CN101976316B - Information access authority control method - Google Patents
- Publication number
- CN101976316B
- Authority
- CN
- China
- Prior art keywords
- sql
- rule
- authority
- filtering rule
- content
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Storage Device Security (AREA)
Abstract
The invention is mainly applied to information management systems and relates to a method for applying permission control to any single record or batch of records in any table. It makes permission control over operators more flexible in order to achieve information security, and it supplements the permission control of the information management system. The method comprises the following steps: (1) registering the table objects subject to content permission; (2) setting the filtering rules for content permission and saving them in a database; (3) granting the filtering rules to the users who need the content permission; and (4) at the relevant service point, having the program filter the data according to the registered table objects and the filtering rules entered by the user, and return the result to the user. The invention is simple to implement, is minimally invasive to program code, and can apply permission filtering to the business logic without affecting the programmer's normal development flow.
Description
Technical field
The present invention relates to an information access authority control method, namely a method for applying permission control to any single record or batch of records in any table. It is mainly used in information management systems, where it makes permission control over operators more flexible in order to achieve information security, and it supplements the permission control of the information management system.
Background art
The 21st century is the age of information technology. Rapidly developing computer technology entered the field of business management long ago, assisting in the management of an enterprise's means of production and production plans, and even providing an important reference basis for strategic business decisions. Computer-aided business management has allowed all kinds of small and medium-sized enterprises to grow steadily into large or even very large enterprises. To sustain this rapid growth, people have placed higher and more comprehensive demands on management, and information security has become particularly important.
At present, two kinds of permission control are in common use: function permission and content permission.
Function permission is relatively simple to implement. Most current management systems have fairly flexible implementations for controlling function points or for role-based management, and the complex function-permission requirements raised by enterprise customers can be handled by applying the principle of addition together with combinations of roles. For example, a clerk in a company belongs to the data-entry role and is responsible for entering basic information, but cannot view the company's important reports; a company leader belongs to the decision-maker role and is allowed to view the important reports. Controlling whether a function is available in this way is a widely used method in the field, and it is usually called function permission.
Content permission addresses the case where different users see different data content under the same function point; it is a form of data isolation. For example, three operators A, B and C all have the permission to enter information, but A and B can each see only the information they entered themselves, while C, as B's superior, can see the information entered by his subordinate B in addition to his own. Content permission is considerably more complex, so it is hard to let users customize it flexibly according to their own needs. Every enterprise has a different management system, so without a flexibly customizable content-permission filtering method, the only option is secondary development by the software vendor, which adds enormous cost to deploying the management system. A method that allows content permission to be user-defined would therefore be an important supplement to content-permission control in management systems.
Summary of the invention
The present invention solves the technical problem existing in the prior art and provides an information access authority control method.
The above technical problem is mainly solved by the following technical solution: an information access authority control method, characterized in that the control method comprises the following steps: ⑴ registering the table objects subject to content permission; ⑵ setting the filtering rules for content permission and saving them in the database; ⑶ granting the above filtering rules to the users who need the content permission; ⑷ at the relevant service point, having the program filter the data according to the registered table objects and the filtering rules entered by the user, and return the result to the user. That is, the three necessary conditions determined by the preceding three steps are analyzed, converted into SQL, and merged with the incoming SQL statement so that it becomes a new SQL statement. In essence this algorithm is a kind of "hijacking" of the business-layer code. It is very simple to implement and minimally invasive to program code, and it can apply permission filtering to the business logic without affecting the programmer's normal development flow.
In step ⑴, the registration of content permission is made in advance in the preset database before the information management system is released. A content-permission filtering switch is turned on at the places in the corresponding modules that need filtering, and the program decides whether to enable the content-permission filtering algorithm according to whether this switch is on or off.
In step ⑵, the information entered by the user that needs to be saved comprises the reference rule basic data id, the operator, the rule definition data and the logical operator.
In step ⑶, the permission administrator configures different content-permission filtering rules as required through step ⑵, and then assigns these rules to the corresponding operators or roles.
Step ⑷ is specifically:
The first step: analyze whether the SQL statement is a statement combined by UNION or UNION ALL. If so, separate the parallel SQL clauses joined by UNION one by one and save them in an array, to be processed one by one in the later steps; if it does not contain UNION, return the SQL statement itself directly.
The second step: further decompose the SQL clause from step 1. Use the keywords FROM, WHERE, GROUP, HAVING and ORDER to break the SQL statement into several parts, and parse out the table name and the initial filter condition. If the statement contains JOIN information, use the positions of JOIN and ON to further parse out the names of the joined tables. This yields the content of each component of the SQL clause; the parts produced by this step are used in the later steps.
The third step: using the table name obtained in step 2, the user name currently logged in to the system and the organization currently logged in to, query the permission filtering rule table for the filtering rules associated with the current user and the current table, and replace the dynamic variables in the rules with actual parameters. If one filtering rule is found, return it directly; if more than one is found, return a string formed as the intersection of the rules.
The fourth step: combine the initial filter condition decomposed in step 2 with the rule condition obtained from the rule database in step 3 to form a new filter condition, in the format "initial filter condition" AND "filtering rule".
The fifth step: according to the content of each component of the SQL clause decomposed in step 2, insert the new filter condition produced in step 4 into the original SQL statement to form a new SQL statement. That is, replace the initial filter condition of step 2 with the new filter condition of step 4, and then recombine the components of the SQL clause from step 2 into a complete SQL clause.
The sixth step: if step 1 produced more than one clause, jump to step 2 and process the next SQL clause, until all SQL clauses have been processed; then jump to step 7.
The seventh step: reconnect all the SQL clauses processed in step 6 with UNION or UNION ALL into a complete SQL statement, and return this new SQL statement.
The present invention is an important supplement to content-permission control in management systems. It avoids the secondary development that was previously required, greatly reduces implementation cost, and still meets the customer's need for user-defined content-permission control.
Embodiment
The technical solution of the present invention is described in further detail below through an embodiment.
Embodiment: the present invention comprises the following steps: ⑴ registering the table objects subject to content permission; ⑵ setting the filtering rules for content permission and saving them in the database; ⑶ granting the above filtering rules to the users who need the content permission; ⑷ at the relevant service point, having the program filter the data according to the registered table objects and the filtering rules entered by the user, and return the result to the user. That is, the three necessary conditions determined by the preceding three steps are analyzed, converted into SQL, and merged with the incoming SQL statement so that it becomes a new SQL statement. In essence this algorithm is a kind of "hijacking" of the business-layer code. It is very simple to implement and minimally invasive to program code, and it can apply permission filtering to the business logic without affecting the programmer's normal development flow.
In step ⑴, the registration of content permission is made in advance in the preset database before the information management system is released. A content-permission filtering switch is turned on at the places in the corresponding modules that need filtering, and the program decides whether to enable the content-permission filtering algorithm according to whether this switch is on or off.
In step ⑵, the information entered by the user that needs to be saved comprises the reference rule basic data id, the operator, the rule definition data and the logical operator.
In step ⑶, the permission administrator configures different content-permission filtering rules as required through step ⑵, and then assigns these rules to the corresponding operators or roles.
Step ⑷ is specifically:
The first step: analyze whether the SQL statement is a statement combined by UNION or UNION ALL. If so, separate the parallel SQL clauses joined by UNION one by one and save them in an array, to be processed one by one in the later steps; if it does not contain UNION, return the SQL statement itself directly.
The second step: further decompose the SQL clause from step 1. Use the keywords FROM, WHERE, GROUP, HAVING and ORDER to break the SQL statement into several parts, and parse out the table name and the initial filter condition. If the statement contains JOIN information, use the positions of JOIN and ON to further parse out the names of the joined tables. This yields the content of each component of the SQL clause; the parts produced by this step are used in the later steps.
The third step: using the table name obtained in step 2, the user name currently logged in to the system and the organization currently logged in to, query the permission filtering rule table for the filtering rules associated with the current user and the current table, and replace the dynamic variables in the rules with actual parameters. If one filtering rule is found, return it directly; if more than one is found, return a string formed as the intersection of the rules.
The fourth step: combine the initial filter condition decomposed in step 2 with the rule condition obtained from the rule database in step 3 to form a new filter condition, in the format "initial filter condition" AND "filtering rule".
The fifth step: according to the content of each component of the SQL clause decomposed in step 2, insert the new filter condition produced in step 4 into the original SQL statement to form a new SQL statement. That is, replace the initial filter condition of step 2 with the new filter condition of step 4, and then recombine the components of the SQL clause from step 2 into a complete SQL clause.
The sixth step: if step 1 produced more than one clause, jump to step 2 and process the next SQL clause, until all SQL clauses have been processed; then jump to step 7.
The seventh step: reconnect all the SQL clauses processed in step 6 with UNION or UNION ALL into a complete SQL statement, and return this new SQL statement.
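The seven-step rewrite described above, as an added Python example that is not code from the patent. The table, column and user names and the `REGISTERED` / `RULES` structures are constructed assumptions, and the example goes beyond the text in two hardening choices: the initial condition is parenthesized before the AND, and dynamic variables stay as named bind parameters instead of being substituted into the SQL string.

```python
import re

# Constructed sample data: table, column and user names are hypothetical.
REGISTERED = {"orders"}            # step (1): tables under content permission
RULES = {                          # steps (2)-(3): rules granted per (table, user)
    ("orders", "alice"): ["created_by = :user"],
    ("orders", "carol"): ["org_id = :org", "status <> 'void'"],
}

_UNION = re.compile(r"\s+(UNION\s+ALL|UNION)\s+", re.I)
_PARTS = re.compile(r"\b(FROM|WHERE|GROUP\s+BY|HAVING|ORDER\s+BY)\b", re.I)
_TABLE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_]\w*)", re.I)
_SUBQUERY = re.compile(r"\(\s*SELECT\b", re.I)


def split_union(sql):
    """Step 1: separate UNION / UNION ALL branches, keeping the connectors."""
    pieces = _UNION.split(sql.strip())
    return pieces[0::2], pieces[1::2]


def decompose(clause):
    """Step 2: split one SELECT into [keyword, body] parts and list its tables."""
    if _SUBQUERY.search(clause):
        # Keyword splitting cannot tell an inner FROM/WHERE from the outer one.
        raise ValueError("subquery found: use a real SQL parser")
    pieces = _PARTS.split(clause)
    parts = [["", pieces[0].strip()]]
    for kw, body in zip(pieces[1::2], pieces[2::2]):
        parts.append([" ".join(kw.upper().split()), body.strip()])
    return parts, [t.lower() for t in _TABLE.findall(clause)]


def rule_for(tables, user):
    """Step 3: collect the user's rules for registered tables, intersected."""
    rules = [r for t in tables if t in REGISTERED
             for r in RULES.get((t, user), [])]
    return " AND ".join(f"({r})" for r in rules)


def rewrite_clause(clause, user):
    """Steps 4-5: merge the rule into one SELECT and reassemble it."""
    parts, tables = decompose(clause)
    rule = rule_for(tables, user)
    if not rule:
        # No rule applies. The page does not define this case; a
        # deny-by-default deployment would append "1 = 0" here instead.
        return clause
    where = next((p for p in parts if p[0] == "WHERE"), None)
    if where:
        # Parenthesise the initial condition so an OR in it cannot bypass the rule.
        where[1] = f"({where[1]}) AND {rule}"
    else:
        idx = next(i for i, p in enumerate(parts) if p[0] == "FROM")
        parts.insert(idx + 1, ["WHERE", rule])
    return " ".join(f"{kw} {body}".strip() for kw, body in parts)


def apply_content_permission(sql, user, org):
    """Steps 1-7: return the rewritten SQL and its bind parameters."""
    clauses, connectors = split_union(sql)
    done = [rewrite_clause(c, user) for c in clauses]      # step 6: every branch
    out = done[0]
    for conn, clause in zip(connectors, done[1:]):         # step 7: rejoin
        out += f" {' '.join(conn.upper().split())} {clause}"
    # Dynamic variables stay as named placeholders and are bound by the driver,
    # never spliced into the SQL text.
    return out, {"user": user, "org": org}
```

Keyword splitting of this kind also misreads keywords that appear inside string literals or comments, so a rewrite used as an access control should run on a parsed statement and reject anything it cannot fully decompose.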
Finally, it should be noted that the above embodiment is merely a representative example of the present invention. Obviously, the technical solution of the invention is not limited to the above embodiment, and many variations are possible. All variations that a person of ordinary skill in the art can directly derive or conceive from the disclosure of the present invention shall be regarded as falling within the scope of protection of the invention.
Claims (1)
1. An information access authority control method, characterized in that the control method comprises the following steps: ⑴ registering the table objects subject to content permission; ⑵ setting the filtering rules for content permission and saving them in the database; ⑶ granting the above filtering rules to the users who need the content permission; ⑷ at the relevant service point, having the program filter the data according to the registered table objects and the filtering rules entered by the user, and return the result to the user; that is, the three necessary conditions determined by the preceding three steps are analyzed, converted into SQL, and merged with the incoming SQL statement so that it becomes a new SQL statement; wherein
in said step ⑴, the registration of content permission is made in advance in the preset database before the information management system is released; a content-permission filtering switch is turned on at the places in the corresponding modules that need filtering, and the program decides whether to enable the content-permission filtering algorithm according to whether this switch is on or off;
in said step ⑵, the information entered by the user that needs to be saved comprises the reference rule basic data id, the operator and the rule definition data;
in said step ⑶, the permission administrator configures different content-permission filtering rules as required through step ⑵, and then assigns these rules to the corresponding operators or roles;
said step ⑷ is specifically:
the first step: analyze whether the SQL statement is a statement combined by UNION or UNION ALL; if so, separate the parallel SQL clauses joined by UNION one by one and save them in an array, to be processed one by one in the later steps; if it does not contain UNION, return the SQL statement itself directly;
the second step: further decompose the SQL clause from step 1; use the keywords FROM, WHERE, GROUP, HAVING and ORDER to break the SQL statement into several parts, and parse out the table name and the initial filter condition; if the statement contains JOIN information, use the positions of JOIN and ON to further parse out the names of the joined tables, yielding the content of each component of the SQL clause; the parts produced by this step are used in the later steps;
the third step: using the table name obtained in step 2, the user name currently logged in to the system and the organization currently logged in to, query the permission filtering rule table for the filtering rules associated with the current user and the current table, and replace the dynamic variables in the rules with actual parameters; if one filtering rule is found, return it directly; if more than one is found, return a string formed as the intersection of the rules;
the fourth step: combine the initial filter condition decomposed in step 2 with the rule condition obtained from the rule database in step 3 to form a new filter condition, in the format "initial filter condition" AND "filtering rule";
the fifth step: according to the content of each component of the SQL clause decomposed in step 2, insert the new filter condition produced in step 4 into the original SQL statement to form a new SQL statement; that is, replace the initial filter condition of step 2 with the new filter condition of step 4, and then recombine the components of the SQL clause from step 2 into a complete SQL clause;
the sixth step: if step 1 produced more than one clause, jump to step 2 and process the next SQL clause, until all SQL clauses have been processed; then jump to step 7;
the seventh step: reconnect all the SQL clauses processed in step 6 with UNION or UNION ALL into a complete SQL statement, and return this new SQL statement.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010521592 CN101976316B (en) | 2010-10-27 | 2010-10-27 | Information access authority control method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 201010521592 CN101976316B (en) | 2010-10-27 | 2010-10-27 | Information access authority control method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101976316A (en) | 2011-02-16 |
CN101976316B (en) | 2012-02-01 |
Family
ID=43576200
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 201010521592 Active CN101976316B (en) | 2010-10-27 | 2010-10-27 | Information access authority control method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101976316B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102831123B (en) * | 2011-06-16 | 2015-04-08 | 航天信息股份有限公司 | Method and system for querying authority control of data |
CN103744050A (en) * | 2014-01-23 | 2014-04-23 | 国家电网公司 | Field detection device of intelligent electric energy meter |
CN106469282A (en) * | 2015-08-21 | 2017-03-01 | 阿里巴巴集团控股有限公司 | data access authority control method and device |
CN105512528B (en) * | 2015-12-12 | 2019-03-08 | 天津南大通用数据技术股份有限公司 | The implementation method of row permission in business model |
CN105787052B (en) * | 2016-02-26 | 2020-02-04 | 广州品唯软件有限公司 | Data processing model establishing method and data screening method based on data processing model |
CN106778341A (en) * | 2016-12-02 | 2017-05-31 | 华北计算技术研究所(中国电子科技集团公司第十五研究所) | data right management system and method |
CN107844708A (en) * | 2017-11-06 | 2018-03-27 | 中国电子科技集团公司第二十八研究所 | Towards the data permission control system and its control method of military equipment management business |
CN110704551B (en) * | 2018-06-21 | 2023-02-17 | 中兴通讯股份有限公司 | Data processing method, device, equipment and computer readable storage medium |
CN110909149B (en) * | 2018-09-17 | 2022-06-03 | 北京国双科技有限公司 | Data filtering method and device |
CN111125642B (en) * | 2018-10-31 | 2022-06-03 | 北京数聚鑫云信息技术有限公司 | Method and device for managing API, storage medium and computer equipment |
CN111552678A (en) * | 2020-03-30 | 2020-08-18 | 平安医疗健康管理股份有限公司 | Data permission configuration method and device and computer equipment |
CN114428802A (en) * | 2022-04-01 | 2022-05-03 | 北京锐融天下科技股份有限公司 | Data filtering method and system based on user permission |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101320373B (en) * | 2008-06-13 | 2011-05-18 | 华中科技大学 | Safety search engine system of website database |
CN101710348B (en) * | 2009-12-29 | 2011-11-30 | 金蝶软件(中国)有限公司 | Document data query method and server |
Also Published As
Publication number | Publication date |
---|---|
CN101976316A (en) | 2011-02-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN101976316B (en) | Information access authority control method | |
CN104361424B (en) | Main data system integrated approach based on Enterprise Service Bus | |
CN102708213B (en) | Method for realizing BOM (Bill of Material) information transmission between PDM (Product Data Management) system and ERP (Enterprise Resource Planning) system | |
CN103310295B (en) | Work micro-blog management method | |
CN105512790A (en) | Integrated operation and maintenance management system | |
CN107315931A (en) | Form field values operating right authorization method | |
US20120203705A1 (en) | System And Method For Universal In-Place Lifecycle Policy Enforcement On Repositories | |
CN109167717A (en) | The method for presetting instant messaging account contact person and default address list according to the communication relations between role | |
WO2019015657A1 (en) | Attendance tracking configuration method for system | |
CN105094961A (en) | Task scheduling management system based on quartz frame and method thereof | |
CN106354857A (en) | News tag management system | |
CN110474897A (en) | A kind of file permission management system | |
CN103475727A (en) | Database auditing method based on bridged mode | |
CN105653982A (en) | Method and system used for data permission control | |
CN104182846A (en) | Client management system | |
CN104679792A (en) | Data permission achievement method | |
CN102708457A (en) | Enterprise internal information system | |
CN106548327A (en) | A kind of Workflow system and the integrated method of other Third party systems | |
CN103442212A (en) | Network security and protection comprehensive early warning type management system platform | |
CN104156435A (en) | Method for rapidly finding HSE laws and regulations from database | |
CN107885866A (en) | Integrated port checking method and its information support system | |
CN101702798B (en) | Design method of multi-service drive share frame model | |
CN106682821A (en) | Unified management control method for rail transit system users | |
CN107426137A (en) | Right management method and system | |
CN105354891A (en) | Attendance checking management method and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CP03 | Change of name, title or address | ||
CP03 | Change of name, title or address |
Address after: 310052 Jiangling Road, Binjiang District, Hangzhou, Zhejiang Province, No. 88, No. 312, Hangzhou new Zhongda Polytron Technologies Inc Patentee after: Hangzhou new China and the big Polytron Technologies Inc Address before: Hangzhou City, Zhejiang province 310013 Tianmushan Road No. 176 West Lake soyea Software Park Building No. 20 Hangzhou new software Limited by Share Ltd Patentee before: Hangzhou Newgrand Software Co., Ltd. |