CN107301349A - A database access control method and system - Google Patents

Info

Publication number: CN107301349A
Authority: CN (China)
Legal status: Pending
Application number: CN201710359704.1A
Other languages: Chinese (zh)
Inventors: 王志刚, 喻波, 王志海, 彭洪涛, 曲恩纯
Current Assignee: Beijing Wondersoft Technology Co Ltd
Original Assignee: Beijing Wondersoft Technology Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention discloses a database access control method and system. The system includes: an identity verification module, which verifies the user's identity; a parsing module, which retrieves the user's data access control configuration and parses it into user access control rules and data processing rules; an initialization module, which receives the data processing rules and initializes the data processing engine; a data response module, which responds to the user's data access requests; a scope judgment module, which determines whether a data access request exceeds the user's control scope and, if it does, refuses to serve the request; and a data processing judgment module, which determines whether the data needs to be processed and, if so, calls the data processing engine to cleanse the obtained data. With this scheme, the range of data a user can access can be effectively controlled, and sensitive information in the data content can be mutated or replaced, preventing sensitive information from leaking.

Description

A database access control method and system
Technical field
The present invention relates to the field of data security, and in particular to a database access control method and system.
Background
At present, some terminal protection software already exists in the prior art, as described below:
A. User rights management systems mainly control access rights to server data. Depending on the user's rights, they control whether data can be used, thereby achieving user-level access control; the usable range of data is determined by those rights, which prevents users from accessing data beyond their authority.
Fig. 1 shows the flow of a prior-art user rights management system, which comprises:
1) The user logs in;
2) User identity authentication is performed;
3) If authentication passes, go to step 4); otherwise go to step 8);
4) Request data;
5) Determine whether data is requested; if so, go to step 6); otherwise go to step 7);
6) Return the requested data;
7) Determine whether to log off; if so, go to step 9); otherwise go to step 4);
8) Determine whether to cancel the login; if so, go to step 9); otherwise go to step 1);
9) End.
In practice, a user rights management system cannot obfuscate sensitive data, which is a security risk. It can only control the range of data a user can access; it cannot mutate the sensitive information within that data.
From the standpoint of actual requirements and applications, a transparent database access method based on fine-grained user access control can effectively control the range of data a user can access and, with finer-grained configuration, can mutate or replace sensitive information in the data content, preventing sensitive information from leaking and protecting information security. The data processed by the system remains usable by the user.
Summary of the invention
To solve the above technical problems, the invention provides a database access control method comprising the following steps:
1) Verify the user's identity; if verification passes, go to step 2); otherwise repeat step 1);
2) Retrieve the user's data access control configuration and parse it into user access control rules and data processing rules;
3) Receive the data processing rules and initialize the data processing engine;
4) Respond to the user's data access request to the database;
5) According to the user access control rules, determine whether the data access request exceeds the user's control scope; if it does, refuse to serve the request and go to step 9); otherwise go to step 6);
6) Obtain the data requested by the user through the data service module;
7) Determine whether the data needs to be processed; if so, go to step 8); if not, return the data to the user and go to step 9);
8) Call the data processing engine to cleanse the obtained data, then go to step 9);
9) Determine whether to exit the system; if not, go back to step 4); otherwise go to step 10);
10) End.
Preferably, processing the data comprises: checking the data processing rules and applying mutation processing to the requested data.
Preferably, verifying the user's identity comprises: verifying the username and password.
Preferably, determining whether the data access request exceeds the control scope means: according to the user access control rules, determining whether the data address range of the data request exceeds the valid database table access scope configured for the user.
To solve the above technical problems, the invention provides a database access control system comprising:
An identity verification module, which verifies the user's identity;
A parsing module, which retrieves the user's data access control configuration and parses it into user access control rules and data processing rules;
An initialization module, which receives the data processing rules and initializes the data processing engine;
A data response module, which responds to the user's data access requests to the database;
A scope judgment module, which determines whether the data access request exceeds the user's control scope; if it does, the request is refused; otherwise, the data requested by the user is obtained through the data service module;
A data processing judgment module, which determines whether the data needs to be processed; if so, it calls the data processing engine to cleanse the obtained data; if not, the data is returned to the user.
Preferably, processing the data comprises: checking the data processing rules and applying mutation processing to the requested data.
Preferably, verifying the user's identity comprises: verifying the username and password.
Preferably, determining whether the data access request exceeds the control scope means: according to the user access control rules, determining whether the data address range of the data request exceeds the valid database table access scope configured for the user.
To solve the above technical problems, the invention provides a database access control system comprising:
A control rule parsing module, which responds to user login and data access requests. After the user's login passes, it retrieves the user's access control configuration data, parses it into user access control rules and data processing rules, notifies the data processing module, and issues the user's data access request to the database. When the user ends access and exits, the user's access control rules are removed;
A data processing module, which receives the user access control configuration data, provides data insert, delete, modify and lookup services, initializes the data mutation engine, forwards the user's data access request to the data acquisition module, schedules the data mutation engine to cleanse the obtained data content according to the user's configuration, and returns the processed data to the user;
A data acquisition module, which receives the data source configuration information, provides data insert, delete, modify and lookup services, receives the user's data access request to the database, obtains the data requested by the user, and returns the obtained data to the data processing module.
To solve the above technical problems, the invention provides a computer-readable storage medium storing computer instructions; when the computer instructions are executed, one of the methods described above is performed.
The technical scheme of the invention has an advanced, consistent architecture with high compatibility; it is suitable for most database systems; user rights and data processing rules are flexible to configure; and the data remains usable after cleansing.
Brief description of the drawings
Fig. 1 is a flow chart of the prior-art method.
Fig. 2 is a structural diagram of the system of the invention.
Fig. 3 is a flow chart of the database access control method of the invention.
Fig. 4 is a flow chart of an embodiment of the invention.
Detailed description of the embodiments
The invention is further described below with reference to the drawings and a specific embodiment, but the scope of protection of the invention is not limited to them.
<Database access control framework>
Fig. 2 shows the overall framework of the invention.
The transparent database access method based on fine-grained user access control is divided into three layers: the control rule parsing layer, the data analysis layer and the data acquisition layer. The control rule parsing layer verifies the user's identity, parses the user's access rights according to the rules configured for the user, and notifies the data processing engine. The data analysis layer receives the user's access granularity configuration, initializes the data mutation engine, sends the data acquisition request for the database, and cleanses the data that comes back. The data acquisition layer receives the data source configuration data (i.e. the database connection data configured by the system administrator) and schedules the data extraction plug-in to obtain the data requested by the user.
The control rule parsing layer is the top layer of the overall framework. It responds to user login and data access requests. After the user's login passes, it retrieves the user's access control configuration data (including the database tables the user may access and the processing rules for sensitive information contained in the records of those tables, such as erasing or blurring), parses it into user access control rules, notifies the data processing layer, and issues the user's data request. When the user ends access and exits, the user's access control rules are removed.
The data analysis layer receives the user access control configuration data, provides data insert, delete, modify and lookup services, initializes the data mutation engine, and forwards the user's data request to the data acquisition layer. According to the user's configuration, it schedules the data mutation engine to cleanse the obtained data content, for example by erasing sensitive information or by replacing or blurring it, and returns the processed data to the user.
The data acquisition layer is the bottom layer of the overall architecture. It receives the data source configuration information, provides data insert, delete, modify and lookup services, receives the data acquisition request from the upper layer, invokes data acquisition to obtain the data requested by the user, and returns the obtained data to the data analysis layer.
<Database access control method>
Fig. 3 shows the flow chart of the database access control method of the invention.
The system flow under this framework is described below:
1. After entering the system, the user must undergo identity verification.
2. If identity verification passes, go to 3; otherwise go to 1 and verify again.
3. Retrieve the user access control configuration data, parse it into user access control rules and data processing rules, then go to 4.
4. Receive the data processing rules, initialize the data processing engine, then go to 5.
5. Respond to the user's data access request, then go to 6.
6. According to the user access control rules, determine whether the data request exceeds the database table access scope configured for the user; if it does, go to 7; otherwise go to 8.
7. Refuse to serve the user's data request, then go to 5.
8. Obtain the data requested by the user through the data service module, then go to 9.
9. The data processing module checks the data processing rules and, based on the user access control rules, determines whether mutation processing is needed; if so, go to 10; otherwise go to 11.
10. The data processing module calls the data processing engine to cleanse the obtained data, which specifically includes, according to the configured rules, erasing sensitive data, shuffling data, blurring data, replacing data and similar processing; then go to 11.
11. Return the data to the user, then go to 12.
12. Determine whether to exit the system; if not, go to 5; otherwise go to 13.
13. Exit the system; end.
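The flow above, sketched as an added Python example (not code from the patent): a table-scope check runs before any query, then per-column cleansing rules are applied to the rows that come back. It assumes authentication has already passed; the configuration format, the rule names `erase`, `blur`, `shuffle` and `replace`, the `Session` class and the sample rows are all constructed for illustration.

```python
import random
import sqlite3

# Constructed per-user configuration (hypothetical format): the tables a user
# may read and, per column, the processing rule applied to sensitive values.
USER_CONFIG = {
    "tester01": {
        "customers": {"name": "replace", "id_card": "blur",
                      "bank_card": "erase", "phone": "shuffle"},
    },
}


class AccessDenied(Exception):
    """The request falls outside the user's configured table scope."""


def blur(value):
    """Keep the first 3 and last 2 characters and mask everything between."""
    s = str(value)
    if len(s) <= 5:
        return "*" * len(s)
    return s[:3] + "*" * (len(s) - 5) + s[-2:]


def build_engine(rules, seed=0):
    """Initialise the data processing engine from one table's column rules."""
    rng = random.Random(seed)  # fixed seed only to make the demo repeatable

    def shuffle(value):
        chars = list(str(value))
        rng.shuffle(chars)
        return "".join(chars)

    handlers = {"erase": lambda v: "", "replace": lambda v: "REDACTED",
                "blur": blur, "shuffle": shuffle}
    unknown = set(rules.values()) - set(handlers)
    if unknown:  # fail closed: a misspelt rule must not pass data through
        raise ValueError(f"unknown processing rule(s): {sorted(unknown)}")

    def cleanse(row):
        return {col: handlers[rules[col]](val)
                if col in rules and val is not None else val
                for col, val in row.items()}
    return cleanse


class Session:
    """One authenticated user's session: parsed rules plus engines."""

    def __init__(self, user, config, conn):
        if user not in config:
            raise AccessDenied(f"no access control configuration for {user}")
        self.user, self.conn = user, conn
        # Control rule parsing: table scope and per-table processing engines.
        self.engines = {t: build_engine(r) for t, r in config[user].items()}

    def query(self, table):
        # Scope check happens before any SQL is built, so only table names
        # from the configuration ever reach the statement text.
        if table not in self.engines:
            raise AccessDenied(f"{self.user} may not access {table!r}")
        cur = self.conn.execute(f'SELECT * FROM "{table}"')
        cols = [d[0] for d in cur.description]
        return [self.engines[table](dict(zip(cols, r))) for r in cur]

    def close(self):
        self.engines = {}  # rules are removed when the user exits


def sample_db():
    """Constructed data source standing in for the data acquisition layer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (name TEXT, id_card TEXT, bank_card TEXT,
                                phone TEXT, city TEXT);
        INSERT INTO customers VALUES ('Zhang San', '110101199001011234',
            '6222020200012345678', '13800001111', 'Beijing');
        CREATE TABLE salaries (name TEXT, amount INTEGER);
        INSERT INTO salaries VALUES ('Zhang San', 12000);
    """)
    return conn


if __name__ == "__main__":
    session = Session("tester01", USER_CONFIG, sample_db())
    print(session.query("customers"))
    try:
        session.query("salaries")
    except AccessDenied as exc:
        print("denied:", exc)
    session.close()
```

Columns without a rule (here `city`) pass through unchanged, so a sensitive column that is missing from the configuration is returned in clear; the configuration should be reviewed against the table schema.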
<Specific embodiment>
Fig. 4 shows the data processing steps of a company database desensitization system.
1. After logging in to the computer system, the user logs in to the database desensitization system (which, according to the configured user access and data processing rules, applies fuzzy replacement to key information in the obtained data, such as ID card numbers and bank card numbers); after verification passes, go to step 2.
2. The system parses the user's rights and initializes the data processing engine; when this is complete, go to step 3.
3. The user accesses data in the database; when this is complete, go to step 4.
4. The system responds to the user's request and obtains the data; go to step 5.
5. For the obtained data, determine from the configured user access control rules whether content cleansing is needed; if so, go to step 6; otherwise skip to step 8.
6. The cleansed data is returned to the user; go to step 7.
7. The user views the returned data; go to step 8.
8. Check whether to log off; if not, go to step 3; otherwise log off and end.
In recent years, leak incidents of all kinds have occurred and have posed a great threat to national security and long-term development. The state has therefore set up a dedicated national information security group and attaches great importance to network security. Higher security protection requirements have been set for sectors that bear on the national economy, such as the financial industry and the mobile communications industry, to prevent leaks.
Given the characteristics of project testing in the mobile communications industry, using a data desensitization platform both meets the need for realistic test data and avoids the risk of leaking sensitive user information, and it has been widely adopted in real projects.
In this scenario, the application flow of the invention is similar to the preceding embodiment and is not repeated here.
The technical scheme of the invention has the following advantages:
A. The architecture is advanced and consistent, with high compatibility.
B. It is suitable for most database systems.
C. User rights and data processing rules are flexible to configure, and the data remains usable after cleansing.
The above embodiments are only examples of the protection scheme of the invention and do not limit its specific implementations.

Claims (10)

1. A database access control method, comprising the following steps:
1) Verify the user's identity; if verification passes, go to step 2); otherwise repeat step 1);
2) Retrieve the user's data access control configuration and parse it into user access control rules and data processing rules;
3) Receive the data processing rules and initialize the data processing engine;
4) Respond to the user's data access request to the database;
5) According to the user access control rules, determine whether the data access request exceeds the user's control scope; if it does, refuse to serve the request and go to step 9); otherwise go to step 6);
6) Obtain the data requested by the user through the data service module;
7) Determine whether the data needs to be processed; if so, go to step 8); if not, return the data to the user and go to step 9);
8) Call the data processing engine to cleanse the obtained data, then go to step 9);
9) Determine whether to exit the system; if not, go back to step 4); otherwise go to step 10);
10) End.
2. The method according to claim 1, wherein processing the data comprises: checking the data processing rules and applying mutation processing to the requested data.
3. The method according to claim 1, wherein verifying the user's identity comprises: verifying the username and password.
4. The method according to claim 1, wherein determining whether the data access request exceeds the control scope means: according to the user access control rules, determining whether the data address range of the data request exceeds the valid database table access scope configured for the user.
5. A database access control system, comprising:
An identity verification module, which verifies the user's identity;
A parsing module, which retrieves the user's data access control configuration and parses it into user access control rules and data processing rules;
An initialization module, which receives the data processing rules and initializes the data processing engine;
A data response module, which responds to the user's data access requests to the database;
A scope judgment module, which determines whether the data access request exceeds the user's control scope; if it does, the request is refused; otherwise, the data requested by the user is obtained through the data service module;
A data processing judgment module, which determines whether the data needs to be processed; if so, it calls the data processing engine to cleanse the obtained data; if not, the data is returned to the user.
6. The system according to claim 5, wherein processing the data comprises: checking the data processing rules and applying mutation processing to the requested data.
7. The system according to claim 5, wherein verifying the user's identity comprises: verifying the username and password.
8. The method according to claim 5, wherein determining whether the data access request exceeds the control scope means: according to the user access control rules, determining whether the data address range of the data request exceeds the valid database table access scope configured for the user.
9. A database access control system, comprising:
A control rule parsing module, which responds to user login and data access requests; after the user's login passes, it retrieves the user's access control configuration data, parses it into user access control rules and data processing rules, notifies the data processing module, and issues the user's data access request to the database; when the user ends access and exits, the user's access control rules are removed;
A data processing module, which receives the user access control configuration data, provides data insert, delete, modify and lookup services, initializes the data mutation engine, forwards the user's data access request to the data acquisition module, schedules the data mutation engine to cleanse the obtained data content according to the user's configuration, and returns the processed data to the user;
A data acquisition module, which receives the data source configuration information, provides data insert, delete, modify and lookup services, receives the user's data access request to the database, obtains the data requested by the user, and returns the obtained data to the data processing module.
10. A computer-readable storage medium storing computer instructions, wherein, when the computer instructions are executed, the method of any one of claims 1-4 is performed.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710359704.1A 2017-05-20 2017-05-20 A database access control method and system

Publications (1)

Publication Number Publication Date
CN107301349A 2017-10-27

Family ID: 60138033

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171027