802A (en) * 2022-04-01 2022-05-03 北京锐融天下科技股份有限公司 Data filtering method and system based on user permission

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101320373B (en) * 2008-06-13 2011-05-18 华中科技大学 Safety search engine system of website database
CN101710348B (en) * 2009-12-29 2011-11-30 金蝶软件(中国)有限公司 Document data query method and server

Also Published As

Publication number Publication date
CN101976316A (en) 2011-02-16

Similar Documents

Publication Publication Date Title
CN101976316B (en) Information access authority control method
CN104361424B (en) Main data system integrated approach based on Enterprise Service Bus
CN102708213B (en) Method for realizing BOM (Bill of Material) information transmission between PDM (Product Data Management) system and ERP (Enterprise Resource Planning) system
CN103310295B (en) Work micro-blog management method
CN105512790A (en) Integrated operation and maintenance management system
CN107315931A (en) Form field values operating right authorization method
US20120203705A1 (en) System And Method For Universal In-Place Lifecycle Policy Enforcement On Repositories
CN109167717A (en) The method for presetting instant messaging account contact person and default address list according to the communication relations between role
WO2019015657A1 (en) Attendance tracking configuration method for system
CN105094961A (en) Task scheduling management system based on quartz frame and method thereof
CN106354857A (en) News tag management system
CN110474897A (en) A kind of file permission management system
CN103475727A (en) Database auditing method based on bridged mode
CN105653982A (en) Method and system used for data permission control
CN104182846A (en) Client management system
CN104679792A (en) Data permission achievement method
CN102708457A (en) Enterprise internal information system
CN106548327A (en) A kind of Workflow system and the integrated method of other Third party systems
CN103442212A (en) Network security and protection comprehensive early warning type management system platform
CN104156435A (en) Method for rapidly finding HSE laws and regulations from database
CN107885866A (en) Integrated port checking method and its information support system
CN101702798B (en) Design method of multi-service drive share frame model
CN106682821A (en) Unified management control method for rail transit system users
CN107426137A (en) Right management method and system
CN105354891A (en) Attendance checking management method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
CP03 Change of name, title or address

Address after: 310052 Jiangling Road, Binjiang District, Hangzhou, Zhejiang Province, No. 88, No. 312, Hangzhou new Zhongda Polytron Technologies Inc

Patentee after: Hangzhou new China and the big Polytron Technologies Inc

Address before: Hangzhou City, Zhejiang province 310013 Tianmushan Road No. 176 West Lake soyea Software Park Building No. 20 Hangzhou new software Limited by Share Ltd

Patentee before: Hangzhou Newgrand Software Co., Ltd.