CN104766023B - User management method based on ORACLE databases - Google Patents


Info

Publication number: CN104766023B
Authority: CN (China)
Prior art keywords: user, distribution, database, authority, management method
Legal status: Expired - Fee Related
Application number: CN201510052388.4A
Other languages: Chinese (zh)
Other versions: CN104766023A (en)
Inventor: 陶立伟
Current Assignee: Suzhou Quan Wei Software Science And Technology Ltd
Original Assignee: Suzhou Quan Wei Software Science And Technology Ltd
Priority date: 2015-02-02
Filing date: 2015-02-02
Publication date: 2017-09-19
Application filed by Suzhou Quan Wei Software Science And Technology Ltd
Priority to CN201510052388.4A
Publication of CN104766023A
Application granted
Publication of CN104766023B
Expired - Fee Related
Anticipated expiration

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention relates to a user management method based on ORACLE databases. User classification and operating rights are managed through a user management tool, and users are assigned with that tool: a role is assigned to each user identity, which grants it different operating rights. Role assignment at least includes assigning rights and creating users. During operation, any alarm triggers the early-warning mechanism and the operation is logged; a high-risk operation locks the user directly. In this way the operation types and rights of users of different grades are strictly controlled from the user-management side, the database can be partitioned into isolated sections in which separate operations are carried out, the effect of illegal operations is cut off, and the integrity and stability of production data are protected from the entry point. Moreover, user operations that follow certain patterns trigger an early-warning mechanism that notifies the responsible personnel for follow-up analysis, or even directly locks the high-risk user, which greatly improves security.

Description

User management method based on ORACLE databases
Technical field
The present invention relates to a user management method, and more particularly to a user management method based on ORACLE databases.
Background technology
Enterprise data is growing towards large volumes, and the database holds an ever larger share of an enterprise's business data, business algorithms and analysis and decryption logic. Under the constant warning of malicious events such as the leaking of user data, the disclosure of trade secrets and destruction by hacker attacks, the management and protection of the database have become all the more important.
Meanwhile, the users of a traditional Internet database are usually divided into two classes: system management users and users accessed directly by programs. The entry rights a database exposes to program connections are fully open by default, so when a program is maliciously compromised it can change the database directly and without restriction, causing serious damage to the enterprise database.
The content of the invention
The purpose of the present invention is to solve the above problems of the prior art by providing a user management method based on ORACLE databases.
This purpose is achieved through the following technical solution: user classification and operating rights are managed by a user management tool, and users are assigned by the user management tool, that is, a role is assigned to each user identity, granting it different operating rights. The role assignment at least includes assigning rights and creating users, and the operating rights include user operation parsing and user management.
The management process is as follows. Step one: the application program that connects to the database generates the SQL statement for the corresponding database through ORM (object-relational mapping); the application's database connection pool obtains the corresponding user connection to the database, and the SQL is executed over that connection. Step two: the database receives the SQL to be executed and looks up the corresponding synonym name within the scope of the current user; if the synonym name does not exist, the exception alarm "object does not exist" is thrown; if the synonym exists, proceed to step three. Step three: the database obtains the proxied target object according to the synonym and parses the SQL operation; if the user holds no valid operating right, the exception alarm "invalid operation" is thrown; if the operating right is valid, proceed to step four. Step four: the database interprets and executes the statement on the target object under the user where that object resides.
In the above process, any alarm triggers the early-warning mechanism and the operation is logged; a high-risk operation locks the user directly.
In the above user management method based on ORACLE databases, the high-risk operations are behaviours that destroy database structure or data; all such behaviours are regarded as high-risk operations.
Further, in the above user management method based on ORACLE databases, the operation log content includes one or more of: the statement of the operation, the time, the account, the machine name and the accessing IP.
Further, in the above user management method based on ORACLE databases, the user management tool is a custom procedure package implemented in oracle.
Further, in the above user management method based on ORACLE databases, the assigned rights are default rights: either custom right levels defined according to business needs, or the assignment of specified access objects per user.
Further, in the above user management method based on ORACLE databases, creating a user includes establishing the user, assigning user rights and assigning the user's object rights. Creating a user means calling the tool package with a user name, a password and an authority number. The authority numbers cover administrator, operator and read-only user. The administrator holds DDL rights: it can create, alter and drop table structures and procedure packages, and can insert, delete, update and query data. The operator holds DML rights: it can query table structures and insert, delete, update and query data. The read-only user can only query table structures and data. Assigning the user's object rights means either granting all objects of one user to another user, or granting a single object of a user individually.
Further, in the above user management method based on ORACLE databases, the authorization includes at least one of insert, delete, update and query, and every authorization creates a synonym of the same name under the user, through which access is proxied.
Further, in the above user management method based on ORACLE databases, the user operation parsing process is: step 1, recognize the corresponding role through user verification and grant the different role rights; step 2, find the corresponding proxied object through the synonym under the corresponding role right; step 3, check the operating right on the object; if the check passes, execute, and if it fails, raise an exception prompt.
Still further, in the above user management method based on ORACLE databases, the user management logs the user's access operations and reserves room for extension; a user management strategy can be defined so that, when a pattern of high-risk operations by a user is discovered, the user's authorization is forcibly withdrawn or the user is locked, and the responsible administrator is notified.
The advantages of the technical solution of the present invention are mainly the following. From the user-management side, the operation types and rights of users of different grades are strictly controlled; the database can be partitioned into isolated sections in which separate operations are carried out, the effect of illegal operations is cut off, and the integrity and stability of production data are protected from the entry point. At the same time, from the angle of implementation control, procedural operation modes can be predefined, and a virtual partition isolates the data of the corresponding operations, so that only authorized data is submitted to the formal environment under authorized operations. Furthermore, user operations that follow certain patterns trigger an early-warning mechanism that notifies the responsible personnel for follow-up analysis, or even directly locks the high-risk user, which greatly improves security. The solution thus expands the scope for technical progress in this field and has good implementation results.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the user management method based on ORACLE databases.
Embodiment
The user management method based on ORACLE databases is characterised in that user classification and operating rights are managed through a user management tool. Meanwhile, users are assigned through the user management tool; that is, a role is assigned to each user identity, granting it different operating rights. Moreover, to achieve effective security management, the role assignment used at least includes assigning rights and creating users, and the operating rights include user operation parsing and user management. Furthermore, for general applicability of the implementation, the user management tool is a custom procedure package implemented in oracle.
Specifically, the management process used is as follows:
Step one: the application program that connects to the database generates the SQL statement for the corresponding database through ORM (object-relational mapping); the application's database connection pool obtains the corresponding user connection to the database, and the SQL is executed over that connection.
Step two: the database receives the SQL to be executed and looks up the corresponding synonym name within the scope of the current user; if the synonym name does not exist, the exception alarm "object does not exist" is thrown; if the synonym exists, proceed to step three.
Step three: the database obtains the proxied target object (such as a table structure) according to the synonym and parses the SQL operation; if the user holds no valid operating right, the exception alarm "invalid operation" is thrown; if the operating right is valid, proceed to step four.
Step four: the database interprets and executes the statement on the target object under the user where that object resides. The interpretation and execution used are determined by Oracle's own mechanisms. Specifically, the interpretation and execution used by the present invention look up the corresponding database table structure, filter the table data according to the conditions, and then return the data. The refined details of this process can also be looked up in the official technical manuals published by oracle, which makes it easy for technical staff to adjust custom strategies at any time.
In the above process, any alarm triggers the early-warning mechanism and the operation is logged; a high-risk operation locks the user directly. In actual implementation, the reason for using the early-warning mechanism is that, for specified data-modification operations that are not standard program operations, an early-warning notification can be issued. For example, modifying a member's login password: if the password is modified directly without the current password being provided, this is regarded as an unsafe operation and can be recorded.
From the point of view of one preferred embodiment of the present invention, high-risk operations are behaviours that destroy database structure or data, and all such behaviours are regarded as high-risk operations. In actual handling they appear as operations such as modifying a database user's password or modifying database settings. Moreover, under the rights settings, high-risk operations essentially cannot be performed, but a log must still be kept, and an early-warning notification is generated for the administrator and sent through a messaging program, for example by SMS.
Further, to record operations effectively and ease future maintenance, the operation log content includes one or more of: the statement of the operation, the time, the account, the machine name and the accessing IP. Of course, for convenience of implementation, the information submitted by the program or client automatically contains information such as the statement, time and account. In view of the needs of security management, the assigned rights are default rights: either custom right levels defined according to business needs, or the assignment of specified access objects per user.
Further, creating a user includes establishing the user, assigning user rights and assigning the user's object rights. Specifically, creating a user means calling the tool package with the user name, the password and the authority number assigned above. For effective assignment of rights, the authority numbers used are: A: administrator, O: operator, G: read-only user.
Specifically, the administrator holds DDL (data definition language) rights: it can create, alter and drop table structures and procedure packages, and can insert, delete, update and query data. The operator holds DML (data manipulation language) rights: it can query table structures and insert, delete, update and query data. The read-only user can only query table structures and data. Moreover, for stable rights management, assigning the user's object rights means granting all objects of one user to another user; a single object of a user can also be granted individually.
In actual implementation, the authorization includes at least one of insert, delete, update and query. Moreover, every authorization creates a synonym of the same name under the user, through which access is proxied. The proxy used by the present invention resembles the television remote control we use every day: through the remote control the television set is made to change channel or adjust volume, which provides an effective intermediate control link.
To ease recognition of user operations, the user operation parsing process used is: first, recognize the corresponding role through user verification and grant the different role rights; then find the corresponding proxied object through the synonym under the corresponding role right; finally, check the operating right on the object; if the check passes, execute, and if it fails, raise an exception prompt.
Moreover, so that user management can cooperate with the database and achieve effective data tracking, the user management involved in the present invention logs the user's access operations and reserves room for (user management) extension. A user management strategy can also be defined so that, when a pattern of high-risk operations by a user is discovered, the user's authorization is forcibly withdrawn or the user is locked, and the responsible administrator is notified.
In terms of the software implementation of the present invention, the process can be summarized as follows:
First step: run the user management tool package.
Second step: preset the user classifications and rights.
Third step: create the classified users by calling pkg_admin.p_create_user(user name, password, authority number).
Fourth step: authorize user objects by calling pkg_admin.p_grant_user_object(source user, target user), which grants all objects of the source user to the target user, or by calling pkg_admin.p_grant_user_object(source user, target user, source object), which grants the specified object of the source user to the target user.
Fifth step: after implementation is complete, switch to the newly created user and verify the effect.
It can be seen from the above description that, after the present invention is applied, the operation types and rights of users of different grades are strictly controlled from the user-management side; the database can be partitioned into isolated sections in which separate operations are carried out, the effect of illegal operations is cut off, and the integrity and stability of production data are protected from the entry point. At the same time, from the angle of implementation control, procedural operation modes can be predefined, and a virtual partition isolates the data of the corresponding operations, so that only authorized data is submitted to the formal environment under authorized operations. Furthermore, user operations that follow certain patterns trigger an early-warning mechanism that notifies the responsible personnel for follow-up analysis, or even directly locks the high-risk user, which greatly improves security.
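The four-step execution path (steps one to four) and the five-step software process (pkg_admin.p_create_user, pkg_admin.p_grant_user_object) described above, as an added Python model written for this page; it is not the patent's Oracle package. It assumes the authority codes A/O/G from the description, treats DROP and ALTER statements as the high-risk class, keeps synonyms as an in-memory map, leaves out Oracle specifics (connection pool, password storage, SMS notification), and uses constructed sample tables, users and statements.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Authority numbering from the description: A = administrator, O = operator, G = read-only user.
ROLE_PRIVS = {
    "A": {"CREATE", "ALTER", "DROP", "SELECT", "INSERT", "UPDATE", "DELETE"},  # DDL and DML
    "O": {"SELECT", "INSERT", "UPDATE", "DELETE"},                              # DML only
    "G": {"SELECT"},                                                            # query only
}
OBJECT_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}  # per-object grants: query, insert, update, delete
HIGH_RISK = {"DROP", "ALTER"}  # destroys structure or data: always logged, alerted and the user locked
_STMT = re.compile(r"^(SELECT\b.*?\bFROM|INSERT\s+INTO|UPDATE|DELETE\s+FROM|"  # verb ... object name
                   r"(?:CREATE|ALTER|DROP)\s+TABLE)\s+([A-Za-z_][\w$#]*)", re.I | re.S)
class ObjectMissing(Exception): pass     # step 2 alarm: no synonym of this user resolves the name
class InvalidOperation(Exception): pass  # step 3 alarm: role, object grant or lock refuses the verb

@dataclass
class User:
    name: str
    authority: str                                # "A", "O" or "G"
    synonyms: dict = field(default_factory=dict)  # object name -> (owner, granted privileges)
    locked: bool = False

@dataclass
class UserManager:                                # stands in for the pkg_admin tool package
    objects: set = field(default_factory=set)     # (owner, object name) pairs that exist
    users: dict = field(default_factory=dict)
    log: list = field(default_factory=list)       # statement, time, account, machine, IP
    alerts: list = field(default_factory=list)    # notifications for the administrator

    def p_create_user(self, name, password, authority):
        if authority not in ROLE_PRIVS:
            raise ValueError(f"unknown authority code {authority!r}")
        self.users[name.upper()] = User(name.upper(), authority)  # password storage is outside the model

    def p_grant_user_object(self, source, target, source_object=None, privs=OBJECT_PRIVS):
        wanted = [n for o, n in self.objects if o == source and source_object in (None, n)]
        if not wanted:
            raise ObjectMissing("object does not exist")
        for name in wanted:  # one same-named synonym per object; a repeated grant widens its privileges
            _, old = self.users[target].synonyms.get(name, (source, set()))
            self.users[target].synonyms[name] = (source, old | (set(privs) & OBJECT_PRIVS))

    def execute(self, account, statement, machine, ip):
        user, m = self.users[account], _STMT.match(statement.strip())
        verb = m.group(1).split()[0].upper() if m else ""
        try:
            if user.locked or not m:
                raise InvalidOperation("user locked" if user.locked else "invalid operation")
            result = self._resolve(user, verb, m.group(2).upper())
        except (ObjectMissing, InvalidOperation) as exc:  # any alarm: log it, and lock if high risk
            self._warn(user, statement, machine, ip, str(exc), lock=verb in HIGH_RISK)
            raise
        if verb in HIGH_RISK:  # permitted by the role, but still logged, alerted and locked
            self._warn(user, statement, machine, ip, "high-risk statement", lock=True)
        return result

    def _resolve(self, user, verb, name):
        role_privs = ROLE_PRIVS[user.authority]       # step 1: the verified user's role fixes its rights
        if name not in user.synonyms:                 # step 2: only the user's own synonyms are visible
            raise ObjectMissing("object does not exist")
        owner, obj_privs = user.synonyms[name]
        if verb not in role_privs or (verb in OBJECT_PRIVS and verb not in obj_privs):
            raise InvalidOperation("invalid operation")  # step 3: role check, then per-object grant
        return (verb, owner, name)                    # step 4: execute on the owner's object

    def _warn(self, user, statement, machine, ip, reason, lock):
        self.log.append({"statement": statement, "time": datetime.now(timezone.utc).isoformat(),
                         "account": user.name, "machine": machine, "ip": ip, "reason": reason})
        if lock:                                      # withdraw access and notify the administrator
            user.locked = True
            self.alerts.append(f"locked {user.name}: {reason}: {statement}")

def demo():  # constructed scenario: schema APP owns two tables; an operator and a read-only user
    um = UserManager(objects={("APP", "ORDERS"), ("APP", "CUSTOMERS")})
    um.p_create_user("ops1", "S3cret!", "O")                     # 3rd step: create the classified users
    um.p_create_user("rpt1", "R3ad0nly", "G")
    um.p_grant_user_object("APP", "OPS1")                        # 4th step: every object of APP
    um.p_grant_user_object("APP", "RPT1", "ORDERS", {"SELECT"})  # 4th step: one object, query only
    def run(account, statement, machine, ip):  # 5th step: verify as the new users
        try:
            return ("OK",) + um.execute(account, statement, machine, ip)
        except (ObjectMissing, InvalidOperation) as exc:
            return (type(exc).__name__, str(exc))
    return um, [run("OPS1", "UPDATE orders SET status = 'sent' WHERE id = 7", "web01", "10.0.0.5"),
                run("RPT1", "SELECT * FROM orders", "bi01", "10.0.0.9"),
                run("RPT1", "SELECT * FROM customers", "bi01", "10.0.0.9"),  # no synonym: step 2 alarm
                run("RPT1", "DELETE FROM orders", "bi01", "10.0.0.9"),       # read-only role: step 3 alarm
                run("OPS1", "DROP TABLE orders", "web01", "10.0.0.5"),       # high risk: refused, user locked
                run("OPS1", "SELECT * FROM orders", "web01", "10.0.0.5")]    # locked account is refused
```

demo() returns the manager and the six outcomes, so the log entries (statement, time, account, machine, IP) and the alert raised by the DROP attempt can be inspected afterwards.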

Claims (6)

1. A user management method based on ORACLE databases, characterised in that:
user classification and operating rights are managed by a user management tool, and users are assigned by the user management tool, that is, a role is assigned to each user identity, granting it different operating rights; the user management tool is a custom procedure package implemented in oracle; the role assignment at least includes assigning rights and creating users, and the operating rights include user operation parsing and user management;
the assigned rights are default rights, either custom right levels defined according to business needs, or the assignment of specified access objects per user;
creating a user includes establishing the user, assigning user rights and assigning the user's object rights,
creating a user means calling the tool package with a user name, a password and an authority number,
the authority numbers cover administrator, operator and read-only user,
the administrator holds DDL rights and can create, alter and drop table structures and procedure packages, and can insert, delete, update and query data,
the operator holds DML rights and can query table structures and insert, delete, update and query data,
the read-only user can only query table structures and data,
assigning the user's object rights means either granting all objects of one user to another user, or granting a single object of a user individually;
the management process is:
step one, the application program that connects to the database generates the SQL statement for the corresponding database through ORM (object-relational mapping), the application's database connection pool obtains the corresponding user connection to the database, and the SQL is executed over that connection;
step two, the database receives the SQL to be executed and looks up the corresponding synonym name within the scope of the current user; if the synonym name does not exist, the exception alarm "object does not exist" is thrown; if the synonym exists, proceed to step three;
step three, the database obtains the proxied target object according to the synonym and parses the SQL operation; if the user holds no valid operating right, the exception alarm "invalid operation" is thrown; if the operating right is valid, proceed to step four;
step four, the database interprets and executes the statement on the target object under the user where that object resides;
in the above process, any alarm triggers the early-warning mechanism and the operation is logged, and a high-risk operation locks the user directly.
2. The user management method based on ORACLE databases according to claim 1, characterised in that the high-risk operations are behaviours that destroy database structure or data, all of which are regarded as high-risk operations.
3. The user management method based on ORACLE databases according to claim 1, characterised in that the operation log content includes one or more of: the statement of the operation, the time, the account, the machine name and the accessing IP.
4. The user management method based on ORACLE databases according to claim 1, characterised in that the authorization includes at least one of insert, delete, update and query, and every authorization creates a synonym of the same name under the user, through which access is proxied.
5. The user management method based on ORACLE databases according to claim 1, characterised in that the user operation parsing process is:
step 1, recognize the corresponding role through user verification and grant the different role rights,
step 2, find the corresponding proxied object through the synonym under the corresponding role right,
step 3, check the operating right on the object; if the check passes, execute, and if it fails, raise an exception prompt.
6. The user management method based on ORACLE databases according to claim 1, characterised in that the user management logs the user's access operations and reserves room for extension; a user management strategy can be defined so that, when a pattern of high-risk operations by a user is discovered, the user's authorization is forcibly withdrawn or the user is locked, and the responsible administrator is notified.
Priority Applications (1)

Application Number: CN201510052388.4A
Priority Date: 2015-02-02
Filing Date: 2015-02-02
Title: User management method based on ORACLE databases
Status: Expired - Fee Related

Publications (2)

CN104766023A (en), published 2015-07-08
CN104766023B (en), published 2017-09-19

Family

ID=53647842

Country Status (1)

CN (1) CN104766023B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1967560A (en) * 2006-11-09 2007-05-23 华为技术有限公司 Controlling method of business operations competence and generating method of relational database
CN101515931A (en) * 2009-03-24 2009-08-26 北京理工大学 Method for enhancing the database security based on agent way
CN102508898A (en) * 2011-11-04 2012-06-20 浪潮(北京)电子信息产业有限公司 Data access method and database system based on cloud computing

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8521768B2 (en) * 2011-01-13 2013-08-27 International Business Machines Corporation Data storage and management system


Legal Events

Code  Title
C06   Publication
PB01  Publication
EXSB  Decision made by sipo to initiate substantive examination
SE01  Entry into force of request for substantive examination
GR01  Patent grant
CF01  Termination of patent right due to non-payment of annual fee

Granted publication date: 20170919

Termination date: 20210202