CN110175464A - Data access control method, device, storage medium and electronic equipment - Google Patents
- Publication number: CN110175464A
- Application number: CN201910488737.5A
- Authority: CN (China)
- Legal status: Pending
Classifications
- G06F21/604—Tools and structures for managing or administering access control systems
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F2221/2113—Multi-level security, e.g. mandatory access control
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The application provides a data access control method, device, storage medium and electronic equipment. The method includes: obtaining a data access request sent by a client to an access interface, wherein the data access request carries the access identity of the client and the data type to be accessed; determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, wherein at least two access identities correspond to different target access control expressions; determining first data matching the data type, and determining, from the first data and according to the target access control expression, second data matching the access identity; and returning the second data to the client. Different target access control expressions are determined for the data access requests issued by different clients, and the data are filtered with the target access control expression, so that differentiated access to the data is achieved and the security of the accessed data can be improved.
Description
Technical field
This application relates to the field of data control, and in particular to a data access control method, device, storage medium and electronic equipment.
Background
At present, in most data access processes, different clients can access the same type of data, so that data of that type can be obtained by every client that accesses it, which poses a considerable information security risk.
Summary of the invention
In view of this, the purpose of the application is to provide a data access control method, device, storage medium and electronic equipment that improve the security of accessed data by achieving differentiated access to data.
To achieve the above purpose, the embodiments of the application are implemented as follows:
In a first aspect, the embodiment of the application provides a data access control method, comprising:
obtaining a data access request sent by a client to an access interface, wherein the data access request carries the access identity of the client and the data type to be accessed; determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, wherein at least two access identities correspond to different target access control expressions; determining first data matching the data type, and determining, from the first data and according to the target access control expression, second data matching the access identity; and returning the second data to the client.
In the embodiment of the application, the data access request issued by the client is intercepted and the target access control expression corresponding to the client is determined. After the first data determined for the data access request are filtered with the target access control expression, the second data obtained by filtering are returned to the client, so the data returned to the client have been filtered by the target access control expression. Because different access identities in the data access requests issued by different clients can correspond to different target access control expressions, filtering with the target access control expression returns differentiated data and achieves differentiated access to data, which improves the security of the accessed data.
With reference to the first aspect, in a first possible implementation of the first aspect, the access control expression includes a row data control expression and a column data control expression, wherein the row data control expression is used to control the data access amount of the data and the column data control expression is used to control the data attributes of the data. Determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity comprises:
determining, from the row data control expressions associated with the access interface, the target row data control expression corresponding to the access identity; and determining, from the column data control expressions associated with the access interface, the target column data control expression corresponding to the access identity; wherein the determined target row data control expression and target column data control expression represent the target access control expression.
In the embodiment of the application, the access control expression includes a row data control expression, which controls the data access amount of the data and thereby controls the quantity of data returned. The access control expression also includes a column data control expression, which controls the data attributes of the data and thereby controls the content of the data returned. Combining the two allows fine-grained control of the returned data and increases the granularity of differentiated data access.
With reference to the first possible implementation of the first aspect, in a second possible implementation of the first aspect, determining, from the first data and according to the target access control expression, the second data matching the access identity comprises:
determining, according to the data access amount defined in the target row data control expression, candidate data from the first data whose data volume matches the data access amount; and determining, according to the data attribute defined in the target column data control expression, second data from the candidate data whose data attribute matches the defined data attribute.
In the embodiment of the application, the first data determined from the data type requested in the data access request are first filtered by quantity to determine the candidate data, which controls the data access amount of the returned data. The candidate data are then filtered by data attribute to determine the second data returned to the client, which controls the content of the returned data. Determining the quantity of returned data first and then filtering its content allows the second data to be determined as early as possible and improves the efficiency of data access control.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the defined data attribute includes multiple sub-data attributes, and determining, according to the data attribute defined in the target column data control expression, second data from the candidate data whose data attribute matches the defined data attribute comprises:
matching the sub-data attributes of each part of the candidate data against the sub-data attributes in the target column data control expression, and determining the second data whose sub-data attributes match the sub-data attributes in the target column data control expression.
In the embodiment of the application, matching the sub-data attributes of each part of the data against the sub-data attributes in the target column data control expression determines the second data accurately and efficiently and achieves control over the accessed data. The fine-grained definition of sub-data attributes also enables fine-grained filtering of data content and thus fine-grained access to data.
With reference to the first possible implementation of the first aspect, in a fourth possible implementation of the first aspect, after determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, and before determining the first data matching the data type, the method further comprises:
judging whether the content of at least one of the target row data control expression and the target column data control expression is empty; and, if not empty, executing the step of determining the first data matching the data type.
In the embodiment of the application, whether the contents of the target row data control expression and the target column data control expression exist is judged first, and the subsequent steps are executed only when both exist. If the content of at least one of the two is empty, the client has no permission to access the requested data, and access exception information can be returned directly. Invalid data access requests are thus answered quickly, which improves the execution efficiency of the whole data access system.
With reference to the first aspect, or to any of the first to fourth possible implementations of the first aspect, in a fifth possible implementation of the first aspect, when the type of the access interface is an application programming interface, before determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, the method further comprises:
determining the method name associated with the application programming interface, the data type of the data returned by calling the application programming interface, the accessible attribute names of the returned data, and the accessible methods of the returned data; and generating the access control expression associated with the application programming interface based on the name of the application programming interface, the method name of the application programming interface, the type of the returned data, the accessible attribute names and the accessible methods.
In the embodiment of the application, when the type of the access interface is an application programming interface, several items of information defining the application programming interface are determined and used to generate the access control expression associated with the application programming interface. Access through an application programming interface makes data access convenient for the client. In addition, by defining these items of information together with the access identity of the client, the access control method avoids multiple similar access interfaces for the same kind of data and provides a unified interface for access to that data, which effectively limits the number of access interfaces and makes them simpler to maintain.
In a second aspect, the embodiment of the application provides a data access control device, comprising:
a request module, configured to obtain a data access request sent by a client to an access interface, wherein the data access request carries the access identity of the client and the data type to be accessed; a data processing module, configured to determine, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, wherein at least two access identities correspond to different target access control expressions; the data processing module being further configured to determine first data matching the data type and to determine, from the first data and according to the target access control expression, second data matching the access identity; and a data return module, configured to return the second data to the client.
With reference to the second aspect, in a first possible implementation of the second aspect, the access control expression includes a row data control expression and a column data control expression, wherein the row data control expression is used to control the data access amount of the data and the column data control expression is used to control the data attributes of the data. The data processing module is further configured to:
determine, from the row data control expressions associated with the access interface, the target row data control expression corresponding to the access identity; and determine, from the column data control expressions associated with the access interface, the target column data control expression corresponding to the access identity; wherein the determined target row data control expression and target column data control expression represent the target access control expression.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the data processing module is further configured to determine, according to the data access amount defined in the target row data control expression, candidate data from the first data whose data volume matches the data access amount; and to determine, according to the data attribute defined in the target column data control expression, second data from the candidate data whose data attribute matches the defined data attribute.
With reference to the second possible implementation of the second aspect, in a third possible implementation of the second aspect, the defined data attribute includes multiple sub-data attributes, and the data processing module is further configured to:
match the sub-data attributes of each part of the candidate data against the sub-data attributes in the target column data control expression, and determine the second data whose sub-data attributes match the sub-data attributes in the target column data control expression.
With reference to the first possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the data processing module is further configured to:
after determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, and before determining the first data matching the data type, judge whether the content of at least one of the target row data control expression and the target column data control expression is empty; and, if not empty, determine the first data matching the data type.
With reference to the second aspect, or to any of the first to fourth possible implementations of the second aspect, in a fifth possible implementation of the second aspect, when the type of the access interface is an application programming interface, the data processing module is further configured to:
before determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, determine the method name associated with the application programming interface, the data type of the data returned by calling the application programming interface, the accessible attribute names of the returned data, and the accessible methods of the returned data; and generate the access control expression associated with the application programming interface based on the name of the application programming interface, the method name of the application programming interface, the type of the returned data, the accessible attribute names and the accessible methods.
In a third aspect, the embodiment of the application provides a computer-readable storage medium having non-volatile program code executable by a computer, for storing program code which, when read and run by a computer, executes the data access control method described in the first aspect or any optional implementation of the first aspect.
In a fourth aspect, the embodiment of the application provides a server, comprising: a communication interface, a bus, a processor and a memory, wherein the processor, the memory and the communication interface are connected by the bus; the memory is configured to store computer-readable instructions, and the processor is configured to call and run the computer-readable instructions to execute the data access control method described in the first aspect or any possible implementation of the first aspect.
To make the above objects, features and advantages of the application clearer and easier to understand, preferred embodiments are described in detail below with reference to the accompanying drawings.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the application more clearly, the drawings needed in the embodiments are briefly introduced below. It should be understood that the following drawings show only some embodiments of the application and should therefore not be regarded as limiting its scope; those of ordinary skill in the art can obtain other related drawings from these drawings without creative effort.
Fig. 1 shows a first application scenario diagram of a data access control method provided by the embodiments of the application;
Fig. 2 shows a second application scenario diagram of a data access control method provided by the embodiments of the application;
Fig. 3 shows a third application scenario diagram of a data access control method provided by the embodiments of the application;
Fig. 4 shows a structural block diagram of the server provided by the embodiments of the application;
Fig. 5 shows a flow chart of a data access control method provided by the embodiments of the application;
Fig. 6 shows a flow chart of the establishment and identification stage of access control in a data access control method provided by the embodiments of the application;
Fig. 7 shows a flow chart of the operation stage of access control in a data access control method provided by the embodiments of the application;
Fig. 8 shows a structural block diagram of the data access control device provided by the embodiments of the application.
Detailed description
The technical solutions in the embodiments of the application are described below with reference to the drawings in the embodiments of the application.
It should be noted that similar reference numbers and letters denote similar items in the following drawings, so once an item is defined in one drawing it does not need to be further defined or explained in subsequent drawings. In the description of the application, the terms "first", "second" and so on are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
The embodiment of the application provides a data access control system 30, which may include a server and a terminal, wherein a server-side program can be installed and run on the server and a client program can be installed and run on the terminal. Some data access control systems 30 may also include a database that is independent of the server on which the server side is installed and run.
When the server side applies the data access control method provided by the application, the client can send a data access request to the server side, and the server side can filter the data according to the data access request using the access control expression. This achieves differentiated access to data, so that different clients can access differentiated data without affecting the use of data caching. Because the data are filtered on the server side and only the filtered data are returned to the client, the returned data are controlled on the server side, which improves the security of data access.
Referring to Fig. 1, Fig. 1 shows a first application scenario of the data access control method provided in this embodiment.
In this embodiment, the client 11 may be an APP, a web page, a mini program running on a client program, or any other software program that runs on hardware. The client 11 can be installed and run on the terminal 10. Based on the need to access data, the client 11 sends a data access request to the server 100. A server-side 110 application is installed and runs on the server 100, and the application includes the program of the data access control method provided by the embodiments of the application. On this basis, the server side 110 can obtain the data access request sent by the client 11. According to the data access request, the server side 110 can access the database 20, which is independent of the server 100, and obtain the first data from the database 20. Using the access control expressions in the program of the data access control method and the access identity in the data access request, the server side 110 can determine the target access control expression of the client 11, filter the accessed first data according to the target access control expression to determine the second data, and return the second data to the client 11. When the data access control method is executed in this application scenario, control of the data is separated from access to the data, and differentiated access control over mass data can be achieved.
Referring to Fig. 2, Fig. 2 shows a second application scenario of the data access control method provided in this embodiment.
In this embodiment, the client 11 installed and running on the terminal 10 can, based on the need to access data, send a data access request to the server 100, and the server side 110 installed and running on the server 100 can obtain the data access request sent by the user. According to the data access request, the server side 110 can directly access its own database, determine the first data corresponding to the data access request, filter the accessed first data to determine the second data, and return the second data to the client 11. When the data access control method is executed in this application scenario, the server side 110 itself performs both the access and the filtering of the data and does not need to access a database independent of the server. This removes one data transmission link, so the security of the data can be further improved.
In this embodiment, when a user needs to know certain information, the user can obtain it through the client. In response to the user's operation, the client sends a data access request to the server side, and the server side can then execute the data access control method.
When the client applies the data access control method provided by the application, after generating the request to access data, the client can obtain from the server side the access control expression of the access interface corresponding to the request, request the first data from the server side, and filter the first data using information such as the access control expression and the access identity, thereby achieving differentiated access to data. The advantage of this mode is that differentiated access to data can be carried out conveniently and with high flexibility.
Referring to Fig. 3, Fig. 3 shows a third application scenario of the data access control method provided in this embodiment.
In this embodiment, the program of the client 11 installed and running on the terminal 10 may also include the program of the data access control method provided by the embodiments of the application. The client 11 can therefore, based on the need to access data, generate a data access request and send it to the server 100 to obtain from the server side 110 the first data corresponding to the data access request. The client 11 can also obtain the data access request, determine the access control expression of the access interface called by the data access request, and, in combination with the access identity of the client 11 itself, determine the target access control expression corresponding to the client 11. The client 11 then filters the first data using the target access control expression, determines the second data and returns them to the client 11 itself, which completes the filtering of the data and achieves differentiated access.
When the data access control method is executed in this application scenario, the client 11 itself performs the filtering of the data, which gives strong flexibility.
Referring to Fig. 4, the embodiment of the application provides an electronic equipment 300, and the server side that executes the data access control method may run on the electronic equipment 300. When the electronic equipment 300 is the server 100, the server 100 may be a network server, a database server, a cloud server, a server cluster composed of multiple sub-servers, or the like. When the electronic equipment 300 is the terminal 10, the terminal 10 may be a smart phone, a tablet computer, a PC, a personal digital assistant, or the like. The devices listed above are given to make this embodiment easier to understand and should not be taken as limiting it.
In this embodiment, the electronic equipment 300 may include a memory 301, a communication interface 302, a bus 303 and a processor 304, wherein the processor 304, the communication interface 302 and the memory 301 are connected by the bus 303.
The processor 304 is configured to execute executable modules stored in the memory 301, such as computer programs. The components and structure of the electronic equipment 300 shown in the figure are illustrative rather than restrictive, and the electronic equipment 300 may have other components and structures as needed.
The memory 301 may include high-speed random access memory (RAM) and may also include non-volatile memory, for example at least two magnetic disk storages. In this embodiment, the memory 301 stores the program required to execute the data access control method.
The bus 303 may be an ISA bus, a PCI bus, an EISA bus or the like. The bus can be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one double-headed arrow is shown in the figure, which does not mean that there is only one bus or one type of bus.
The processor 304 may be an integrated circuit chip with signal processing capability. In implementation, each step of the above method can be completed by an integrated logic circuit of hardware in the processor 304 or by instructions in the form of software. The processor 304 may be a general-purpose processor, including a central processing unit (CPU), a network processor (NP) and the like; it may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in the embodiments of the application may be executed and completed directly by a hardware decoding processor, or by a combination of hardware and software modules in a decoding processor. The software module may be located in a storage medium that is mature in the art, such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, or registers.
The method performed by the flow process or defined device disclosed in any embodiment of the application can be applied to the processor 304 or implemented by the processor 304. After receiving an execution instruction and calling the program stored in the memory 301 through the bus 303, the processor 304 controls the communication interface 302 through the bus 303 and can then execute the flow of the data access control method.
Referring to Fig. 5, in this embodiment the data access control method may include step S100, step S200, step S300 and step S400.
Step S100: obtain the data access request sent by a client to an access interface, wherein the data access request carries the access identity of the client and the data type to be accessed.
Step S200: determine, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, wherein the target access control expressions corresponding to at least two access identities are different.
Step S300: determine first data matching the data type, and determine, according to the target access control expression, second data matching the access identity from the first data.
Step S400: return the second data to the client.
Before step S100 is described, the establishment process and the identification process of access control in the data access control method are described, to make the operation flow and principle of the data access control method provided in this embodiment easier to understand.
Referring to Fig. 6, Fig. 6 shows a flowchart of the establishment and identification stages of access control in the data access control method.
In this embodiment, in the establishment stage of access control in the data access control method, an API (Application Programming Interface) can be defined according to the data type as the access interface for the data. An API denotes a set of predefined functions that gives applications or developers the ability to access a group of routines based on software or hardware, without accessing the source code or understanding the details of the internal working mechanism. In this application, an API provided for data access can be understood simply as the channel that the server provides for the client to obtain data.
In this embodiment, access control can be defined for an API as required. For example, for an API whose data needs access control, a controlled annotation can be added to the API to indicate that access control must be performed for it. The controlled annotation can also describe and annotate the basic information and key data elements of the API; combined with the reflection mechanism, these controlled APIs are analyzed, so that control over API access is established and identified. An API whose data does not need access control can be left untouched: when an API that is not subject to access control is accessed, the data is accessed normally, without being screened by the data access control method provided in this embodiment. An annotation is a code-level description that can be applied to program elements such as classes, fields, methods, local variables and method parameters, in order to describe and annotate these elements. The reflection mechanism is a computer processing mode in which a program can access, inspect and modify its own state or behavior; through the reflection mechanism, the object types, methods and member information in a program can be obtained.
Marking whether an API needs access control with an annotation makes it very easy to change the controlled status of the API: it only requires adding or removing the controlled annotation.
In this embodiment, the access identities of clients can be defined according to the controlled API information, so that clients with different access identities obtain different data, realizing differentiated access to data.
In this embodiment, an AOP (Aspect Oriented Programming) aspect class associated with the APIs that carry the controlled annotation can be defined. Using AOP, the business logic that obtains the first data is isolated from the business logic that handles access control, which reduces the coupling between the parts of the business logic, avoids affecting other business logic code when one part is changed, improves the reusability of the program, and improves the flexibility and extensibility of the code. AOP is a technique that adds functionality to a program dynamically and uniformly, without modifying the source code, by means of precompilation and runtime dynamic proxies.
It should be noted that, in this embodiment, the access control expressions associated with an access interface are described in an EL (Expression Language) and include a row data control expression and a column data control expression, which state the screening rule applied to the first data and the data attributes of the generated second data. The expression language used can be JEXL (Java Expression Language), SpEL (Spring Expression Language), etc., which is not limited here.
For example, in an example that uses SpEL to describe control expressions, the controlled annotation added to the API describes the name of the API and the data type that the API returns, and the attribute names of the returned data are preset. For example, a piece of flight data includes the attribute names airlines (airline), execdate (execution date), flightNo (flight number), task (flight task), dep (departure airport), arr (landing airport), isVIP (VIP flag) and other partial data content. In addition, a control expression can be described by combining the logical operators of SpEL with the flight data attributes, such as "airlines=='CA' and dep=='CTU'", which means the Air China flight data departing from Chengdu Shuangliu Airport. SpEL can also describe complex sub-data attributes and data method calls, such as "dep.name.length()", which means obtaining the Chinese name of the departure airport and returning the length of the name.
The above introduces the establishment stage of access control in the data access control method; next, the generation stage of the access control expressions is introduced.
When the server starts, it can automatically scan for all APIs that carry the controlled annotation, and can use the reflection mechanism to process each such access interface, determine the method name of the API, and read the controlled elements corresponding to the interface, including the data type of the data returned by calling the API, the accessible attribute names of the returned data, and the accessible methods of the returned data.
By controlling the access interfaces that carry the controlled mark and skipping access control for the access interfaces that do not, data access control can be applied flexibly, which helps improve the execution efficiency of the whole data access control method.
After determining the method name of the API, the data type of the data returned by calling the API, the accessible attribute names of the returned data and the accessible methods of the returned data, the server can build, based on these controlled elements, a data storage structure that contains them. Generating a data storage structure that contains the controlled elements allows the controlled elements associated with the API to be kept for a long time as long as the controlled annotation of the API does not change.
It should be noted that this embodiment describes obtaining the data storage structure containing the controlled elements by generating it directly; in some other optional implementations, the server can instead directly read a data storage structure that has already been stored for the access interface, which is not limited here. Generating the data storage structure is real-time, so it is highly accurate in application environments where the controlled elements are updated frequently and change quickly; reading a stored data storage structure skips the generation process, so it is highly efficient in application environments where the controlled elements are updated infrequently.
After determining the data storage structure that contains the controlled elements of the API, the server can parse it to obtain the controlled elements in it, such as the method name of the API, the data type of the data returned by calling the API, the accessible attribute names of the returned data and the accessible methods of the returned data. On this basis, the server can, according to access control needs, use EL syntax to build the access control expressions associated with the corresponding API based on the controlled elements.
By controlling the access interfaces that carry the controlled mark and skipping access control for the access interfaces that do not, data access control can be applied flexibly, which helps improve the execution efficiency of the whole data access control method. Describing the rules of data access control in EL also turns code logic that was complex and changeable into independent, understandable expressions, which makes the control logic of the whole data access control method more flexible and easier to manage, and avoids the high later maintenance cost and the service interruption caused by hard-coded rules.
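The startup scan described above, as an added example that is not part of the patent text: a Python decorator stands in for the controlled annotation, `inspect` for the reflection mechanism and a method wrapper for the AOP aspect class. The names `controlled`, `scan`, `check_columns`, `install_interceptor`, `FlightService` and the `route` method are hypothetical, and `check_columns` is an added startup check that the page does not describe.

```python
import functools
import inspect
from dataclasses import dataclass, fields


@dataclass
class Flight:
    """Returned data type; the attribute names are the ones the page lists."""
    airlines: str
    execdate: str
    flightNo: str
    task: str
    dep: str
    arr: str
    isVIP: bool

    def route(self):                      # hypothetical accessible method
        return f"{self.dep}-{self.arr}"


def controlled(name, returns):
    """Stand-in for the controlled annotation: records API name and returned type."""
    def mark(func):
        func.__controlled__ = {"name": name, "returns": returns}
        return func
    return mark


class FlightService:
    @controlled(name="flights", returns=Flight)
    def list_flights(self, identity):
        # Constructed sample record.
        return [Flight("CA", "2018-03-05", "CA4101", "W/Z", "CTU", "PEK", True)]

    def list_airports(self, identity):    # no mark: never screened
        return ["CTU", "PEK"]


@dataclass(frozen=True)
class ControlledElements:
    """The data storage structure holding one API's controlled elements."""
    api_name: str
    method_name: str
    data_type: str
    attributes: tuple
    methods: tuple


def scan(service_cls):
    """Startup scan: reflect over the class and record every marked method."""
    registry = {}
    for method_name, func in inspect.getmembers(service_cls, inspect.isfunction):
        meta = getattr(func, "__controlled__", None)
        if meta is None:
            continue                      # unmarked API: ignored by access control
        rtype = meta["returns"]
        registry[method_name] = ControlledElements(
            api_name=meta["name"],
            method_name=method_name,
            data_type=rtype.__name__,
            attributes=tuple(f.name for f in fields(rtype)),
            methods=tuple(n for n, _ in inspect.getmembers(rtype, inspect.isfunction)
                          if not n.startswith("_")),
        )
    return registry


def check_columns(elements, columns):
    """Reject a column expression naming attributes the returned type lacks."""
    unknown = sorted(set(columns) - set(elements.attributes))
    if unknown:
        raise ValueError(f"{elements.method_name}: unknown attributes {unknown}")
    return tuple(columns)


def install_interceptor(service_cls, registry, screen):
    """AOP stand-in: wrap only the controlled methods; screen() applies the policy."""
    for method_name, elements in registry.items():
        original = getattr(service_cls, method_name)

        @functools.wraps(original)
        def wrapper(self, identity, _orig=original, _el=elements):
            return screen(_el, identity, _orig(self, identity))

        setattr(service_cls, method_name, wrapper)
```

Removing the `@controlled` line from a method is enough to take it out of the registry at the next scan, which is the status change the annotation approach is meant to make cheap.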
In this embodiment, the access control expressions include a row data control expression for controlling the data access amount of data, and a column data control expression for controlling the data attributes of data. The row data control expression can screen the type of data and so control the data access amount, while the column data control expression can screen the data attributes of data and so control the content of the data. Screening data through the access control expressions in this way realizes fine-grained and differentiated access to data.
With the generation stage of the access control expressions in the data access control method introduced above, the data access control method provided in this embodiment is further described below.
After the client sends a data access request to the server, the server can execute step S100.
Step S100: obtain the data access request sent by a client to an access interface, wherein the data access request carries the access identity of the client and the data type to be accessed.
In this embodiment, the server can obtain the data access request.
Referring to Fig. 6 and Fig. 7, in the identification stage and the running stage of access control in the data access control method, after obtaining the data access request, the server can process it and determine what it contains: the access interface requested to be called, the access identity of the client, and the data type requested.
It should be noted that the data access request includes the access identity of the client, and among all the clients that can access through the same access interface, there are at least two clients whose access identities differ. The access identity can indicate the access authority of the client; by mapping different access identities to different access authorities, differentiated access to data is realized. Of course, different clients may also have the same access identity and access the same data, which is not limited here.
In addition, the access identity of a client may be absolutely fixed, i.e. client A can only access the data that its access identity can access; or it may be relatively fixed, depending on the parameters in effect when the access identity of the client is generated. The access identity of the client can be determined by the identity of the user logged in to the client, and the identity of the user can change. For example, user B bought an air ticket of China Southern Airlines on January 23, so the identity with which the user logs in to the client is a customer of China Southern Airlines, and thus the access identity of the client can be a customer of China Southern Airlines; the next day, user B bought an air ticket of Spring Airlines, so the identity with which the user logs in to the client is a customer of Spring Airlines, and thus the access identity of the client can be a customer of Spring Airlines.
Suppose that on March 5, 2018 the first traveler wants to obtain that day's flight data through the first client. Based on the first traveler's access operation, the first client sends a data access request to the server; the data access request contains the information of the first access interface that the first client requests to call, the access identity of the first client is VIP, and the data type requested is that day's flight data. The second traveler likewise wants to obtain that day's flight data on March 5, 2018 through the second client. Based on the second traveler's access operation, the second client sends a data access request to the server; the data access request contains the information of the first access interface that the second client requests to call, the access identity of the second client is ordinary guest, and the data type requested is that day's flight data.
In this embodiment, after determining the access interface that the data access request asks to call, the server can judge whether the access interface is controlled by judging whether it is an API with the controlled mark. If the access interface is an API without the controlled mark, it is uncontrolled, and the server can skip access control for the data accessed by the data access request.
If the access interface is an API with the controlled mark, it is controlled, and the server can intercept the data access request through the predefined AOP aspect class. Intercepting the data access request with the AOP aspect class isolates the handling of the data access request from other business logic, which reduces the coupling between that handling and other business logic and improves the usability of the programs that obtain and process data access requests.
Of course, besides intercepting the data access request with the AOP aspect class, an interceptor combined with a filter can also be used to intercept the data access request and screen the returned data. This is therefore not to be regarded as a limitation on the present application.
Continuing the preceding assumption, the server determines that the first access interface is a controlled access interface and intercepts the access request using AOP. The server can use the reflection mechanism to process the access interface and determine the method name of the API. After the method name of the API corresponding to the access interface is determined, the access control expressions associated with the access interface can be determined based on the method name of the API.
After determining the access identity of the client and the access control expressions associated with the access interface, the server can execute step S200.
Step S200: determine, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, wherein the target access control expressions corresponding to at least two access identities are different.
In this embodiment, the server can match the row data control expressions associated with the access interface against the access identity, and determine from them the target row data control expression corresponding to the access identity.
The data attribute defined by the column data control expression may include multiple sub-data attributes, so the server can match the sub-data attributes included in the column data control expression against the access identity one by one, and determine the sub-data attributes corresponding to the access identity as the target column data control expression. For example, if the access identity of the client is VIP, the target row data control expression corresponding to the client is determined to be VIP. The target column data control expression can be determined from the column data control expressions associated with the API; the target column data control expression for the VIP access identity includes: airlines, execdate, flightNo, dep, arr, isVIP.
It should be noted that there can be multiple sub-data attributes corresponding to an access identity. Setting multiple sub-data attributes allows the content of the data to be divided more finely, realizing fine-grained differentiated access to data.
In addition, different access identities can correspond to different target access control expressions, but it should not be assumed that different access identities must correspond to different target access control expressions. For example, among access identity D, access identity E and access identity F, the target access control expression corresponding to access identity E is the same as the one corresponding to access identity D but differs from the one corresponding to access identity F; this is not a limitation here.
Continuing the preceding assumption, while performing data access control on the data access request of the first client, the server can match the column data control expressions (airline, execution date, flight number, flight task, departure airport, landing airport, VIP flag, etc.) one by one against the VIP access identity, and determine that airline, execution date, flight number, VIP flag, departure airport and landing airport form the target column data control expression. While performing data access control on the data access request of the second client, the server can match the column data control expressions (airline, execution date, flight number, flight task, departure airport, landing airport, VIP flag, etc.) one by one against the non-VIP access identity, and determine that airline, execution date and departure airport form the target column data control expression.
Determining the target row data control expression and the target column data control expression for the data access request sent by a client determines the access authority of the client. On this basis, when clients with different access authorities access data of the same type through the same access interface, the server can return to each client the data that matches its access authority.
Referring to Fig. 7, after determining the target row data control expression and the target column data control expression of the client, the server can judge whether the content of the target row data control expression is empty. If it is empty, the server can return to the client prompt information indicating an access exception, and end the access.
If the content of the target row data control expression is not empty, the server can then judge whether the number of sub-data attributes in the target column data control expression is zero. If so, the server can return to the client prompt information indicating an access exception, and end the access; if not, the server can execute the subsequent steps.
After the target row data control expression and the target column data control expression for the client are determined, the server judges whether both contain expression content for screening data, i.e. whether the client has substantive access authority, so that, before data is accessed and screened, no data access is performed for the data access request of a client without substantive access authority. This improves the security and execution efficiency of the data access control method.
It should be noted that the content of the target row data control expression being empty can mean that the data access amount of the target row data control expression is zero, or that the content of the target row data control expression does not exist, which is not limited here; it only needs to indicate that screening data with the target row data control expression yields zero data. The server can judge the target row data control expression first and then the target column data control expression, or the target column data control expression first and then the target row data control expression, or both at the same time; the specific manner of judging is not limited here.
When it is judged that the expression content of neither the target row data control expression nor the target column data control expression is empty, the server can execute step S300.
Step S300: determine first data matching the data type, and determine, according to the target access control expression, second data matching the access identity from the first data.
Referring to Fig. 7, in this embodiment the server can access the database according to the data access request, to determine the first data matching the data type in the data access request. Each piece of data in the first data includes multiple parts; each part corresponds to at least one sub-data attribute, and the sub-data attribute reflects the attribute of the data content of the corresponding part.
Dividing each piece of data into multiple parts and setting a corresponding sub-data attribute for each part makes the attribute division of the data content finer. Access control and screening can be applied to each part of every piece of data, so that fine-grained differentiated data access can be realized and the content of the data can be controlled more finely, which to a greater extent prevents a client from accessing data content beyond its access authority and further improves the security of the data.
After determining the first data, the server can determine from the first data the data to be selected that matches the data access amount defined by the target row data control expression. The data to be selected can be a certain number of the most recent data, a certain number of the most-accessed data, or a certain number of the highest-ranked data, which is not limited here.
After determining the data to be selected, the server can screen it with the target column data control expression. The sub-data attribute of each part of the data to be selected can be matched against the sub-data attributes in the target column data control expression, to determine the second data whose sub-data attributes match those in the target column data control expression. For example, the column data control expression determined for the VIP access identity (airlines, execdate, flightNo, dep, arr, isVIP) is matched one by one against the sub-data attributes airlines (airline), execdate (execution date), flightNo (flight number), task (flight task), dep (departure airport), arr (landing airport) and isVIP (VIP flag), thereby determining the second data.
Continuing the preceding assumption, the first data determined from the data access request issued by the first client includes 500 pieces of flight data, each of which contains the parts corresponding to airline, execution date, flight number, flight task, departure airport, landing airport and VIP flag. The 500 pieces of flight data are first matched against the target row data control expression, and 100 of them are determined to meet the condition. Then the sub-data attribute of each part of each of the 100 pieces of data is matched against each expression in the target column data control expression, the airline, execution date, flight number, flight task, departure airport and landing airport parts of each of the 100 pieces of flight data are determined, and 100 pieces of second data containing the airline, execution date, flight number, VIP flag, departure airport and landing airport parts are generated accordingly. The first data determined from the data access request issued by the second client also includes 500 pieces of flight data, each of which contains the parts corresponding to airline, execution date, flight number, flight task, departure airport, landing airport and VIP flag. The 500 pieces of flight data are first matched against the target row data control expression, and only 20 of them are determined to meet the condition. Then the sub-data attribute of each part of each of the 20 pieces of data is matched against each expression in the target column data control expression, the airline, execution date and departure airport parts of each of the 20 pieces of flight data are determined, and 20 pieces of second data containing the airline, execution date and departure airport parts are generated accordingly.
Since the target access control expression is described in EL, parsing it and substituting the first data makes it easy to determine the second data that is consistent with the rules of the target access control expression; because the target access control expression matches the access identity, the second data matching the access identity is thereby determined. The data to be selected is screened by matching the sub-data attribute of each part of each piece of data in it against the sub-data attributes in the target column data control expression. In this way, access control and screening can be applied to each part of every piece of data, so that fine-grained differentiated data access can be realized and the content of the data can be controlled more finely, which to a greater extent prevents a client from accessing data content beyond its access authority and further improves the security of the data.
After determining the second data, the server can execute step S400.
Step S400: return the second data to the client.
In this embodiment, the server can compress and encrypt the determined second data, package it into a data packet, and send the data packet to the client in response to the data access request issued by the client, completing the whole flow of the data access control method.
Continuing the preceding assumption, the server can compress and encrypt the 100 generated pieces of second data containing the airline, execution date, flight number, flight task, departure airport and landing airport parts, package them into a data packet, and return it to the first client for the first traveler to view. Similarly, the second data determined according to the target access control expression corresponding to the second client is transmitted to the second client for the second traveler to view.
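Steps S100 to S400 end to end, as an added example that is not part of the patent text: the row and column control expressions are looked up per access identity, both emptiness checks run before any data is read, and a small whitelist evaluator stands in for SpEL or JEXL (it handles only `==`, `!=`, `and`, `or` and `not`). The interface name `getFlights`, the identity labels, the policy table and the flight records are constructed for illustration.

```python
import ast
import operator
from dataclasses import dataclass

# Constructed sample "first data": flight records with the page's attribute names.
FLIGHTS = [
    {"airlines": "CA", "execdate": "2018-03-05", "flightNo": "CA4101",
     "task": "W/Z", "dep": "CTU", "arr": "PEK", "isVIP": True},
    {"airlines": "CA", "execdate": "2018-03-05", "flightNo": "CA1405",
     "task": "W/Z", "dep": "PEK", "arr": "CTU", "isVIP": False},
    {"airlines": "CZ", "execdate": "2018-03-05", "flightNo": "CZ3901",
     "task": "W/Z", "dep": "CTU", "arr": "CAN", "isVIP": False},
    {"airlines": "CZ", "execdate": "2018-03-06", "flightNo": "CZ3902",
     "task": "W/Z", "dep": "CAN", "arr": "CTU", "isVIP": True},
]
STORE = {"flights": FLIGHTS}


@dataclass(frozen=True)
class Policy:
    row_expr: str    # row data control expression: which records are visible
    columns: tuple   # column data control expression: which attributes are visible


# Hypothetical policy table: access interface -> access identity -> target expressions.
POLICIES = {
    "getFlights": {
        "vip": Policy("execdate == '2018-03-05'",
                      ("airlines", "execdate", "flightNo", "dep", "arr", "isVIP")),
        "common": Policy("execdate == '2018-03-05' and airlines == 'CA' and dep == 'CTU'",
                         ("airlines", "execdate", "dep")),
        "no_rows": Policy("", ("airlines",)),
        "no_cols": Policy("airlines == 'CA'", ()),
    }
}
CONTROLLED = {"getFlights"}   # interfaces that carry the controlled mark

_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne}


def eval_row_expr(expr, row):
    """Evaluate a row expression against one record, allowing only whitelisted nodes."""
    def ev(node):
        if isinstance(node, ast.BoolOp):
            vals = [ev(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not ev(node.operand)
        if (isinstance(node, ast.Compare) and len(node.ops) == 1
                and type(node.ops[0]) in _OPS):
            return _OPS[type(node.ops[0])](ev(node.left), ev(node.comparators[0]))
        if isinstance(node, ast.Name) and node.id in row:
            return row[node.id]
        if isinstance(node, ast.Constant) and isinstance(node.value, (str, int, bool)):
            return node.value
        # Calls, attribute access, unknown names and other operators are rejected.
        raise ValueError(f"unsupported expression element: {type(node).__name__}")
    return bool(ev(ast.parse(expr, mode="eval").body))


class AccessException(Exception):
    """Stands for the 'access exception' prompt returned to the client."""


def handle_request(interface, identity, data_type, store=STORE):
    # S100: the request carries the interface, the access identity and the data type.
    if interface not in CONTROLLED:
        return [dict(r) for r in store[data_type]]   # uncontrolled API: no screening
    # S200: target expressions for this identity on this interface.
    policy = POLICIES.get(interface, {}).get(identity)
    # Both checks run before any data is read.
    if policy is None or not policy.row_expr.strip():
        raise AccessException("row data control expression is empty")
    if len(policy.columns) == 0:
        raise AccessException("column data control expression has no attributes")
    # S300: first data by type, then rows screened, then attributes screened.
    first = store[data_type]
    selected = [r for r in first if eval_row_expr(policy.row_expr, r)]
    second = [{c: r[c] for c in policy.columns} for r in selected]
    return second                                    # S400: returned to the client
```

The evaluator does not cover the method-call form the page mentions (`dep.name.length()`); an expression of that kind is rejected with `ValueError` rather than executed.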
Referring to Fig. 8, the embodiment of the present application also provides a data access control device 200, which can be applied to a server and includes:
a request module 210, configured to obtain the data access request sent by a client to an access interface, wherein the data access request carries the access identity of the client and the data type to be accessed;
a data processing module 220, configured to determine, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, wherein the target access control expressions corresponding to at least two access identities are different;
the data processing module 220 being further configured to determine first data matching the data type, and to determine, according to the target access control expression, second data matching the access identity from the first data;
a data return module 230, configured to return the second data to the client.
In this embodiment, the access control expressions include a row data control expression and a column data control expression, wherein the row data control expression is used to control the data access amount of data and the column data control expression is used to control the data attributes of data; the data processing module 220 is further configured to:
determine, from the row data control expressions associated with the access interface, the target row data control expression corresponding to the access identity; and determine, from the column data control expressions associated with the access interface, the target column data control expression corresponding to the access identity; wherein determining the target row data control expression and the target column data control expression means that the target access control expression is determined.
In this embodiment, the data processing module 220 is further configured to determine from the first data, according to the data access amount defined by the target row data control expression, the data to be selected whose data volume matches the data access amount; and to determine from the data to be selected, according to the data attribute defined by the target column data control expression, the second data whose data attribute matches the defined data attribute.
In this embodiment, the defined data attribute includes multiple sub-data attributes, and the data processing module 220 is further configured to:
match the sub-data attribute of each part of the data to be selected against the sub-data attributes in the target column data control expression, and determine the second data whose sub-data attributes match those in the target column data control expression.
In this embodiment, the data processing module 220 is further configured to:
After determining the target access control expression corresponding to the access identity from the access control expressions associated with the access interface, and before determining the first data matching the data type, judge whether the content of at least one of the target row data control expression and the target column data control expression is empty;
If not empty, determine the first data matching the data type.
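The row and column screening and the empty-expression check described above, as an added example that is not code from the patent. It assumes the row data control expression is a maximum row count, the column data control expression is a set of permitted attribute names, and an empty or missing expression returns no data; `INTERFACE_POLICIES`, `DATA_STORE` and `handle_request` are hypothetical names.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class AccessControlExpression:
    # Row data control expression: data access amount (assumed: max rows). None = empty.
    row_limit: Optional[int]
    # Column data control expression: permitted data attributes. None or empty set = empty.
    columns: Optional[FrozenSet[str]]


# Constructed sample: expressions associated with one access interface, keyed by
# access identity. At least two identities map to different expressions.
INTERFACE_POLICIES = {
    "orders_api": {
        "auditor": AccessControlExpression(3, frozenset({"id", "customer", "amount"})),
        "support": AccessControlExpression(2, frozenset({"id", "status"})),
        "intern": AccessControlExpression(None, frozenset({"id"})),  # empty row expression
    }
}

# Constructed sample data, keyed by the data type carried in the request.
DATA_STORE = {
    "order": [
        {"id": 1, "customer": "A", "amount": 120, "status": "paid", "card_last4": "1111"},
        {"id": 2, "customer": "B", "amount": 75, "status": "open", "card_last4": "2222"},
        {"id": 3, "customer": "C", "amount": 310, "status": "paid", "card_last4": "3333"},
        {"id": 4, "customer": "D", "amount": 42, "status": "open", "card_last4": "4444"},
    ]
}


def handle_request(interface: str, identity: str, data_type: str) -> list:
    """Return the second data for one intercepted data access request."""
    # Step 1: pick the target expression for this access identity on this interface.
    expr = INTERFACE_POLICIES.get(interface, {}).get(identity)

    # Step 2: empty check before touching any data. Assumption: an unknown
    # identity or an empty row/column expression fails closed (nothing returned).
    if expr is None or expr.row_limit is None or not expr.columns:
        return []

    # Step 3: first data = everything matching the requested data type.
    first_data = DATA_STORE.get(data_type, [])

    # Step 4: the row expression bounds the access amount, giving the candidate data.
    candidates = first_data[: expr.row_limit]

    # Step 5: the column expression keeps only attributes whose names match the
    # permitted sub-data attributes; everything else is dropped from each row.
    return [{k: v for k, v in row.items() if k in expr.columns} for row in candidates]
```

Attributes that no expression lists, such as `card_last4` in the sample rows, never reach any client, which is the allow-list behaviour a reviewer would check for in a column filter.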
In this embodiment, when the type of the access interface is an application programming interface, the data processing module 220 is further configured to:
Before determining the target access control expression corresponding to the access identity from the access control expressions associated with the access interface, determine the method name of the application programming interface associated with the application programming interface, the data type of the data returned by calling the application programming interface, the accessible attribute names of the returned data, and the accessible methods of the returned data; and generate the access control expression associated with the application programming interface based on the name of the application programming interface, the method name of the application programming interface, the type of the returned data, the accessible attribute names and the accessible methods.
In conclusion, the embodiments of the present application provide a data access control method, device, storage medium and electronic equipment. By intercepting the data access request issued by a client, the target access control expression corresponding to the client is determined. The first data determined for the data access request is screened using the target access control expression, and the second data obtained through screening is returned to the client, so that the data returned to the client has been screened by the target access control expression. Because the data access requests issued by different clients carry different access identities, and different access identities can correspond to different target access control expressions, screening by the target access control expression returns differentiated data. This realizes differentiated access to data and can thereby improve the security of data access.
The above is only a specific embodiment of the present application, but the protection scope of the present application is not limited thereto. Any change or replacement that a person skilled in the art can readily conceive within the technical scope disclosed in the present application shall be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A data access control method, characterized in that the method comprises:
Obtaining a data access request sent by a client to an access interface, wherein the data access request carries the access identity of the client and the data type to be accessed;
Determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, wherein the target access control expressions corresponding to at least two access identities are different;
Determining first data matching the data type, and determining, from the first data and according to the target access control expression, second data matching the access identity;
Returning the second data to the client.
2. The data access control method according to claim 1, characterized in that the access control expression includes a row data control expression and a column data control expression, wherein the row data control expression is used to control the data access amount of the data, and the column data control expression is used to control the data attributes of the data; and determining, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity comprises:
Determining, from the row data control expressions associated with the access interface, the target row data control expression corresponding to the access identity; and determining, from the column data control expressions associated with the access interface, the target column data control expression corresponding to the access identity; wherein the determined target row data control expression and target column data control expression represent the determined target access control expression.
3. The data access control method according to claim 2, characterized in that determining, from the first data and according to the target access control expression, the second data matching the access identity comprises:
Determining, from the first data and according to the data access amount defined by the target row data control expression, candidate data whose data amount matches the data access amount;
Determining, from the candidate data and according to the data attribute defined by the target column data control expression, the second data whose data attribute matches the defined data attribute.
4. The data access control method according to claim 3, characterized in that the defined data attribute includes multiple sub-data attributes, and determining, from the candidate data and according to the data attribute defined by the target column data control expression, the second data whose data attribute matches the defined data attribute comprises:
Matching the sub-data attributes of each part of the candidate data against the sub-data attributes in the target column data control expression, and determining the second data whose sub-data attributes match the sub-data attributes in the target column data control expression.
5. The data access control method according to claim 2, characterized in that, after determining the target access control expression corresponding to the access identity from the access control expressions associated with the access interface, and before determining the first data matching the data type, the method further comprises:
Judging whether the content of at least one of the target row data control expression and the target column data control expression is empty;
If not empty, performing the step of determining the first data matching the data type.
6. The data access control method according to any one of claims 1-5, characterized in that, when the type of the access interface is an application programming interface, before determining the target access control expression corresponding to the access identity from the access control expressions associated with the access interface, the method further comprises:
Determining the method name of the application programming interface associated with the application programming interface, the data type of the data returned by calling the application programming interface, the accessible attribute names of the returned data, and the accessible methods of the returned data;
Generating the access control expression associated with the application programming interface based on the name of the application programming interface, the method name of the application programming interface, the type of the returned data, the accessible attribute names of the returned data and the accessible methods of the returned data.
7. A data access control device, characterized in that the device comprises:
A request obtaining module, configured to obtain a data access request sent by a client to an access interface, wherein the data access request carries the access identity of the client and the data type to be accessed;
A data processing module, configured to determine, from the access control expressions associated with the access interface, the target access control expression corresponding to the access identity, wherein the target access control expressions corresponding to at least two access identities are different;
The data processing module is further configured to determine first data matching the data type, and to determine, from the first data and according to the target access control expression, second data matching the access identity;
A data return module, configured to return the second data to the client.
8. The data access control device according to claim 7, characterized in that the access control expression includes a row data control expression and a column data control expression, wherein the row data control expression is used to control the data access amount of the data, and the column data control expression is used to control the data attributes of the data;
The data processing module is further configured to determine, from the row data control expressions associated with the access interface, the target row data control expression corresponding to the access identity; and to determine, from the column data control expressions associated with the access interface, the target column data control expression corresponding to the access identity; wherein the determined target row data control expression and target column data control expression represent the determined target access control expression.
9. A computer-readable storage medium having non-volatile program code executable by a computer, for storing program code, characterized in that, when the program code is read and run by a computer, the data access control method according to any one of claims 1-6 is performed.
10. An electronic device, characterized by comprising: a communication interface, a bus, a processor and a memory, wherein the processor, the memory and the communication interface are connected by the bus; the memory is configured to store computer-readable instructions; and the processor is configured to perform the data access control method according to any one of claims 1-6 by calling and running the computer-readable instructions.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910488737.5A CN110175464A (en) | 2019-06-05 | 2019-06-05 | Data access control method, device, storage medium and electronic equipment |
Publications (1)
Publication Number | Publication Date |
---|---|
CN110175464A true CN110175464A (en) | 2019-08-27 |
Family
ID=67698082
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910488737.5A Pending CN110175464A (en) | 2019-06-05 | 2019-06-05 | Data access control method, device, storage medium and electronic equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110175464A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||